Hit MOZ_CRASH(assertion failed: dimensions.height >= self.max_dynamic_size.height) at gfx/wr/webrender/src/render_target.rs:279
Categories
(Core :: Graphics: WebRender, defect)
Tracking
()
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 2 open bugs, Regression)
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed])
Crash Data
Attachments
(1 file)
|
2.98 KB,
application/zip
|
Details |
Testcase found while fuzzing mozilla-central rev e22423381bcd (built with --enable-debug).
Hit MOZ_CRASH(assertion failed: dimensions.height >= self.max_dynamic_size.height) at gfx/wr/webrender/src/render_target.rs:279
#0 0x7f0e124eeda5 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:254:3
#1 0x7f0e124eeda5 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:17:3
#2 0x7f0e124eed54 in mozglue_static::panic_hook::h6e70bafc479dc06d /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:89:9
#3 0x7f0e124ee67b in core::ops::function::Fn::call::h01fce3a141895069 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:70:5
#4 0x7f0e134a9b77 in std::panicking::rust_panic_with_hook::haa1ed36ada4ffb03 /rustc/18bf6b4f01a6feaf7259ba7cdae58031af1b7b39/library/std/src/panicking.rs:573:17
#5 0x7f0e11d8bcc5 in std::panicking::begin_panic::_$u7b$$u7b$closure$u7d$$u7d$::h71d3c72cb12674fd /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:498:9
#6 0x7f0e11d7e11f in std::sys_common::backtrace::__rust_end_short_backtrace::he845e1c15d2231ac /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:153:18
#7 0x7f0e11d8bc8e in std::panicking::begin_panic::h7a8bb569a0f27d1b /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:497:12
#8 0x7f0e11fe832e in webrender::renderer::Renderer::draw_frame::hed5bd89c1afbb813 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer.rs
#9 0x7f0e11fbb2e8 in webrender::renderer::Renderer::render_impl::h8038a6dba1d0e58e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer.rs:3668:17
#10 0x7f0e11fb85ca in webrender::renderer::Renderer::render::hdfbc7af5f22bb73d /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer.rs:3419:30
#11 0x7f0e11d1188c in wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:614:11
#12 0x7f0e0bd4730e in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:193:8
#13 0x7f0e0bd460a4 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:488:31
#14 0x7f0e0bd45b0f in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:325:3
#15 0x7f0e0bd4ec2e in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1188:12
#16 0x7f0e0bd4ec2e in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1194:12
#17 0x7f0e0bd4ec2e in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1240:13
#18 0x7f0e0ad01c2f in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:465:9
#19 0x7f0e0ad02775 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:473:5
#20 0x7f0e0ad02a1a in MessageLoop::DoWork() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:548:13
#21 0x7f0e0ad03400 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
#22 0x7f0e0ad018f3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#23 0x7f0e0ad0180d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#24 0x7f0e0ad0180d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#25 0x7f0e0ad0fa97 in base::Thread::ThreadMain() /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:191:16
#26 0x7f0e0ad0b009 in ThreadFunc(void*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
#27 0x7f0e20a45608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477:8
#28 0x7f0e2060e292 in clone /build/glibc-ZN95T4/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
||
Comment 1•3 years ago
|
||
Got a crash : https://crash-stats.mozilla.org/report/index/e8be8ac2-a050-4ec0-9740-bc9af0201116#tab-bugzilla
|
Reporter | |
Comment 2•3 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201116101121-e22423381bcd.
The bug appears to have been introduced in the following build range:
Start: 07b5def477f77911c23ca458daf5aa7d649c0452 (20200331093231)
End: e3f5c752e57fb82c03a9e8fb288907599b6d9489 (20200331093915)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=07b5def477f77911c23ca458daf5aa7d649c0452&tochange=e3f5c752e57fb82c03a9e8fb288907599b6d9489
|
||
Comment 3•3 years ago
|
||
e3f5c752e57fb82c03a9e8fb288907599b6d9489 Nicolas Silva — Bug 1595768 - Don't track empty items in the texture cache. r=gw
f777b2dc12235eb7668fb639f629db1017ad39cc Nicolas Silva — Bug 1595768 - Don't evict blank glyphs to avoid re-rasterizing them continuously. r=gw
fbeb908b3513f23cb815b207622f492279eff175 Nicolas Silva — Bug 1625220 - Add autocfg to duplicate exceptions. r=gw
793808082134bce53a0066f55f86c4a470a463ba Nicolas Silva — Bug 1625220 - Remove a number of Foo::from_untyped(&bar.to_untyped()) casts. r=gw
17bf8121665a1b6fa9ce8de05b53c9067e9933f9 Nicolas Silva — Bug 1625220 - Use euclid 0.20.8. r=gw
da4563936652c0f91133871df477f99292fac33a Nicolas Silva — Bug 1617050 - Take shadow offsets into account when clipping a primitive. r=gw
From testcase:
scale: 19662 ! important;
height: 69em;
border-top: transparent medium inset !important;
filter: drop-shadow(15mm -46mm springgreen);
|
||
Updated•3 years ago
|
|
||
Comment 4•2 years ago
|
||
Bugmon Analysis
The bug appears to have been fixed in the following build range:
Start: a0b52f4d44f2f583fb6a8033c47973737f713bb8 (20201206213246)
End: 1297d9265f7223e573536af9f3e5adbe79beec25 (20201206210400)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=a0b52f4d44f2f583fb6a8033c47973737f713bb8&tochange=1297d9265f7223e573536af9f3e5adbe79beec25
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
||
Comment 5•2 years ago
|
||
(Bugmon [:jkratzer for issues] from comment #4)
Bugmon Analysis
The bug appears to have been fixed in the following build range:Start: a0b52f4d44f2f583fb6a8033c47973737f713bb8 (20201206213246)
End: 1297d9265f7223e573536af9f3e5adbe79beec25 (20201206210400)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=a0b52f4d44f2f583fb6a8033c47973737f713bb8&tochange=1297d9265f7223e573536af9f3e5adbe79beec25
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
The crash was fixed by:
1297d9265f7223e573536af9f3e5adbe79beec25 Glenn Watson — Bug 1676559 - Pt 9 - Make clip mask sampler depend on explicit cache texture. r=nical
95c9143cca21adf342535ac5e7c08e34032b9cb4 Glenn Watson — Bug 1676559 - Pt 8 - Move render target pool from renderer to frame building. r=nical,jnicol
first good (bug 1676559 comment 33): no crash, but a warning:
mozregression --repo autoland --launch a4209b1f9fc5 -a file:///home/darkspirit/Downloads/testcase/testcase.html -B debug -P stdout
0:57.91 INFO: b'[ERROR webrender::device::gl] Attempting to allocate a texture of size 2816x8448 above the limit, trimming'
The warning is also gone now:
mozregression --find-fix --bad 2020-12-09 --good 2021-10-10 -a file:///home/darkspirit/Downloads/testcase/testcase.html -P stdout
9:46.00 INFO: First good revision: 7ede736ae56e80163f5a169007dbeefdaeeaf195
9:46.00 INFO: Last bad revision: 0fccc6a4922d97ecc341be5ba257e11bbbf5a509
9:46.00 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0fccc6a4922d97ecc341be5ba257e11bbbf5a509&tochange=7ede736ae56e80163f5a169007dbeefdaeeaf195
7ede736ae56e80163f5a169007dbeefdaeeaf195 Nicolas Silva — Bug 1701395 - Report the device's max texture size (up to 16k). r=jrmuizel
Description
•