Closed Bug 1689978 Opened 4 years ago Closed 3 years ago

Crash in [@ cs_clip_rectangle_vert::run]

Categories

(Core :: Graphics: WebRender, defect, P3)

defect

Tracking

()

RESOLVED FIXED
96 Branch
Tracking Status
thunderbird_esr91 --- unaffected
firefox-esr91 --- fixed
firefox94 --- wontfix
firefox95 --- wontfix
firefox96 --- fixed

People

(Reporter: gsvelto, Assigned: lsalzman)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

Crash report: https://crash-stats.mozilla.org/report/index/cc664e3f-3144-408a-8675-62fb60210130

Reason: SIGSEGV /SEGV_MAPERR

Top 10 frames of crashing thread:

0 libxul.so cs_clip_rectangle_vert::run x86_64-unknown-linux-gnu/release/build/swgl-bb9abe9c15ca849e/out/cs_clip_rectangle.h:615
1 libxul.so draw_quad gfx/wr/swgl/src/gl.cc:4309
2 libxul.so DrawElementsInstanced gfx/wr/swgl/src/gl.cc:4499
3 libxul.so webrender::renderer::Renderer::draw_instanced_batch gfx/wr/webrender/src/renderer/mod.rs:2701
4 libxul.so webrender::renderer::Renderer::draw_clip_batch_list gfx/wr/webrender/src/renderer/mod.rs:3864
5 libxul.so webrender::renderer::Renderer::draw_frame gfx/wr/webrender/src/renderer/mod.rs:4675
6 libxul.so webrender::renderer::Renderer::render_impl gfx/wr/webrender/src/renderer/mod.rs:2127
7 libxul.so webrender::renderer::Renderer::render gfx/wr/webrender/src/renderer/mod.rs:1873
8 libxul.so wr_renderer_render gfx/webrender_bindings/src/bindings.rs:639
9 libxul.so mozilla::wr::RendererOGL::UpdateAndRender gfx/webrender_bindings/RendererOGL.cpp:186

There's a bit of noise under this signature but I can see at least 2-3 crashes in nightly that come from different users and have the different stack and reason so I suspect it might be valid.

Severity: -- → S3
Priority: -- → P3
OS: Unspecified → All
Hardware: Unspecified → All
Depends on: 1723774
See Also: → 1731636

Attempting to just clamping the base address returning from texelFetchPtr might be causing
some crashes in the case the texture is actually smaller than the offset area. Instead, switch
out the sampler with a zero buffer to ensure we have something sane to sample without having
to do slow bounds checking on everything.

Assignee: nobody → lsalzman
Status: NEW → ASSIGNED
Flags: needinfo?(lsalzman)
Pushed by lsalzman@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2d1f7196e88a Fill out-of-bounds texelFetchPtr with zeroes rather than clamping. r=jrmuizel
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 96 Branch

No crashes on Fx96. Please request ESR approval on this when you get a chance.

Flags: needinfo?(lsalzman)

Comment on attachment 9253086 [details]
Bug 1689978 - Fill out-of-bounds texelFetchPtr with zeroes rather than clamping. r?jrmuizel

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: Potential crashes in low memory conditions.
  • Fix Landed on Version: 96
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Tested in release.
Flags: needinfo?(lsalzman)
Attachment #9253086 - Flags: approval-mozilla-esr91?

Ryan, for ESR91 uplift, only the changes in gfx/wr/glsl-to-cxx/src/lib.rs and gfx/wr/swgl/src/texture.h should actually be applied. I think some of the other hunks in that patch might fail simply because the code it modifies might not exist, but it doesn't actually matter.

Looks like only one hunk of the patch fails because out_of_memory in gl.cc does not exist in 91, but that is fine and should have no effect on the patch building or working.

Comment on attachment 9253086 [details]
Bug 1689978 - Fill out-of-bounds texelFetchPtr with zeroes rather than clamping. r?jrmuizel

Approved for 91.6esr, thanks.

Attachment #9253086 - Flags: approval-mozilla-esr91? → approval-mozilla-esr91+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: