Crash in [@ cs_clip_rectangle_vert::run]
Categories
(Core :: Graphics: WebRender, defect, P3)
Tracking
()
| Tracking | Status | |
|---|---|---|
| thunderbird_esr91 | --- | unaffected |
| firefox-esr91 | --- | fixed |
| firefox94 | --- | wontfix |
| firefox95 | --- | wontfix |
| firefox96 | --- | fixed |
People
(Reporter: gsvelto, Assigned: lsalzman)
References
(Blocks 1 open bug)
Details
(Keywords: crash)
Crash Data
Attachments
(1 file)
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-esr91+
|
Details | Review |
Crash report: https://crash-stats.mozilla.org/report/index/cc664e3f-3144-408a-8675-62fb60210130
Reason: SIGSEGV /SEGV_MAPERR
Top 10 frames of crashing thread:
0 libxul.so cs_clip_rectangle_vert::run x86_64-unknown-linux-gnu/release/build/swgl-bb9abe9c15ca849e/out/cs_clip_rectangle.h:615
1 libxul.so draw_quad gfx/wr/swgl/src/gl.cc:4309
2 libxul.so DrawElementsInstanced gfx/wr/swgl/src/gl.cc:4499
3 libxul.so webrender::renderer::Renderer::draw_instanced_batch gfx/wr/webrender/src/renderer/mod.rs:2701
4 libxul.so webrender::renderer::Renderer::draw_clip_batch_list gfx/wr/webrender/src/renderer/mod.rs:3864
5 libxul.so webrender::renderer::Renderer::draw_frame gfx/wr/webrender/src/renderer/mod.rs:4675
6 libxul.so webrender::renderer::Renderer::render_impl gfx/wr/webrender/src/renderer/mod.rs:2127
7 libxul.so webrender::renderer::Renderer::render gfx/wr/webrender/src/renderer/mod.rs:1873
8 libxul.so wr_renderer_render gfx/webrender_bindings/src/bindings.rs:639
9 libxul.so mozilla::wr::RendererOGL::UpdateAndRender gfx/webrender_bindings/RendererOGL.cpp:186
There's a bit of noise under this signature but I can see at least 2-3 crashes in nightly that come from different users and have the different stack and reason so I suspect it might be valid.
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
||
Comment 2•3 years ago
|
||
significant increase started in version 90
https://crash-stats.mozilla.org/signature/?signature=cs_clip_rectangle_vert%3A%3Arun&date=%3E%3D2021-07-04T04%3A27%3A00.000Z&date=%3C2021-10-04T04%3A27%3A00.000Z#summary
After bug 1731636 landed on nightly, the crashes continue
https://crash-stats.mozilla.org/signature/?version=94.0a1&signature=cs_clip_rectangle_vert%3A%3Arun&date=%3E%3D2021-07-04T04%3A27%3A00.000Z&date=%3C2021-10-04T04%3A27%3A00.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_columns=startup_crash&_sort=-date&page=1#reports
|
|
||
Updated•3 years ago
|
|
Assignee | |
Comment 3•2 years ago
|
||
Attempting to just clamping the base address returning from texelFetchPtr might be causing
some crashes in the case the texture is actually smaller than the offset area. Instead, switch
out the sampler with a zero buffer to ensure we have something sane to sample without having
to do slow bounds checking on everything.
|
||
Updated•2 years ago
|
|
|
Assignee | |
Updated•2 years ago
|
Pushed by lsalzman@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2d1f7196e88a Fill out-of-bounds texelFetchPtr with zeroes rather than clamping. r=jrmuizel
|
||
Comment 5•2 years ago
|
||
| bugherder | ||
|
||
Updated•2 years ago
|
|
|
||
Comment 6•2 years ago
|
||
No crashes on Fx96. Please request ESR approval on this when you get a chance.
|
|
Assignee | |
Comment 7•2 years ago
|
||
Comment on attachment 9253086 [details]
Bug 1689978 - Fill out-of-bounds texelFetchPtr with zeroes rather than clamping. r?jrmuizel
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: Potential crashes in low memory conditions.
- Fix Landed on Version: 96
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Tested in release.
|
|
Assignee | |
Comment 8•2 years ago
|
||
Ryan, for ESR91 uplift, only the changes in gfx/wr/glsl-to-cxx/src/lib.rs and gfx/wr/swgl/src/texture.h should actually be applied. I think some of the other hunks in that patch might fail simply because the code it modifies might not exist, but it doesn't actually matter.
|
|
Assignee | |
Comment 9•2 years ago
|
||
Looks like only one hunk of the patch fails because out_of_memory in gl.cc does not exist in 91, but that is fine and should have no effect on the patch building or working.
|
|
||
Comment 10•2 years ago
|
||
Comment on attachment 9253086 [details]
Bug 1689978 - Fill out-of-bounds texelFetchPtr with zeroes rather than clamping. r?jrmuizel
Approved for 91.6esr, thanks.
|
|
||
Comment 11•2 years ago
|
||
| bugherder uplift | ||
Description
•