Closed Bug 1695782 Opened 3 years ago Closed 3 years ago

fpe in [@ linear_row_yuv]

Categories

(Core :: Graphics: WebRender, defect)

Product:
Core
Component:
Graphics: WebRender
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
88 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox86 --- unaffected
firefox87 --- disabled
firefox88 --- verified

People

(Reporter: tsmith, Assigned: lsalzman)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(3 files)

testcase.html
2.54 KB, text/html
Details
prefs.js
9.19 KB, application/x-javascript
Details
Bug 1695782 - Verify that YUV texture step is non-zero. r?jrmuizel
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

First seen fuzzing with m-c 20210228-f875a4ffd653

==28247==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x556e8ee8e95a bp 0x7f7c576a6270 sp 0x7f7c576a6260 T39)
==28247==The signal is caused by a WRITE memory access.
==28247==Hint: address points to the zero page.
    #0 0x556e8ee8e95a in mozalloc_abort /gecko/memory/mozalloc/mozalloc_abort.cpp:33:3
    #1 0x7f7c7946b685 in NS_DebugBreak /gecko/xpcom/base/nsDebugImpl.cpp
    #2 0x7f7c84b0970b in fpehandler(int, siginfo_t*, void*) /gecko/toolkit/xre/nsSigHandlers.cpp:148:5
    #3 0x7f7c99ae93bf  (/lib/x86_64-linux-gnu/libpthread.so.0+0x153bf)
    #4 0x7f7c8b793299 in void linear_row_yuv<true>(unsigned int*, int, glsl::sampler2DRect_impl*, glsl::vec2_scalar const&, float, glsl::sampler2DRect_impl*, glsl::sampler2DRect_impl*, glsl::vec2_scalar const&, float, int, YUVMatrix const&) (/home/worker/builds/m-c-20210228215216-fuzzing-asan-opt/libxul.so+0x17149299)
    #5 0x7f7c8b7778e5 in int blendYUV<true>(unsigned int*, int, glsl::sampler2DRect_impl*, glsl::vec2, glsl::vec4_scalar const&, float, glsl::sampler2DRect_impl*, glsl::vec2, glsl::vec4_scalar const&, float, glsl::sampler2DRect_impl*, glsl::vec2, glsl::vec4_scalar const&, float, int, int, NoColor) (/home/worker/builds/m-c-20210228215216-fuzzing-asan-opt/libxul.so+0x1712d8e5)
    #6 0x7f7c8b777095 in brush_yuv_image_ALPHA_PASS_TEXTURE_RECT_YUV_frag::swgl_drawSpanRGBA8() (/home/worker/builds/m-c-20210228215216-fuzzing-asan-opt/libxul.so+0x1712d095)
    #7 0x7f7c8b774b30 in brush_yuv_image_ALPHA_PASS_TEXTURE_RECT_YUV_frag::draw_span_RGBA8(brush_yuv_image_ALPHA_PASS_TEXTURE_RECT_YUV_frag*) (/home/worker/builds/m-c-20210228215216-fuzzing-asan-opt/libxul.so+0x1712ab30)
    #8 0x7f7c8b80b035 in void draw_quad_spans<unsigned int>(int, glsl::vec2_scalar*, unsigned short, glsl::vec3*, Texture&, int, Texture&, ClipRect const&) (/home/worker/builds/m-c-20210228215216-fuzzing-asan-opt/libxul.so+0x171c1035)
    #9 0x7f7c8b615cec in draw_quad(int, Texture&, int, Texture&) (/home/worker/builds/m-c-20210228215216-fuzzing-asan-opt/libxul.so+0x16fcbcec)
    #10 0x7f7c8b6131c1 in DrawElementsInstanced (/home/worker/builds/m-c-20210228215216-fuzzing-asan-opt/libxul.so+0x16fc91c1)
    #11 0x7f7c8abf7c8f in webrender::device::gl::Device::draw_indexed_triangles_instanced_u16::hda2820da10b4b037 /gecko/gfx/wr/webrender/src/device/gl.rs:3620:9
    #12 0x7f7c8abf7c8f in webrender::renderer::Renderer::draw_instanced_batch::h0634b4e954891942 /gecko/gfx/wr/webrender/src/renderer/mod.rs:2505:17
    #13 0x7f7c8abe49e0 in webrender::renderer::Renderer::draw_alpha_batch_container::h5abbcaab9f4e50e3 /gecko/gfx/wr/webrender/src/renderer/mod.rs:2987:17
    #14 0x7f7c8abbccb4 in webrender::renderer::Renderer::draw_picture_cache_target::h614fcefeecf01064 /gecko/gfx/wr/webrender/src/renderer/mod.rs:2812:9
    #15 0x7f7c8abbccb4 in webrender::renderer::Renderer::draw_frame::hb5968c690245d0b2 /gecko/gfx/wr/webrender/src/renderer/mod.rs:4447:21
    #16 0x7f7c8ac1afb8 in webrender::renderer::Renderer::render_impl::haaab4f61b5bcc954 /gecko/gfx/wr/webrender/src/renderer/mod.rs:2150:17
    #17 0x7f7c8ac3be44 in webrender::renderer::Renderer::render::h845e2e42e61a5df0 /gecko/gfx/wr/webrender/src/renderer/mod.rs:1886:30
    #18 0x7f7c8aea972e in wr_renderer_render /gecko/gfx/webrender_bindings/src/bindings.rs:637:11
    #19 0x7f7c7c586d3e in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /gecko/gfx/webrender_bindings/RendererOGL.cpp:186:8
    #20 0x7f7c7c585482 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /gecko/gfx/webrender_bindings/RenderThread.cpp:482:31
    #21 0x7f7c7c58461e in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /gecko/gfx/webrender_bindings/RenderThread.cpp:337:3
    #22 0x7f7c7c59d296 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
    #23 0x7f7c7c59d296 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
    #24 0x7f7c7c59d296 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
    #25 0x7f7c7a7c2797 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /gecko/ipc/chromium/src/base/message_loop.cc:468:11
    #26 0x7f7c7a7c34fe in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /gecko/ipc/chromium/src/base/message_loop.cc:477:5
    #27 0x7f7c7a7c3d9b in MessageLoop::DoWork() /gecko/ipc/chromium/src/base/message_loop.cc:552:13
    #28 0x7f7c7a7c5096 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
    #29 0x7f7c7a7c2341 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #30 0x7f7c7a7c2341 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #31 0x7f7c7a7c2341 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #32 0x7f7c7a7e0648 in base::Thread::ThreadMain() /gecko/ipc/chromium/src/base/thread.cc:191:16
    #33 0x7f7c7a7d423c in ThreadFunc(void*) /gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #34 0x7f7c99add608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #35 0x7f7c996a6292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?
Attached file prefs.js
Keywords: bugmon

A Pernosco session is available here: https://pernos.co/debug/H1y5QZpqfMgX9z36If_cbg/index.html

Blocks: gfx-triage
Blocks: sw-wr-stability
No longer blocks: gfx-triage
Assignee: nobody → lsalzman
Status: NEW → ASSIGNED
Pushed by lsalzman@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2590d04ff745
Verify that YUV texture step is non-zero. r=jrmuizel

https://hg.mozilla.org/mozilla-central/rev/2590d04ff745

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox88: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210312153235-8fdbcaa80217.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox88: fixedverified
Keywords: bugmon
Crash Signature: [@ CompositeYUV] [@ linear_row_yuv<T>]
Crash Signature: [@ CompositeYUV] [@ linear_row_yuv<T>] → [@ CompositeYUV] [@ linear_row_yuv<T>]
status-firefox86: --- → unaffected
status-firefox87: --- → disabled
status-firefox-esr78: --- → unaffected
Flags: in-testsuite? → in-testsuite+
Regressed by: sw-wr-perf-linear
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: