1700232 - Hit MOZ_CRASH(assertion failed: !params.descriptor.size.is_empty()) at gfx/wr/webrender/src/texture_cache.rs:1624

Status: VERIFIED FIXED

(Core :: Graphics: WebRender, defect, P3)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20210320-f56d2bf535d6 (--enable-debug --enable-fuzzing)

Hit MOZ_CRASH(assertion failed: !params.descriptor.size.is_empty()) at gfx/wr/webrender/src/texture_cache.rs:1624

#0 0x7f05198eb135 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:254:3
#1 0x7f05198eb135 in RustMozCrash src/mozglue/static/rust/wrappers.cpp:17:3
#2 0x7f05198eb0e4 in mozglue_static::panic_hook::h52aa0e5c41eb49de src/mozglue/static/rust/lib.rs:89:9
#3 0x7f05198eaabb in core::ops::function::Fn::call::h45fce903fef90bf4 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:70:5
#4 0x7f051a903515 in std::panicking::rust_panic_with_hook::hb27ea14285131c61 /rustc/cb75ad5db02783e8b0222fee363c5f63f7e2cf5b/library/std/src/panicking.rs:595:17
#5 0x7f051a903006 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hc552fcee62aad17f /rustc/cb75ad5db02783e8b0222fee363c5f63f7e2cf5b/library/std/src/panicking.rs:495:13
#6 0x7f051a8ff45b in std::sys_common::backtrace::__rust_end_short_backtrace::hb9f0aa9a78e885a0 /rustc/cb75ad5db02783e8b0222fee363c5f63f7e2cf5b/library/std/src/sys_common/backtrace.rs:141:18
#7 0x7f051a902f98 in rust_begin_unwind /rustc/cb75ad5db02783e8b0222fee363c5f63f7e2cf5b/library/std/src/panicking.rs:493:5
#8 0x7f051a96c760 in core::panicking::panic_fmt::h12ac4570ea43d06f /rustc/cb75ad5db02783e8b0222fee363c5f63f7e2cf5b/library/core/src/panicking.rs:92:14
#9 0x7f051a96c6ac in core::panicking::panic::h72bd72f6f4a70105 /rustc/cb75ad5db02783e8b0222fee363c5f63f7e2cf5b/library/core/src/panicking.rs:50:5
#10 0x7f05191f1ebe in webrender::texture_cache::TextureCache::allocate_cache_entry::h763e588ad9dc6d46 src/gfx/wr/webrender/src/texture_cache.rs:1624:9
#11 0x7f05191f1ebe in webrender::texture_cache::TextureCache::allocate::h16d2670c1c4eb9be src/gfx/wr/webrender/src/texture_cache.rs:1644:46
#12 0x7f05191f1ebe in webrender::texture_cache::TextureCache::update::h2c0dafcab9a505af src/gfx/wr/webrender/src/texture_cache.rs:1090:13
#13 0x7f0519100125 in webrender::render_task_cache::RenderTaskCache::alloc_render_task::he0c71eddc357de83 src/gfx/wr/webrender/src/render_task_cache.rs:176:9
#14 0x7f05190c547f in webrender::render_task_cache::RenderTaskCache::request_render_task::hb70aee8980e8b0cc src/gfx/wr/webrender/src/render_task_cache.rs:253:13
#15 0x7f05190c547f in webrender::resource_cache::ResourceCache::request_render_task::h0326ade2adb7daad src/gfx/wr/webrender/src/resource_cache.rs:594:9
#16 0x7f05190c547f in webrender::prim_store::gradient::radial::RadialGradientTemplate::update::ha379b5a7039fa262 src/gfx/wr/webrender/src/prim_store/gradient/radial.rs:224:23
#17 0x7f05190b1847 in webrender::prepare::prepare_interned_prim_for_render::h54fde54805c853e9 src/gfx/wr/webrender/src/prepare.rs:938:13
#18 0x7f05190afe15 in webrender::prepare::prepare_prim_for_render::hcef705fef2e19b0d src/gfx/wr/webrender/src/prepare.rs:251:5
#19 0x7f05190afe15 in webrender::prepare::prepare_primitives::h30480fd0f11d2ed9 src/gfx/wr/webrender/src/prepare.rs:119:16
#20 0x7f05190524f4 in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::hbd196e0a355fa892 src/gfx/wr/webrender/src/frame_builder.rs:480:17
#21 0x7f05190524f4 in webrender::frame_builder::FrameBuilder::build::hbbf24da9aab9928a src/gfx/wr/webrender/src/frame_builder.rs:572:9
#22 0x7f05190d907e in webrender::render_backend::Document::build_frame::h35cee1820359000b src/gfx/wr/webrender/src/render_backend.rs:622:25
#23 0x7f05190e9fcb in webrender::render_backend::RenderBackend::update_document::hb327ca0df4994300 src/gfx/wr/webrender/src/render_backend.rs:1508:41
#24 0x7f05190e0366 in webrender::render_backend::RenderBackend::prepare_transactions::h3253b83741782ded src/gfx/wr/webrender/src/render_backend.rs:1362:28
#25 0x7f05190e0366 in webrender::render_backend::RenderBackend::process_api_msg::h669825647dd68f81 src/gfx/wr/webrender/src/render_backend.rs:1218:17
#26 0x7f0518ecccdd in webrender::render_backend::RenderBackend::run::h9d404f4f82ce9be5 src/gfx/wr/webrender/src/render_backend.rs:894:21
#27 0x7f0518ecccdd in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::h0287ea296518ff7c src/gfx/wr/webrender/src/renderer/mod.rs:1281:13
#28 0x7f0518ecccdd in std::sys_common::backtrace::__rust_begin_short_backtrace::h1e021cc148337dd0 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:125:18
#29 0x7f0518eeedd9 in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h692c75054f207650 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:474:17
#30 0x7f0518eeedd9 in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h6eeba4835c596917 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:322:9
#31 0x7f0518eeedd9 in std::panicking::try::do_call::hfbc785d5d54f4d36 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:379:40
#32 0x7f0518eeedd9 in std::panicking::try::h79a89e99f34dc379 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:343:19
#33 0x7f0518eeedd9 in std::panic::catch_unwind::hd62f3d38488be536 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:396:14
#34 0x7f0518eeedd9 in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::h586ce072699f6516 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:473:30
#35 0x7f0518eeedd9 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::hf4220e17974a62de /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:227:5
#36 0x7f051a913929 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h9ed215ba67984d70 /rustc/cb75ad5db02783e8b0222fee363c5f63f7e2cf5b/library/alloc/src/boxed.rs:1328:9
#37 0x7f051a913929 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::hcece06e1fe04906f /rustc/cb75ad5db02783e8b0222fee363c5f63f7e2cf5b/library/alloc/src/boxed.rs:1328:9
#38 0x7f051a913929 in std::sys::unix::thread::Thread::new::thread_start::h6e82a4b7be15319a /rustc/cb75ad5db02783e8b0222fee363c5f63f7e2cf5b/library/std/src/sys/unix/thread.rs:71:17
#39 0x7f0526843608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
#40 0x7f052640c292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/EW_KtaNp2MCeOxms5bnwvA/index.html

Comment 2

[Andrew Osmond [:aosmond] (he/him)]

Reproducible just by visiting the test case:

https://crash-stats.mozilla.org/report/index/9992df40-06aa-4a93-b919-b7b600210325

Assert was added in bug 1595768.

Comment 3

[Nicolas Silva [:nical]]

Attachment: Bug 1700232 - Don't create zero-sized radial/conic gradients.

Comment 4

[Pulsebot]

Pushed by nsilva@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a986fdbc1e9f
Don't create zero-sized radial/conic gradients. r=gfx-reviewers,bradwerth

Comment 5

[Natalia Csoregi [:nataliaCs]]

https://hg.mozilla.org/mozilla-central/rev/a986fdbc1e9f

Comment 6

[Bugmon [:jkratzer for issues]]

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210329152522-098c3172afae.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Comment 7

[(Out Sep 17-23) Ryan VanderMeulen]

Hi Nicolas, does this need a Beta approval request?

Comment 8

[Nicolas Silva [:nical]]

Comment on attachment 9211782 [details]
Bug 1700232 - Don't create zero-sized radial/conic gradients.

Beta/Release Uplift Approval Request

• User impact if declined: Crashes
• Is this code covered by automated tests?: No
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): Very simple patch.
• String changes made/needed:

Comment 9

[(Out Sep 17-23) Ryan VanderMeulen]

Comment on attachment 9211782 [details]
Bug 1700232 - Don't create zero-sized radial/conic gradients.

Approved for Desktop 88.0b5 & Fenix 88.0.0-beta.3. That said, it would be nice if we could still land the testcase?

Comment 10

[(Out Sep 17-23) Ryan VanderMeulen]

https://hg.mozilla.org/releases/mozilla-beta/rev/d55f03fd3f47

Comment 11

[Nicolas Silva [:nical]]

Attachment: Bug 1700232 - Add the crash test. r=jnicol

Comment 12

[Pulsebot]

Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/2bf97020a1e6
Add the crash test. r=jnicol

Comment 13

[Natalia Csoregi [:nataliaCs]]

https://hg.mozilla.org/mozilla-central/rev/2bf97020a1e6

Comment 14

[(Out Sep 17-23) Ryan VanderMeulen]

https://hg.mozilla.org/releases/mozilla-beta/rev/2ec036188487

Comment 15

[BugBot [:suhaib / :marco/ :calixte]]

:nical, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Comment 16

[Marco Castelluccio [:marco]]

Sorry, wrong needinfo because of a bug in the bot.