Open Bug 1700242 Opened 2 years ago Updated 2 months ago

Crash in [@ webrender::visibility::update_primitive_visibility]

Categories

(Core :: Graphics: WebRender, defect, P3)

defect

Tracking

()

People

(Reporter: mccr8, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/cfba5755-4cf1-4349-9f05-8cc2c0210319

MOZ_CRASH Reason: index out of bounds: the len is 16 but the index is 4294967295

Top 10 frames of crashing thread:

0 xul.dll RustMozCrash mozglue/static/rust/wrappers.cpp:16
1 xul.dll mozglue_static::panic_hook mozglue/static/rust/lib.rs:89
2 xul.dll core::ops::function::Fn::call<fn ../cb75ad5db02783e8b0222fee363c5f63f7e2cf5b/library/core/src/ops/function.rs:227
3 xul.dll std::panicking::rust_panic_with_hook ../cb75ad5db02783e8b0222fee363c5f63f7e2cf5b//library/std/src/panicking.rs:595
4 xul.dll std::panicking::begin_panic_handler::{{closure}} ../cb75ad5db02783e8b0222fee363c5f63f7e2cf5b//library/std/src/panicking.rs:497
5 xul.dll std::sys_common::backtrace::__rust_end_short_backtrace<closure-0, !> ../cb75ad5db02783e8b0222fee363c5f63f7e2cf5b//library/std/src/sys_common/backtrace.rs:141
6 xul.dll std::panicking::begin_panic_handler ../cb75ad5db02783e8b0222fee363c5f63f7e2cf5b//library/std/src/panicking.rs:493
7 xul.dll core::panicking::panic_fmt ../cb75ad5db02783e8b0222fee363c5f63f7e2cf5b//library/core/src/panicking.rs:92
8 xul.dll core::panicking::panic_bounds_check ../cb75ad5db02783e8b0222fee363c5f63f7e2cf5b//library/core/src/panicking.rs:69
9 xul.dll webrender::visibility::update_primitive_visibility gfx/wr/webrender/src/visibility.rs:319

Looks like the index is -1? Not super high volume, but there are a couple of install times.

OS: Windows 7 → All
Hardware: x86 → All

There are two distinct signatures here, representing half of the distribution:

As reported, we see:
https://crash-stats.mozilla.org/report/index/5a911c1e-4bc4-4d1f-8adf-ffcfe0210322

And an assertion called `Option::unwrap()` on a `None` value:
https://crash-stats.mozilla.org/report/index/c679a1e1-8c0d-479b-90c4-7a4820210325

Severity: -- → S3
Flags: needinfo?(gwatson)
Priority: -- → P3

Do we have any URLs or possible repro steps for this?

Flags: needinfo?(gwatson)

Nothing stands out. about:newtab, about:blank, YouTube, Reddit, etc. Seems like it could happen anywhere based on that.

Taking another look at this. It's a bit confusing since there are (have been) several different crashes getting correlated to the same signature.

All the most recent ones seem to be a panic, but the panic string doesn't seem to show up in the crash reports. From looking at the line numbers, there is only one panic I can see, but I can't see how that could occur given the caller. So we'll need some detailed repro and/or URLs to have a chance of diagnosing the most recent reports.

(In reply to Glenn Watson [:gw] from comment #4)

All the most recent ones seem to be a panic, but the panic string doesn't seem to show up in the crash reports.

You need protected data access on crash-stats to see the panic string, so you need to either get access yourself following the procedure on that page, or you can ask somebody else to get the strings for you.

Looking at a few recent Nightly crashes with this signature:

bp-c5971584-0292-4bd6-83ca-0e8b80211126
"index out of bounds: the len is 1059 but the index is 8816"

bp-08ad1649-572c-4379-ac2d-9f2640211125
"assertion failed: spatial_tree.is_ancestor(node.spatial_node_index, prim_spatial_node_index)"

(In reply to Andrew McCreight [:mccr8] from comment #5)

(In reply to Glenn Watson [:gw] from comment #4)

All the most recent ones seem to be a panic, but the panic string doesn't seem to show up in the crash reports.

You need protected data access on crash-stats to see the panic string, so you need to either get access yourself following the procedure on that page, or you can ask somebody else to get the strings for you.

Looking at a few recent Nightly crashes with this signature:

bp-c5971584-0292-4bd6-83ca-0e8b80211126
"index out of bounds: the len is 1059 but the index is 8816"

bp-08ad1649-572c-4379-ac2d-9f2640211125
"assertion failed: spatial_tree.is_ancestor(node.spatial_node_index, prim_spatial_node_index)"

Is that something that's recently changed or something that is per-bug? I've definitely seen crash reports previously where I could see the content of the panic string...

The reports in 4, 5 and 6 don't crash reasons for me, either, so I guess the crash report just doesn't have them. Maybe something went wrong with the crash reporter.

It looks like the crash reports I linked actually do have sanitized crash reasons. I thought it used to show both sanitized and raw if you had data access, but looking at it now it seems to only show raw, so I was just confused there.

Flags: needinfo?(continuation)

OK, I'll see if we can work out what might cause the ones where we do have reasons available, thanks!

See Also: → 1745775

I believe the remaining crashes with this signature will be resolved by the fix in https://bugzilla.mozilla.org/show_bug.cgi?id=1745775

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 5 GPU process crashes on release

:gw, could you consider increasing the severity of this top-crash bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(gwatson)
Keywords: topcrash

There seems to have been a spike in crashes recently, but all on old versions of Firefox? Doesn't seem to be any crashes in recent versions of Firefox, is that right?

Flags: needinfo?(gwatson) → needinfo?(mcastelluccio)

Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.

For more information, please visit auto_nag documentation.

Keywords: topcrash

Yeah, maybe we should ignore really old versions (we are currently filtering just by channel). I filed https://github.com/mozilla/relman-auto-nag/issues/1675.

Flags: needinfo?(mcastelluccio)
You need to log in before you can comment on or make changes to this bug.