Closed
Bug 1705270
Opened 3 years ago
Closed 3 years ago
Hit MOZ_CRASH(assertion failed: sub_slice_index < self.sub_slices.len() - 1) at gfx/wr/webrender/src/picture.rs:3256
Categories
(Core :: Graphics: WebRender, defect)
Core
Graphics: WebRender
Tracking
()
VERIFIED
FIXED
89 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox87 | --- | unaffected |
| firefox88 | --- | unaffected |
| firefox89 | --- | verified |
People
(Reporter: tsmith, Assigned: gw)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(3 files)
First found while fuzzing m-c 20210414-e105fb5fb5cf (--enable-debug --enable-fuzzing)
Hit MOZ_CRASH(assertion failed: sub_slice_index < self.sub_slices.len() - 1) at gfx/wr/webrender/src/picture.rs:3256
#0 0x7fb8de07c465 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:246:3
#1 0x7fb8de07c465 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:17:3
#2 0x7fb8de07c414 in mozglue_static::panic_hook::h99e59ae8464cffce /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:89:9
#3 0x7fb8de07bdeb in core::ops::function::Fn::call::hb3ebde122b59edf5 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:70:5
#4 0x7fb8df08ea45 in std::panicking::rust_panic_with_hook::h71e6a073d87de1f5 /rustc/2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/std/src/panicking.rs:595:17
#5 0x7fb8df08e536 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hd549436f6bb6dbb8 /rustc/2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/std/src/panicking.rs:495:13
#6 0x7fb8df08a72b in std::sys_common::backtrace::__rust_end_short_backtrace::h4e5f4b72b04174c3 /rustc/2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/std/src/sys_common/backtrace.rs:141:18
#7 0x7fb8df08e4c8 in rust_begin_unwind /rustc/2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/std/src/panicking.rs:493:5
#8 0x7fb8df0f7640 in core::panicking::panic_fmt::hcd56f7f635f62c74 /rustc/2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/core/src/panicking.rs:92:14
#9 0x7fb8df0f758c in core::panicking::panic::h07405d6be4bce887 /rustc/2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/core/src/panicking.rs:50:5
#10 0x7fb8dd9768ad in webrender::picture::TileCacheInstance::setup_compositor_surfaces_impl::hde204019a1164dda /builds/worker/checkouts/gecko/gfx/wr/webrender/src/picture.rs:3256:9
#11 0x7fb8dd97887f in webrender::picture::TileCacheInstance::setup_compositor_surfaces_yuv::h26dd2ae55fd0df28 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/picture.rs:2979:9
#12 0x7fb8dd97887f in webrender::picture::TileCacheInstance::update_prim_dependencies::h753f5dbfd972eefe /builds/worker/checkouts/gecko/gfx/wr/webrender/src/picture.rs:3552:42
#13 0x7fb8ddadd0bd in webrender::visibility::update_primitive_visibility::ha0736ac51848dacb /builds/worker/checkouts/gecko/gfx/wr/webrender/src/visibility.rs:459:17
#14 0x7fb8ddadbe59 in webrender::visibility::update_primitive_visibility::ha0736ac51848dacb /builds/worker/checkouts/gecko/gfx/wr/webrender/src/visibility.rs:294:44
#15 0x7fb8dd944b5d in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::h97bca849e81221c3 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/frame_builder.rs:418:17
#16 0x7fb8dd944b5d in webrender::frame_builder::FrameBuilder::build::h3bf43a5bd3ead318 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/frame_builder.rs:574:9
#17 0x7fb8dd9cde47 in webrender::render_backend::Document::build_frame::h16f61c5110094dfe /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:626:25
#18 0x7fb8dd9df383 in webrender::render_backend::RenderBackend::update_document::h3261e84ba2b4aec0 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1556:41
#19 0x7fb8dd9d56b6 in webrender::render_backend::RenderBackend::prepare_transactions::hc00182363586dcd4 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1408:28
#20 0x7fb8dd9d56b6 in webrender::render_backend::RenderBackend::process_api_msg::h5b28bd2de2afdd0a /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1261:17
#21 0x7fb8dd7c6a49 in webrender::render_backend::RenderBackend::run::h7f4cbbe2ecba02a2 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:909:21
#22 0x7fb8dd7c6a49 in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::h17544c4b55264a8e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1285:13
#23 0x7fb8dd7c6a49 in std::sys_common::backtrace::__rust_begin_short_backtrace::ha1d3b7e6a58e9161 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:125:18
#24 0x7fb8dd7e8449 in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hca00fb971ab6655f /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:474:17
#25 0x7fb8dd7e8449 in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h8bb23e0206900091 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:344:9
#26 0x7fb8dd7e8449 in std::panicking::try::do_call::hf6798e7b0859edca /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:379:40
#27 0x7fb8dd7e8449 in std::panicking::try::ha37a570903fe5af9 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:343:19
#28 0x7fb8dd7e8449 in std::panic::catch_unwind::h4c53a488c053c07d /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:431:14
#29 0x7fb8dd7e8449 in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::h2f8650268659bc1e /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:473:30
#30 0x7fb8dd7e8449 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h0d2fc460a30ad122 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:227:5
#31 0x7fb8df09f039 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h61144a2be4ee36d8 /rustc/2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/alloc/src/boxed.rs:1521:9
#32 0x7fb8df09f039 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::hcf5d395fdd120c17 /rustc/2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/alloc/src/boxed.rs:1521:9
#33 0x7fb8df09f039 in std::sys::unix::thread::Thread::new::thread_start::hb5e40d3d934ebb7a /rustc/2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/std/src/sys/unix/thread.rs:71:17
#34 0x7fb8ebcda608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
#35 0x7fb8eb8a3292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?
|
Reporter | |
Comment 1•3 years ago
|
||
|
Assignee | |
Comment 2•3 years ago
|
||
I can reproduce this locally - investigating now.
|
|
Assignee | |
Comment 3•3 years ago
|
||
We don't currently handle the case where a compositor surface is inside a
picture primitive that is a pass through (has composite mode of None),
because we only count required compositor surfaces at the top level prim
list of a tile cache.
However, the code to promote a surface was only checking if it existed on
the same physical surface, not the root picture cache.
This patch prevents compositor surfaces being promoted in this case (which
only occurs if inside a backdrop-filter container, or a 3d transform root).
|
||
Updated•3 years ago
|
Assignee: nobody → gwatson
Status: NEW → ASSIGNED
|
||
Comment 4•3 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210415040011-3b9876116bf1.
Failed to bisect testcase (Unable to launch the start build!):
Start: 300228102cea98e8f7de648a439c19cda71d1973 (20200416030004)
End: e105fb5fb5cfef90d80a69e121f971a08df83e64 (20210414160838)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False)
Whiteboard: [bugmon:bisected,confirmed]
Pushed by gwatson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e3ee5a86a98c Fix assert when compositor surface is in a pass-through picture r=gfx-reviewers,lsalzman
|
||
Comment 6•3 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 89 Branch
|
|
||
Comment 7•3 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210416030733-d26e6241a273.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
||
Updated•3 years ago
|
status-firefox87:
--- → unaffected
status-firefox88:
--- → unaffected
status-firefox-esr78:
--- → unaffected
Flags: in-testsuite? → in-testsuite+
|
||
Comment 8•2 years ago
|
||
:gw, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Flags: needinfo?(gwatson)
You need to log in
before you can comment on or make changes to this bug.
Description
•