Open Bug 1714699 Opened 3 years ago Updated 2 years ago

Assertion failure: it != mRenderTextures.end(), at src/gfx/webrender_bindings/RenderThread.cpp:762

Categories

(Core :: Graphics: WebRender, defect)

Product:
Core
Component:
Graphics: WebRender
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox90 --- affected
firefox91 --- affected

People

(Reporter: tsmith, Unassigned, NeedInfo)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

testcase.html
194 bytes, text/html
Details
Attached file testcase.html

Found while fuzzing m-c 20210404-1ec31daa1ae0 (--enable-debug --enable-fuzzing)

The attached test case is not very reliable. I will try to get a Pernosco session.

Assertion failure: it != mRenderTextures.end(), at src/gfx/webrender_bindings/RenderThread.cpp:762

#0 0x7f2f673a8ac6 in mozilla::wr::RenderThread::GetRenderTexture(mozilla::wr::ExternalImageId) src/gfx/webrender_bindings/RenderThread.cpp:762:3
#1 0x7f2f673b6b87 in GetRenderTexture src/gfx/webrender_bindings/RendererOGL.cpp:412:19
#2 0x7f2f673b6b87 in wr_renderer_lock_external_image src/gfx/webrender_bindings/RendererOGL.cpp:64:42
#3 0x7f2f6d7313dc in _$LT$webrender_bindings..bindings..WrExternalImageHandler$u20$as$u20$webrender_api..image..ExternalImageHandler$GT$::lock::h80e76f3cfed2d6fb src/gfx/webrender_bindings/src/bindings.rs:421:30
#4 0x7f2f6d9df788 in webrender::renderer::Renderer::update_deferred_resolves::h2de68cd379999015 src/gfx/wr/webrender/src/renderer/mod.rs:4272:25
#5 0x7f2f6d9df788 in webrender::renderer::gpu_cache::_$LT$impl$u20$webrender..renderer..Renderer$GT$::prepare_gpu_cache::ha18fef90a71188ac src/gfx/wr/webrender/src/renderer/gpu_cache.rs:494:36
#6 0x7f2f6da0dbc9 in webrender::renderer::Renderer::render_impl::hf0eaaa1ba1fb3c73 src/gfx/wr/webrender/src/renderer/mod.rs:2148:15
#7 0x7f2f6da0c048 in webrender::renderer::Renderer::render::h35bafb0dd4cf9b06 src/gfx/wr/webrender/src/renderer/mod.rs:1894:30
#8 0x7f2f6d731827 in wr_renderer_render src/gfx/webrender_bindings/src/bindings.rs:636:11
#9 0x7f2f673b33ca in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) src/gfx/webrender_bindings/RendererOGL.cpp:186:8
#10 0x7f2f673b2314 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) src/gfx/webrender_bindings/RenderThread.cpp:486:31
#11 0x7f2f673b1c92 in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) src/gfx/webrender_bindings/RenderThread.cpp:341:3
#12 0x7f2f673bbf0e in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#13 0x7f2f673bbf0e in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#14 0x7f2f673bbf0e in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#15 0x7f2f66367a0c in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) src/ipc/chromium/src/base/message_loop.cc:468:11
#16 0x7f2f66368575 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) src/ipc/chromium/src/base/message_loop.cc:477:5
#17 0x7f2f6636881a in MessageLoop::DoWork() src/ipc/chromium/src/base/message_loop.cc:552:13
#18 0x7f2f66369200 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) src/ipc/chromium/src/base/message_pump_default.cc:35:31
#19 0x7f2f66367673 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#20 0x7f2f6636758d in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#21 0x7f2f6636758d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#22 0x7f2f663754d7 in base::Thread::ThreadMain() src/ipc/chromium/src/base/thread.cc:191:16
#23 0x7f2f66370a29 in ThreadFunc(void*) src/ipc/chromium/src/base/platform_thread_posix.cc:40:13
#24 0x7f2f7d0aa608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
#25 0x7f2f7cc73292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/SmQHVW_x6CO5VyRTtIMY0g/index.html

Sotaro, any ideas what is happening here?

Blocks: wr-fuzz
Severity: -- → S3
Flags: needinfo?(sotaro.ikeda.g)

The assert failure happened by aExternalImageId = 34359738401. And RenderThread::UnregisterExternalImage() of aExternalImageId = 34359738401 was called by SharedSurfacesParent::Remove().

:aosmond, can you take a look? ASSERT failure seems to related to SharedSurfacesParent::Remove().

Flags: needinfo?(sotaro.ikeda.g) → needinfo?(aosmond)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: