Closed Bug 1716469 Opened 3 years ago Closed 2 years ago

Assertion failure: [GFX1 28]: ImageRenderer::Draw problem 0, at /builds/worker/checkouts/gecko/gfx/2d/Logging.h:760

Categories: Core :: Web Painting, defect

Tracking: RESOLVED FIXED, 99 Branch
Tracking Status: firefox91 --- wontfix

People: Reporter: tsmith, Assigned: jrmuizel

References: Blocks 1 open bug

Details: Keywords: assertion, crash, testcase; Whiteboard: [bugmon:bisected,confirmed]

Attachments: 2 files

Attached file testcase.html

Found while fuzzing m-c 20210614-e77eb14241b9 (--enable-debug --enable-fuzzing)

Assertion failure: [GFX1 28]: ImageRenderer::Draw problem 0, at /builds/worker/checkouts/gecko/gfx/2d/Logging.h:760

#0 0x7f7a8186e1ff in mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::WriteLog(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) src/gfx/2d/Logging.h:761:9
#1 0x7f7a8186e10e in mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::Flush() src/gfx/2d/Logging.h:277:7
#2 0x7f7a85338acb in ~Log /builds/worker/workspace/obj-build/dist/include/mozilla/gfx/Logging.h:270:12
#3 0x7f7a85338acb in mozilla::nsImageRenderer::Draw(nsPresContext*, gfxContext&, nsRect const&, nsRect const&, nsRect const&, nsPoint const&, nsSize const&, mozilla::gfx::IntRectTyped<mozilla::CSSPixel> const&, float) src/layout/painting/nsImageRenderer.cpp:467:7
#4 0x7f7a8533a171 in mozilla::nsImageRenderer::DrawLayer(nsPresContext*, gfxContext&, nsRect const&, nsRect const&, nsPoint const&, nsRect const&, nsSize const&, float) src/layout/painting/nsImageRenderer.cpp:763:10
#5 0x7f7a852d18dc in nsCSSRendering::PaintStyleImageLayerWithSC(nsCSSRendering::PaintBGParams const&, gfxContext&, mozilla::ComputedStyle*, nsStyleBorder const&) src/layout/painting/nsCSSRendering.cpp:2580:38
#6 0x7f7a851c1df3 in mozilla::PaintMaskSurface(mozilla::SVGIntegrationUtils::PaintFramesParams const&, mozilla::gfx::DrawTarget*, float, mozilla::ComputedStyle*, nsTArray<mozilla::SVGMaskFrame*> const&, mozilla::gfx::BaseMatrix<float> const&, nsPoint const&) src/layout/svg/SVGIntegrationUtils.cpp:554:35
#7 0x7f7a851e9ed0 in mozilla::CreateAndPaintMaskSurface(mozilla::SVGIntegrationUtils::PaintFramesParams const&, float, mozilla::ComputedStyle*, nsTArray<mozilla::SVGMaskFrame*> const&, nsPoint const&) src/layout/svg/SVGIntegrationUtils.cpp:624:25
#8 0x7f7a851c329e in void mozilla::PaintMaskAndClipPathInternal<std::function<void ()> >(mozilla::SVGIntegrationUtils::PaintFramesParams const&, std::function<void ()> const&) src/layout/svg/SVGIntegrationUtils.cpp:903:37
#9 0x7f7a85318c2e in nsDisplayMasksAndClipPaths::PaintWithContentsPaintCallback(nsDisplayListBuilder*, gfxContext*, std::function<void ()> const&) src/layout/painting/nsDisplayList.cpp:9741:3
#10 0x7f7a85318d4c in nsDisplayMasksAndClipPaths::Paint(nsDisplayListBuilder*, gfxContext*) src/layout/painting/nsDisplayList.cpp:9753:3
#11 0x7f7a852f13e2 in nsDisplayList::Paint(nsDisplayListBuilder*, gfxContext*, int) src/layout/painting/nsDisplayList.cpp:2453:11
#12 0x7f7a85311f2d in nsDisplayTransform::Paint(nsDisplayListBuilder*, gfxContext*, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) src/layout/painting/nsDisplayList.cpp:8394:20
#13 0x7f7a85311728 in nsDisplayTransform::Paint(nsDisplayListBuilder*, gfxContext*) src/layout/painting/nsDisplayList.cpp:8363:3
#14 0x7f7a852f13e2 in nsDisplayList::Paint(nsDisplayListBuilder*, gfxContext*, int) src/layout/painting/nsDisplayList.cpp:2453:11
#15 0x7f7a85311f2d in nsDisplayTransform::Paint(nsDisplayListBuilder*, gfxContext*, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) src/layout/painting/nsDisplayList.cpp:8394:20
#16 0x7f7a85311728 in nsDisplayTransform::Paint(nsDisplayListBuilder*, gfxContext*) src/layout/painting/nsDisplayList.cpp:8363:3
#17 0x7f7a852f13e2 in nsDisplayList::Paint(nsDisplayListBuilder*, gfxContext*, int) src/layout/painting/nsDisplayList.cpp:2453:11
#18 0x7f7a852f184b in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) src/layout/painting/nsDisplayList.cpp:2496:5
#19 0x7f7a84f5a512 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3526:45
#20 0x7f7a850e8e15 in nsPageSequenceFrame::PrintNextSheet() src/layout/generic/nsPageSequenceFrame.cpp:674:3
#21 0x7f7a8533f652 in nsPrintJob::PrintSheet(nsPrintObject*, bool&) src/layout/printing/nsPrintJob.cpp:2364:31
#22 0x7f7a8533f1f6 in nsPagePrintTimer::Run() src/layout/printing/nsPagePrintTimer.cpp:74:43
#23 0x7f7a804fe972 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:143:20
#24 0x7f7a805299ce in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:479:16
#25 0x7f7a805074d9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:782:26
#26 0x7f7a80506348 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:618:15
#27 0x7f7a805065c3 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:402:36
#28 0x7f7a8052d239 in operator() src/xpcom/threads/TaskController.cpp:138:37
#29 0x7f7a8052d239 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#30 0x7f7a805190ef in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1159:16
#31 0x7f7a8051fd7a in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#32 0x7f7a82098660 in bool mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&)::$_3>(nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&)::$_3&&, nsIThread*) /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:93:25
#33 0x7f7a8209697f in nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) src/dom/base/nsGlobalWindowOuter.cpp:5433:5
#34 0x7f7a82095a8d in nsGlobalWindowOuter::PrintOuter(mozilla::ErrorResult&) src/dom/base/nsGlobalWindowOuter.cpp:5237:3
#35 0x7f7a84f37609 in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1175:43
#36 0x7f7a86045e65 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6513:20
#37 0x7f7a8604595f in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:5903:7
#38 0x7f7a860467df in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
#39 0x7f7a8177c28c in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1362:3
#40 0x7f7a8177b85a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:968:14
#41 0x7f7a81779c67 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) src/uriloader/base/nsDocLoader.cpp:787:9
#42 0x7f7a8177ae4f in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:670:5
#43 0x7f7a860668b8 in nsDocShell::OnStopRequest(nsIRequest*, nsresult) src/docshell/base/nsDocShell.cpp:13679:23
#44 0x7f7a806b876a in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) src/netwerk/base/nsLoadGroup.cpp:614:22
#45 0x7f7a806b9be3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:518:10
#46 0x7f7a8218257d in mozilla::dom::Document::DoUnblockOnload() src/dom/base/Document.cpp:11333:18
#47 0x7f7a8215f920 in mozilla::dom::Document::UnblockOnload(bool) src/dom/base/Document.cpp:11263:9
#48 0x7f7a82171916 in mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:7785:3
#49 0x7f7a821e18b6 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1150:12
#50 0x7f7a821e18b6 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1156:12
#51 0x7f7a821e18b6 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1203:13
#52 0x7f7a804fe972 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:143:20
#53 0x7f7a805299ce in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:479:16
#54 0x7f7a805074d9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:782:26
#55 0x7f7a80506348 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:618:15
#56 0x7f7a805065c3 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:402:36
#57 0x7f7a8052d1c6 in operator() src/xpcom/threads/TaskController.cpp:135:37
#58 0x7f7a8052d1c6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#59 0x7f7a805190ef in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1159:16
#60 0x7f7a8051fd7a in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#61 0x7f7a80e1c756 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
#62 0x7f7a80d84507 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#63 0x7f7a80d84422 in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#64 0x7f7a80d84422 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#65 0x7f7a84bc7a38 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#66 0x7f7a8656b373 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:910:20
#67 0x7f7a80e1d64a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#68 0x7f7a80d84507 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#69 0x7f7a80d84422 in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#70 0x7f7a80d84422 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#71 0x7f7a8656af8e in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:742:34
#72 0x55fc864fec56 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#73 0x55fc864fec56 in main src/browser/app/nsBrowserApp.cpp:313:18
#74 0x7f7a954970b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#75 0x55fc864dba5c in _start (/home/user/workspace/browsers/m-c-20210614095307-fuzzing-debug/firefox-bin+0x15a5c)

Severity: -- → S2
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/r73JhxAtSy83zkCrPm21Yg/index.html

Tries to create a 48k x 63k draw target, 3GB * pixel size, so 12GB?

We're printing a mask with 'exclude' which turns into the 'XOR' blend mode.

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210708154614-ab46ef66acce.
The bug appears to have been introduced in the following build range:

Start: 8803bc71047a75f0983844d891d82b4a5edecda4 (20210310041823)
End: 10ca32d83c66663d73c0600ff90022e85f52b92b (20210310054241)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8803bc71047a75f0983844d891d82b4a5edecda4&tochange=10ca32d83c66663d73c0600ff90022e85f52b92b

Whiteboard: [bugmon:bisected,confirmed]

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210614095307-e77eb14241b9) but not with tip (mozilla-central 20211203213802-92df9c655be5).
The bug appears to have been fixed in the following build range:

Start: f5cb6b2465f3042f3ec5bb096a75fbe24f71465e (20211116073345)
End: 5d32dbafda59a62fba936250375782a4cc9c6300 (20211116082732)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f5cb6b2465f3042f3ec5bb096a75fbe24f71465e&tochange=5d32dbafda59a62fba936250375782a4cc9c6300
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

This is a prefs.js file I got from another fuzzer bug that is needed to reproduce locally.

This seems to be fixed now. I bisected debug builds with the attached prefs.js to bug 1755988.

Status: NEW → RESOLVED
Closed: 2 years ago
Depends on: 1755988
Resolution: --- → FIXED
Assignee: nobody → jmuizelaar
Target Milestone: --- → 99 Branch