Closed Bug 1717655 Opened 3 months ago Closed 2 months ago

Hit MOZ_CRASH(Unexpected disabled-antialiasing in a border, likely won't work or will be ignored) at /builds/worker/checkouts/gecko/gfx/wr/webrender_api/src/display_item.rs:429

Categories

(Core :: Graphics: WebRender, defect, P3)

defect

Tracking

()

VERIFIED FIXED
92 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox90 --- unaffected
firefox91 --- fixed
firefox92 --- verified

People

(Reporter: jkratzer, Assigned: miko)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 997f00815e6b (built with --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 997f00815e6b --debug --fuzzing -n mc-debug
$ python -m grizzly.replay ./mc-debug/firefox ./testcase.html
Hit MOZ_CRASH(Unexpected disabled-antialiasing in a border, likely won't work or will be ignored) at /builds/worker/checkouts/gecko/gfx/wr/webrender_api/src/display_item.rs:429

    #0 0x7f4921f51c75 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:256:3
    #1 0x7f4921f51c75 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:17:3
    #2 0x7f4921f51c24 in mozglue_static::panic_hook::hd8ae002a37e5b7b9 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:89:9
    #3 0x7f4921f5164b in core::ops::function::Fn::call::hdfa3d208384281a6 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:70:5
    #4 0x7f4922eaecaf in std::panicking::rust_panic_with_hook::h79a18548bd90c7d4 /rustc/53cb7b09b00cbea8754ffb78e7e3cb521cb8af4b/library/std/src/panicking.rs:595:17
    #5 0x7f4921701ed5 in std::panicking::begin_panic::_$u7b$$u7b$closure$u7d$$u7d$::h7b371a145982bd23 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:520:9
    #6 0x7f49216f324f in std::sys_common::backtrace::__rust_end_short_backtrace::h2fd9103223ed6e82 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:141:18
    #7 0x7f49195a4c3e in std::panicking::begin_panic::h55cfb3a8b331585f /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:519:12
    #8 0x7f49218b2eda in webrender_api::display_item::NormalBorder::normalize::h3200ef8996fee304 /builds/worker/checkouts/gecko/gfx/wr/webrender_api/src/display_item.rs:429:9
    #9 0x7f49218b2eda in webrender::prim_store::borders::_$LT$impl$u20$core..convert..From$LT$webrender..prim_store..PrimKey$LT$webrender..prim_store..borders..NormalBorderPrim$GT$$GT$$u20$for$u20$webrender..prim_store..PrimTemplate$LT$webrender..prim_store..borders..NormalBorderData$GT$$GT$::from::h81e0184858190d5f /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prim_store/borders.rs:121:9
    #10 0x7f49218c71bd in _$LT$T$u20$as$u20$core..convert..Into$LT$U$GT$$GT$::into::hce194780cde0ad9b /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/convert/mod.rs:538:9
    #11 0x7f49218c71bd in webrender::intern::DataStore$LT$I$GT$::apply_updates::hde9392baff29e416 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/intern.rs:174:27
    #12 0x7f49218c71bd in webrender::render_backend::DataStores::apply_updates::h2377c60156f2e3f4 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:247:21
    #13 0x7f49218c71bd in webrender::render_backend::RenderBackend::process_transaction::h80512912964b7603 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:945:21
    #14 0x7f49218cd896 in webrender::render_backend::RenderBackend::process_scene_builder_result::h368f224f0f4327c2 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1205:17
    #15 0x7f49218cd896 in webrender::render_backend::RenderBackend::process_api_msg::hc3438f2f91ae3cfe /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1189:24
    #16 0x7f49216f4819 in webrender::render_backend::RenderBackend::run::h3d27bbc55b935c03 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:842:21
    #17 0x7f49216f4819 in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::hce3fb7195d2793cc /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1307:13
    #18 0x7f49216f4819 in std::sys_common::backtrace::__rust_begin_short_backtrace::hccc7bb6afd35306d /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:125:18
    #19 0x7f4921712d9e in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h11ce96ae15f77797 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:481:17
    #20 0x7f4921712d9e in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hf2482a56d5221867 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:344:9
    #21 0x7f4921712d9e in std::panicking::try::do_call::hb63df9f169774b11 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:379:40
    #22 0x7f4921712d9e in std::panicking::try::hf00d8a632277a472 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:343:19
    #23 0x7f4921712d9e in std::panic::catch_unwind::h17557ca28c174211 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:431:14
    #24 0x7f4921712d9e in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::h12ac79d4d0a0a182 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:480:30
    #25 0x7f4921712d9e in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h310ec7e7a9fc865e /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:227:5
    #26 0x7f4922ebd8a9 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h75c2ca1daad47228 /rustc/53cb7b09b00cbea8754ffb78e7e3cb521cb8af4b/library/alloc/src/boxed.rs:1546:9
    #27 0x7f4922ebd8a9 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::hdf9f8afc9d34e311 /rustc/53cb7b09b00cbea8754ffb78e7e3cb521cb8af4b/library/alloc/src/boxed.rs:1546:9
    #28 0x7f4922ebd8a9 in std::sys::unix::thread::Thread::new::thread_start::hc238bac7748b195d /rustc/53cb7b09b00cbea8754ffb78e7e3cb521cb8af4b/library/std/src/sys/unix/thread.rs:71:17
    #29 0x7f49304a3608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #30 0x7f493006b292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?

Debug-only crash that I can't reproduce. Will find an owner.

Blocks: gfx-triage
Severity: -- → S3
Priority: -- → P3

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210708154614-ab46ef66acce.
The bug appears to have been introduced in the following build range:

Start: ca7f5841039d61904e6406936f11afa50c17d0b7 (20210611141122)
End: 5c28878ca6adc5155c1d30d75983794b1822310b (20210611150543)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=ca7f5841039d61904e6406936f11afa50c17d0b7&tochange=5c28878ca6adc5155c1d30d75983794b1822310b

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Miko, any thoughts here?

Flags: needinfo?(mikokm)
Assignee: nobody → mikokm
Status: NEW → ASSIGNED
Flags: needinfo?(mikokm)

:miko, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(mikokm)
Flags: needinfo?(mikokm)
Regressed by: 1711648
No longer blocks: gfx-triage
Pushed by mikokm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/eb57374cd854
Fix bevelRect size calculation r=nical
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 92 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20210721212617-ee40230413eb.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

Miko, do we have interest in uplifting that patch to beta 91 as it seems this got regressed in 91 nightly or it's not a big issue and we can let the fix fix ship in 92 (we have 2 betas left this week). Thanks

Flags: needinfo?(mikokm)

Comment on attachment 9231365 [details]
Bug 1717655 - Fix bevelRect size calculation r=nical

Beta/Release Uplift Approval Request

  • User impact if declined: In some cases, borders might render incorrectly
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The patch restores the original behavior that was regressed.
  • String changes made/needed:
Flags: needinfo?(mikokm)
Attachment #9231365 - Flags: approval-mozilla-beta?

(In reply to Pascal Chevrel:pascalc from comment #9)

Miko, do we have interest in uplifting that patch to beta 91 as it seems this got regressed in 91 nightly or it's not a big issue and we can let the fix fix ship in 92 (we have 2 betas left this week). Thanks

This is probably quite rare bug that triggers at very small border sizes.
I think that uplift is still reasonable, because before the patch, the testcase causes us to pass a negative size rectangle to WebRender and divide by zero, both of which may cause unexpected behavior.

Comment on attachment 9231365 [details]
Bug 1717655 - Fix bevelRect size calculation r=nical

Approved for 91 beta 8, thanks.

Attachment #9231365 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.