Closed Bug 1745775 Opened 3 years ago Closed 3 years ago

Hit MOZ_CRASH(index out of bounds: the len is 10 but the index is 10) at gfx/wr/webrender/src/visibility.rs:218

Categories

(Core :: Graphics: WebRender, defect)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
97 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox95 --- wontfix
firefox96 --- wontfix
firefox97 --- verified

People

(Reporter: jkratzer, Assigned: gw)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed][fuzzblocker])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev 0afa754df085 (built with: --enable-address-sanitizer --enable-fuzzing).

Please note, this issue only arose recently and is occurring at such a high rate that it is having a negative impact on fuzzing. Please prioritize accordingly.

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 0afa754df085 --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Hit MOZ_CRASH(index out of bounds: the len is 10 but the index is 10) at gfx/wr/webrender/src/visibility.rs:218

    =================================================================
    ==2318401==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fe8f3706510 bp 0x7fe823504d10 sp 0x7fe823504d00 T103)
    ==2318401==The signal is caused by a WRITE memory access.
    ==2318401==Hint: address points to the zero page.
        #0 0x7fe8f3706510 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
        #1 0x7fe8f3706510 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
        #2 0x7fe8f3706436 in mozglue_static::panic_hook::h61696a4324a5d117 /mozglue/static/rust/lib.rs:91:9
        #3 0x7fe8f37050f5 in core::ops::function::Fn::call::h4225dabb1a2af65e /builds/worker/fetches/rust/library/core/src/ops/function.rs:70:5
        #4 0x7fe8f6445f3f in std::panicking::rust_panic_with_hook::h12df1cde34faedfe (/home/jkratzer/builds/mc-asan/libxul.so+0x1ecacf3f)
        #5 0x7fe8f646336f in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h1112bbc0bd387537 std.37975f9d-cgu.4
        #6 0x7fe8f64626b3 in std::sys_common::backtrace::__rust_end_short_backtrace::h014d03f4c05b9aaa crtstuff.c
        #7 0x7fe8f6445991 in rust_begin_unwind (/home/jkratzer/builds/mc-asan/libxul.so+0x1ecac991)
        #8 0x7fe8dfbe1410 in core::panicking::panic_fmt::hcb79d2bd962905f6 (/home/jkratzer/builds/mc-asan/libxul.so+0x8448410)
        #9 0x7fe8dfbe13d1 in core::panicking::panic_bounds_check::hb0b4c98dd75cc510 (/home/jkratzer/builds/mc-asan/libxul.so+0x84483d1)
        #10 0x7fe8f23596c6 in webrender::visibility::update_primitive_visibility::hce6c9667c4d008b8 /gfx/wr/webrender/src/visibility.rs
        #11 0x7fe8f235334c in webrender::visibility::update_primitive_visibility::hce6c9667c4d008b8 /gfx/wr/webrender/src/visibility.rs:287:44
        #12 0x7fe8f2353195 in webrender::visibility::update_primitive_visibility::hce6c9667c4d008b8 /gfx/wr/webrender/src/visibility.rs:287:44
        #13 0x7fe8f1dc7e7b in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::h5f73c3c9a3138c1d /gfx/wr/webrender/src/frame_builder.rs:449:25
        #14 0x7fe8f1dc7e7b in webrender::frame_builder::FrameBuilder::build::h4bc86093a3b68689 /gfx/wr/webrender/src/frame_builder.rs:616:9
        #15 0x7fe8f1f84248 in webrender::render_backend::Document::build_frame::h933d7aa757eb4575 /gfx/wr/webrender/src/render_backend.rs:452:25
        #16 0x7fe8f1fd03cb in webrender::render_backend::RenderBackend::update_document::h9e10ba8d864867d8 /gfx/wr/webrender/src/render_backend.rs:1346:41
        #17 0x7fe8f1fa8b8d in webrender::render_backend::RenderBackend::prepare_transactions::h0ac07fe05a2086b1 /gfx/wr/webrender/src/render_backend.rs:1195:28
        #18 0x7fe8f1fa8b8d in webrender::render_backend::RenderBackend::process_api_msg::hee1e94c6dc855884 /gfx/wr/webrender/src/render_backend.rs:1047:17
        #19 0x7fe8f1739d78 in webrender::render_backend::RenderBackend::run::hf0cd3d594dc82b3d /gfx/wr/webrender/src/render_backend.rs:717:21
        #20 0x7fe8f1739d78 in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::h873311b48397ff46 /gfx/wr/webrender/src/renderer/mod.rs:1325:13
        #21 0x7fe8f1739d78 in std::sys_common::backtrace::__rust_begin_short_backtrace::hed32159837ba85e5 /builds/worker/fetches/rust/library/std/src/sys_common/backtrace.rs:123:18
        #22 0x7fe8f17bed0f in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h2530a272768893b4 /builds/worker/fetches/rust/library/std/src/thread/mod.rs:483:17
        #23 0x7fe8f17bed0f in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h19585ea9e42f3123 /builds/worker/fetches/rust/library/core/src/panic/unwind_safe.rs:271:9
        #24 0x7fe8f17bed0f in std::panicking::try::do_call::h73a16f3069ca863c /builds/worker/fetches/rust/library/std/src/panicking.rs:403:40
        #25 0x7fe8f17bed0f in std::panicking::try::h080ff7c79635e596 /builds/worker/fetches/rust/library/std/src/panicking.rs:367:19
        #26 0x7fe8f17bed0f in std::panic::catch_unwind::h9dc5199e598b4df1 /builds/worker/fetches/rust/library/std/src/panic.rs:133:14
        #27 0x7fe8f17bed0f in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::hb7894f57decb1449 /builds/worker/fetches/rust/library/std/src/thread/mod.rs:482:30
        #28 0x7fe8f17bed0f in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h8c7ac8d497dbe621 /builds/worker/fetches/rust/library/core/src/ops/function.rs:227:5
        #29 0x7fe8f6454b72 in std::sys::unix::thread::Thread::new::thread_start::h20a09259a176b254 std.37975f9d-cgu.2
        #30 0x7fe904f96608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
        #31 0x7fe904b5e292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash
    Thread T103 (WRRende~ckend#1) created by T60 (Renderer) here:
        #0 0x560646e0dc3c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:207:3
        #1 0x7fe8f64549f4 in std::sys::unix::thread::Thread::new::h9389f88d83e4b5c1 (/home/jkratzer/builds/mc-asan/libxul.so+0x1ecbb9f4)
        #2 0x7fe8f2095c85 in webrender::renderer::Renderer::new::hf118a095809dae98 /gfx/wr/webrender/src/renderer/mod.rs:1283:9
        #3 0x7fe8f1580074 in wr_window_new /gfx/webrender_bindings/src/bindings.rs:1689:36
        #4 0x7fe8e3bb0909 in mozilla::wr::NewRenderer::Run(mozilla::wr::RenderThread&, mozilla::wr::WrWindowId) /gfx/webrender_bindings/WebRenderAPI.cpp:157:10
        #5 0x7fe8e3b7d8dd in mozilla::wr::RenderThread::RunEvent(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >) /gfx/webrender_bindings/RenderThread.cpp:441:11
        #6 0x7fe8e3b96926 in decltype(*(fp).*fp0(Get<0ul>(fp1).PassAsParameter(), Get<1ul>(fp1).PassAsParameter())) mozilla::detail::RunnableMethodArguments<mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >&&>::applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > >, 0ul, 1ul>(mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), mozilla::Tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > > >&, std::integer_sequence<unsigned long, 0ul, 1ul>) /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
        #7 0x7fe8e3b9666b in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
        #8 0x7fe8e3b9666b in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >&&>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
        #9 0x7fe8e097be2b in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1177:16
        #10 0x7fe8e0986aec in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
        #11 0x7fe8e1e964f1 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:330:5
        #12 0x7fe8e1d14471 in RunInternal /ipc/chromium/src/base/message_loop.cc:331:10
        #13 0x7fe8e1d14471 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #14 0x7fe8e1d14471 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #15 0x7fe8e097432f in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:391:10
        #16 0x7fe902e7f02e in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #17 0x7fe904f96608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    
    Thread T60 (Renderer) created by T0 (GeckoMain) here:
        #0 0x560646e0dc3c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:207:3
        #1 0x7fe902e6f0b4 in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:458:14
        #2 0x7fe902e6035e in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:533:12
        #3 0x7fe8e0977685 in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:615:18
        #4 0x7fe8e09848cf in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /xpcom/threads/nsThreadManager.cpp:581:12
        #5 0x7fe8e098fe61 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /xpcom/threads/nsThreadUtils.cpp:163:57
        #6 0x7fe8e3b77801 in NS_NewNamedThread<9UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74:10
        #7 0x7fe8e3b77801 in mozilla::wr::RenderThread::Start() /gfx/webrender_bindings/RenderThread.cpp:92:17
        #8 0x7fe8e392c51e in InitLayersIPC /gfx/thebes/gfxPlatform.cpp:1290:7
        #9 0x7fe8e392c51e in gfxPlatform::Init() /gfx/thebes/gfxPlatform.cpp:956:3
        #10 0x7fe8e392f590 in GetPlatform /gfx/thebes/gfxPlatform.cpp:466:5
        #11 0x7fe8e392f590 in gfxPlatform::InitializeCMS() /gfx/thebes/gfxPlatform.cpp:2083:9
        #12 0x7fe8e8c5f319 in GetCMSMode /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:521:5
        #13 0x7fe8e8c5f319 in nsXPLookAndFeel::GetColorValue(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins, unsigned int&) /widget/nsXPLookAndFeel.cpp:867:9
        #14 0x7fe8e8c62d9e in mozilla::LookAndFeel::GetColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /widget/nsXPLookAndFeel.cpp:1202:47
        #15 0x7fe8e8bd6598 in Color /builds/worker/workspace/obj-build/dist/include/mozilla/LookAndFeel.h:450:12
        #16 0x7fe8e8bd6598 in ThemedAccentColor /widget/ThemeColors.cpp:89:37
        #17 0x7fe8e8bd6598 in mozilla::widget::ThemeColors::RecomputeAccentColors() /widget/ThemeColors.cpp:170:20
        #18 0x7fe8e8c1962a in nsNativeBasicTheme::LookAndFeelChanged() /widget/nsNativeBasicTheme.cpp:123:3
        #19 0x7fe8e8c5d7f2 in nsXPLookAndFeel::GetInstance() /widget/nsXPLookAndFeel.cpp:359:3
        #20 0x7fe8e8c6379d in mozilla::LookAndFeel::GetThemeInfo(nsTSubstring<char>&) /widget/nsXPLookAndFeel.cpp:1319:3
        #21 0x7fe8e07d2837 in nsSystemInfo::Init() /xpcom/base/nsSystemInfo.cpp:1047:5
        #22 0x7fe8e08d9f24 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:9175:7
        #23 0x7fe8e0929447 in CreateInstance /xpcom/components/nsComponentManager.cpp:177:46
        #24 0x7fe8e0929447 in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::MonitorAutoLock>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:1276:17
        #25 0x7fe8e0929ef8 in nsComponentManagerImpl::GetService(mozilla::xpcom::ModuleID, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:1366:10
        #26 0x7fe8e08fe1ed in mozilla::xpcom::GetServiceHelper::operator()(nsID const&, void**) const /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:12282:50
        #27 0x7fe8e0789151 in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) /xpcom/base/nsCOMPtr.cpp:109:7
        #28 0x7fe8e2d794ac in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:999:5
        #29 0x7fe8e2d794ac in GetServiceImpl /js/xpconnect/src/JSServices.cpp:84:32
        #30 0x7fe8e2d794ac in GetService /js/xpconnect/src/JSServices.cpp:131:8
        #31 0x7fe8e2d794ac in xpc::Services_Resolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) /js/xpconnect/src/JSServices.cpp:154:25
        #32 0x7fe8ee02a697 in CallResolveOp /js/src/vm/NativeObject-inl.h:634:8
        #33 0x7fe8ee02a697 in NativeLookupOwnPropertyInline<js::CanGC, js::LookupResolveMode::CheckResolve> /js/src/vm/NativeObject-inl.h:751:14
        #34 0x7fe8ee02a697 in NativeGetPropertyInline<js::CanGC> /js/src/vm/NativeObject.cpp:2116:10
        #35 0x7fe8ee02a697 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2164:10
        #36 0x7fe8edb28269 in GetProperty /js/src/vm/ObjectOperations-inl.h:115:10
        #37 0x7fe8edb28269 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) /js/src/vm/ObjectOperations-inl.h:122:10
        #38 0x7fe8edb278c4 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:4552:10
        #39 0x7fe8edaf8688 in GetPropertyOperation /js/src/vm/Interpreter.cpp:204:10
        #40 0x7fe8edaf8688 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:2907:12
        #41 0x7fe8edaefe81 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:357:13
        #42 0x7fe8edb1ecef in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:507:13
        #43 0x7fe8edb20e3b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:552:8
        #44 0x7fe8edd98eec in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:53:10
        #45 0x7fe8e2dc1020 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /js/xpconnect/src/XPCWrappedJSClass.cpp:973:17
        #46 0x7fe8e09ce392 in PrepareAndDispatch /xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
        #47 0x7fe8e09cd11a in SharedStub xptcstubs_x86_64_linux.cpp
        #48 0x7fe8e091f832 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /xpcom/components/nsCategoryManager.cpp:687:19
        #49 0x7fe8ed8573b9 in nsXREDirProvider::DoStartup() /toolkit/xre/nsXREDirProvider.cpp:978:11
        #50 0x7fe8ed832653 in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:5045:18
        #51 0x7fe8ed835959 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5495:8
        #52 0x7fe8ed836693 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5554:21
        #53 0x560646e58889 in do_main /browser/app/nsBrowserApp.cpp:225:22
        #54 0x560646e58889 in main /browser/app/nsBrowserApp.cpp:395:16
        #55 0x7fe904a630b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    ==2318401==ABORTING
Attached file Testcase
Attachment #9255067 - Attachment mime type: text/plain → text/html

Main process crash after hitting F5 a few times: bp-d08420b6-7d2c-4c0b-a6d7-f42bf0211213

Blocks: wr-stability
Crash Signature: @ webrender::visibility::update_primitive_visibility ]
Has STR: --- → yes
Keywords: crash
See Also: → 1700242
Crash Signature: @ webrender::visibility::update_primitive_visibility ] → [@ webrender::visibility::update_primitive_visibility ]

Gnome Xwayland, Debian Testing, Intel
STR: Click into the address bar and press enter, or press Ctrl+F5 or F5. Repeat until the crash occurs.
mozregression --good 2021-05-12 --bad 2021-12-12 --pref gfx.webrender.all:true -a https://bugzilla.mozilla.org/attachment.cgi?id=9255067

17:07.84 INFO: Last good revision: e7b81cc1f26db0a381af49cfa49395727d207f98 (2021-07-27)
17:07.84 INFO: First bad revision: 191e4bdf9e08fa81e2986e0a8664794b7ffa7e42 (2021-07-28)
17:07.84 INFO: Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=e7b81cc1f26db0a381af49cfa49395727d207f98&tochange=191e4bdf9e08fa81e2986e0a8664794b7ffa7e42
[...]
25:38.77 INFO: Last good revision: e7b81cc1f26db0a381af49cfa49395727d207f98
25:38.77 INFO: First bad revision: 087c377a18238567e38b0d2edf5afa4baa0fc81e
25:38.77 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e7b81cc1f26db0a381af49cfa49395727d207f98&tochange=087c377a18238567e38b0d2edf5afa4baa0fc81e

087c377a18238567e38b0d2edf5afa4baa0fc81e Glenn Watson — Bug 1721943 - Fix clear of picture graph update passes r=kvark,gfx-reviewers

Last good seems to be last good, no success in reproducing the crash with it so far:
https://hg.mozilla.org/integration/autoland/shortlog/087c377a18238567e38b0d2edf5afa4baa0fc81e
mozregression --repo autoland --launch e7b81cc1f26db0a381af49cfa49395727d207f98 --pref gfx.webrender.all:true -a https://bugzilla.mozilla.org/attachment.cgi?id=9255067

Reproducible with first bad:
mozregression --repo autoland --launch 087c377a18238567e38b0d2edf5afa4baa0fc81e --pref gfx.webrender.all:true -a https://bugzilla.mozilla.org/attachment.cgi?id=9255067

Has Regression Range: --- → yes
Flags: needinfo?(gwatson)
Keywords: regression
Regressed by: 1721943

Thanks, I'll investigate this today.

Assignee: nobody → gwatson
Flags: needinfo?(gwatson)

Some parts of the visibility pass have been ported to use the
picture graph infrastructure (update pass assignment and bounding
rect propagation) but the main visibility pass still relies on
the old-style recursive traversal, for now.

If an off-screen surface with a filter has a child primitive that
has backface-visibility: false, it was possible for it to be
excluded from surface assignment during the picture graph setup,
but still visited by the old-style recursive visibility pass.

In future, the main visibility pass will be ported to be based on
the picture graph infrastructure. In the meantime, this introduces
a band-aid fix by including the backface visibility check for a
picture in the general is_visible method, which is already
checked by the visibility and prepare passes, ensuring that the
traversals match.
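
The traversal mismatch described in the commit message above, as an added Rust sketch that is not part of the bug report or of WebRender's source. `Picture`, `SurfaceInfo`, `assign_surfaces`, `update_visibility` and the positional cursor are hypothetical simplifications; only the idea of moving the backface check into one shared `is_visible` test comes from the message.

```rust
// Simplified model of the two passes. All names are hypothetical, not WebRender's.
struct Picture {
    backface_hidden: bool, // culled by backface-visibility
    children: Vec<Picture>,
}

struct SurfaceInfo; // stand-in for per-surface data

// Setup pass: one SurfaceInfo per picture it keeps, in pre-order. It applies
// its own backface check, so a culled picture gets no entry.
fn assign_surfaces(pic: &Picture, out: &mut Vec<SurfaceInfo>) {
    if pic.backface_hidden {
        return;
    }
    out.push(SurfaceInfo);
    for child in &pic.children {
        assign_surfaces(child, out);
    }
}

// Check shared by the later passes. check_backface = false models the state
// before the fix, true models the fix described in the commit message.
fn is_visible(pic: &Picture, check_backface: bool) -> bool {
    !(check_backface && pic.backface_hidden)
}

// Recursive visibility pass: assumes the n-th picture it visits owns the n-th
// surface. Checks the bound explicitly so the mismatch is reported, not a panic.
fn update_visibility(
    pic: &Picture,
    check_backface: bool,
    surfaces: &[SurfaceInfo],
    cursor: &mut usize,
) -> Result<(), String> {
    if !is_visible(pic, check_backface) {
        return Ok(());
    }
    let (index, len) = (*cursor, surfaces.len());
    *cursor += 1;
    if index >= len {
        return Err(format!("index out of bounds: the len is {} but the index is {}", len, index));
    }
    for child in &pic.children {
        update_visibility(child, check_backface, surfaces, cursor)?;
    }
    Ok(())
}

// Constructed scene: a root with one ordinary child and one backface-culled child.
fn run(check_backface: bool) -> Result<usize, String> {
    let leaf = |hidden| Picture { backface_hidden: hidden, children: vec![] };
    let scene = Picture { backface_hidden: false, children: vec![leaf(false), leaf(true)] };
    let mut surfaces = Vec::new();
    assign_surfaces(&scene, &mut surfaces);
    let mut visited = 0;
    update_visibility(&scene, check_backface, &surfaces, &mut visited)?;
    Ok(visited)
}

fn main() {
    println!("before fix: {:?}", run(false));
    println!("after fix:  {:?}", run(true));
}
```

With the check left out of the shared test, the second pass visits one more picture than the first pass allocated for; with it included, both passes visit the same two pictures.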

Pushed by gwatson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/aaa7e1f81404
Fix invalid surface info indexing r=gfx-reviewers,bradwerth

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211214042524-51773d1ab7b5.
The bug appears to have been introduced in the following build range:

Start: e7b81cc1f26db0a381af49cfa49395727d207f98 (20210727214000)
End: 219ab5d8434c0aed3a7f9af54f0da2e1014255b8 (20210727163203)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=e7b81cc1f26db0a381af49cfa49395727d207f98&tochange=219ab5d8434c0aed3a7f9af54f0da2e1014255b8

Whiteboard: [bugmon:confirm][fuzzblocker] → [bugmon:bisected,confirmed][fuzzblocker]
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 97 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20211214094205-4243f988e94a.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

The patch landed in nightly and beta is affected.
:gw, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(gwatson)