test case for bug 1742382 still crashes the browser
Categories: Core :: Graphics: WebRender, defect
People: Reporter: freddy, Assigned: gw
References: Blocks 1 open bug
Details: Keywords: crash
Attachments: 2 files
When looking at the test case for bug 1742382 (during our bounty meeting), the linked 1MB test case still crashed Firefox Nightly on Linux.
Looks like a Rust panic (causing MOZ_CRASH) due to unwrapping a None, but not in the software backend for webrender. Lee, is this bad?
Dan said it also crashed the browser for him on Mac OS, so he'll probably attach a log file as well.
Comment 1•3 years ago
Rust panic on Mac, too: bp-3ae99a01-4ee0-4f6f-b446-c630b0211214
Comment 2•3 years ago
The Rust panic does not represent a security issue nor what occurred in bug 1742383.
Maybe Glenn should take a look to see what's going on.
Comment 3•3 years ago
Test case is not public.
Comment 4•3 years ago
In some extreme test cases, we have > 65535 clip masks being
created. Long term, we might want to restrict the page content
since we can't really render hundreds of thousands of clip masks
for performance reasons anyway. For now, just use a u32 for the
clip mask index so we can handle these cases a bit better.
Comment 6•3 years ago
Aren't we just kicking the can down the road into a memory/resource exhaustion problem at the OS level? It looks like this will still lead to some other crashy or unstable situation. If nobody's stopping the test case from exceeding u16 why should u32 be an improvement? Can we find an operation in there where we can cancel/throw and do that instead?
Comment 7•3 years ago
It is kicking the can down the road (I alluded to this in the commit comment), you're right.
The benefit, I think, of landing this patch now is that we'll be able to see from crash-stats if this crash completely disappears, or if there is also some other bug that can cause us to incorrectly index into the clip instances array.
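An added example (not WebRender's code and not the patch discussed in this bug) of the failure mode that comments 4, 6 and 7 describe: a clip-mask index narrower than the number of masks a page can request. The names ClipMaskStore, ClipMaskIndex, build_masks and truncating_index are hypothetical. Rather than truncating the index with an `as` cast and later unwrapping a lookup that cannot succeed, the store narrows the index with a checked conversion and returns an error the caller can act on (refuse further masks, drop the frame), which is the "cancel/throw" point comment 6 asks for; the unchecked cast is kept alongside only to show the wrap-around that leads to the bad index.

```rust
use std::convert::TryFrom;
use std::fmt;

/// Hypothetical clip-mask handle with the same width limit as the original
/// u16 index. Constructed for this example; it is not WebRender's type.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct ClipMaskIndex(pub u16);

/// Returned instead of panicking when a page asks for more clip masks than
/// the index type can address, or looks up an index that was never issued.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ClipMaskError {
    IndexOverflow { requested: usize, max: usize },
    UnknownIndex(u16),
}

impl fmt::Display for ClipMaskError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            ClipMaskError::IndexOverflow { requested, max } => {
                write!(f, "clip mask {} requested, index type holds {}", requested, max)
            }
            ClipMaskError::UnknownIndex(i) => write!(f, "no clip mask at index {}", i),
        }
    }
}

impl std::error::Error for ClipMaskError {}

/// Toy registry of clip masks; the payload is a single byte so the example
/// stays self-contained.
#[derive(Default)]
pub struct ClipMaskStore {
    masks: Vec<u8>,
}

impl ClipMaskStore {
    /// Registers a mask and returns its handle. The checked narrowing is the
    /// point: `len() as u16` would silently wrap at 65536, and a later lookup
    /// with the wrapped value is where an unwrap-on-None panic would surface.
    pub fn push(&mut self, mask: u8) -> Result<ClipMaskIndex, ClipMaskError> {
        let next = self.masks.len();
        let narrow = u16::try_from(next).map_err(|_| ClipMaskError::IndexOverflow {
            requested: next + 1,
            max: usize::from(u16::MAX) + 1,
        })?;
        self.masks.push(mask);
        Ok(ClipMaskIndex(narrow))
    }

    /// Lookup that reports a bad handle instead of unwrapping it.
    pub fn get(&self, index: ClipMaskIndex) -> Result<u8, ClipMaskError> {
        self.masks
            .get(usize::from(index.0))
            .copied()
            .ok_or(ClipMaskError::UnknownIndex(index.0))
    }

    pub fn len(&self) -> usize {
        self.masks.len()
    }
}

/// Simulates a page creating `count` clip masks. Stops at the first error
/// and reports how many masks were accepted, so the caller can abort the
/// frame rather than continue with a corrupt index.
pub fn build_masks(count: usize) -> (usize, Option<ClipMaskError>) {
    let mut store = ClipMaskStore::default();
    for i in 0..count {
        // Constructed payload: the mask byte is just the counter modulo 256.
        if let Err(e) = store.push((i % 256) as u8) {
            return (store.len(), Some(e));
        }
    }
    (store.len(), None)
}

/// The pattern the bug describes, kept only for comparison: an unchecked
/// `as` cast wraps instead of failing.
pub fn truncating_index(index: usize) -> u16 {
    index as u16
}

fn main() {
    let (accepted, err) = build_masks(70_000);
    println!("accepted {} masks, error: {:?}", accepted, err);
    println!("unchecked cast of 70000 gives {}", truncating_index(70_000));
}
```

Widening the index to u32, as the patch does, moves the overflow point rather than removing it; the error path above is the shape of the change comment 6 asks for, and a cap lower than the type's maximum can be enforced at the same place once a policy limit is chosen.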
Comment 9•3 years ago
bugherder
Comment 10•3 years ago
Hi Lee, I'm not sure if this is worth backporting to Beta/ESR or not. Seems like the patch would be low-risk and give parity with the branches receiving the original fix, but it also feels pretty edge case and unlikely to bite us in the wild. What are your thoughts?