Closed Bug 1757054 Opened 9 months ago Closed 4 months ago

Hit MOZ_CRASH(assertion failed: !params.descriptor.size.is_empty()) at gfx/wr/webrender/src/texture_cache.rs:1475

Categories

(Core :: Graphics: WebRender, defect)

Tracking

RESOLVED FIXED
105 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- wontfix
firefox99 --- wontfix
firefox100 --- wontfix
firefox101 --- wontfix
firefox102 --- wontfix
firefox103 --- wontfix
firefox104 --- wontfix
firefox105 --- fixed

People

(Reporter: tsmith, Assigned: gw)

References

(Blocks 2 open bugs, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(3 files)

Attached file testcase.html

Found while fuzzing m-c 20220224-2eda0885cbad (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(assertion failed: !params.descriptor.size.is_empty()) at gfx/wr/webrender/src/texture_cache.rs:1475

#0 0x7f63272b4850 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7f63272b4850 in RustMozCrash /gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7f63272b4776 in mozglue_static::panic_hook::hfa977cf1421d9ca6 /gecko/mozglue/static/rust/lib.rs:91:9
#3 0x7f63272b3435 in core::ops::function::Fn::call::h875c5534bb524182 /builds/worker/fetches/rust/library/core/src/ops/function.rs:70:5
#4 0x7f632a24d277 in std::panicking::rust_panic_with_hook::h213176a09718247f (/home/worker/builds/m-c-20220224093648-fuzzing-asan-opt/libxul.so+0x1f638277)
#5 0x7f632a25b111 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h3cfe49433456fe03 std.cd29c496-cgu.3
#6 0x7f632a25abb3 in std::sys_common::backtrace::__rust_end_short_backtrace::hbf0fc5e1af0506eb crtstuff.c
#7 0x7f632a24cd61 in rust_begin_unwind (/home/worker/builds/m-c-20220224093648-fuzzing-asan-opt/libxul.so+0x1f637d61)
#8 0x7f631340cd80 in core::panicking::panic_fmt::hcb79d2bd962905f6 (/home/worker/builds/m-c-20220224093648-fuzzing-asan-opt/libxul.so+0x87f7d80)
#9 0x7f631340cccc in core::panicking::panic::h0278218a0d986439 (/home/worker/builds/m-c-20220224093648-fuzzing-asan-opt/libxul.so+0x87f7ccc)
#10 0x7f6325e597a5 in webrender::texture_cache::TextureCache::allocate::h366359b3c4039e6d /gecko/gfx/wr/webrender/src/texture_cache.rs:1475:9
#11 0x7f6325e597a5 in webrender::texture_cache::TextureCache::update::h0f92b5186d20dd65 /gecko/gfx/wr/webrender/src/texture_cache.rs:942:13
#12 0x7f6325b3e39f in webrender::render_task_cache::RenderTaskCache::alloc_render_task::h3abfc517896deb58 /gecko/gfx/wr/webrender/src/render_task_cache.rs:194:9
#13 0x7f6325a0d51a in webrender::render_task_cache::RenderTaskCache::request_render_task::h85590f4ecf9df37d /gecko/gfx/wr/webrender/src/render_task_cache.rs:274:13
#14 0x7f6325a0d51a in webrender::resource_cache::ResourceCache::request_render_task::he2a666127bb0b49a /gecko/gfx/wr/webrender/src/resource_cache.rs:609:9
#15 0x7f6325a0d51a in webrender::prepare::prepare_interned_prim_for_render::h56d22ae027685079 /gecko/gfx/wr/webrender/src/prepare.rs:323:37
#16 0x7f63259f61c2 in webrender::prepare::prepare_prim_for_render::hc8661707dce9b242 /gecko/gfx/wr/webrender/src/prepare.rs:236:5
#17 0x7f63259f61c2 in webrender::prepare::prepare_primitives::h319d43682715a801 /gecko/gfx/wr/webrender/src/prepare.rs:108:16
#18 0x7f63258e2b0d in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::hec9a53fb2d7540d2 /gecko/gfx/wr/webrender/src/frame_builder.rs:502:17
#19 0x7f63258e2b0d in webrender::frame_builder::FrameBuilder::build::h8b87586356a2f088 /gecko/gfx/wr/webrender/src/frame_builder.rs:593:9
#20 0x7f6325a9c5a8 in webrender::render_backend::Document::build_frame::h1b26863024153c1b /gecko/gfx/wr/webrender/src/render_backend.rs:493:25
#21 0x7f6325ae8996 in webrender::render_backend::RenderBackend::update_document::h7f4355bca73ef40e /gecko/gfx/wr/webrender/src/render_backend.rs:1387:41
#22 0x7f6325ac0ddd in webrender::render_backend::RenderBackend::prepare_transactions::ha24b8a0698e84e55 /gecko/gfx/wr/webrender/src/render_backend.rs:1236:28
#23 0x7f6325ac0ddd in webrender::render_backend::RenderBackend::process_api_msg::h2dc2abb38752b87b /gecko/gfx/wr/webrender/src/render_backend.rs:1088:17
#24 0x7f6325254488 in webrender::render_backend::RenderBackend::run::h105627bde7bb72f3 /gecko/gfx/wr/webrender/src/render_backend.rs:758:21
#25 0x7f6325254488 in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::h5fe29a1a1c594639 /gecko/gfx/wr/webrender/src/renderer/mod.rs:1328:13
#26 0x7f6325254488 in std::sys_common::backtrace::__rust_begin_short_backtrace::h3c18f6ae72f3e3ac /builds/worker/fetches/rust/library/std/src/sys_common/backtrace.rs:123:18
#27 0x7f63252d932f in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h2ce57b67a8d5ceba /builds/worker/fetches/rust/library/std/src/thread/mod.rs:484:17
#28 0x7f63252d932f in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h9605f32354925956 /builds/worker/fetches/rust/library/core/src/panic/unwind_safe.rs:271:9
#29 0x7f63252d932f in std::panicking::try::do_call::ha7e5f9f3d8aa8328 /builds/worker/fetches/rust/library/std/src/panicking.rs:406:40
#30 0x7f63252d932f in std::panicking::try::h83e108080385458e /builds/worker/fetches/rust/library/std/src/panicking.rs:370:19
#31 0x7f63252d932f in std::panic::catch_unwind::hb405334179d7210b /builds/worker/fetches/rust/library/std/src/panic.rs:133:14
#32 0x7f63252d932f in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::hb51c8b97fbc84cdd /builds/worker/fetches/rust/library/std/src/thread/mod.rs:483:30
#33 0x7f63252d932f in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h0ef6d8633b3ca0ca /builds/worker/fetches/rust/library/core/src/ops/function.rs:227:5
#34 0x7f632a24da22 in std::sys::unix::thread::Thread::new::thread_start::he72929ede3520aea std.cd29c496-cgu.15
#35 0x7f633913e608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
#36 0x7f6338d06292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?
Component: Layout → Graphics: WebRender

A Pernosco session is available here: https://pernos.co/debug/Li-Jkv4XKLLHQNMoYNmRNw/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220422033915-e54b77f74624.
The bug appears to have been introduced in the following build range:

Start: 7f0c7c21dbfaddd8b0afa6d372368d98b373e69a (20220219214049)
End: 2b42abbdb0df38f31dfa1178fe3b5f773f8e4812 (20220220185923)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7f0c7c21dbfaddd8b0afa6d372368d98b373e69a&tochange=2b42abbdb0df38f31dfa1178fe3b5f773f8e4812

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Flags: needinfo?(gwatson)
Regressed by: 1749380
Assignee: nobody → gwatson
Flags: needinfo?(gwatson)

I couldn't repro on a local build yet (looking at the crash, it possibly depends on resolution and/or device-pixel ratio).

When I run the specified build under grizzly, I get:

[2022-04-27 06:18:00] Result: Different signature: Hit MOZ_CRASH(Attempting to connect to non-local address!) at /builds/worker/checkouts/gecko/netwerk/base/nsSocketTransport2.cpp:1237 (24556868:b7a8e929)

Is there an extra param or option I need to avoid that?

Flags: needinfo?(twsmith)
Attached file prefs.js

I was able to reproduce with m-c 20220425-9cb38db713cc.

This prefs.js file helped reproduce when running without Grizzly.

Flags: needinfo?(twsmith)

Is this actually S2?

Flags: needinfo?(gwatson)
Severity: S2 → S3
Flags: needinfo?(gwatson)

What's the appropriate way to apply that prefs file? When I do that by copying it to the profile's user.js (or prefs.js), I get a startup crash:

Invalid principal infos found: originNoSuffix (file://aaaaaaaaa_aaaa_aaa_aaaaaa) doesn't match passed one (file:///aaaa/aa/aaaaaaaaa/aaaaD_aaaaa/a.aaaa)!

I'm guessing that's not the correct way to use that prefs file?

Adding it to the profile directory should work; that is what we do in automation. If you are using a new profile (empty directory), you also need to add a times.json file.

Set release status flags based on info from the regressing bug 1749380

Pushed by gwatson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9ced13a92244
Ensure line decoration cache tasks are at least 1x1 r=gfx-reviewers,nical
Regressions: 1781944

Backed out for causing crashtest failures on 1757054.html.

Push where the failures occurred
Push that got backed out

Failure log

Backout link

[task 2022-07-28T01:02:25.130Z] 01:02:25     INFO - #35: main [ipc/app/MozillaRuntimeMain.cpp:81]
[task 2022-07-28T01:02:25.131Z] 01:02:25     INFO - [Child 1628, Main Thread] ###!!! ASSERTION: InitialOverflowProperty must be set first.: 'frame->GetProperty(nsIFrame::DebugInitialOverflowPropertyApplied())', file /builds/worker/checkouts/gecko/layout/base/OverflowChangedTracker.h:117
[task 2022-07-28T01:02:25.131Z] 01:02:25     INFO - #01: NS_DebugBreak [xpcom/base/nsDebugImpl.cpp:492]
[task 2022-07-28T01:02:25.132Z] 01:02:25     INFO - #02: mozilla::OverflowChangedTracker::Flush() [layout/base/OverflowChangedTracker.h:120]
[task 2022-07-28T01:02:25.132Z] 01:02:25     INFO - #03: mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) [layout/base/RestyleManager.cpp:1812]
[task 2022-07-28T01:02:25.133Z] 01:02:25     INFO - #04: mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) [layout/base/RestyleManager.cpp:3124]
[task 2022-07-28T01:02:25.133Z] 01:02:25     INFO - #05: mozilla::RestyleManager::ProcessPendingRestyles() [layout/base/RestyleManager.cpp:3204]
[task 2022-07-28T01:02:25.134Z] 01:02:25     INFO - #06: mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) [layout/base/PresShell.cpp:4331]
[task 2022-07-28T01:02:25.135Z] 01:02:25     INFO - #07: nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) [layout/base/nsRefreshDriver.cpp:2556]
[task 2022-07-28T01:02:25.135Z] 01:02:25     INFO - #08: mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) [layout/base/nsRefreshDriver.cpp:353]
[task 2022-07-28T01:02:25.136Z] 01:02:25     INFO - #09: mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) [layout/base/nsRefreshDriver.cpp:371]
[task 2022-07-28T01:02:25.136Z] 01:02:25     INFO - #10: mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) [layout/base/nsRefreshDriver.cpp:897]
[task 2022-07-28T01:02:25.137Z] 01:02:25     INFO - #11: mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) [layout/base/nsRefreshDriver.cpp:812]
[task 2022-07-28T01:02:25.137Z] 01:02:25     INFO - #12: mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() [layout/base/nsRefreshDriver.cpp:595]
[task 2022-07-28T01:02:25.138Z] 01:02:25     INFO - #13: mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) [dom/ipc/VsyncMainChild.cpp:69]
[task 2022-07-28T01:02:25.139Z] 01:02:25     INFO - #14: mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) [s3:gecko-generated-sources:cddf90894e78d2341d16b9328e85134e5d2e952562bcc3d6423ba1da1513d2f3a9a8317feeecb4fa176ce8ead295e50eabb87d97a405cec3d3fed6556109e377/ipc/ipdl/PVsyncChild.cpp::220]
[task 2022-07-28T01:02:25.139Z] 01:02:25     INFO - #15: mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) [s3:gecko-generated-sources:f43b8d9aa4ec167f4e7e19574d958c30362890a6b63de818d0495ebfec1a3c925a776e3cefa85a83740d45f9227345090aedc47a3eed36db29fcf48c0a572a06/ipc/ipdl/PBackgroundChild.cpp::6326]
[task 2022-07-28T01:02:25.140Z] 01:02:25     INFO - #16: mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) [ipc/glue/MessageChannel.cpp:1749]
[task 2022-07-28T01:02:25.140Z] 01:02:25     INFO - #17: mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) [ipc/glue/MessageChannel.cpp:1674]
[task 2022-07-28T01:02:25.141Z] 01:02:25     INFO - #18: mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) [ipc/glue/MessageChannel.cpp:1474]
[task 2022-07-28T01:02:25.141Z] 01:02:25     INFO - #19: mozilla::ipc::MessageChannel::MessageTask::Run() [ipc/glue/MessageChannel.cpp:1581]
[task 2022-07-28T01:02:25.141Z] 01:02:25     INFO - #20: mozilla::RunnableTask::Run() [xpcom/threads/TaskController.cpp:539]
[task 2022-07-28T01:02:25.142Z] 01:02:25     INFO - #21: mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) [xpcom/threads/TaskController.cpp:851]
[task 2022-07-28T01:02:25.142Z] 01:02:25     INFO - #22: mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) [xpcom/threads/TaskController.cpp:683]
[task 2022-07-28T01:02:25.143Z] 01:02:25     INFO - #23: mozilla::TaskController::ProcessPendingMTTask(bool) [xpcom/threads/TaskController.cpp:461]
[task 2022-07-28T01:02:25.143Z] 01:02:25     INFO - #24: mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() [xpcom/threads/nsThreadUtils.h:532]
[task 2022-07-28T01:02:25.143Z] 01:02:25     INFO - #25: nsThread::ProcessNextEvent(bool, bool*) [xpcom/threads/nsThread.cpp:1209]
[task 2022-07-28T01:02:25.144Z] 01:02:25     INFO - #26: NS_ProcessNextEvent(nsIThread*, bool) [xpcom/threads/nsThreadUtils.cpp:465]
[task 2022-07-28T01:02:25.145Z] 01:02:25     INFO - #27: mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) [ipc/glue/MessagePump.cpp:86]
[task 2022-07-28T01:02:25.145Z] 01:02:25     INFO - #28: MessageLoop::Run() [ipc/chromium/src/base/message_loop.cc:356]
[task 2022-07-28T01:02:25.145Z] 01:02:25     INFO - #29: nsBaseAppShell::Run() [widget/nsBaseAppShell.cpp:152]
[task 2022-07-28T01:02:25.146Z] 01:02:25     INFO - #30: nsAppShell::Run() [widget/cocoa/nsAppShell.mm:804]
[task 2022-07-28T01:02:25.147Z] 01:02:25     INFO - #31: XRE_RunAppShell() [toolkit/xre/nsEmbedFunctions.cpp:887]
[task 2022-07-28T01:02:25.147Z] 01:02:25     INFO - #32: mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) [ipc/glue/MessagePump.cpp:235]
[task 2022-07-28T01:02:25.148Z] 01:02:25     INFO - #33: MessageLoop::Run() [ipc/chromium/src/base/message_loop.cc:356]
[task 2022-07-28T01:02:25.148Z] 01:02:25     INFO - #34: XRE_InitChildProcess(int, char**, XREChildData const*) [toolkit/xre/nsEmbedFunctions.cpp:750]
[task 2022-07-28T01:02:25.149Z] 01:02:25     INFO - #35: main [ipc/app/MozillaRuntimeMain.cpp:81]
[task 2022-07-28T01:02:25.150Z] 01:02:25     INFO - REFTEST TEST-PASS | gfx/tests/crashtests/1757054.html | (LOAD ONLY)
[task 2022-07-28T01:02:25.151Z] 01:02:25     INFO - REFTEST TEST-END | gfx/tests/crashtests/1757054.html
[task 2022-07-28T01:02:25.163Z] 01:02:25     INFO - REFTEST TEST-UNEXPECTED-FAIL | gfx/tests/crashtests/1757054.html | assertion count 2 is more than expected 0 assertions
[task 2022-07-28T01:02:25.164Z] 01:02:25     INFO - REFTEST TEST-START | image/test/crashtests/256-height.ico
Flags: needinfo?(gwatson)

I added a comment at https://bugzilla.mozilla.org/show_bug.cgi?id=1781944#c2 about this - I guess what we can do is land the fix in this patch without the crash test, and then file a different bug for this (unrelated) crash that occurs, and re-land the test once this is fixed.

Flags: needinfo?(gwatson)

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220224093648-2eda0885cbad) but not with tip (mozilla-central 20220729213628-78c1a76cfd3d).

The bug appears to have been fixed in the following build range:

Start: afb50a831d7ac9e372bc71f0aeb796e479151366 (20220726211718)
End: fd5fa569292188ad8325823f10173471f266a488 (20220726224548)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=afb50a831d7ac9e372bc71f0aeb796e479151366&tochange=fd5fa569292188ad8325823f10173471f266a488

gw, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(gwatson)
Keywords: bugmon
Flags: needinfo?(gwatson)
Blocks: 1782590
Pushed by gwatson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/dbc905b2fa83
Ensure line decoration cache tasks are at least 1x1 r=gfx-reviewers,nical
Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch
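
The landed change is titled "Ensure line decoration cache tasks are at least 1x1", and an earlier comment suggests the crash may depend on resolution or device-pixel ratio; together they describe a zero-sized cache request reaching an allocator that asserts a non-empty size. The following is an added example, not code from this bug or from WebRender: a small model of that failure class and of the clamp that restores the allocator's precondition. All names (DeviceIntSize, allocate, task_size_unclamped, task_size_clamped) are hypothetical, and the assumption that the size is truncated to integers after scaling is not confirmed by the bug.

```rust
// Added illustration. Every name here is hypothetical; this is not WebRender code.

#[derive(Debug, Clone, Copy, PartialEq)]
struct DeviceIntSize {
    width: i32,
    height: i32,
}

impl DeviceIntSize {
    // Same meaning as `is_empty()` in the assertion: no area to allocate.
    fn is_empty(&self) -> bool {
        self.width <= 0 || self.height <= 0
    }
}

// Stand-in for a cache allocator that treats an empty request as a caller
// bug. It returns Err where the real code asserts, so callers can observe it.
fn allocate(size: DeviceIntSize) -> Result<usize, String> {
    if size.is_empty() {
        return Err(format!("empty allocation {}x{}", size.width, size.height));
    }
    Ok(size.width as usize * size.height as usize)
}

// "Before": scale to device pixels and truncate. `as i32` maps NaN to 0 and
// saturates out-of-range values, so thin or degenerate inputs yield 0 or less.
fn task_size_unclamped(w: f32, h: f32, device_pixel_scale: f32) -> DeviceIntSize {
    DeviceIntSize {
        width: (w * device_pixel_scale) as i32,
        height: (h * device_pixel_scale) as i32,
    }
}

// "After": the same computation, floored at 1x1 so the allocator's
// precondition holds for every input.
fn task_size_clamped(w: f32, h: f32, device_pixel_scale: f32) -> DeviceIntSize {
    let s = task_size_unclamped(w, h, device_pixel_scale);
    DeviceIntSize { width: s.width.max(1), height: s.height.max(1) }
}

fn main() {
    // Constructed input: a 40 x 1.5 decoration at several device-pixel ratios.
    for &scale in &[2.0f32, 1.0, 0.5, 0.25] {
        let before = task_size_unclamped(40.0, 1.5, scale);
        let after = task_size_clamped(40.0, 1.5, scale);
        println!("scale {}: before {:?} -> {:?}", scale, before, allocate(before));
        println!("scale {}: after  {:?} -> {:?}", scale, after, allocate(after));
    }
}
```

In this model the request only becomes empty at scales below 1.0, which is one way a testcase can crash in one environment and not in another.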