Closed Bug 1758560 Opened 2 years ago Closed 2 years ago

Hit MOZ_CRASH(assertion failed: task_size.height <= MAX_SURFACE_SIZE as i32) at gfx/wr/webrender/src/picture.rs:6815

Categories

(Core :: Graphics: WebRender, defect, P2)

x86_64
Linux
defect

Tracking

RESOLVED DUPLICATE of bug 1758168
Tracking Status
firefox-esr91 --- unaffected
firefox98 --- unaffected
firefox99 --- fixed
firefox100 --- fixed

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev 11820f4551ab (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

    $ pip install fuzzfetch grizzly-framework
    $ python -m fuzzfetch --build 11820f4551ab --debug --fuzzing -n firefox
    $ python -m grizzly.replay ./firefox/firefox testcase.html
Hit MOZ_CRASH(assertion failed: task_size.height <= MAX_SURFACE_SIZE as i32) at gfx/wr/webrender/src/picture.rs:6815

    ==280294==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f28cdaced35 bp 0x7f28b4b570d0 sp 0x7f28b4b570c0 T280439)
    ==280294==The signal is caused by a WRITE memory access.
    ==280294==Hint: address points to the zero page.
        #0 0x7f28cdaced35 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
        #1 0x7f28cdaced35 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
        #2 0x7f28cdaceb94 in mozglue_static::panic_hook::h773f18c382903796 /mozglue/static/rust/lib.rs:91:9
        #3 0x7f28cdace6fb in core::ops::function::Fn::call::ha1de6d8c8d2b790f /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/ops/function.rs:70:5
        #4 0x7f28ce8bd134 in std::panicking::rust_panic_with_hook::h1a5ea2d6c23051aa /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:610:17
        #5 0x7f28ce8bce01 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h07f549390938b73f /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:500:13
        #6 0x7f28ce8b8d13 in std::sys_common::backtrace::__rust_end_short_backtrace::h5ec3758a92cfb00d /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/sys_common/backtrace.rs:139:18
        #7 0x7f28ce8bcb68 in rust_begin_unwind /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:498:5
        #8 0x7f28c428f600 in core::panicking::panic_fmt::h3a79a6a99affe1d5 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/panicking.rs:116:14
        #9 0x7f28c428f54c in core::panicking::panic::h97167cd315d19cd4 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/panicking.rs:48:5
        #10 0x7f28cd45c538 in webrender::picture::get_surface_rects::h2498a292b762deae /gfx/wr/webrender/src/picture.rs:6815:5
        #11 0x7f28cd45c538 in webrender::picture::PicturePrimitive::take_context::hc9431cfe24337ed5 /gfx/wr/webrender/src/picture.rs:4929:43
        #12 0x7f28cd46be11 in webrender::prepare::prepare_prim_for_render::h7a87af478aecc343 /gfx/wr/webrender/src/prepare.rs:159:15
        #13 0x7f28cd46be11 in webrender::prepare::prepare_primitives::hddf1ba99a8ddad2e /gfx/wr/webrender/src/prepare.rs:108:16
        #14 0x7f28cd419a0a in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::hffb17423832a954a /gfx/wr/webrender/src/frame_builder.rs:502:17
        #15 0x7f28cd419a0a in webrender::frame_builder::FrameBuilder::build::he9c3d4392d7dc5fa /gfx/wr/webrender/src/frame_builder.rs:593:9
        #16 0x7f28cd4973f6 in webrender::render_backend::Document::build_frame::hdb47e483955b9990 /gfx/wr/webrender/src/render_backend.rs:493:25
        #17 0x7f28cd4ad9fa in webrender::render_backend::RenderBackend::update_document::hddcfd3ccea10d6f7 /gfx/wr/webrender/src/render_backend.rs:1387:41
        #18 0x7f28cd4a2920 in webrender::render_backend::RenderBackend::prepare_transactions::hb5ea8d5add0fff26 /gfx/wr/webrender/src/render_backend.rs:1236:28
        #19 0x7f28cd4a2920 in webrender::render_backend::RenderBackend::process_api_msg::h420b35c10dc36626 /gfx/wr/webrender/src/render_backend.rs:1088:17
        #20 0x7f28cd4d4fdc in webrender::render_backend::RenderBackend::run::h2e623193e95a1225 /gfx/wr/webrender/src/render_backend.rs:758:21
        #21 0x7f28cd4d4fdc in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::h71d03fd1931e9bd6 /gfx/wr/webrender/src/renderer/mod.rs:1328:13
        #22 0x7f28cd4d4fdc in std::sys_common::backtrace::__rust_begin_short_backtrace::haa681597b7253c7c /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/sys_common/backtrace.rs:123:18
        #23 0x7f28cd26a27e in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h2164df2487f01841 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/thread/mod.rs:477:17
        #24 0x7f28cd26a27e in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h0247046a4e5f6a61 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/panic/unwind_safe.rs:271:9
        #25 0x7f28cd26a27e in std::panicking::try::do_call::h34f69670c47ed47f /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:406:40
        #26 0x7f28cd26a27e in std::panicking::try::hb1c8891e6e1c3b28 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:370:19
        #27 0x7f28cd26a27e in std::panic::catch_unwind::he0e01a26201bb699 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panic.rs:133:14
        #28 0x7f28cd26a27e in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::h6c42819231972e85 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/thread/mod.rs:476:30
        #29 0x7f28cd26a27e in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::hbe8f8a7be2039d20 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/ops/function.rs:227:5
        #30 0x7f28ce8c8d82 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h49b6c7c5155a2296 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/alloc/src/boxed.rs:1854:9
        #31 0x7f28ce8c8d82 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::ha8b5234bfeb15105 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/alloc/src/boxed.rs:1854:9
        #32 0x7f28ce8c8d82 in std::sys::unix::thread::Thread::new::thread_start::h6f207dd842d64859 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/sys/unix/thread.rs:108:17
        #33 0x7f28dc6ec608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8
        #34 0x7f28dc2b3162 in __clone /build/glibc-sMfBJT/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash
    ==280294==ABORTING
Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220308220159-c06bbb0ddc24.
The bug appears to have been introduced in the following build range:

Start: cd1ca5184c73edfc4af351ad4c89ea994311625b (20220228215749)
End: 9f3cb0197f1ff639627e97ea474596fc6ccb2a1f (20220228232435)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=cd1ca5184c73edfc4af351ad4c89ea994311625b&tochange=9f3cb0197f1ff639627e97ea474596fc6ccb2a1f

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Regressed by: 1757002

:gw, since you are the author of the regressor, bug 1757002, could you take a look?
For more information, please visit auto_nag documentation.

Flags: needinfo?(gwatson)

This should be fixed by the patch in https://bugzilla.mozilla.org/show_bug.cgi?id=1758168 (similar assert, one checking for width, one for height).

Flags: needinfo?(gwatson)
Depends on: 1758168

Set release status flags based on info from the regressing bug 1757002

Has Regression Range: --- → yes
Severity: -- → S3
Priority: -- → P2

:gw can you confirm if the patch in bug 1758168 fixes this?
If so, can this ticket be closed, and could you add a beta uplift request to bug 1758168?

Flags: needinfo?(gwatson)

Added the beta request, confirming that the patch in that bug fixes this too.

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(gwatson)
Resolution: --- → DUPLICATE
No longer depends on: 1758168

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon