Hit MOZ_CRASH(assertion failed: task_size.height <= MAX_SURFACE_SIZE as i32) at gfx/wr/webrender/src/picture.rs:6815
Categories
(Core :: Graphics: WebRender, defect, P2)
Tracking
()
Release | Tracking | Status |
---|---|---|
firefox-esr91 | --- | unaffected |
firefox98 | --- | unaffected |
firefox99 | --- | fixed |
firefox100 | --- | fixed |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file: 543 bytes, text/plain)
Testcase found while fuzzing mozilla-central rev 11820f4551ab (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 11820f4551ab --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Hit MOZ_CRASH(assertion failed: task_size.height <= MAX_SURFACE_SIZE as i32) at gfx/wr/webrender/src/picture.rs:6815
==280294==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f28cdaced35 bp 0x7f28b4b570d0 sp 0x7f28b4b570c0 T280439)
==280294==The signal is caused by a WRITE memory access.
==280294==Hint: address points to the zero page.
#0 0x7f28cdaced35 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7f28cdaced35 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
#2 0x7f28cdaceb94 in mozglue_static::panic_hook::h773f18c382903796 /mozglue/static/rust/lib.rs:91:9
#3 0x7f28cdace6fb in core::ops::function::Fn::call::ha1de6d8c8d2b790f /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/ops/function.rs:70:5
#4 0x7f28ce8bd134 in std::panicking::rust_panic_with_hook::h1a5ea2d6c23051aa /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:610:17
#5 0x7f28ce8bce01 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h07f549390938b73f /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:500:13
#6 0x7f28ce8b8d13 in std::sys_common::backtrace::__rust_end_short_backtrace::h5ec3758a92cfb00d /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/sys_common/backtrace.rs:139:18
#7 0x7f28ce8bcb68 in rust_begin_unwind /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:498:5
#8 0x7f28c428f600 in core::panicking::panic_fmt::h3a79a6a99affe1d5 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/panicking.rs:116:14
#9 0x7f28c428f54c in core::panicking::panic::h97167cd315d19cd4 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/panicking.rs:48:5
#10 0x7f28cd45c538 in webrender::picture::get_surface_rects::h2498a292b762deae /gfx/wr/webrender/src/picture.rs:6815:5
#11 0x7f28cd45c538 in webrender::picture::PicturePrimitive::take_context::hc9431cfe24337ed5 /gfx/wr/webrender/src/picture.rs:4929:43
#12 0x7f28cd46be11 in webrender::prepare::prepare_prim_for_render::h7a87af478aecc343 /gfx/wr/webrender/src/prepare.rs:159:15
#13 0x7f28cd46be11 in webrender::prepare::prepare_primitives::hddf1ba99a8ddad2e /gfx/wr/webrender/src/prepare.rs:108:16
#14 0x7f28cd419a0a in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::hffb17423832a954a /gfx/wr/webrender/src/frame_builder.rs:502:17
#15 0x7f28cd419a0a in webrender::frame_builder::FrameBuilder::build::he9c3d4392d7dc5fa /gfx/wr/webrender/src/frame_builder.rs:593:9
#16 0x7f28cd4973f6 in webrender::render_backend::Document::build_frame::hdb47e483955b9990 /gfx/wr/webrender/src/render_backend.rs:493:25
#17 0x7f28cd4ad9fa in webrender::render_backend::RenderBackend::update_document::hddcfd3ccea10d6f7 /gfx/wr/webrender/src/render_backend.rs:1387:41
#18 0x7f28cd4a2920 in webrender::render_backend::RenderBackend::prepare_transactions::hb5ea8d5add0fff26 /gfx/wr/webrender/src/render_backend.rs:1236:28
#19 0x7f28cd4a2920 in webrender::render_backend::RenderBackend::process_api_msg::h420b35c10dc36626 /gfx/wr/webrender/src/render_backend.rs:1088:17
#20 0x7f28cd4d4fdc in webrender::render_backend::RenderBackend::run::h2e623193e95a1225 /gfx/wr/webrender/src/render_backend.rs:758:21
#21 0x7f28cd4d4fdc in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::h71d03fd1931e9bd6 /gfx/wr/webrender/src/renderer/mod.rs:1328:13
#22 0x7f28cd4d4fdc in std::sys_common::backtrace::__rust_begin_short_backtrace::haa681597b7253c7c /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/sys_common/backtrace.rs:123:18
#23 0x7f28cd26a27e in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h2164df2487f01841 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/thread/mod.rs:477:17
#24 0x7f28cd26a27e in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h0247046a4e5f6a61 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/panic/unwind_safe.rs:271:9
#25 0x7f28cd26a27e in std::panicking::try::do_call::h34f69670c47ed47f /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:406:40
#26 0x7f28cd26a27e in std::panicking::try::hb1c8891e6e1c3b28 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:370:19
#27 0x7f28cd26a27e in std::panic::catch_unwind::he0e01a26201bb699 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panic.rs:133:14
#28 0x7f28cd26a27e in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::h6c42819231972e85 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/thread/mod.rs:476:30
#29 0x7f28cd26a27e in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::hbe8f8a7be2039d20 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/ops/function.rs:227:5
#30 0x7f28ce8c8d82 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h49b6c7c5155a2296 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/alloc/src/boxed.rs:1854:9
#31 0x7f28ce8c8d82 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::ha8b5234bfeb15105 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/alloc/src/boxed.rs:1854:9
#32 0x7f28ce8c8d82 in std::sys::unix::thread::Thread::new::thread_start::h6f207dd842d64859 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/sys/unix/thread.rs:108:17
#33 0x7f28dc6ec608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8
#34 0x7f28dc2b3162 in __clone /build/glibc-sMfBJT/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash
==280294==ABORTING
Reporter
Comment 1•2 years ago
Comment 2•2 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220308220159-c06bbb0ddc24.
The bug appears to have been introduced in the following build range:
Start: cd1ca5184c73edfc4af351ad4c89ea994311625b (20220228215749)
End: 9f3cb0197f1ff639627e97ea474596fc6ccb2a1f (20220228232435)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=cd1ca5184c73edfc4af351ad4c89ea994311625b&tochange=9f3cb0197f1ff639627e97ea474596fc6ccb2a1f
Comment 3•2 years ago
:gw, since you are the author of the regressor, bug 1757002, could you take a look?
For more information, please visit auto_nag documentation.
Comment 4•2 years ago
This should be fixed by the patch in https://bugzilla.mozilla.org/show_bug.cgi?id=1758168 (similar assert, one checking for width, one for height).
Comment 5•2 years ago
Set release status flags based on info from the regressing bug 1757002
Comment 6•2 years ago
:gw can you confirm if the patch in bug 1758168 fixes this?
If so, can this ticket be closed, and could you add a beta uplift request to bug 1758168?
Comment 7•2 years ago
Added the beta request, confirming that the patch in that bug fixes this too.
Comment 8•1 year ago
No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.