1765672 - Hit MOZ_CRASH(bug: no resolve set) at gfx/wr/webrender/src/surface.rs:400

Status: RESOLVED FIXED

(Core :: Graphics: WebRender, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20220420-a33cd50e2f73 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(bug: no resolve set) at gfx/wr/webrender/src/surface.rs:400

#0 0x7f40b9d7eef0 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7f40b9d7eef0 in RustMozCrash /gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7f40b9d7e516 in mozglue_static::panic_hook::hbabeaf6d033978a2 /gecko/mozglue/static/rust/lib.rs:91:9
#3 0x7f40b9d7da35 in core::ops::function::Fn::call::h2e66ea81006e3482 /builds/worker/fetches/rust/library/core/src/ops/function.rs:70:5
#4 0x7f40bce35745 in std::panicking::rust_panic_with_hook::ha5b022af6db450bf (/home/worker/builds/m-c-20220420215300-fuzzing-asan-opt/libxul.so+0x1f88d745)
#5 0x7f40bce4395f in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h047793a3a1b79e4c std.44d4124d-cgu.4
#6 0x7f40bce42dc3 in std::sys_common::backtrace::__rust_end_short_backtrace::h901cddcf8e784223 crtstuff.c
#7 0x7f40bce35241 in rust_begin_unwind (/home/worker/builds/m-c-20220420215300-fuzzing-asan-opt/libxul.so+0x1f88d241)
#8 0x7f40a5d0ba50 in core::panicking::panic_fmt::hba17afda0a601067 (/home/worker/builds/m-c-20220420215300-fuzzing-asan-opt/libxul.so+0x8763a50)
#9 0x7f40bce8af40 in core::panicking::panic_display::hf2d7a1f4af0ca942 core.aefc1520-cgu.4
#10 0x7f40bce8aeea in core::panicking::panic_str::h127fb0c5d72f9299 core.aefc1520-cgu.4
#11 0x7f40a5d0bdd5 in core::option::expect_failed::h0ffbf207fd4ac110 (/home/worker/builds/m-c-20220420215300-fuzzing-asan-opt/libxul.so+0x8763dd5)
#12 0x7f40b88b6301 in core::option::Option$LT$T$GT$::expect::he53ba85b1f1fe37c /builds/worker/fetches/rust/library/core/src/option.rs:692:21
#13 0x7f40b88b6301 in webrender::surface::SurfaceBuilder::pop_surface::h8a69e3c04270c632 /gecko/gfx/wr/webrender/src/surface.rs:400:43
#14 0x7f40b8370767 in webrender::picture::PicturePrimitive::restore_context::hf92ff139c684a962 /gecko/gfx/wr/webrender/src/picture.rs:5559:13
#15 0x7f40b83a41fe in webrender::prepare::prepare_prim_for_render::hb4f673f279a9839a /gecko/gfx/wr/webrender/src/prepare.rs:165:17
#16 0x7f40b83a41fe in webrender::prepare::prepare_primitives::hfae0d9a31c070810 /gecko/gfx/wr/webrender/src/prepare.rs:74:20
#17 0x7f40b825878d in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::hd07ba357b9208f59 /gecko/gfx/wr/webrender/src/frame_builder.rs:433:17
#18 0x7f40b825878d in webrender::frame_builder::FrameBuilder::build::h64587b6a6aa516b1 /gecko/gfx/wr/webrender/src/frame_builder.rs:529:9
#19 0x7f40b84727f7 in webrender::render_backend::Document::build_frame::h669a6c3681208acb /gecko/gfx/wr/webrender/src/render_backend.rs:493:25
#20 0x7f40b84bae72 in webrender::render_backend::RenderBackend::update_document::hab939172d2b73167 /gecko/gfx/wr/webrender/src/render_backend.rs:1385:41
#21 0x7f40b84965dd in webrender::render_backend::RenderBackend::prepare_transactions::h5b679dccf114893f /gecko/gfx/wr/webrender/src/render_backend.rs:1234:28
#22 0x7f40b84965dd in webrender::render_backend::RenderBackend::process_api_msg::h343174545c86a662 /gecko/gfx/wr/webrender/src/render_backend.rs:1087:17
#23 0x7f40b8563b29 in webrender::render_backend::RenderBackend::run::h595db03f8e723007 /gecko/gfx/wr/webrender/src/render_backend.rs:751:21
#24 0x7f40b8563b29 in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::hb88652f8528671c9 /gecko/gfx/wr/webrender/src/renderer/mod.rs:1337:13
#25 0x7f40b8563b29 in std::sys_common::backtrace::__rust_begin_short_backtrace::h81063c886e3a7d9b /builds/worker/fetches/rust/library/std/src/sys_common/backtrace.rs:123:18
#26 0x7f40b7b3739d in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h53e03bedcd9a8100 /builds/worker/fetches/rust/library/std/src/thread/mod.rs:477:17
#27 0x7f40b7b3739d in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h8520b0074aa41e50 /builds/worker/fetches/rust/library/core/src/panic/unwind_safe.rs:271:9
#28 0x7f40b7b3739d in std::panicking::try::do_call::hd65820a135b33d67 /builds/worker/fetches/rust/library/std/src/panicking.rs:406:40
#29 0x7f40b7b3739d in std::panicking::try::h7bdb626f4d9e6f18 /builds/worker/fetches/rust/library/std/src/panicking.rs:370:19
#30 0x7f40b7b3739d in std::panic::catch_unwind::h93d1417fa849128d /builds/worker/fetches/rust/library/std/src/panic.rs:133:14
#31 0x7f40b7b3739d in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::h36d2e54fccc20401 /builds/worker/fetches/rust/library/std/src/thread/mod.rs:476:30
#32 0x7f40b7b3739d in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h163408733e963932 /builds/worker/fetches/rust/library/core/src/ops/function.rs:227:5
#33 0x7f40bce2f292 in std::sys::unix::thread::Thread::new::thread_start::hea5bd76ff79c6284 std.44d4124d-cgu.14
#34 0x7f40cbdf1608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8
#35 0x7f40cb9b8162 in __clone /build/glibc-sMfBJT/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/1ri7mF5i-0Ypxg-hgtXueQ/index.html

Comment 2

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220420215300-a33cd50e2f73.
The bug appears to have been introduced in the following build range:

Start: f78fb89b9c2f6255da18795f55dd420dcb1be6b2 (20220420033948)
End: 849fefd14eb18d73b04252d40e2807e894c6c2f5 (20220420055531)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f78fb89b9c2f6255da18795f55dd420dcb1be6b2&tochange=849fefd14eb18d73b04252d40e2807e894c6c2f5

Comment 3

[Jim Mathies [:jimm]]

Tim, Sotaro, and Glenn all had landings here. Sotaro, looks like you made a change related to transactions so might be related to that?

Comment 4

[Ryan VanderMeulen [:RyanVM]]

backdrop-filter seems more likely?

Comment 5

[Glenn Watson [:gw]]

This will definitely be related to the backdrop-filter changes, though I've been unable to reproduce so far via either the grizzly harness or just a local run from m-c.

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1764005

Comment 7

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220420215300-a33cd50e2f73) but not with tip (mozilla-central 20220506222931-d6ef5a49cd7d.)
The bug appears to have been fixed in the following build range:

Start: d7ad2eff79c5401a961858021ffdbf727e9b79ff (20220426072839)
End: bc6e0a6f3cbce9a2a6bfee5a67791046a0935f7a (20220426095745)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=d7ad2eff79c5401a961858021ffdbf727e9b79ff&tochange=bc6e0a6f3cbce9a2a6bfee5a67791046a0935f7a
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 8

[BugBot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:gw, could you have a look please?

For more information, please visit auto_nag documentation.

Comment 9

[Glenn Watson [:gw]]

I believe this has been resolved as part of the recent backdrop-filter fix patches that have landed. Let's close and reopen if it occurs again (crash stats look good so far).