Assertion failure: mHandle, at /dom/canvas/SourceSurfaceWebgl.cpp:116
Categories
(Core :: Graphics: Canvas2D, defect)
Tracking
Release | Tracking | Status
---|---|---
firefox-esr91 | --- | unaffected |
firefox101 | --- | unaffected |
firefox102 | --- | wontfix |
firefox103 | --- | verified |
People
(Reporter: jkratzer, Assigned: lsalzman)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 914ead848de4 (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 914ead848de4 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: mHandle, at /dom/canvas/SourceSurfaceWebgl.cpp:116
==3025922==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f36133c64d8 bp 0x7ffca119f330 sp 0x7ffca119f300 T3025922)
==3025922==The signal is caused by a WRITE memory access.
==3025922==Hint: address points to the zero page.
#0 0x7f36133c64d8 in mozilla::gfx::SourceSurfaceWebgl::OnUnlinkTexture(mozilla::gfx::DrawTargetWebgl::SharedContext*) /dom/canvas/SourceSurfaceWebgl.cpp:116:3
#1 0x7f36133a597e in mozilla::gfx::DrawTargetWebgl::SharedContext::UnlinkSurfaceTexture(RefPtr<mozilla::gfx::TextureHandle> const&) /dom/canvas/DrawTargetWebgl.cpp:244:50
#2 0x7f36133a5c1a in mozilla::gfx::DrawTargetWebgl::SharedContext::PruneTextureHandle(RefPtr<mozilla::gfx::TextureHandle> const&) /dom/canvas/DrawTargetWebgl.cpp:1757:3
#3 0x7f36133a4ee4 in mozilla::gfx::DrawTargetWebgl::SharedContext::ClearAllTextures() /dom/canvas/DrawTargetWebgl.cpp:278:5
#4 0x7f36133a46a6 in mozilla::gfx::DrawTargetWebgl::SharedContext::~SharedContext() /dom/canvas/DrawTargetWebgl.cpp:233:3
#5 0x7f36133bb89f in mozilla::detail::RefCounted<mozilla::gfx::DrawTargetWebgl::SharedContext, (mozilla::detail::RefCountAtomicity)1>::Release() const /builds/worker/workspace/obj-build/dist/include/mozilla/RefCounted.h:255:7
#6 0x7f36133a4184 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
#7 0x7f36133a4184 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
#8 0x7f36133a4184 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
#9 0x7f36133a4184 in mozilla::gfx::DrawTargetWebgl::~DrawTargetWebgl() /dom/canvas/DrawTargetWebgl.cpp:225:1
#10 0x7f36133a44eb in mozilla::gfx::DrawTargetWebgl::~DrawTargetWebgl() /dom/canvas/DrawTargetWebgl.cpp:215:37
#11 0x7f36133cde1e in mozilla::dom::CanvasRenderingContext2D::OnShutdown() /dom/canvas/CanvasRenderingContext2D.cpp:1165:15
#12 0x7f36133ca257 in mozilla::dom::CanvasShutdownObserver::Observe(nsISupports*, char const*, char16_t const*) /dom/canvas/CanvasRenderingContext2D.cpp:896:14
#13 0x7f36102c82be in nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) /xpcom/ds/nsObserverList.cpp:70:19
#14 0x7f36102cbd76 in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) /xpcom/ds/nsObserverService.cpp:291:19
#15 0x7f3610249051 in mozilla::AppShutdown::AdvanceShutdownPhaseInternal(mozilla::ShutdownPhase, bool, char16_t const*, nsCOMPtr<nsISupports> const&) /xpcom/base/AppShutdown.cpp:372:21
#16 0x7f36103bc1c1 in mozilla::ShutdownXPCOM(nsIServiceManager*) /xpcom/build/XPCOMInit.cpp:617:7
#17 0x7f36171cff8c in XRE_TermEmbedding() /toolkit/xre/nsEmbedFunctions.cpp:224:3
#18 0x7f3610f5f40e in mozilla::ipc::ScopedXREEmbed::Stop() /ipc/glue/ScopedXREEmbed.cpp:90:5
#19 0x7f36171d0625 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:738:16
#20 0x5584f818ce90 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#21 0x5584f818ce90 in main /browser/app/nsBrowserApp.cpp:338:18
#22 0x7f36268d8082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#23 0x5584f8162c3c in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x15c3c) (BuildId: 95dc892a518ae6490294d247d3746efd42b03e73)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/canvas/SourceSurfaceWebgl.cpp:116:3 in mozilla::gfx::SourceSurfaceWebgl::OnUnlinkTexture(mozilla::gfx::DrawTargetWebgl::SharedContext*)
==3025922==ABORTING
Reporter
Comment 1•2 years ago
Comment 2•2 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220527092603-914ead848de4.
The bug appears to have been introduced in the following build range:
Start: 1d31a009897964e94d43db5961ff68538d5e8ddb (20220520153703)
End: f0c4c97a8e6aa34214f287cb499321b6a0186c2f (20220520152255)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1d31a009897964e94d43db5961ff68538d5e8ddb&tochange=f0c4c97a8e6aa34214f287cb499321b6a0186c2f
Updated•2 years ago
Updated•2 years ago
Assignee
Comment 3•2 years ago
If a DrawTargetWebgl's snapshot is mapped, then subsequently drawn, this can cause an assert to trigger as we may not have a handle available when we go to unlink the cached snapshot that later gets added to the texture cache. This assert is otherwise harmless, so we just fix the assert.

Otherwise, there are some inefficiencies with this scenario that this patch also tries to address. When we go to draw the snapshot, DrawTargetWillChange gets invoked on the snapshot, and we can ensure in this case the handle is copied efficiently here rather than later uploaded from mapped data.
Updated•2 years ago
Updated•2 years ago
Comment 5•2 years ago
bugherder
Comment 6•2 years ago
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220603034138-1377267c6dc1.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 7•2 years ago
Set release status flags based on info from the regressing bug 1770088
Comment 8•2 years ago
The patch landed in nightly and beta is affected.
:lsalzman, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
Assignee
Updated•2 years ago