1771556 - Hit MOZ_CRASH(bug: no resolve set) at gfx/wr/webrender/src/surface.rs:400

Status: VERIFIED FIXED

(Core :: Graphics: WebRender, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20220527-cf40e7b79bb1 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --xvfb

Hit MOZ_CRASH(bug: no resolve set) at gfx/wr/webrender/src/surface.rs:401

#0 0x7f13e468f500 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7f13e468f500 in RustMozCrash /gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7f13e468eb26 in mozglue_static::panic_hook::h3395d9151612f644 /gecko/mozglue/static/rust/lib.rs:91:9
#3 0x7f13e468e055 in core::ops::function::Fn::call::h123068b42f5e1fd5 /builds/worker/fetches/rust/library/core/src/ops/function.rs:70:5
#4 0x7f13e768eb6f in std::panicking::rust_panic_with_hook::hd4b01d10d132fdc5 (/home/worker/builds/m-c-20220527155857-fuzzing-asan-opt/libxul.so+0x1f9c2b6f) (BuildId: 1a4654099a32781318abae29c7752b5e86b22ef7)
#5 0x7f13e76b0e76 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::head537b50d915cd5 std.19cbab4a-cgu.7
#6 0x7f13e76b0663 in std::sys_common::backtrace::__rust_end_short_backtrace::h3809453eea6ed96e crtstuff.c
#7 0x7f13e768e641 in rust_begin_unwind (/home/worker/builds/m-c-20220527155857-fuzzing-asan-opt/libxul.so+0x1f9c2641) (BuildId: 1a4654099a32781318abae29c7752b5e86b22ef7)
#8 0x7f13d0491e92 in core::panicking::panic_fmt::heea304e80a792787 (/home/worker/builds/m-c-20220527155857-fuzzing-asan-opt/libxul.so+0x87c5e92) (BuildId: 1a4654099a32781318abae29c7752b5e86b22ef7)
#9 0x7f13e76e8d60 in core::panicking::panic_display::h0418174c7b78d9c8 core.a48c58b0-cgu.5
#10 0x7f13e76e8d0a in core::panicking::panic_str::hf444fbebfd604682 core.a48c58b0-cgu.5
#11 0x7f13d04922c5 in core::option::expect_failed::h1d1ddded60d05fd4 (/home/worker/builds/m-c-20220527155857-fuzzing-asan-opt/libxul.so+0x87c62c5) (BuildId: 1a4654099a32781318abae29c7752b5e86b22ef7)
#12 0x7f13e31f0f23 in core::option::Option$LT$T$GT$::expect::h3cbd9a2534d6b2c7 /builds/worker/fetches/rust/library/core/src/option.rs:715:21
#13 0x7f13e31f0f23 in webrender::surface::SurfaceBuilder::pop_surface::h361e1d201f0ad391 /gecko/gfx/wr/webrender/src/surface.rs:401:43
#14 0x7f13e2cad8b9 in webrender::picture::PicturePrimitive::restore_context::hea33f256fc774b14 /gecko/gfx/wr/webrender/src/picture.rs:5807:13
#15 0x7f13e2cdef4b in webrender::prepare::prepare_prim_for_render::h3127679d179643e2 /gecko/gfx/wr/webrender/src/prepare.rs:165:17
#16 0x7f13e2cdef4b in webrender::prepare::prepare_primitives::h64193a31c8eac57e /gecko/gfx/wr/webrender/src/prepare.rs:74:20
#17 0x7f13e2cdee72 in webrender::prepare::prepare_prim_for_render::h3127679d179643e2 /gecko/gfx/wr/webrender/src/prepare.rs:151:17
#18 0x7f13e2cdee72 in webrender::prepare::prepare_primitives::h64193a31c8eac57e /gecko/gfx/wr/webrender/src/prepare.rs:74:20
#19 0x7f13e2cdee72 in webrender::prepare::prepare_prim_for_render::h3127679d179643e2 /gecko/gfx/wr/webrender/src/prepare.rs:151:17
#20 0x7f13e2cdee72 in webrender::prepare::prepare_primitives::h64193a31c8eac57e /gecko/gfx/wr/webrender/src/prepare.rs:74:20
#21 0x7f13e2cdee72 in webrender::prepare::prepare_prim_for_render::h3127679d179643e2 /gecko/gfx/wr/webrender/src/prepare.rs:151:17
#22 0x7f13e2cdee72 in webrender::prepare::prepare_primitives::h64193a31c8eac57e /gecko/gfx/wr/webrender/src/prepare.rs:74:20
#23 0x7f13e2cdee72 in webrender::prepare::prepare_prim_for_render::h3127679d179643e2 /gecko/gfx/wr/webrender/src/prepare.rs:151:17
#24 0x7f13e2cdee72 in webrender::prepare::prepare_primitives::h64193a31c8eac57e /gecko/gfx/wr/webrender/src/prepare.rs:74:20
#25 0x7f13e2cdee72 in webrender::prepare::prepare_prim_for_render::h3127679d179643e2 /gecko/gfx/wr/webrender/src/prepare.rs:151:17
#26 0x7f13e2cdee72 in webrender::prepare::prepare_primitives::h64193a31c8eac57e /gecko/gfx/wr/webrender/src/prepare.rs:74:20
#27 0x7f13e2cdee72 in webrender::prepare::prepare_prim_for_render::h3127679d179643e2 /gecko/gfx/wr/webrender/src/prepare.rs:151:17
#28 0x7f13e2cdee72 in webrender::prepare::prepare_primitives::h64193a31c8eac57e /gecko/gfx/wr/webrender/src/prepare.rs:74:20
#29 0x7f13e2b91252 in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::hfacb0526c38701a7 /gecko/gfx/wr/webrender/src/frame_builder.rs:433:17
#30 0x7f13e2b91252 in webrender::frame_builder::FrameBuilder::build::hcfa5b96003584445 /gecko/gfx/wr/webrender/src/frame_builder.rs:530:9
#31 0x7f13e2db18f5 in webrender::render_backend::Document::build_frame::h87fa01162ec1d431 /gecko/gfx/wr/webrender/src/render_backend.rs:498:25
#32 0x7f13e2dfa3ac in webrender::render_backend::RenderBackend::update_document::h13d5187f36caf6aa /gecko/gfx/wr/webrender/src/render_backend.rs:1389:41
#33 0x7f13e2dd643b in webrender::render_backend::RenderBackend::prepare_transactions::hd2ded8a4ff5d6f6d /gecko/gfx/wr/webrender/src/render_backend.rs:1239:28
#34 0x7f13e2dd643b in webrender::render_backend::RenderBackend::process_api_msg::hf61670111c454cad /gecko/gfx/wr/webrender/src/render_backend.rs:1092:17
#35 0x7f13e2efadc6 in webrender::render_backend::RenderBackend::run::haa9cb2ae0d343428 /gecko/gfx/wr/webrender/src/render_backend.rs:756:21
#36 0x7f13e2efadc6 in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::hcb3a8fa390b06a66 /gecko/gfx/wr/webrender/src/renderer/mod.rs:1337:13
#37 0x7f13e2efadc6 in std::sys_common::backtrace::__rust_begin_short_backtrace::h4dafbc770ad6aa55 /builds/worker/fetches/rust/library/std/src/sys_common/backtrace.rs:122:18
#38 0x7f13e2485366 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h88f8fbd430383405 /builds/worker/fetches/rust/library/std/src/thread/mod.rs:498:17
#39 0x7f13e2485366 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hb8804b28ad56541d /builds/worker/fetches/rust/library/core/src/panic/unwind_safe.rs:271:9
#40 0x7f13e2485366 in std::panicking::try::do_call::h7bbe05adcef33c3b /builds/worker/fetches/rust/library/std/src/panicking.rs:492:40
#41 0x7f13e2485366 in std::panicking::try::hf260e8cba8145cc4 /builds/worker/fetches/rust/library/std/src/panicking.rs:456:19
#42 0x7f13e2485366 in std::panic::catch_unwind::hc4ce5b75f477e245 /builds/worker/fetches/rust/library/std/src/panic.rs:137:14
#43 0x7f13e2485366 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::h24128684628c9b03 /builds/worker/fetches/rust/library/std/src/thread/mod.rs:497:30
#44 0x7f13e2485366 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h78bcaa85df280e3c /builds/worker/fetches/rust/library/core/src/ops/function.rs:227:5
#45 0x7f13e7686d42 in std::sys::unix::thread::Thread::new::thread_start::h84de7bc63cfc8d04 std.19cbab4a-cgu.15
#46 0x7f13f7577608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
#47 0x7f13f713e132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/ITnb2tInfd6urs-tH2OGkQ/index.html

Comment 2

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220527213513-21fcc945a41d.
The bug appears to have been introduced in the following build range:

Start: e758f99cfd50274790c68853e7e43601dfc5cc03 (20220525034254)
End: 07d584cd2e3ba0f83ff2982d73f46218703ed3bc (20220525053027)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=e758f99cfd50274790c68853e7e43601dfc5cc03&tochange=07d584cd2e3ba0f83ff2982d73f46218703ed3bc

Comment 3

[Mayank Bansal]

https://crash-stats.mozilla.org/report/index/4a0a489a-1b34-4e34-9c05-9be7f0220530

Comment 4

[Mayank Bansal]

STR for me :

1. Start with a DPI of 1
2. Open the testcase
3. Use the hamburger menu to zoom-in on the page.

I get a crash at 400% zoom level.

Comment 5

[Glenn Watson [:gw]]

Attachment: Bug 1771556 - Handle backdrop capture failing clip check when sub-graph is visible

This can happen when there is a long nested chain of backdrop-filters
and float inaccuracies cause the final capture primitive to be culled.

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

:gw, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Comment 7

[Pulsebot]

Pushed by gwatson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/83b018946c0b
Handle backdrop capture failing clip check when sub-graph is visible r=gfx-reviewers,lsalzman

Comment 8

[Noemi Erli[:noemi_erli]]

https://hg.mozilla.org/mozilla-central/rev/83b018946c0b

Comment 9

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220601040930-47b031489c06.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 10

[Glenn Watson [:gw]]

Comment on attachment 9278853 [details]
Bug 1771556 - Handle backdrop capture failing clip check when sub-graph is visible

Beta/Release Uplift Approval Request

• User impact if declined: Crash in some cases for users on pages with backdrop-filter that have enabled the backdrop-filter preference. A significant number of users have this preference enabled, even though it's off by default.
• Is this code covered by automated tests?: Yes
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): Small patch, only affects backdrop-filter functionality.
• String changes made/needed:
• Is Android affected?: Yes

Comment 11

[Pascal Chevrel:pascalc (PTO until April 26)]

https://hg.mozilla.org/releases/mozilla-beta/rev/d8b592fc8a41