Closed Bug 1771561 Opened 2 years ago Closed 2 years ago

Hit MOZ_CRASH(bug: no intersection with tile dirty rect) at gfx/wr/webrender/src/picture.rs:4951

Categories

(Core :: Graphics: WebRender, defect)

RESOLVED FIXED
103 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox101 --- unaffected
firefox102 --- fixed
firefox103 --- fixed

People

(Reporter: tsmith, Assigned: gw)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase)

Attachments

(3 files)

Attached file testcase.html

Found while fuzzing m-c 20220527-cf40e7b79bb1 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(bug: no intersection with tile dirty rect) at gfx/wr/webrender/src/picture.rs:4951

#0 0x7fad586a7fb0 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7fad586a7fb0 in RustMozCrash /gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7fad586a75d6 in mozglue_static::panic_hook::h3395d9151612f644 /gecko/mozglue/static/rust/lib.rs:91:9
#3 0x7fad586a6b05 in core::ops::function::Fn::call::h123068b42f5e1fd5 /builds/worker/fetches/rust/library/core/src/ops/function.rs:70:5
#4 0x7fad5b6a530f in std::panicking::rust_panic_with_hook::hd4b01d10d132fdc5 (/home/worker/builds/m-c-20220520153703-fuzzing-asan-opt/libxul.so+0x1f97e30f) (BuildId: 252f060486515371780ffff87ddf935879b659f7)
#5 0x7fad5b6c7616 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::head537b50d915cd5 std.19cbab4a-cgu.7
#6 0x7fad5b6c6e03 in std::sys_common::backtrace::__rust_end_short_backtrace::h3809453eea6ed96e crtstuff.c
#7 0x7fad5b6a4de1 in rust_begin_unwind (/home/worker/builds/m-c-20220520153703-fuzzing-asan-opt/libxul.so+0x1f97dde1) (BuildId: 252f060486515371780ffff87ddf935879b659f7)
#8 0x7fad444d1b62 in core::panicking::panic_fmt::heea304e80a792787 (/home/worker/builds/m-c-20220520153703-fuzzing-asan-opt/libxul.so+0x87aab62) (BuildId: 252f060486515371780ffff87ddf935879b659f7)
#9 0x7fad5b6ff500 in core::panicking::panic_display::h0418174c7b78d9c8 core.a48c58b0-cgu.5
#10 0x7fad5b6ff4aa in core::panicking::panic_str::hf444fbebfd604682 core.a48c58b0-cgu.5
#11 0x7fad444d1f95 in core::option::expect_failed::h1d1ddded60d05fd4 (/home/worker/builds/m-c-20220520153703-fuzzing-asan-opt/libxul.so+0x87aaf95) (BuildId: 252f060486515371780ffff87ddf935879b659f7)
#12 0x7fad56ccd5ba in core::option::Option$LT$T$GT$::expect::h495328f59e710181 /builds/worker/fetches/rust/library/core/src/option.rs:715:21
#13 0x7fad56ccd5ba in webrender::picture::PicturePrimitive::take_context::h2ad4f6bf9e7fac2a /gecko/gfx/wr/webrender/src/picture.rs:4949:63
#14 0x7fad56bb9dd1 in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::h68bf8b665f5d85b7 /gecko/gfx/wr/webrender/src/frame_builder.rs:418:72
#15 0x7fad56bb9dd1 in webrender::frame_builder::FrameBuilder::build::h28adc6270830f71f /gecko/gfx/wr/webrender/src/frame_builder.rs:529:9
#16 0x7fad56dd7866 in webrender::render_backend::Document::build_frame::hf92ee3cfd0c4baeb /gecko/gfx/wr/webrender/src/render_backend.rs:494:25
#17 0x7fad56e1e78c in webrender::render_backend::RenderBackend::update_document::h13d5187f36caf6aa /gecko/gfx/wr/webrender/src/render_backend.rs:1385:41
#18 0x7fad56dfac6b in webrender::render_backend::RenderBackend::prepare_transactions::hd2ded8a4ff5d6f6d /gecko/gfx/wr/webrender/src/render_backend.rs:1235:28
#19 0x7fad56dfac6b in webrender::render_backend::RenderBackend::process_api_msg::hf61670111c454cad /gecko/gfx/wr/webrender/src/render_backend.rs:1088:17
#20 0x7fad56f1ffd6 in webrender::render_backend::RenderBackend::run::haa9cb2ae0d343428 /gecko/gfx/wr/webrender/src/render_backend.rs:752:21
#21 0x7fad56f1ffd6 in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::hcb3a8fa390b06a66 /gecko/gfx/wr/webrender/src/renderer/mod.rs:1337:13
#22 0x7fad56f1ffd6 in std::sys_common::backtrace::__rust_begin_short_backtrace::h4dafbc770ad6aa55 /builds/worker/fetches/rust/library/std/src/sys_common/backtrace.rs:122:18
#23 0x7fad564c5ded in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h88f8fbd430383405 /builds/worker/fetches/rust/library/std/src/thread/mod.rs:498:17
#24 0x7fad564c5ded in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hb8804b28ad56541d /builds/worker/fetches/rust/library/core/src/panic/unwind_safe.rs:271:9
#25 0x7fad564c5ded in std::panicking::try::do_call::h7bbe05adcef33c3b /builds/worker/fetches/rust/library/std/src/panicking.rs:492:40
#26 0x7fad564c5ded in std::panicking::try::hf260e8cba8145cc4 /builds/worker/fetches/rust/library/std/src/panicking.rs:456:19
#27 0x7fad564c5ded in std::panic::catch_unwind::hc4ce5b75f477e245 /builds/worker/fetches/rust/library/std/src/panic.rs:137:14
#28 0x7fad564c5ded in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::h24128684628c9b03 /builds/worker/fetches/rust/library/std/src/thread/mod.rs:497:30
#29 0x7fad564c5ded in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h78bcaa85df280e3c /builds/worker/fetches/rust/library/core/src/ops/function.rs:227:5
#30 0x7fad5b69d4e2 in std::sys::unix::thread::Thread::new::thread_start::h84de7bc63cfc8d04 std.19cbab4a-cgu.15
#31 0x7fad6b575608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
#32 0x7fad6b13c132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/vEvZZzvSQD2NmVtMoZNGqA/index.html

Crash Signature: [@ core::option::expect_failed | webrender::picture::PicturePrimitive::take_context ]

Bugmon Analysis
Unable to reproduce bug 1771561 using build mozilla-central 20220527155857-cf40e7b79bb1. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Crashes with layout.css.backdrop-filter.enabled=True

Regression range:
pushes?changeset=79f4180c783b1e72fccb1e49fb8db086ea12ecca&full=1 HTTP/1.1" 200 None
2022-05-29T08:50:06.276000: DEBUG : Found commit message:
Bug 1749625 - Fix up and re-enable backdrop-filter r=gfx-reviewers,lsalzman

Differential Revision: https://phabricator.services.mozilla.com/D146643

2022-05-29T08:50:06.276000: DEBUG : Did not find a branch, checking all integration branches
2022-05-29T08:50:06.276000: INFO : The bisection is done.
2022-05-29T08:50:06.276000: INFO : Stopped

Flags: needinfo?(gwatson)
Regressed by: 1749625
Assignee: nobody → gwatson
Flags: needinfo?(gwatson)

This requires DPI of 1.5 to repro. Or alternatively, start with DPI=1, and then use the hamburger menu buttons to zoom in on the page.
The testcase doesn't repro when DPI is 1 on my system.

Attached file about:support
Has Regression Range: --- → yes
Pushed by gwatson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/933672bbf01f Fix incorrectly invalidating tiles with zero-sized backdrop filters r=gfx-reviewers,lsalzman
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 103 Branch

Comment on attachment 9278864 [details]
Bug 1771561 - Fix incorrectly invalidating tiles with zero-sized backdrop filters

Beta/Release Uplift Approval Request

  • User impact if declined: Crash in some cases for users on pages with backdrop-filter that have enabled the backdrop-filter preference. A significant number of users have this preference enabled, even though it's off by default.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Small patch, only affects backdrop-filter functionality.
  • String changes made/needed:
  • Is Android affected?: Yes
Attachment #9278864 - Flags: approval-mozilla-beta?
Flags: in-testsuite? → in-testsuite+

Comment on attachment 9278864 [details]
Bug 1771561 - Fix incorrectly invalidating tiles with zero-sized backdrop filters

We have no crash report on beta with this signature, and the patch also does not graft cleanly to the beta branch. Unless we intend to activate this feature in 102, I think this should ride the trains.

Attachment #9278864 - Flags: approval-mozilla-beta? → approval-mozilla-beta-

Comment on attachment 9278864 [details]
Bug 1771561 - Fix incorrectly invalidating tiles with zero-sized backdrop filters

The patch didn't graft because it was built on top of Bug 1771556 which was also for uplift. Note that the uplift form has a field asking if an uplift is dependent on another bug to uplift. Approved for 102 beta 5, thanks.

Attachment #9278864 - Flags: approval-mozilla-beta- → approval-mozilla-beta+