Closed
Bug 1793513
Opened 2 years ago
Closed 2 years ago
Hit MOZ_CRASH(bug: no intersection with tile dirty rect) at gfx/wr/webrender/src/picture.rs:5024
Categories
(Core :: Graphics: WebRender, defect)
Core
Graphics: WebRender
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | wontfix |
| firefox105 | --- | wontfix |
| firefox106 | --- | wontfix |
| firefox107 | --- | wontfix |
| firefox108 | --- | fix-optional |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Crash Data
Attachments
(1 file)
|
500 bytes,
text/html
|
Details |
Found while fuzzing m-c 20221002-f4529232e0a8 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Hit MOZ_CRASH(bug: no intersection with tile dirty rect) at gfx/wr/webrender/src/picture.rs:5024
#0 0x7f808ff28485 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7f808ff28485 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7f808ff28408 in mozglue_static::panic_hook::h78973aca7351e0a7 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:91:9
#3 0x7f808ff27e8b in core::ops::function::Fn::call::h39922ba40a8415bd /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/core/src/ops/function.rs:77:5
#4 0x7f8090ebdf59 in std::panicking::rust_panic_with_hook::hf26e9d4f97b40096 /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/panicking.rs:702:17
#5 0x7f8090ebdd96 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hfab912107608087a /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/panicking.rs:588:13
#6 0x7f8090ebb053 in std::sys_common::backtrace::__rust_end_short_backtrace::h434b685ce8d9965b /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/sys_common/backtrace.rs:138:18
#7 0x7f8090ebdac8 in rust_begin_unwind /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/panicking.rs:584:5
#8 0x7f80862e3cd2 in core::panicking::panic_fmt::ha6dc7f2ab2479463 /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/core/src/panicking.rs:142:14
#9 0x7f8090f125c0 in core::panicking::panic_display::h372d79c23510af4d /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/core/src/panicking.rs:72:5
#10 0x7f8090f1256a in core::panicking::panic_str::h61705effd6c84979 /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/core/src/panicking.rs:56:5
#11 0x7f80862e3b45 in core::option::expect_failed::hef4294f320c9cc36 /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/core/src/option.rs:1874:5
#12 0x7f808fa4d3ac in core::option::Option$LT$T$GT$::expect::hdb0fda8518b90463 /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/core/src/option.rs:738:21
#13 0x7f808fa4d3ac in webrender::picture::PicturePrimitive::take_context::hee697490d4cca1c7 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/picture.rs:5022:63
#14 0x7f808fa07f9e in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::hd7a38dc34aa8f881 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/frame_builder.rs:398:72
#15 0x7f808fa07f9e in webrender::frame_builder::FrameBuilder::build::h79a580411776924d /builds/worker/checkouts/gecko/gfx/wr/webrender/src/frame_builder.rs:510:9
#16 0x7f808fa7f446 in webrender::render_backend::Document::build_frame::h305d70588992f922 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:515:25
#17 0x7f808fa900ac in webrender::render_backend::RenderBackend::update_document::h3fc4a9cc74235106 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1406:41
#18 0x7f808fa86e99 in webrender::render_backend::RenderBackend::prepare_transactions::h105c31dc47308715 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1250:28
#19 0x7f808fa86e99 in webrender::render_backend::RenderBackend::process_api_msg::h727885676fb76fdc /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1103:17
#20 0x7f808f89962c in webrender::render_backend::RenderBackend::run::h90d5fcd2bf8dc001 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:773:21
#21 0x7f808f89962c in webrender::renderer::init::create_webrender_instance::_$u7b$$u7b$closure$u7d$$u7d$::hfe34336849990a7a /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/init.rs:678:9
#22 0x7f808f89962c in std::sys_common::backtrace::__rust_begin_short_backtrace::h941bd6b15e575d82 /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/sys_common/backtrace.rs:122:18
#23 0x7f808f8b942e in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h2996c2e12035a041 /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/thread/mod.rs:505:17
#24 0x7f808f8b942e in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hfc9d80caa5cf001b /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/core/src/panic/unwind_safe.rs:271:9
#25 0x7f808f8b942e in std::panicking::try::do_call::hcc5371bf27c5de7f /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/panicking.rs:492:40
#26 0x7f808f8b942e in std::panicking::try::h0642a0f2c3d01a42 /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/panicking.rs:456:19
#27 0x7f808f8b942e in std::panic::catch_unwind::h0a360707586c5262 /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/panic.rs:137:14
#28 0x7f808f8b942e in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::h62d2feb683afb3b0 /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/thread/mod.rs:504:30
#29 0x7f808f8b942e in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::ha2d4541a0570fb4c /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/core/src/ops/function.rs:248:5
#30 0x7f8090ec8052 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h56d5fc072706762b /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/alloc/src/boxed.rs:1935:9
#31 0x7f8090ec8052 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h41deef8e33b824bb /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/alloc/src/boxed.rs:1935:9
#32 0x7f8090ec8052 in std::sys::unix::thread::Thread::new::thread_start::ha6436304a1170bba /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/sys/unix/thread.rs:108:17
#33 0x7f809d7f0608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
#34 0x7f809d3b7132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?
|
Reporter | |
Comment 1•2 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/mk6fsId_tl65YaSWgRIbFA/index.html
|
||
Comment 2•2 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20221003212025-d1d1d489003c.
The bug appears to have been introduced in the following build range:
Start: 1e98fd258975d2e4bc9b7d9ed20d4d0a91f7cf9f (20220518031437)
End: 79f4180c783b1e72fccb1e49fb8db086ea12ecca (20220518033138)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1e98fd258975d2e4bc9b7d9ed20d4d0a91f7cf9f&tochange=79f4180c783b1e72fccb1e49fb8db086ea12ecca
Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
|
||
Comment 3•2 years ago
|
||
Crash Signature: [@ core::option::expect_failed | enum$<T>::expect | webrender::picture::PicturePrimitive::take_context ]
|
|
||
Updated•2 years ago
|
Flags: needinfo?(gwatson)
|
||
Updated•2 years ago
|
Flags: needinfo?(gwatson)
|
||
Comment 4•2 years ago
|
||
Set release status flags based on info from the regressing bug 1749625
:gw, since you are the author of the regressor, bug 1749625, could you take a look? Also, could you set the severity field?
For more information, please visit auto_nag documentation.
status-firefox105:
--- → affected
status-firefox106:
--- → affected
status-firefox-esr102:
--- → affected
Flags: needinfo?(gwatson)
|
|
||
Updated•2 years ago
|
Severity: -- → S3
Flags: needinfo?(gwatson)
|
||
Updated•2 years ago
|
|
||
Comment 5•2 years ago
|
||
Set release status flags based on info from the regressing bug 1749625
status-firefox108:
--- → affected
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
||
Comment 6•2 years ago
|
||
Testcase crashes using the initial build (mozilla-central 20221002212226-f4529232e0a8) but not with tip (mozilla-central 20230203160655-a356e2d3cf46.)
The bug appears to have been fixed in the following build range:
Start: 49ac19f1e04696769d37ba1b347a5b5e73d1bec7 (20230130035123)
End: c2571e59e07b002d81147f456691933ababc17f9 (20230130025721)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=49ac19f1e04696769d37ba1b347a5b5e73d1bec7&tochange=c2571e59e07b002d81147f456691933ababc17f9
tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Flags: needinfo?(twsmith)
Keywords: bugmon
|
|
Reporter | |
Updated•2 years ago
|
Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(twsmith)
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•