Closed Bug 1808830 Opened 2 years ago Closed 2 years ago

Hit MOZ_CRASH(called `Option::unwrap()` on a `None` value) at gfx/wr/webrender/src/prepare.rs:275

Categories

(Core :: Graphics: WebRender, defect)

defect

Tracking

()

VERIFIED FIXED
111 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox108 --- wontfix
firefox109 --- wontfix
firefox110 --- wontfix
firefox111 --- verified

People

(Reporter: tsmith, Assigned: gw)

References

(Blocks 2 open bugs, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20221105-063bef6f2545 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(called Option::unwrap() on a None value) at gfx/wr/webrender/src/prepare.rs:275

#0 0x7f9ab4b82b15 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7f9ab4b82b15 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7f9ab4b82a92 in mozglue_static::panic_hook::h54d936b166c9baa9 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:91:9
#3 0x7f9ab4b8255b in core::ops::function::Fn::call::hca13bd9519fdde34 /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/core/src/ops/function.rs:78:5
#4 0x7f9ab5c2c1d8 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::h44df53ea2a13204b /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/alloc/src/boxed.rs:2001:9
#5 0x7f9ab5c2c1d8 in std::panicking::rust_panic_with_hook::hfd45b6b6c12d9fa5 /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/std/src/panicking.rs:692:13
#6 0x7f9ab5c2bf10 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hf591e8609a75bd4b /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/std/src/panicking.rs:577:13
#7 0x7f9ab5c2928b in std::sys_common::backtrace::__rust_end_short_backtrace::h81899558795e4ff7 /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/std/src/sys_common/backtrace.rs:137:18
#8 0x7f9ab5c2bc71 in rust_begin_unwind /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/std/src/panicking.rs:575:5
#9 0x7f9ab5c82932 in core::panicking::panic_fmt::h4235fa9b4675b332 /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/core/src/panicking.rs:65:14
#10 0x7f9ab5c82a0c in core::panicking::panic::h9ced3cf2f605ba6a /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/core/src/panicking.rs:115:5
#11 0x7f9ab46d9221 in webrender::prepare::prepare_interned_prim_for_render::h02d66d112ebb1926 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs
#12 0x7f9ab46d1d5f in webrender::prepare::prepare_prim_for_render::h9a66844443c7fb60 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:205:10
#13 0x7f9ab46d1d5f in webrender::prepare::prepare_primitives::h6f1f1693aa03263c /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:76:45
#14 0x7f9ab4694bd1 in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::h8c1693c48207e17b /builds/worker/checkouts/gecko/gfx/wr/webrender/src/frame_builder.rs:421:17
#15 0x7f9ab4694bd1 in webrender::frame_builder::FrameBuilder::build::hee3020f2207461f8 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/frame_builder.rs:521:9
#16 0x7f9ab46f3cbe in webrender::render_backend::Document::build_frame::hdf2c7b073acbdf69 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:515:25
#17 0x7f9ab470b2ee in webrender::render_backend::RenderBackend::update_document::hc6e297cbf2a1dbd2 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1406:41
#18 0x7f9ab4702068 in webrender::render_backend::RenderBackend::prepare_transactions::hf461dd6a6817405f /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1250:28
#19 0x7f9ab4702068 in webrender::render_backend::RenderBackend::process_api_msg::hbe92d396a45c969f /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1103:17
#20 0x7f9ab44dd11d in webrender::render_backend::RenderBackend::run::hc8e549ef61e64815 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:773:21
#21 0x7f9ab44dd11d in webrender::renderer::init::create_webrender_instance::_$u7b$$u7b$closure$u7d$$u7d$::hc2f7b8fee8eaf618 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/init.rs:678:9
#22 0x7f9ab44dd11d in std::sys_common::backtrace::__rust_begin_short_backtrace::ha0482914c9f7dd66 /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/std/src/sys_common/backtrace.rs:121:18
#23 0x7f9ab44f0511 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h25ce8d6f1124777d /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/std/src/thread/mod.rs:551:17
#24 0x7f9ab44f0511 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h424969af1a14f38a /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/core/src/panic/unwind_safe.rs:271:9
#25 0x7f9ab44f0511 in std::panicking::try::do_call::h969f53f0f5ab2efa /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/std/src/panicking.rs:483:40
#26 0x7f9ab44f0511 in std::panicking::try::hda0d858ec1232c04 /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/std/src/panicking.rs:447:19
#27 0x7f9ab44f0511 in std::panic::catch_unwind::h190b9fe460ff2870 /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/std/src/panic.rs:137:14
#28 0x7f9ab44f0511 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::hbdb8c95552ccd391 /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/std/src/thread/mod.rs:550:30
#29 0x7f9ab44f0511 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h7420087903cf817b /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/core/src/ops/function.rs:251:5
#30 0x7f9ab5c35c82 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h4273f95ec44459b3 /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/alloc/src/boxed.rs:1987:9
#31 0x7f9ab5c35c82 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h70f28fa4ddc269e5 /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/alloc/src/boxed.rs:1987:9
#32 0x7f9ab5c35c82 in std::sys::unix::thread::Thread::new::thread_start::h85a9c16b988e2bd0 /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/std/src/sys/unix/thread.rs:108:17
#33 0x7f9abeaa8b42 in start_thread nptl/pthread_create.c:442:8
#34 0x7f9abeb3a9ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Flags: in-testsuite?
Crash Signature: [@ enum2$<T>::as_mut ]
Keywords: crash

This testcase triggers warning on builds from 2020.
However, the testcase started crashing after bug 1749380

Bug 1749380 - Part 2 - Performance and quality fixes for part 1. r=gfx-reviewers,nical

Differential Revision: https://phabricator.services.mozilla.com/D138982

2023-01-06T14:05:44.937000: DEBUG : Did not find a branch, checking all integration branches
2023-01-06T14:05:44.955000: INFO : The bisection is done.
2023-01-06T14:05:44.964000: INFO : Stopped

Marking this as regression for now.

Flags: needinfo?(gwatson)
Regressed by: 1749380

Different crash signature on Linux, but same regression range: bp-e401a6b2-1d3f-47fc-9069-1983a0230106

Blocks: wr-stability
Crash Signature: [@ enum2$<T>::as_mut ] → [@ enum2$<T>::as_mut ] [@ webrender::prepare::prepare_interned_prim_for_render ]
OS: Unspecified → All
Hardware: Unspecified → All

A Pernosco session is available here: https://pernos.co/debug/pC22AKPUFmgyw-Yno5DlwA/index.html

Verified bug as reproducible on mozilla-central 20230106214742-7968ae37c117.
The bug appears to have been introduced in the following build range:

Start: 7f0c7c21dbfaddd8b0afa6d372368d98b373e69a (20220219214603)
End: 2b42abbdb0df38f31dfa1178fe3b5f773f8e4812 (20220220185923)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=7f0c7c21dbfaddd8b0afa6d372368d98b373e69a&tochange=2b42abbdb0df38f31dfa1178fe3b5f773f8e4812

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Severity: -- → S3
Flags: needinfo?(gwatson)

:gw, since you are the author of the regressor, bug 1749380, could you take a look?

For more information, please visit auto_nag documentation.

Flags: needinfo?(gwatson)
Assignee: nobody → gwatson
Flags: needinfo?(gwatson)

Ugh, that first signature is terrible, I'll file a bug to improve it.

Depends on: 1809847

When the scale is very large, we need to adjust that before
doing the cast to integer units.

Pushed by gwatson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/01cc77e04bd3 Fix a panic from an invalid cast in euclid r=gfx-reviewers,jrmuizel
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 111 Branch

Verified bug as fixed on rev mozilla-central 20230130095434-1d72cd67dda1.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: