Closed Bug 1818786 Opened 2 years ago Closed 2 years ago

Assertion failure: owner->mLatestTextureHost->GetSize() == size, at /builds/worker/checkouts/gecko/gfx/layers/RemoteTextureMap.cpp:507

Categories

(Core :: Graphics: WebGPU, defect, P2)

Tracking

()

RESOLVED FIXED
113 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox110 --- unaffected
firefox111 --- wontfix
firefox112 --- wontfix
firefox113 --- fixed

People

(Reporter: tsmith, Assigned: jgilbert)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing m-c 20230202-ba5f6662ca80 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: owner->mLatestTextureHost->GetSize() == size, at /builds/worker/checkouts/gecko/gfx/layers/RemoteTextureMap.cpp:507

#0 0x7f9d7c18b538 in mozilla::layers::RemoteTextureMap::GetRemoteTextureForDisplayList(mozilla::layers::RemoteTextureHostWrapper*) /builds/worker/checkouts/gecko/gfx/layers/RemoteTextureMap.cpp:507:9
#1 0x7f9d7c2fef8b in mozilla::layers::RemoteTextureHostWrapper::CheckIsReadyForRendering() /builds/worker/checkouts/gecko/gfx/layers/composite/RemoteTextureHostWrapper.cpp:189:30
#2 0x7f9d7c3fff6d in mozilla::layers::WebRenderImageHost::UseRemoteTexture(mozilla::layers::RemoteTextureId, mozilla::layers::RemoteTextureOwnerId, int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, mozilla::layers::TextureFlags) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderImageHost.cpp:133:11
#3 0x7f9d7c1a0e80 in operator() /builds/worker/checkouts/gecko/gfx/layers/RemoteTextureMap.cpp:185:31
#4 0x7f9d7c1a0e80 in mozilla::detail::RunnableFunction<mozilla::layers::RemoteTextureMap::PushTexture(mozilla::layers::RemoteTextureId, mozilla::layers::RemoteTextureOwnerId, int, mozilla::UniquePtr<mozilla::layers::TextureData, mozilla::DefaultDelete<mozilla::layers::TextureData>>&&, RefPtr<mozilla::layers::TextureHost>&, std::shared_ptr<mozilla::gl::SharedSurface> const&)::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#5 0x7f9d7af46e42 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1219:16
#6 0x7f9d7af4d1cd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#7 0x7f9d7bb9cec3 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330:5
#8 0x7f9d7babdaa8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#9 0x7f9d7babd9b1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#10 0x7f9d7babd9b1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#11 0x7f9d7af42237 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:384:10
#12 0x7f9d8e41ac86 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#13 0x7f9d8ecc3b42 in start_thread nptl/pthread_create.c:442:8
#14 0x7f9d8ed559ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20230224160401-25a8668d9243.
The bug appears to have been introduced in the following build range:

Start: d1982cee06ca5c4df2bd03dc4f47ee489f8b5a17 (20221023155133)
End: d1982cee06ca5c4df2bd03dc4f47ee489f8b5a17 (20221024093150)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d1982cee06ca5c4df2bd03dc4f47ee489f8b5a17&tochange=d1982cee06ca5c4df2bd03dc4f47ee489f8b5a17

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

(In reply to Bugmon [:jkratzer for issues] from comment #1)

> Verified bug as reproducible on mozilla-central 20230224160401-25a8668d9243.
> The bug appears to have been introduced in the following build range:
>
> Start: d1982cee06ca5c4df2bd03dc4f47ee489f8b5a17 (20221023155133)
> End: d1982cee06ca5c4df2bd03dc4f47ee489f8b5a17 (20221024093150)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d1982cee06ca5c4df2bd03dc4f47ee489f8b5a17&tochange=d1982cee06ca5c4df2bd03dc4f47ee489f8b5a17

The pushlog is empty because both fromchange and tochange are set to the same changeset.

Flags: needinfo?(jkratzer)

Takanori, looks like the testcase may have been intermittent during bisection. I've run the bisection locally and narrowed it down to the following range:

Start: b7f07512450399f35fc38a7e94241b19a4c2693c (20230201215112)
End: 3387e4f266f095d429421e49529dd54c68262f62 (20230202041118)
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b7f07512450399f35fc38a7e94241b19a4c2693c&tochange=3387e4f266f095d429421e49529dd54c68262f62

Jim, is this related to bug 1813719?

Flags: needinfo?(jkratzer) → needinfo?(jimb)

It's in the right neighborhood, but I'm at a loss to see how that commit would affect this bug's test case. We can consider 1813719 the regressor for now.

Flags: needinfo?(jimb)
Regressed by: 1813719

Set release status flags based on info from the regressing bug 1813719

:jimb could you set a severity on this?
Wonder if a later fix can ride the trains or if this is something to keep an eye on for 111.
Asking since it's a fuzzing bug, but the end-user impact is unclear.

Flags: needinfo?(jimb)

Setting S3. This bug requires WebGPU to reproduce, and WebGPU isn't enabled in our builds, so it cannot impact users.

Severity: -- → S3
Flags: needinfo?(jimb)
Priority: -- → P2

:jimb could you set a severity on this?
Wonder if a later fix can ride the trains or if this is something to keep an eye on for 111.
Asking since it's a fuzzing bug, but the end-user impact is unclear.

EDIT: Don't know why the previous comment was in a draft and added again when setting 111 to wontfix

Set release status flags based on info from the regressing bug 1813719

Testcase crashes using the initial build (mozilla-central 20230202172003-ba5f6662ca80) but not with tip (mozilla-central 20230407213355-c3356b6d41ca).

The bug appears to have been fixed in the following build range:

Start: cdea2170a020d1529306ca468d3210133365c477 (20230405213026)
End: 6f3869e6e810960b6a869bfcbd0c1ce23fa9dd4e (20230405223044)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=cdea2170a020d1529306ca468d3210133365c477&tochange=6f3869e6e810960b6a869bfcbd0c1ce23fa9dd4e

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(twsmith)
Keywords: bugmon

This was last reported by fuzzers targeting m-c 20230405-46a27404e36d.

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(twsmith)
Resolution: --- → FIXED
Assignee: nobody → jgilbert
Depends on: 1814091
Target Milestone: --- → 113 Branch