Closed Bug 1826173 Opened 1 year ago Closed 1 year ago

Assertion failure: false (Unhandled external image format), at /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderTextureHostSWGL.cpp:77

Categories

(Core :: Graphics: WebGPU, defect)

defect

Tracking

()

RESOLVED FIXED
113 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox112 --- disabled
firefox113 --- fixed

People

(Reporter: tsmith, Assigned: jgilbert)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

4.00 KB, application/x-zip-compressed
Details
Attached file testcase.zip

Found while fuzzing m-c 20230401-e7000d363b5a (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip

Assertion failure: false (Unhandled external image format), at /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderTextureHostSWGL.cpp:77

#0 0x7f1b6475f0c5 in mozilla::wr::RenderTextureHostSWGL::UpdatePlanes(mozilla::wr::RenderCompositor*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderTextureHostSWGL.cpp:77:9
#1 0x7f1b6475f468 in mozilla::wr::RenderTextureHostSWGL::LockSWGLCompositeSurface(void*, mozilla::wr::SWGLCompositeSurfaceInfo*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderTextureHostSWGL.cpp:171:10
#2 0x7f1b6475f712 in wr_swgl_lock_composite_surface /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderTextureHostSWGL.cpp:215:19
#3 0x7f1b6c798471 in webrender::compositor::sw_compositor::SwCompositor::try_lock_composite_surface::h00b8a119204cab7e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/compositor/sw_compositor.rs:1037:20
#4 0x7f1b6c798471 in _$LT$webrender..compositor..sw_compositor..SwCompositor$u20$as$u20$webrender..composite..Compositor$GT$::add_surface::h2f8a71dcc60e6fc3 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/compositor/sw_compositor.rs:1394:13
#5 0x7f1b6c8955a8 in webrender::renderer::_$LT$impl$u20$webrender..composite..CompositeState$GT$::composite_native::h0159e814dd32b917 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:5757:13
#6 0x7f1b6c8955a8 in webrender::renderer::Renderer::draw_frame::hd9063d06813feccb /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:4353:17
#7 0x7f1b6c87d7ec in webrender::renderer::Renderer::render_impl::hee029ca5f81c1a09 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1514:17
#8 0x7f1b6c87b881 in webrender::renderer::Renderer::render::h79a2d332152d9019 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1231:30
#9 0x7f1b6c595bc7 in wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:619:11
#10 0x7f1b64764a0c in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>> const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char>> const&, bool*, mozilla::wr::RendererStats*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:186:19
#11 0x7f1b647638fc in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>> const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char>> const&, bool*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:597:31
#12 0x7f1b64763031 in mozilla::wr::RenderThread::HandleFrameOneDocInner(mozilla::wr::WrWindowId, bool, bool) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:454:3
#13 0x7f1b64762d93 in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool, bool) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:406:3
#14 0x7f1b6476e834 in operator()<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> &, StoreCopyPassByConstLRef<bool> &, StoreCopyPassByConstLRef<bool> &> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
#15 0x7f1b6476e834 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> &, StoreCopyPassByConstLRef<bool> &, StoreCopyPassByConstLRef<bool> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/invoke.h:60:14
#16 0x7f1b6476e834 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> &, StoreCopyPassByConstLRef<bool> &, StoreCopyPassByConstLRef<bool> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/invoke.h:95:14
#17 0x7f1b6476e834 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool>, StoreCopyPassByConstLRef<bool> > &, 0UL, 1UL, 2UL> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/tuple:1662:14
#18 0x7f1b6476e834 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool>, StoreCopyPassByConstLRef<bool> > &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/tuple:1671:14
#19 0x7f1b6476e834 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#20 0x7f1b6476e834 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
#21 0x7f1b630a70fe in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1233:16
#22 0x7f1b630ad51d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#23 0x7f1b63ced2e2 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#24 0x7f1b63c0e108 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
#25 0x7f1b63c0e011 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#26 0x7f1b63c0e011 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#27 0x7f1b630a2487 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
#28 0x7f1b78e79c86 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#29 0x7f1b78894b42 in start_thread nptl/pthread_create.c:442:8
#30 0x7f1b789269ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Verified bug as reproducible on mozilla-central 20230403215207-9a0019f8494d.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 8d8a4fb2551795333511633583a311534272d9a1 (20220405094056)
End: e7000d363b5a18e09f21286292287cddd4f79b3a (20230401210031)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisected,confirmed]

Testcase crashes using the initial build (mozilla-central 20230401210031-e7000d363b5a) but not with tip (mozilla-central 20230407213355-c3356b6d41ca.)

The bug appears to have been fixed in the following build range:

Start: cdea2170a020d1529306ca468d3210133365c477 (20230405213026)
End: 6f3869e6e810960b6a869bfcbd0c1ce23fa9dd4e (20230405223044)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=cdea2170a020d1529306ca468d3210133365c477&tochange=6f3869e6e810960b6a869bfcbd0c1ce23fa9dd4e

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(twsmith)
Keywords: bugmon

This was last reported by fuzzers targeting m-c 20230403-3b11236bdbac.

Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(twsmith)
Resolution: --- → FIXED
Assignee: nobody → jgilbert
Depends on: 1814091
Target Milestone: --- → 113 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: