Closed Bug 1826177 Opened 3 years ago Closed 1 year ago

backdrop-filter: Hit MOZ_CRASH(bug: no intersection with tile dirty rect) at gfx/wr/webrender/src/picture.rs:4910

Categories

(Core :: Graphics: WebRender, defect)

Product:
Core
Component:
Graphics: WebRender
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
127 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- disabled
firefox-esr115 --- fixed
firefox111 --- wontfix
firefox112 --- wontfix
firefox113 --- wontfix
firefox114 --- wontfix
firefox127 --- fixed

People

(Reporter: tsmith, Assigned: gw)

References

(Blocks 3 open bugs, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(1 file)

testcase.html
440 bytes, text/html
Details
Attached file testcase.html

Found while fuzzing m-c 20230401-e7000d363b5a (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip

Hit MOZ_CRASH(bug: no intersection with tile dirty rect) at gfx/wr/webrender/src/picture.rs:4910

#0 0x7f2ab4cb34c5 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7f2ab4cb34c5 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7f2ab4cb343f in mozglue_static::panic_hook::h1892a8f16e411599 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:91:9
#3 0x7f2ab4cb2e6b in core::ops::function::Fn::call::hc6352892abced57a /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/core/src/ops/function.rs:79:5
#4 0x7f2ab5b4a7a9 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::h4e6ced11e07d8b24 /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/alloc/src/boxed.rs:2002:9
#5 0x7f2ab5b4a7a9 in std::panicking::rust_panic_with_hook::h8d5c434518ef298c /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/std/src/panicking.rs:692:13
#6 0x7f2ab5b4a528 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hf33414f5dabf6faf /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/std/src/panicking.rs:579:13
#7 0x7f2ab5b4788b in std::sys_common::backtrace::__rust_end_short_backtrace::hc50389427413bb75 /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/std/src/sys_common/backtrace.rs:137:18
#8 0x7f2ab5b4a231 in rust_begin_unwind /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/std/src/panicking.rs:575:5
#9 0x7f2ab5ba58f2 in core::panicking::panic_fmt::h2de7a7938f816de8 /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/core/src/panicking.rs:64:14
#10 0x7f2ab5ba5a60 in core::panicking::panic_display::h20dbb78c57df5693 /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/core/src/panicking.rs:147:5
#11 0x7f2ab5ba5a0a in core::panicking::panic_str::hb46d5710e4ab412a /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/core/src/panicking.rs:131:5
#12 0x7f2ab5ba5675 in core::option::expect_failed::h0b5d04c30548770b /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/core/src/option.rs:1924:5
#13 0x7f2ab47ee1a7 in core::option::Option$LT$T$GT$::expect::hcadac57ce78c427f /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/core/src/option.rs:786:21
#14 0x7f2ab47ee1a7 in webrender::picture::PicturePrimitive::take_context::hc8d86ab6c364b7e8 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/picture.rs:4910:42
#15 0x7f2ab47bf038 in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::he0301b7ccc7cd5be /builds/worker/checkouts/gecko/gfx/wr/webrender/src/frame_builder.rs:420:72
#16 0x7f2ab47bf038 in webrender::frame_builder::FrameBuilder::build::h1d0c2d619b6a6f87 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/frame_builder.rs:535:9
#17 0x7f2ab481c62e in webrender::render_backend::Document::build_frame::hcacf006fe90aacc2 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:515:25
#18 0x7f2ab4833f01 in webrender::render_backend::RenderBackend::update_document::h47ba0d729e761a5b /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1429:41
#19 0x7f2ab482abd9 in webrender::render_backend::RenderBackend::prepare_transactions::h067e54d147cc0291 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1273:28
#20 0x7f2ab482abd9 in webrender::render_backend::RenderBackend::process_api_msg::h6426e9fe3f6b63d4 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1126:17
#21 0x7f2ab45fe79e in webrender::render_backend::RenderBackend::run::he4a91418d33e839c /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:777:21
#22 0x7f2ab45fe79e in webrender::renderer::init::create_webrender_instance::_$u7b$$u7b$closure$u7d$$u7d$::h841b7002e4120fe5 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/init.rs:685:9
#23 0x7f2ab45fe79e in std::sys_common::backtrace::__rust_begin_short_backtrace::h8940177951f673ae /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/std/src/sys_common/backtrace.rs:121:18
#24 0x7f2ab46101fb in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h6d5e5a359b052ed0 /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/std/src/thread/mod.rs:558:17
#25 0x7f2ab46101fb in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h56dfb651361a2c1e /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/core/src/panic/unwind_safe.rs:271:9
#26 0x7f2ab46101fb in std::panicking::try::do_call::h89157861a96aa77f /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/std/src/panicking.rs:483:40
#27 0x7f2ab46101fb in std::panicking::try::h193a217eb2939148 /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/std/src/panicking.rs:447:19
#28 0x7f2ab46101fb in std::panic::catch_unwind::hb1115075db185d6c /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/std/src/panic.rs:140:14
#29 0x7f2ab46101fb in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::h26b4281a0a9275a5 /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/std/src/thread/mod.rs:557:30
#30 0x7f2ab46101fb in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h0faf86f1348b5850 /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/core/src/ops/function.rs:250:5
#31 0x7f2ab5b54662 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h1c0f3664d7ced314 /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/alloc/src/boxed.rs:1988:9
#32 0x7f2ab5b54662 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h67647c21c6c4968a /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/alloc/src/boxed.rs:1988:9
#33 0x7f2ab5b54662 in std::sys::unix::thread::Thread::new::thread_start::h355d348ba593a22c /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/std/src/sys/unix/thread.rs:108:17
#34 0x7f2ac0894b42 in start_thread nptl/pthread_create.c:442:8
#35 0x7f2ac09269ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Flags: in-testsuite?

Needed to zoom in. bp-75996955-95a1-4618-a9b0-4ca780230403 [@ core::option::expect_failed | webrender::picture::PicturePrimitive::take_context ]

Blocks: wr-stability
Crash Signature: [@ core::option::expect_failed | webrender::picture::PicturePrimitive::take_context ]
Keywords: crash

MOZ_DISABLE_CONTENT_SANDBOX=1 mozregression --good 2022-01-01 --bad 2023-04-01 -a https://bugzilla.mozilla.org/attachment.cgi?id=9326692

8:32.53 INFO: Last good revision: c2cd1e58dd94f78e6ed04798669635259a546964
8:32.53 INFO: First bad revision: aab73e3ffda7d438195148fdc898a610e33d4cec
8:32.53 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c2cd1e58dd94f78e6ed04798669635259a546964&tochange=aab73e3ffda7d438195148fdc898a610e33d4cec

aab73e3ffda7d438195148fdc898a610e33d4cec Glenn Watson — Bug 1578503 - Enable backdrop-filter by default r=gfx-reviewers,jrmuizel

mozregression --good 2022-03-30 --bad 2022-06-10 --pref layout.css.backdrop-filter.enabled:true -a https://bugzilla.mozilla.org/attachment.cgi?id=9326692

6:04.89 INFO: Last good revision: 622b05c843380695ad46c372020a5666baf5c54e
6:04.89 INFO: First bad revision: 79f4180c783b1e72fccb1e49fb8db086ea12ecca
6:04.89 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=622b05c843380695ad46c372020a5666baf5c54e&tochange=79f4180c783b1e72fccb1e49fb8db086ea12ecca

79f4180c783b1e72fccb1e49fb8db086ea12ecca Glenn Watson — Bug 1749625 - Fix up and re-enable backdrop-filter r=gfx-reviewers,lsalzman

Blocks: 1816630
status-firefox111: --- → wontfix
status-firefox112: --- → fix-optional
status-firefox-esr102: --- → disabled
Keywords: regression
Regressed by: 1578503, 1749625
Summary: Hit MOZ_CRASH(bug: no intersection with tile dirty rect) at gfx/wr/webrender/src/picture.rs:4910 → backdrop-filter: Hit MOZ_CRASH(bug: no intersection with tile dirty rect) at gfx/wr/webrender/src/picture.rs:4910

Glenn, could you set the severity? Thanks!

Flags: needinfo?(gwatson)

Verified bug as reproducible on mozilla-central 20230403215207-9a0019f8494d.
The bug appears to have been introduced in the following build range:

Start: 1e98fd258975d2e4bc9b7d9ed20d4d0a91f7cf9f (20220517231306)
End: 79f4180c783b1e72fccb1e49fb8db086ea12ecca (20220518033138)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=1e98fd258975d2e4bc9b7d9ed20d4d0a91f7cf9f&tochange=79f4180c783b1e72fccb1e49fb8db086ea12ecca

Whiteboard: [bugmon:bisected,confirmed]
Severity: -- → S3
Flags: needinfo?(gwatson)

Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Testcase crashes using the initial build (mozilla-central 20230610094613-463e881a627c) but not with tip (mozilla-central 20240608092932-decc37f392c2.)

The bug appears to have been fixed in the following build range:

Start: acd833efaac3bc26ae563a5da4f60f1bca9dcace (20240510081740)
End: 16c706919fcf22df1fae8499d4c05d7c88de5109 (20240510103258)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=acd833efaac3bc26ae563a5da4f60f1bca9dcace&tochange=16c706919fcf22df1fae8499d4c05d7c88de5109

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(twsmith)
Keywords: bugmon

The only relevant change in that range is bug 1893205

Depends on: 1893205

I am also unable to reproduce the issue with any other fuzzer reported test cases.

Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(twsmith)
Resolution: --- → FIXED
Assignee: nobody → gwatson
status-firefox114: fix-optionalwontfix
status-firefox127: --- → fixed
status-firefox-esr115: --- → affected
Target Milestone: --- → 127 Branch
No longer blocks: 1816630
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: