Hit MOZ_CRASH(called `Option::unwrap()` on a `None` value) at gfx/wr/webrender/src/prepare.rs:956
Categories
(Core :: Graphics: WebRender, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox-esr115 | --- | unaffected |
| firefox-esr128 | --- | wontfix |
| firefox115 | --- | unaffected |
| firefox116 | --- | wontfix |
| firefox117 | --- | wontfix |
| firefox118 | --- | wontfix |
| firefox138 | --- | wontfix |
| firefox139 | --- | wontfix |
| firefox140 | --- | fixed |
People
(Reporter: tsmith, Assigned: gw)
References
(Blocks 2 open bugs, Regression)
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Crash Data
Attachments
(2 files)
Found while fuzzing m-c 20230722-847b0df134e4 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Hit MOZ_CRASH(called Option::unwrap() on a None value) at gfx/wr/webrender/src/prepare.rs:956
#0 0x7eff14b69145 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:281:3
#1 0x7eff14b69145 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7eff14b690d6 in mozglue_static::panic_hook::ha6bfb9e7df0487c1 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:96:9
#3 0x7eff14b68adb in core::ops::function::Fn::call::h32557a407c48d309 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/core/src/ops/function.rs:79:5
#4 0x7eff15a960dc in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::h0be7fc2421582b49 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/alloc/src/boxed.rs:1999:9
#5 0x7eff15a960dc in std::panicking::rust_panic_with_hook::h82ebcd5d5ed2fad4 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/panicking.rs:709:13
#6 0x7eff15a95e30 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h810bed8ecbe66f1a /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/panicking.rs:595:13
#7 0x7eff15a932f5 in std::sys_common::backtrace::__rust_end_short_backtrace::h1410008071796261 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/sys_common/backtrace.rs:151:18
#8 0x7eff15a95bc1 in rust_begin_unwind /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/panicking.rs:593:5
#9 0x7eff15aeec22 in core::panicking::panic_fmt::ha0a42a25e0cf258d /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/core/src/panicking.rs:67:14
#10 0x7eff15aeecb2 in core::panicking::panic::ha338a74a5d65bf6f /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/core/src/panicking.rs:117:5
#11 0x7eff144e2cdd in core::slice::sort::insert_tail::h008bef507d907db0 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/core/src/slice/sort.rs
#12 0x7eff144e2cdd in core::slice::sort::insertion_sort_shift_left::h4b9020ffc3119981 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/core/src/slice/sort.rs:163:13
#13 0x7eff146c2a12 in core::slice::sort::merge_sort::h01975060f521a17a /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/core/src/slice/sort.rs:1052:13
#14 0x7eff146c2a12 in alloc::slice::stable_sort::hcdff2df0dd8a2670 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/alloc/src/slice.rs:887:5
#15 0x7eff146c2a12 in alloc::slice::_$LT$impl$u20$$u5b$T$u5d$$GT$::sort_by::h942fc5ddc63ff7d5 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/alloc/src/slice.rs:267:9
#16 0x7eff146c2a12 in webrender::prepare::prepare_interned_prim_for_render::hc99e51600a4f0689 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:956:25
#17 0x7eff146ba647 in webrender::prepare::prepare_prim_for_render::h92c7d630b29be4a4 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:348:5
#18 0x7eff146ba647 in webrender::prepare::prepare_primitives::h261048d6d307e722 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:83:17
#19 0x7eff1467e9c8 in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::ha8f807c2de2dc1ae /builds/worker/checkouts/gecko/gfx/wr/webrender/src/frame_builder.rs:459:17
#20 0x7eff1467e9c8 in webrender::frame_builder::FrameBuilder::build::hf4ab871a4670b174 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/frame_builder.rs:559:9
#21 0x7eff146debf4 in webrender::render_backend::Document::build_frame::h08524c53942135b0 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:515:25
#22 0x7eff146f65eb in webrender::render_backend::RenderBackend::update_document::h9d647b155a735830 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1429:41
#23 0x7eff146ecc20 in webrender::render_backend::RenderBackend::prepare_transactions::h0c7ac9b4c9c1a780 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1273:28
#24 0x7eff146ecc20 in webrender::render_backend::RenderBackend::process_api_msg::h3b6ac454f18b9d6b /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1126:17
#25 0x7eff144ae931 in webrender::render_backend::RenderBackend::run::h412e57a3aaa026c3 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:777:21
#26 0x7eff144ae931 in webrender::renderer::init::create_webrender_instance::_$u7b$$u7b$closure$u7d$$u7d$::h54e33279b7082724 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/init.rs:685:9
#27 0x7eff144ae931 in std::sys_common::backtrace::__rust_begin_short_backtrace::hc6f61f7f7460f566 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/sys_common/backtrace.rs:135:18
#28 0x7eff144bd292 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h7af6249b4722fd3d /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/thread/mod.rs:529:17
#29 0x7eff144bd292 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h28ed91331a732712 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/core/src/panic/unwind_safe.rs:271:9
#30 0x7eff144bd292 in std::panicking::try::do_call::h244d8373f833e2ed /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/panicking.rs:500:40
#31 0x7eff144bd292 in std::panicking::try::heb646d7ca99bfac3 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/panicking.rs:464:19
#32 0x7eff144bd292 in std::panic::catch_unwind::h6679809f86982d06 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/panic.rs:142:14
#33 0x7eff144bd292 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::hd870008ce2f07f3f /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/thread/mod.rs:528:30
#34 0x7eff144bd292 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::hbcc71270a0721734 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/core/src/ops/function.rs:250:5
#35 0x7eff15aa0604 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h9adfc2ae43657457 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/alloc/src/boxed.rs:1985:9
#36 0x7eff15aa0604 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h14fefbfa7b574396 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/alloc/src/boxed.rs:1985:9
#37 0x7eff15aa0604 in std::sys::unix::thread::Thread::new::thread_start::ha211bb47f6f5cedc /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/sys/unix/thread.rs:108:17
#38 0x7eff1ea94b42 in start_thread nptl/pthread_create.c:442:8
#39 0x7eff1eb269ff misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
||
Comment 1•2 years ago
|
||
Verified bug as reproducible on mozilla-central 20230724215726-12931a93e28c.
The bug appears to have been introduced in the following build range:
Start: 35ae138cfc1ef300fed273a6c93b14f8884588d7 (20230522211404)
End: c3108a8a5f3fb2f5f04e2cacdb25dc5fd6795ffe (20230522225914)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=35ae138cfc1ef300fed273a6c93b14f8884588d7&tochange=c3108a8a5f3fb2f5f04e2cacdb25dc5fd6795ffe
|
||
Comment 2•2 years ago
|
||
Set release status flags based on info from the regressing bug 1830588
:gw, since you are the author of the regressor, bug 1830588, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
|
Assignee | |
Comment 3•2 years ago
|
||
I haven't been able to repro this locally. From the reported source line, it looks like there is a NaN or similar getting in to the local coordinates array somehow.
|
||
Updated•2 years ago
|
|
Reporter | |
Updated•2 years ago
|
|
|
||
Comment 4•2 years ago
|
||
Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.
| Comment hidden (obsolete) |
|
||
Updated•2 years ago
|
|
|
||
Comment 7•2 years ago
|
||
The severity field is not set for this bug.
:gw, could you have a look please?
For more information, please visit BugBot documentation.
|
|
Assignee | |
Updated•2 years ago
|
|
||
Comment 8•1 year ago
•
|
||
I get a crash from the testcase: https://crash-stats.mozilla.org/report/index/e4a069f2-cbf5-4696-a58f-bf13f0240301
The trick seems to be to save the testcase to your local machine, close the browser completely, and then open the testcase.
I also got full browser crash from the testcase.
|
|
||
Comment 9•1 year ago
|
||
I can reproduce the bug on the latest Nightly, whereas I couldnt repro it when this bug was originally filed.
Bisection points to :
Bug 1866666 - Enable popover in nightly. r=emilio,smaug
Differential Revision: https://phabricator.services.mozilla.com/D194705
So then I did a second bisection with dom.element.popover.enabled = true. That gave the result:
Bug 1830588 - Fix clip on fractional composite prims r=gfx-reviewers,lsalzman
Differential Revision: https://phabricator.services.mozilla.com/D178614
:gw, ni? you as this testcase crashes on latest Nightly.
Also making this blocking on bug 1866666.
|
|
Assignee | |
Updated•1 year ago
|
|
|
||
Comment 10•25 days ago
|
||
Testcase crashes using the initial build (mozilla-central 20240419152244-7bb994599bd6) but not with tip (mozilla-central 20250419094613-7299a341126e.)
The bug appears to have been fixed in the following build range:
Start: c6ac35e2fa35adaac9047ed6123d616f6d3fdf5c (20250325081146)
End: d926f7fefc9dc9eab1d2e65a87ab2883c5ef5143 (20250325091625)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c6ac35e2fa35adaac9047ed6123d616f6d3fdf5c&tochange=d926f7fefc9dc9eab1d2e65a87ab2883c5ef5143
gw, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
Assignee | |
Comment 11•16 days ago
|
||
It's not clear to me that any of the patches in that bisection range would fix this. However, the most likely seem to be the ones from Emilio, perhaps they remove the item that was causing the problem?
|
||
Comment 12•15 days ago
|
||
Yeah this has a bunch of filter properties on the root element, probably bug 1955697 fixed it indeed.
|
|
||
Comment 13•15 days ago
|
||
|
||
Comment 14•9 days ago
|
||
|
||
Comment 16•9 days ago
|
||
| bugherder | ||
|
|
||
Updated•9 days ago
|
Description
•