Hit MOZ_CRASH(called `Option::unwrap()` on a `None` value) at gfx/wr/webrender/src/prepare.rs:956
Categories
(Core :: Graphics: WebRender, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox-esr115 | --- | unaffected |
| firefox115 | --- | unaffected |
| firefox116 | --- | wontfix |
| firefox117 | --- | fix-optional |
| firefox118 | --- | fix-optional |
People
(Reporter: tsmith, Assigned: gw)
References
(Blocks 2 open bugs, Regression)
Details
(5 keywords, Whiteboard: [bugmon:bisected,confirmed])
Crash Data
Attachments
(1 file)
|
527 bytes,
text/html
|
Details |
Found while fuzzing m-c 20230722-847b0df134e4 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Hit MOZ_CRASH(called Option::unwrap() on a None value) at gfx/wr/webrender/src/prepare.rs:956
#0 0x7eff14b69145 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:281:3
#1 0x7eff14b69145 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7eff14b690d6 in mozglue_static::panic_hook::ha6bfb9e7df0487c1 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:96:9
#3 0x7eff14b68adb in core::ops::function::Fn::call::h32557a407c48d309 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/core/src/ops/function.rs:79:5
#4 0x7eff15a960dc in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::h0be7fc2421582b49 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/alloc/src/boxed.rs:1999:9
#5 0x7eff15a960dc in std::panicking::rust_panic_with_hook::h82ebcd5d5ed2fad4 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/panicking.rs:709:13
#6 0x7eff15a95e30 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h810bed8ecbe66f1a /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/panicking.rs:595:13
#7 0x7eff15a932f5 in std::sys_common::backtrace::__rust_end_short_backtrace::h1410008071796261 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/sys_common/backtrace.rs:151:18
#8 0x7eff15a95bc1 in rust_begin_unwind /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/panicking.rs:593:5
#9 0x7eff15aeec22 in core::panicking::panic_fmt::ha0a42a25e0cf258d /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/core/src/panicking.rs:67:14
#10 0x7eff15aeecb2 in core::panicking::panic::ha338a74a5d65bf6f /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/core/src/panicking.rs:117:5
#11 0x7eff144e2cdd in core::slice::sort::insert_tail::h008bef507d907db0 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/core/src/slice/sort.rs
#12 0x7eff144e2cdd in core::slice::sort::insertion_sort_shift_left::h4b9020ffc3119981 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/core/src/slice/sort.rs:163:13
#13 0x7eff146c2a12 in core::slice::sort::merge_sort::h01975060f521a17a /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/core/src/slice/sort.rs:1052:13
#14 0x7eff146c2a12 in alloc::slice::stable_sort::hcdff2df0dd8a2670 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/alloc/src/slice.rs:887:5
#15 0x7eff146c2a12 in alloc::slice::_$LT$impl$u20$$u5b$T$u5d$$GT$::sort_by::h942fc5ddc63ff7d5 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/alloc/src/slice.rs:267:9
#16 0x7eff146c2a12 in webrender::prepare::prepare_interned_prim_for_render::hc99e51600a4f0689 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:956:25
#17 0x7eff146ba647 in webrender::prepare::prepare_prim_for_render::h92c7d630b29be4a4 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:348:5
#18 0x7eff146ba647 in webrender::prepare::prepare_primitives::h261048d6d307e722 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:83:17
#19 0x7eff1467e9c8 in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::ha8f807c2de2dc1ae /builds/worker/checkouts/gecko/gfx/wr/webrender/src/frame_builder.rs:459:17
#20 0x7eff1467e9c8 in webrender::frame_builder::FrameBuilder::build::hf4ab871a4670b174 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/frame_builder.rs:559:9
#21 0x7eff146debf4 in webrender::render_backend::Document::build_frame::h08524c53942135b0 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:515:25
#22 0x7eff146f65eb in webrender::render_backend::RenderBackend::update_document::h9d647b155a735830 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1429:41
#23 0x7eff146ecc20 in webrender::render_backend::RenderBackend::prepare_transactions::h0c7ac9b4c9c1a780 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1273:28
#24 0x7eff146ecc20 in webrender::render_backend::RenderBackend::process_api_msg::h3b6ac454f18b9d6b /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1126:17
#25 0x7eff144ae931 in webrender::render_backend::RenderBackend::run::h412e57a3aaa026c3 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:777:21
#26 0x7eff144ae931 in webrender::renderer::init::create_webrender_instance::_$u7b$$u7b$closure$u7d$$u7d$::h54e33279b7082724 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/init.rs:685:9
#27 0x7eff144ae931 in std::sys_common::backtrace::__rust_begin_short_backtrace::hc6f61f7f7460f566 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/sys_common/backtrace.rs:135:18
#28 0x7eff144bd292 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h7af6249b4722fd3d /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/thread/mod.rs:529:17
#29 0x7eff144bd292 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h28ed91331a732712 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/core/src/panic/unwind_safe.rs:271:9
#30 0x7eff144bd292 in std::panicking::try::do_call::h244d8373f833e2ed /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/panicking.rs:500:40
#31 0x7eff144bd292 in std::panicking::try::heb646d7ca99bfac3 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/panicking.rs:464:19
#32 0x7eff144bd292 in std::panic::catch_unwind::h6679809f86982d06 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/panic.rs:142:14
#33 0x7eff144bd292 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::hd870008ce2f07f3f /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/thread/mod.rs:528:30
#34 0x7eff144bd292 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::hbcc71270a0721734 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/core/src/ops/function.rs:250:5
#35 0x7eff15aa0604 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h9adfc2ae43657457 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/alloc/src/boxed.rs:1985:9
#36 0x7eff15aa0604 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h14fefbfa7b574396 /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/alloc/src/boxed.rs:1985:9
#37 0x7eff15aa0604 in std::sys::unix::thread::Thread::new::thread_start::ha211bb47f6f5cedc /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/sys/unix/thread.rs:108:17
#38 0x7eff1ea94b42 in start_thread nptl/pthread_create.c:442:8
#39 0x7eff1eb269ff misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
||
Comment 1•1 year ago
|
||
Verified bug as reproducible on mozilla-central 20230724215726-12931a93e28c.
The bug appears to have been introduced in the following build range:
Start: 35ae138cfc1ef300fed273a6c93b14f8884588d7 (20230522211404)
End: c3108a8a5f3fb2f5f04e2cacdb25dc5fd6795ffe (20230522225914)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=35ae138cfc1ef300fed273a6c93b14f8884588d7&tochange=c3108a8a5f3fb2f5f04e2cacdb25dc5fd6795ffe
|
||
Comment 2•1 year ago
|
||
Set release status flags based on info from the regressing bug 1830588
:gw, since you are the author of the regressor, bug 1830588, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
|
Assignee | |
Comment 3•1 year ago
|
||
I haven't been able to repro this locally. From the reported source line, it looks like there is a NaN or similar getting in to the local coordinates array somehow.
|
||
Updated•1 year ago
|
|
Reporter | |
Updated•1 year ago
|
|
|
||
Comment 4•1 year ago
|
||
Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.
| Comment hidden (obsolete) |
|
||
Updated•1 year ago
|
|
|
||
Comment 7•1 year ago
|
||
The severity field is not set for this bug.
:gw, could you have a look please?
For more information, please visit BugBot documentation.
|
|
Assignee | |
Updated•1 year ago
|
|
||
Comment 8•7 months ago
•
|
||
I get a crash from the testcase: https://crash-stats.mozilla.org/report/index/e4a069f2-cbf5-4696-a58f-bf13f0240301
The trick seems to be to save the testcase to your local machine, close the browser completely, and then open the testcase.
I also got full browser crash from the testcase.
|
|
||
Comment 9•7 months ago
|
||
I can reproduce the bug on the latest Nightly, whereas I couldnt repro it when this bug was originally filed.
Bisection points to :
Bug 1866666 - Enable popover in nightly. r=emilio,smaug
Differential Revision: https://phabricator.services.mozilla.com/D194705
So then I did a second bisection with dom.element.popover.enabled = true. That gave the result:
Bug 1830588 - Fix clip on fractional composite prims r=gfx-reviewers,lsalzman
Differential Revision: https://phabricator.services.mozilla.com/D178614
:gw, ni? you as this testcase crashes on latest Nightly.
Also making this blocking on bug 1866666.
|
|
Assignee | |
Updated•7 months ago
|
Description
•