Open
Bug 1849645
Opened 2 years ago
Updated 11 months ago
firefox: src/rasterize.h:1375: int clip_side(int, Point3D *, Interpolants *, Point3D *, Interpolants *, int &) [AXIS = glsl::Y]: Assertion `false' failed.
Categories
(Core :: Graphics: WebRender, defect)
Core
Graphics: WebRender
Tracking
()
NEW
People
(Reporter: tsmith, Unassigned)
References
(Blocks 2 open bugs)
Details
(Keywords: assertion, pernosco, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file)
|
421 bytes,
text/html
|
Details |
Found while fuzzing m-c 20230629-c93a9e0ad90d (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
I'm not sure if this is actually just a duplicate of bug 1704943, but this test case is reliable.
firefox: src/rasterize.h:1375: int clip_side(int, Point3D *, Interpolants *, Point3D *, Interpolants *, int &) [AXIS = glsl::Y]: Assertion `false' failed.
#0 0x7f5a37696a7c in __pthread_kill_implementation nptl/pthread_kill.c:44:76
#1 0x7f5a37696a7c in __pthread_kill_internal nptl/pthread_kill.c:78:10
#2 0x7f5a37696a7c in pthread_kill nptl/pthread_kill.c:89:10
#3 0x7f5a37642475 in gsignal signal/../sysdeps/posix/raise.c:26:13
#4 0x7f5a376287f2 in abort stdlib/abort.c:79:7
#5 0x7f5a3762871a in __assert_fail_base assert/assert.c:92:3
#6 0x7f5a37639e95 in __assert_fail assert/assert.c:101:3
#7 0x7f5a2c77892b in clip_side<(glsl::XYZW)1> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1375:11
#8 0x7f5a2c77892b in draw_perspective /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1527:16
#9 0x7f5a2c77892b in draw_quad(int, Texture&, Texture&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1559:5
#10 0x7f5a2c771861 in draw_elements<unsigned short> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1655:5
#11 0x7f5a2c771861 in DrawElementsInstanced /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:2748:7
#12 0x7f5a2c39093b in _$LT$gleam..gl..ErrorReactingGl$LT$F$GT$$u20$as$u20$gleam..gl..Gl$GT$::draw_elements_instanced::h5f38d027461caf31 /builds/worker/checkouts/gecko/third_party/rust/gleam/src/gl.rs:98:26
#13 0x7f5a2c4d42fb in webrender::device::gl::Device::draw_indexed_triangles_instanced_u16::h63909cddd111990c /builds/worker/checkouts/gecko/gfx/wr/webrender/src/device/gl.rs:3739:9
#14 0x7f5a2c5b02ad in webrender::renderer::Renderer::draw_instanced_batch::h41db3d555a1ee154 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2027:17
#15 0x7f5a2c5b4c50 in webrender::renderer::Renderer::draw_alpha_batch_container::h9a6500596ed51f79 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2890:17
#16 0x7f5a2c5c3812 in webrender::renderer::Renderer::draw_picture_cache_target::h2de9de92e6a9494b /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2677:17
#17 0x7f5a2c5c3812 in webrender::renderer::Renderer::draw_frame::h733d400304a588cd /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:4684:21
#18 0x7f5a2c5a46cb in webrender::renderer::Renderer::render_impl::h856f3569bfd07d1d /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1523:17
#19 0x7f5a2c5a25ef in webrender::renderer::Renderer::render::hf07c1b5c42e7d138 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1240:30
#20 0x7f5a2c2aa917 in wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:619:11
#21 0x7f5a23f537d2 in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>> const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char>> const&, bool*, mozilla::wr::RendererStats*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:190:19
#22 0x7f5a23f52289 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>> const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char>> const&, bool*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:781:31
#23 0x7f5a23f5178c in mozilla::wr::RenderThread::HandleFrameOneDocInner(mozilla::wr::WrWindowId, bool, bool, mozilla::Maybe<mozilla::wr::FramePublishId>) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:624:3
#24 0x7f5a23f50db3 in HandleFrameOneDoc /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:573:3
#25 0x7f5a23f50db3 in mozilla::wr::RenderThread::WrNotifierEvent_HandleNewFrameReady(mozilla::wr::WrWindowId, bool, mozilla::wr::FramePublishId) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:534:3
#26 0x7f5a23f50902 in mozilla::wr::RenderThread::HandleWrNotifierEvents(mozilla::wr::WrWindowId) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:496:9
#27 0x7f5a23f5e1aa in operator()<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> &> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
#28 0x7f5a23f5e1aa in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#29 0x7f5a23f5e1aa in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#30 0x7f5a23f5e1aa in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> > &, 0UL> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#31 0x7f5a23f5e1aa in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> > &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#32 0x7f5a23f5e1aa in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#33 0x7f5a23f5e1aa in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
#34 0x7f5a2277f56d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193:16
#35 0x7f5a2278630d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#36 0x7f5a23432ab5 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330:5
#37 0x7f5a2334b451 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#38 0x7f5a2334b451 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#39 0x7f5a2277abf6 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
#40 0x7f5a379f89ef in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#41 0x7f5a37694b42 in start_thread nptl/pthread_create.c:442:8
#42 0x7f5a377269ff misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Flags: in-testsuite?
|
||
Comment 1•2 years ago
|
||
Verified bug as reproducible on mozilla-central 20230821213322-bc597f54f9cf.
Unable to bisect testcase (Testcase does not reproduce on end build!):
Start: 95412593f3f1a381b55ce360fdef6c59debec24c (20220823024657)
End: c93a9e0ad90d7eca1077e5b52a84b577549bc02e (20230629085424)
BuildFlags: BuildFlags(asan=None, tsan=None, debug=True, fuzzing=True, coverage=None, valgrind=None, no_opt=None, fuzzilli=None, nyx=None)
Whiteboard: [bugmon:bisected,confirmed]
|
||
Updated•1 years ago
|
Severity: -- → S3
|
|
||
Comment 2•1 years ago
|
||
Testcase crashes using the initial build (mozilla-central 20230629085424-c93a9e0ad90d) but not with tip (mozilla-central 20230902093900-99eed791079c.)
Unable to bisect testcase (End build crashes!):
Start: c93a9e0ad90d7eca1077e5b52a84b577549bc02e (20230629085424)
End: 99eed791079c7b72126fee110226a0f9c519a053 (20230902093900)
BuildFlags: BuildFlags(asan=None, tsan=None, debug=True, fuzzing=None, coverage=None, valgrind=None, no_opt=None, fuzzilli=None, nyx=None)
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
|
Reporter | |
Comment 3•1 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/W5Nwf9BkZc4IMXyfhYCG3w/index.html
status-firefox119:
--- → affected
Keywords: pernosco
You need to log in
before you can comment on or make changes to this bug.
Description
•