Open Bug 1865713 Opened 11 months ago Updated 1 month ago

Assertion failure: false (Unhandled external image format), at /gfx/webrender_bindings/RenderTextureHostSWGL.cpp:77

Categories

(Core :: Graphics: WebGPU, defect, P2)

Product:
Core
Component:
Graphics: WebGPU
Platform:
x86_64
Linux
Type:
defect

Tracking

()

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 3 open bugs)

Details

(Keywords: testcase, Whiteboard: [bugmon:confirm])

Attachments

(2 files)

Detailed Crash Information
5.88 KB, text/plain
Details
Testcase
1.09 KB, text/plain
Details

Testcase found while fuzzing mozilla-central rev c3021f5ece18 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build c3021f5ece18 --debug --fuzzing  -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: false (Unhandled external image format), at /gfx/webrender_bindings/RenderTextureHostSWGL.cpp:77

    ==380503==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f781f47c6da bp 0x7f77ecd62b30 sp 0x7f77ecd62aa0 T380648)
    ==380503==The signal is caused by a WRITE memory access.
    ==380503==Hint: address points to the zero page.
        #0 0x7f781f47c6da in mozilla::wr::RenderTextureHostSWGL::UpdatePlanes(mozilla::wr::RenderCompositor*) /gfx/webrender_bindings/RenderTextureHostSWGL.cpp:77:9
        #1 0x7f781f47c972 in mozilla::wr::RenderTextureHostSWGL::LockSWGLCompositeSurface(void*, mozilla::wr::SWGLCompositeSurfaceInfo*) /gfx/webrender_bindings/RenderTextureHostSWGL.cpp:171:10
        #2 0x7f78279e8aa1 in webrender::compositor::sw_compositor::SwCompositor::try_lock_composite_surface::heed4ab85307b7772 /gfx/wr/webrender/src/compositor/sw_compositor.rs:1071:20
        #3 0x7f78279e8aa1 in _$LT$webrender..compositor..sw_compositor..SwCompositor$u20$as$u20$webrender..composite..Compositor$GT$::add_surface::ha78ff549b6721a53 /gfx/wr/webrender/src/compositor/sw_compositor.rs:1421:13
        #4 0x7f7827aeb81b in webrender::renderer::_$LT$impl$u20$webrender..composite..CompositeState$GT$::composite_native::h843e05eed23e1efd /gfx/wr/webrender/src/renderer/mod.rs:5951:13
        #5 0x7f7827aeb81b in webrender::renderer::Renderer::draw_frame::h6e40675d39f715a6 /gfx/wr/webrender/src/renderer/mod.rs:4565:17
        #6 0x7f7827ad3958 in webrender::renderer::Renderer::render_impl::h84946eaf3f2c5af2 /gfx/wr/webrender/src/renderer/mod.rs:1518:17
        #7 0x7f7827ad18d4 in webrender::renderer::Renderer::render::h2b933a92c47ecf73 /gfx/wr/webrender/src/renderer/mod.rs:1235:30
        #8 0x7f782777dfd7 in wr_renderer_render /gfx/webrender_bindings/src/bindings.rs:619:11
        #9 0x7f781f483ab2 in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>> const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char>> const&, bool*, mozilla::wr::RendererStats*) /gfx/webrender_bindings/RendererOGL.cpp:190:19
        #10 0x7f781f482573 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>> const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char>> const&, bool*) /gfx/webrender_bindings/RenderThread.cpp:783:31
        #11 0x7f781f481a55 in mozilla::wr::RenderThread::HandleFrameOneDocInner(mozilla::wr::WrWindowId, bool, bool, mozilla::Maybe<mozilla::wr::FramePublishId>) /gfx/webrender_bindings/RenderThread.cpp:624:3
        #12 0x7f781f481083 in HandleFrameOneDoc /gfx/webrender_bindings/RenderThread.cpp:573:3
        #13 0x7f781f481083 in mozilla::wr::RenderThread::WrNotifierEvent_HandleNewFrameReady(mozilla::wr::WrWindowId, bool, mozilla::wr::FramePublishId) /gfx/webrender_bindings/RenderThread.cpp:534:3
        #14 0x7f781f480c12 in mozilla::wr::RenderThread::HandleWrNotifierEvents(mozilla::wr::WrWindowId) /gfx/webrender_bindings/RenderThread.cpp:496:9
        #15 0x7f781f48e47a in operator()<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> &> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
        #16 0x7f781f48e47a in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
        #17 0x7f781f48e47a in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
        #18 0x7f781f48e47a in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> > &, 0UL> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
        #19 0x7f781f48e47a in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> > &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
        #20 0x7f781f48e47a in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
        #21 0x7f781f48e47a in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
        #22 0x7f781dca32ad in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1192:16
        #23 0x7f781dcaa23d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #24 0x7f781e9665a5 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:330:5
        #25 0x7f781e87f281 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #26 0x7f781e87f281 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #27 0x7f781dc9e593 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:370:10
        #28 0x7f7831850d0f in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #29 0x7f78320f1ac2 in start_thread nptl/pthread_create.c:442:8
        #30 0x7f7832183a3f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /gfx/webrender_bindings/RenderTextureHostSWGL.cpp:77:9 in mozilla::wr::RenderTextureHostSWGL::UpdatePlanes(mozilla::wr::RenderCompositor*)
    ==380503==ABORTING
Attached file Testcase
Flags: needinfo?(lsalzman)

Unable to reproduce bug 1865713 using build mozilla-central 20231119091854-c3021f5ece18. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

I'm not sure why bugmon was unable to reproduce this issue. I'll run the bisection locally.

This bisects back further than a year so we're unable to produce a bisection range for it.

Severity: -- → S2

WebGPU is unreleased tech, so I'm reducing the Severity to S3 to remove it from org tracking.

Severity: S2 → S3
Priority: -- → P1
Blocks: webgpu-triage
Flags: needinfo?(lsalzman)
Priority: P1 → P2
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: