Closed Bug 1872775 Opened 9 months ago Closed 6 months ago

Hit MOZ_CRASH(Unable to find a bin for 2304x0!) at gfx/wr/webrender/src/texture_pack/guillotine.rs:29

Categories

(Core :: Graphics: WebRender, defect)

Product:
Core
Component:
Graphics: WebRender
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
125 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox121 --- wontfix
firefox122 --- wontfix
firefox123 --- wontfix
firefox124 --- wontfix
firefox125 --- fixed

People

(Reporter: tsmith, Assigned: nical)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:confirmed,bisected])

Attachments

(1 file)

testcase.html
375 bytes, text/html
Details
Attached file testcase.html

Found while fuzzing m-c 20231122-ef0b50d89a7f (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid> --xvfb

Hit MOZ_CRASH(Unable to find a bin for 2304x0!) at gfx/wr/webrender/src/texture_pack/guillotine.rs:29

#0 0x7f8eef996c65 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:281:3
#1 0x7f8eef996c65 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7f8eef996551 in mozglue_static::panic_hook::hf0de6a265225e72e /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:96:9
#3 0x7f8eef996551 in core::ops::function::Fn::call::h31b5c88f4841ffe2 /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/core/src/ops/function.rs:79:5
#4 0x7f8ef0967d77 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::h1f8f335eaa9cfaee /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/alloc/src/boxed.rs:2021:9
#5 0x7f8ef0967d77 in std::panicking::rust_panic_with_hook::h2b5517d590cab22e /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/std/src/panicking.rs:783:13
#6 0x7f8ef0967acd in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h233112c06e0ef43e /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/std/src/panicking.rs:657:13
#7 0x7f8ef0965085 in std::sys_common::backtrace::__rust_end_short_backtrace::h6e893f24d7ebbff8 /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/std/src/sys_common/backtrace.rs:170:18
#8 0x7f8ef0967831 in rust_begin_unwind /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/std/src/panicking.rs:645:5
#9 0x7f8ef09b40b4 in core::panicking::panic_fmt::hbf0e066aabfa482c /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/core/src/panicking.rs:72:14
#10 0x7f8eef5a0106 in webrender::texture_pack::guillotine::FreeListBin::for_size::_$u7b$$u7b$closure$u7d$$u7d$::hb09d8444e9c4bb3e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/texture_pack/guillotine.rs:29:32
#11 0x7f8eef5a0106 in core::option::Option$LT$T$GT$::unwrap_or_else::h2a61b3537d9cf119 /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/core/src/option.rs:976:21
#12 0x7f8eef5a0106 in webrender::texture_pack::guillotine::FreeListBin::for_size::h811cd1d7b6b798d5 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/texture_pack/guillotine.rs:29:14
#13 0x7f8eef5a0106 in webrender::texture_pack::guillotine::GuillotineAllocator::push::heb86a1990ae11420 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/texture_pack/guillotine.rs:99:18
#14 0x7f8eef4e2c60 in webrender::texture_pack::guillotine::GuillotineAllocator::new::h9ae844a83c6a12bb /builds/worker/checkouts/gecko/gfx/wr/webrender/src/texture_pack/guillotine.rs:89:13
#15 0x7f8eef4e2c60 in webrender::render_task_graph::RenderTaskGraphBuilder::end_frame::h06059ae7a9dc3c73 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_task_graph.rs:462:44
#16 0x7f8eef45b04d in webrender::frame_builder::FrameBuilder::build::hc27bc8b202ac0153 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/frame_builder.rs:590:28
#17 0x7f8eef4b9322 in webrender::render_backend::Document::build_frame::h267a87e60da17863 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:521:25
#18 0x7f8eef4cfb17 in webrender::render_backend::RenderBackend::update_document::ha41c57fb26341fdc /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1439:41
#19 0x7f8eef4c689e in webrender::render_backend::RenderBackend::prepare_transactions::hdfd5e4e03b39efc2 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1283:28
#20 0x7f8eef4c689e in webrender::render_backend::RenderBackend::process_api_msg::he5458ccf8d8cee51 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1136:17
#21 0x7f8eef24bc4a in webrender::render_backend::RenderBackend::run::hebcdba6ef3bbf834 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:787:21
#22 0x7f8eef24bc4a in webrender::renderer::init::create_webrender_instance::_$u7b$$u7b$closure$u7d$$u7d$::h76b8cc35bf08955a /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/init.rs:685:9
#23 0x7f8eef24bc4a in std::sys_common::backtrace::__rust_begin_short_backtrace::h2dba669fda889ad1 /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/std/src/sys_common/backtrace.rs:154:18
#24 0x7f8eef255012 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h5eed655b4aa79cbf /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/std/src/thread/mod.rs:529:17
#25 0x7f8eef255012 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h76eb3a6caf611732 /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/core/src/panic/unwind_safe.rs:272:9
#26 0x7f8eef255012 in std::panicking::try::do_call::he7cd77c1a377dc99 /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/std/src/panicking.rs:552:40
#27 0x7f8eef255012 in std::panicking::try::h00fc3c7b560d91d4 /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/std/src/panicking.rs:516:19
#28 0x7f8eef255012 in std::panic::catch_unwind::h5cbe330417fdc3c9 /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/std/src/panic.rs:142:14
#29 0x7f8eef255012 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::hd43e373160a18697 /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/std/src/thread/mod.rs:528:30
#30 0x7f8eef255012 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h0ec8dffaf5515e23 /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/core/src/ops/function.rs:250:5
#31 0x7f8ef0971c34 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::hc7eafaff61e32df9 /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/alloc/src/boxed.rs:2007:9
#32 0x7f8ef0971c34 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h6ba4a5de48dd2304 /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/alloc/src/boxed.rs:2007:9
#33 0x7f8ef0971c34 in std::sys::unix::thread::Thread::new::thread_start::he469335aef763e45 /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/std/src/sys/unix/thread.rs:108:17
#34 0x7f8efa094ac2 in start_thread nptl/pthread_create.c:442:8
#35 0x7f8efa12665f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20240103050624-cc67c788cded.
The bug appears to have been introduced in the following build range:

Start: 6d877fdb9a1e892fe6528a26aab81b53cfae55c5 (20230807061947)
End: 2f07664dbc304adeae1029ead0f4ab014aaa02a8 (20230807091755)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6d877fdb9a1e892fe6528a26aab81b53cfae55c5&tochange=2f07664dbc304adeae1029ead0f4ab014aaa02a8

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

setting flags based on the regression range, but not sure the culprit here

status-firefox121: --- → wontfix
status-firefox122: --- → wontfix
status-firefox-esr115: --- → unaffected
Severity: -- → S3

Tyson, are we sure of the regression range? Thanks

Flags: needinfo?(twsmith)

I'm not sure if it is correct but we can try again and see if we get a different result.

Flags: needinfo?(twsmith)
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisect,confirmed]

The bug appears to have been introduced in the following build range:

Start: 6d877fdb9a1e892fe6528a26aab81b53cfae55c5 (20230807061947)
End: 2f07664dbc304adeae1029ead0f4ab014aaa02a8 (20230807091755)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6d877fdb9a1e892fe6528a26aab81b53cfae55c5&tochange=2f07664dbc304adeae1029ead0f4ab014aaa02a8

Whiteboard: [bugmon:bisect,confirmed] → [bugmon:confirmed,bisected]

Testcase crashes using the initial build (mozilla-central 20231122034940-ef0b50d89a7f) but not with tip (mozilla-central 20240329205904-33becba24b3c.)

The bug appears to have been fixed in the following build range:

Start: 54c13c0498731427f23aff4c7e87900a715761b0 (20240304084822)
End: 8a586af3529ef8d1a3c9cc2238ff643c5169122d (20240304104949)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=54c13c0498731427f23aff4c7e87900a715761b0&tochange=8a586af3529ef8d1a3c9cc2238ff643c5169122d

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(twsmith)
Keywords: bugmon
Status: NEW → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Assignee: nobody → nical.bugzilla
status-firefox125: --- → fixed
Depends on: 1882526
Flags: needinfo?(twsmith)
Target Milestone: --- → 125 Branch

Based on comment #1, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:nical, if possible, could you fill the Regressed by field?

For more information, please visit BugBot documentation.

Flags: needinfo?(nical.bugzilla)

The regression range in comment 1 doesn't contain anything suspecious, I don't know what introduced the bug.

Flags: needinfo?(nical.bugzilla)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: