Open Bug 1879678 Opened 2 years ago Updated 10 months ago

Assertion failure: !mDrawTarget, at /builds/worker/checkouts/gecko/gfx/layers/PersistentBufferProvider.cpp:620

Categories

(Core :: Graphics: Canvas2D, defect)

Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- affected
firefox122 --- unaffected
firefox138 --- wontfix

People

(Reporter: tsmith, Unassigned, NeedInfo)

References

(Blocks 2 open bugs, Regression)

Details

(5 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing m-c 20240118-842adcf822fc (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: !mDrawTarget, at /builds/worker/checkouts/gecko/gfx/layers/PersistentBufferProvider.cpp:620

#0 0x7f913a5a4dd5 in mozilla::layers::PersistentBufferProviderShared::GetTextureClient() /builds/worker/checkouts/gecko/gfx/layers/PersistentBufferProvider.cpp:620:3
#1 0x7f913c531a9f in mozilla::dom::OffscreenCanvasDisplayHelper::CommitFrameToCompositor(nsICanvasRenderingContextInternal*, mozilla::layers::TextureType, mozilla::Maybe<mozilla::dom::OffscreenCanvasDisplayData> const&) /builds/worker/checkouts/gecko/dom/canvas/OffscreenCanvasDisplayHelper.cpp:220:29
#2 0x7f913c5d75c6 in mozilla::dom::OffscreenCanvas::DequeueCommitToCompositor() /builds/worker/checkouts/gecko/dom/canvas/OffscreenCanvas.cpp:324:13
#3 0x7f913c63d498 in operator() /builds/worker/checkouts/gecko/dom/canvas/OffscreenCanvas.cpp:316:37
#4 0x7f913c63d498 in already_AddRefed<mozilla::CancelableRunnable> NS_NewCancelableRunnableFunction<mozilla::dom::OffscreenCanvas::QueueCommitToCompositor()::$_0>(char const*, mozilla::dom::OffscreenCanvas::QueueCommitToCompositor()::$_0&&)::FuncCancelableRunnable::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:667:9
#5 0x7f91392d6437 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
#6 0x7f91392cbba6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
#7 0x7f91392ca387 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
#8 0x7f91392ca805 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
#9 0x7f91392da3d6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:232:37
#10 0x7f91392da3d6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#11 0x7f91392ef742 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#12 0x7f91392f688d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#13 0x7f9139fcf505 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#14 0x7f9139ee97a1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#15 0x7f9139ee97a1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#16 0x7f913e82e388 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#17 0x7f913e8eb9c8 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#18 0x7f91407092eb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
#19 0x7f9139fd03e6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#20 0x7f9139ee97a1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#21 0x7f9139ee97a1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#22 0x7f9140708b52 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
#23 0x56070ddf83b6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#24 0x56070ddf83b6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#25 0x7f914de29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#26 0x7f914de29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#27 0x56070ddce0e8 in _start (/home/user/workspace/browsers/m-c-20240209114116-fuzzing-debug/firefox-bin+0x590e8) (BuildId: 5f0f9685d1a526eaabb8fc1ef973c071d931d79e)
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20240209214145-9c7562b79131.
The bug appears to have been introduced in the following build range:

Start: c38d482445a0c034ac7b8fc0219092fccdbc58b2 (20240118044751)
End: cf3ce7d3c82dcdac5f895ba5c5edb2f64f806e0e (20240118015756)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c38d482445a0c034ac7b8fc0219092fccdbc58b2&tochange=cf3ce7d3c82dcdac5f895ba5c5edb2f64f806e0e

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Regressed by: 1870488

Set release status flags based on info from the regressing bug 1870488

:aosmond, since you are the author of the regressor, bug 1870488, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(aosmond)

I expect this was fixed by bug 1877429. Are you able to confirm?

Flags: needinfo?(aosmond) → needinfo?(twsmith)

Lee, can we please get Priority/Severity set on this report?

Flags: needinfo?(lsalzman)
Severity: -- → S4
Flags: needinfo?(lsalzman)

(In reply to Andrew Osmond [:aosmond] (he/him) from comment #3)

> I expect this was fixed by bug 1877429. Are you able to confirm?

This issue is reproducible with the latest available fuzzing build (20240211-13676fc9b0cd) and is also being reported by the fuzzers.

Flags: needinfo?(twsmith)

Set release status flags based on info from the regressing bug 1870488

This has been reported by live site testing.

A Pernosco session is available here: https://pernos.co/debug/_5Vj3slP8iRscoF6XuFdNg/index.html

Keywords: pernosco

Andrew, this looks like an issue with offscreen canvas?

Flags: needinfo?(aosmond)

:aosmond via Matrix:

I think it is a rare race which is unlikely to cause serious trouble.
Should be fixed, but I wouldn't track it for a particular release.
