Open Bug 1883738 Opened 7 months ago Updated 2 days ago

Assertion failure: d3d11.IsEnabled(), at /builds/worker/checkouts/gecko/gfx/thebes/DeviceManagerDx.cpp:81

Categories: Core :: Audio/Video: Playback, defect, P2 (Unspecified, Windows)
Status: REOPENED
Tracking Status: firefox125 --- affected
People: Reporter: jkratzer, Assigned: alwu
References: Blocks 3 open bugs
Details: Keywords: assertion, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments: 1 file

Testcase found while fuzzing mozilla-central rev 63e18d5ef9ec (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 63e18d5ef9ec --debug --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

[@ mozilla::gfx::DeviceManagerDx::LoadD3D11]

    OS|Windows NT|10.0.22621
    CPU|amd64|family 6 model 186 stepping 2|6
    Crash|EXCEPTION_BREAKPOINT|0x00007fff9af494bd|14
    14|0|xul.dll|mozilla::gfx::DeviceManagerDx::LoadD3D11()|hg:hg.mozilla.org/mozilla-central:gfx/thebes/DeviceManagerDx.cpp:63e18d5ef9ecb56ee260694de696c442f0bd5670|81|0x14d
    14|1|xul.dll|mozilla::gfx::DeviceManagerDx::CreateMediaEngineDevice()|hg:hg.mozilla.org/mozilla-central:gfx/thebes/DeviceManagerDx.cpp:63e18d5ef9ecb56ee260694de696c442f0bd5670|1124|0x2f
    14|2|xul.dll|mozilla::MFMediaEngineParent::InitializeDXGIDeviceManager()|hg:hg.mozilla.org/mozilla-central:dom/media/ipc/MFMediaEngineParent.cpp:63e18d5ef9ecb56ee260694de696c442f0bd5670|182|0x41
    14|3|xul.dll|mozilla::MFMediaEngineParent::CreateMediaEngine()|hg:hg.mozilla.org/mozilla-central:dom/media/ipc/MFMediaEngineParent.cpp:63e18d5ef9ecb56ee260694de696c442f0bd5670|135|0x19a
    14|4|xul.dll|mozilla::MFMediaEngineParent::MFMediaEngineParent(mozilla::RemoteDecoderManagerParent*, nsISerialEventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/media/ipc/MFMediaEngineParent.cpp:63e18d5ef9ecb56ee260694de696c442f0bd5670|83|0x2b9
    14|5|xul.dll|mozilla::PRemoteDecoderManagerParent::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:96d8262865988e1222df5a2f82eb94dc1fa40af81f2c389412de40c15bff2e582c79007c4c0176269dcaef1baec6416fc03ff26b0cb056335a265af8cff285f9/ipc/ipdl/PRemoteDecoderManagerParent.cpp:|345|0x2e0
    14|6|xul.dll|mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:63e18d5ef9ecb56ee260694de696c442f0bd5670|1812|0x14e
    14|7|xul.dll|mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message,mozilla::DefaultDelete<IPC::Message> >)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:63e18d5ef9ecb56ee260694de696c442f0bd5670|1731|0x2a7
    14|8|xul.dll|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:63e18d5ef9ecb56ee260694de696c442f0bd5670|1524|0x193
    14|9|xul.dll|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:63e18d5ef9ecb56ee260694de696c442f0bd5670|1622|0xdd
    14|10|xul.dll|mozilla::TaskQueue::Runner::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskQueue.cpp:63e18d5ef9ecb56ee260694de696c442f0bd5670|257|0x367
    14|11|xul.dll|nsThreadPool::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadPool.cpp:63e18d5ef9ecb56ee260694de696c442f0bd5670|341|0x7df
    14|12|xul.dll|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:63e18d5ef9ecb56ee260694de696c442f0bd5670|1193|0xa68
    14|13|xul.dll|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:63e18d5ef9ecb56ee260694de696c442f0bd5670|480|0x44
    14|14|xul.dll|mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:63e18d5ef9ecb56ee260694de696c442f0bd5670|300|0xad
    14|15|xul.dll|MessageLoop::RunHandler()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:63e18d5ef9ecb56ee260694de696c442f0bd5670|363|0x4f
    14|16|xul.dll|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:63e18d5ef9ecb56ee260694de696c442f0bd5670|345|0x6e
    14|17|xul.dll|nsThread::ThreadFunc(void*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:63e18d5ef9ecb56ee260694de696c442f0bd5670|370|0x15a
    14|18|nss3.dll|_PR_NativeRunThread(void*)|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/threads/combined/pruthr.c:63e18d5ef9ecb56ee260694de696c442f0bd5670|399|0x120
    14|19|nss3.dll|pr_root(void*)|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/md/windows/w95thred.c:63e18d5ef9ecb56ee260694de696c442f0bd5670|139|0x10
    14|20|ucrtbase.dll||||
    14|21|KERNELBASE.dll||||
    14|22|kernel32.dll||||
    14|23|ucrtbase.dll||||
    14|24|mozglue.dll|patched_BaseThreadInitThunk(int, void*, void*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:63e18d5ef9ecb56ee260694de696c442f0bd5670|558|0x74
    14|25|ntdll.dll||||
    14|26|KERNELBASE.dll||||
Attached file Testcase
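
Added example (not part of the original report or of Mozilla's tooling): a small parser for the pipe-delimited stack lines in comment 0 that derives the `[@ ...]` bucket key used to match duplicate fuzzer crashes. Taking the first symbolized frame on the crashing thread is a simplifying assumption, and `Frame`, `parse_stack`, `strip_args` and `signature` are hypothetical names.

```python
from typing import List, NamedTuple, Optional, Tuple

class Frame(NamedTuple):
    thread: int
    index: int
    module: str
    function: str   # empty when the frame has no symbols
    line: Optional[int]

# Constructed sample in the shape of the report above; REPO and REV are placeholders.
SAMPLE = """\
OS|Windows NT|10.0.22621
Crash|EXCEPTION_BREAKPOINT|0x00007fff9af494bd|14
14|0|xul.dll|mozilla::gfx::DeviceManagerDx::LoadD3D11()|hg:REPO:gfx/thebes/DeviceManagerDx.cpp:REV|81|0x14d
14|1|xul.dll|mozilla::gfx::DeviceManagerDx::CreateMediaEngineDevice()|hg:REPO:gfx/thebes/DeviceManagerDx.cpp:REV|1124|0x2f
14|4|xul.dll|mozilla::MFMediaEngineParent::MFMediaEngineParent(mozilla::RemoteDecoderManagerParent*, nsISerialEventTarget*)|hg:REPO:dom/media/ipc/MFMediaEngineParent.cpp:REV|83|0x2b9
14|20|ucrtbase.dll||||
"""

def parse_stack(text: str) -> Tuple[Optional[str], Optional[int], List[Frame]]:
    """Return (crash reason, crashing thread, frames) from pipe-delimited lines."""
    reason, thread, frames = None, None, []
    for raw in text.splitlines():
        parts = raw.strip().split("|")
        if parts[0] == "Crash" and len(parts) >= 4:
            reason, thread = parts[1], int(parts[3])
        elif len(parts) == 7 and parts[0].isdigit() and parts[1].isdigit():
            line = int(parts[5]) if parts[5].isdigit() else None
            frames.append(Frame(int(parts[0]), int(parts[1]), parts[2], parts[3], line))
    return reason, thread, frames

def strip_args(func: str) -> str:
    """Drop a trailing balanced '(...)' argument list, if present."""
    if not func.endswith(")"):
        return func
    depth = 0
    for i in range(len(func) - 1, -1, -1):
        depth += (func[i] == ")") - (func[i] == "(")
        if depth == 0:
            return func[:i]
    return func  # unbalanced parentheses: leave untouched

def signature(text: str) -> str:
    """Bucket key: first symbolized frame on the crashing thread (assumption)."""
    _, thread, frames = parse_stack(text)
    for f in frames:
        if f.thread == thread and f.function:
            return "[@ %s]" % strip_args(f.function)
    return "[@ unknown]"

if __name__ == "__main__":
    print(signature(SAMPLE))
```
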
Whiteboard: [bugmon:confirm] → [bugmon:confirm][fuzzblocker]

This is also being reported by live sites testing.

Blocks: site-scout
Keywords: assertion
Hardware: x86_64 → Unspecified
Summary: Crash [@ mozilla::gfx::DeviceManagerDx::LoadD3D11] → Assertion failure: d3d11.IsEnabled(), at /builds/worker/checkouts/gecko/gfx/thebes/DeviceManagerDx.cpp:81

Testcase crashes using the initial build (mozilla-central 20240305094850-63e18d5ef9ec) but not with tip (mozilla-central 20240306095835-cf015b6f24b4.)

The bug appears to have been fixed in the following build range:

Start: 488c772c72746cdfbf99e927acee696c4d6a5aef (20240306025323)
End: cf015b6f24b494190f562b255147f96e8b8b4139 (20240306095835)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=488c772c72746cdfbf99e927acee696c4d6a5aef&tochange=cf015b6f24b494190f562b255147f96e8b8b4139

jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(jkratzer)
Keywords: bugmon
Whiteboard: [bugmon:confirm][fuzzblocker] → [bugmon:bisected,confirmed][fuzzblocker]
Blocks: gfx-triage

Although the URL given by bugmon doesn't show any commits, it appears that this was fixed via https://hg.mozilla.org/mozilla-central/rev/236a38c8865a.

Natalia, can you confirm?

Flags: needinfo?(jkratzer) → needinfo?(ncsoregi)
No longer blocks: gfx-triage
Component: Graphics → Audio/Video: Playback
Assignee: nobody → alwu
Blocks: mf-playback
Severity: -- → S3
Priority: -- → P2

(In reply to Jason Kratzer [:jkratzer] from comment #4)

Although the URL given by bugmon doesn't show any commits, it appears that this was fixed via https://hg.mozilla.org/mozilla-central/rev/236a38c8865a.

Natalia, can you confirm?

The backout was done for causing crash spikes in Bug 1824294 and also Microsoft::WRL::ComPtr<T>::InternalRelease crashes.

I'm not seeing any occurrences, so I suppose it was indeed fixed by the backout too.
:Aryx, could you please confirm, if you have a few minutes to check?
Thank you.

Flags: needinfo?(ncsoregi) → needinfo?(aryx.bugmail)

Yes, no crashes with [@ Microsoft::WRL::ComPtr<T>::InternalRelease] after the backout. No crash reports from users for [@ mozilla::gfx::DeviceManagerDx::LoadD3D11].

Flags: needinfo?(aryx.bugmail)

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:alwu, could you consider increasing the severity?

For more information, please visit BugBot documentation.

Flags: needinfo?(alwu)
Flags: needinfo?(alwu)

This was last reported by fuzzers targeting m-c 20240306-099f52f30c39.

Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → WONTFIX

I'm not sure what happened with bugmon but the testcase from comment 0 still reproduces on the latest build (20240314-2333872b0f50). We've also started getting a new flood of reports related to this issue.

Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---

(In reply to Jason Kratzer [:jkratzer] from comment #9)

I'm not sure what happened with bugmon but the testcase from comment 0 still reproduces on the latest build (20240314-2333872b0f50). We've also started getting a new flood of reports related to this issue.

What do you mean by flood of reports? Did you post this to the wrong bug maybe? I see no reports in crashstats, and there's just one failure in Nightly in CI.

Flags: needinfo?(jkratzer)

(In reply to Jim Mathies [:jimm] from comment #11)

(In reply to Jason Kratzer [:jkratzer] from comment #9)

I'm not sure what happened with bugmon but the testcase from comment 0 still reproduces on the latest build (20240314-2333872b0f50). We've also started getting a new flood of reports related to this issue.

What do you mean by flood of reports? Did you post this to the wrong bug maybe? I see no reports in crashstats, and there's just one failure in Nightly in CI.

I meant specifically being reported by the fuzzers. It looks like there were a few days where the testcase was no longer reproducible, but starting around 2024/03/14 we started seeing new crashes with this signature.

Flags: needinfo?(jkratzer)

(In reply to Bugmon [:jkratzer for issues] from comment #3)

Testcase crashes using the initial build (mozilla-central 20240305094850-63e18d5ef9ec) but not with tip (mozilla-central 20240306095835-cf015b6f24b4.)

The bug appears to have been fixed in the following build range:

Start: 488c772c72746cdfbf99e927acee696c4d6a5aef (20240306025323)
End: cf015b6f24b494190f562b255147f96e8b8b4139 (20240306095835)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=488c772c72746cdfbf99e927acee696c4d6a5aef&tochange=cf015b6f24b494190f562b255147f96e8b8b4139

jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Pushlog in autoland.
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=488c772c72746cdfbf99e927acee696c4d6a5aef&tochange=cf015b6f24b494190f562b255147f96e8b8b4139

Hello, Jason,
Considering this has a very low crash rate, should we remove this from fuzzblocker? Thanks.

Flags: needinfo?(jkratzer)

Alastor, I think that's fine. Though, just to be clear, the fuzzblocker tag is based on the crash volume seen by the fuzzers only. Looking at it today, we're getting around ~20 crashes a day matching this signature. That's low enough for us to remove it.

Flags: needinfo?(jkratzer)
Whiteboard: [bugmon:bisected,confirmed][fuzzblocker] → [bugmon:bisected,confirmed]