Hit MOZ_CRASH(bug: this is an unexpected case - please open a bug and talk to #gfx team!) at gfx/wr/webrender/src/spatial_tree.rs:1038
Categories
(Core :: Graphics: WebRender, defect, P3)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox135 | --- | affected |
People
(Reporter: truber, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 2c9f37ff7f0d (built with: --enable-address-sanitizer --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 2c9f37ff7f0d --asan --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla --repeat 20 --relaunch 1 ./firefox/firefox 1927586
Hit MOZ_CRASH(bug: this is an unexpected case - please open a bug and talk to #gfx team!) at gfx/wr/webrender/src/spatial_tree.rs:1038
=================================================================
==3257511==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f887ecd8c67 bp 0x7f884b8b0130 sp 0x7f884b8b0120 T26)
==3257511==The signal is caused by a WRITE memory access.
==3257511==Hint: address points to the zero page.
#0 0x7f887ecd8c67 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:317:3
#1 0x7f887ecd8c67 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
#2 0x7f887ecd74fe in mozglue_static::panic_hook::h2b7b0c7ab69696a9 /mozglue/static/rust/lib.rs:102:9
#3 0x7f887ecd74fe in core::ops::function::Fn::call::h397a2f6bd0d5fd2c /builds/worker/fetches/rust/library/core/src/ops/function.rs:79:5
#4 0x7f88820dc354 in std::panicking::rust_panic_with_hook::h0c15db9fe1a518fe std.4dd631fead81e61f-cgu.07
#5 0x7f887d58477d in std::panicking::begin_panic::_$u7b$$u7b$closure$u7d$$u7d$::ha27d71e1704ddcac /builds/worker/fetches/rust/library/std/src/panicking.rs:738:9
#6 0x7f887d57a505 in std::sys::backtrace::__rust_end_short_backtrace::h64eb775dfb43b60b /builds/worker/fetches/rust/library/std/src/sys/backtrace.rs:168:18
#7 0x7f887d584601 in std::panicking::begin_panic::h962b4c708ca0ec8b /builds/worker/fetches/rust/library/std/src/panicking.rs:737:5
#8 0x7f887db9263d in webrender::spatial_tree::SpatialTree::get_relative_transform_with_face::hc0704baf74fdae02 /gfx/wr/webrender/src/spatial_tree.rs:1038:9
#9 0x7f887db6c8a1 in webrender::space::SpaceMapper$LT$F$C$T$GT$::set_target_spatial_node::h61756b5be6b9848b /gfx/wr/webrender/src/space.rs:72:29
#10 0x7f887dcc9e4d in webrender::picture::PicturePrimitive::propagate_bounding_rect::h9ac0bdbb60d5e82c /gfx/wr/webrender/src/picture.rs:6875:13
#11 0x7f887dce0d40 in webrender::picture_graph::PictureGraph::propagate_bounding_rects::h916d920a15ef5009 /gfx/wr/webrender/src/picture_graph.rs:149:17
#12 0x7f887dc1be09 in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::h8f4b0d8ce40d2632 /gfx/wr/webrender/src/frame_builder.rs:322:9
#13 0x7f887dc1be09 in webrender::frame_builder::FrameBuilder::build::h5c4d95ef0a1aadb2 /gfx/wr/webrender/src/frame_builder.rs:573:9
#14 0x7f887dd6d4bf in webrender::render_backend::Document::build_frame::h6ec2aa7e2a0134ea /gfx/wr/webrender/src/render_backend.rs:530:25
#15 0x7f887ddaddb4 in webrender::render_backend::RenderBackend::update_document::hfee6bca39b8610e8 /gfx/wr/webrender/src/render_backend.rs:1466:41
#16 0x7f887dd97c5b in webrender::render_backend::RenderBackend::prepare_transactions::h5d543b6d839f97a7 /gfx/wr/webrender/src/render_backend.rs:1306:28
#17 0x7f887dd97c5b in webrender::render_backend::RenderBackend::process_api_msg::h36de583fbe5237bd /gfx/wr/webrender/src/render_backend.rs:1153:17
#18 0x7f887d57f81d in webrender::render_backend::RenderBackend::run::h0e120a759b25a18e /gfx/wr/webrender/src/render_backend.rs:802:21
#19 0x7f887d57f81d in webrender::renderer::init::create_webrender_instance::_$u7b$$u7b$closure$u7d$$u7d$::hc78ec6ad6e344411 /gfx/wr/webrender/src/renderer/init.rs:715:9
#20 0x7f887d57f81d in std::sys::backtrace::__rust_begin_short_backtrace::h7375a8628da1919d /builds/worker/fetches/rust/library/std/src/sys/backtrace.rs:152:18
#21 0x7f887d59408a in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h56bc8289e53f10ea /builds/worker/fetches/rust/library/std/src/thread/mod.rs:538:17
#22 0x7f887d59408a in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h2928193593fae6e6 /builds/worker/fetches/rust/library/core/src/panic/unwind_safe.rs:272:9
#23 0x7f887d59408a in std::panicking::try::do_call::he21920fae9d640e3 /builds/worker/fetches/rust/library/std/src/panicking.rs:557:40
#24 0x7f887d59408a in std::panicking::try::hed8ab6d33e869df0 /builds/worker/fetches/rust/library/std/src/panicking.rs:521:19
#25 0x7f887d59408a in std::panic::catch_unwind::h2d51e474fae8aed4 /builds/worker/fetches/rust/library/std/src/panic.rs:350:14
#26 0x7f887d59408a in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::h2756b443fb11650e /builds/worker/fetches/rust/library/std/src/thread/mod.rs:537:30
#27 0x7f887d59408a in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h1c5ac6c0835839fb /builds/worker/fetches/rust/library/core/src/ops/function.rs:250:5
#28 0x7f88820eb1fa in std::sys::pal::unix::thread::Thread::new::thread_start::h51b652028646be50 std.4dd631fead81e61f-cgu.12
#29 0x55c0216552f8 in asan_thread_start(void*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:239:28
#30 0x7f888ec88143 in start_thread nptl/pthread_create.c:442:8
#31 0x7f888ed087db in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:317:3 in MOZ_Crash
==3257511==ABORTING
Reporter
Comment 1•3 months ago
Reporter
Comment 2•3 months ago
Reporter
Updated•3 months ago
Comment 3•3 months ago
- The trick to repro this on Nightly is to serve it via a local http server and then press-and-hold the F5 key (i.e. refresh the page rapidly).
- I got this crash on Nightly: https://crash-stats.mozilla.org/report/index/549503ad-e56d-4ff5-8524-2ca220241028#tab-bugzilla
- Can repro on a build from Jan 2022, so not a new regression.
- This testcase is easier to repro on older builds - just loading the testcase once (via local server) will flash the whole browser.
Comment 4•3 months ago
Verified bug as reproducible on mozilla-central 20241028212656-20aa234dca65.
Unable to bisect testcase (Testcase reproduces on start build!):
Start: 9d87d8875f3012f1cb5e065b5861f41a29d1173c (20231031035148)
End: 2c9f37ff7f0d76a31beb333db9e00e3afc264e32 (20241028135919)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)
Comment 5•3 months ago
Glenn, this crash is the case you noted in get_relative_transform_with_face. Can you reproduce?
Comment 6•3 months ago
Yes, it reproduces for me. Likely an issue with an invalid display list, but will need further investigation.
Updated•2 months ago