Closed Bug 1928736 Opened 3 months ago Closed 3 months ago

Hit MOZ_CRASH(Content-process DrawTargetRecording can't create requested clipped drawtarget) at /builds/worker/checkouts/gecko/gfx/2d/DrawTargetRecording.cpp:834

Categories

(Core :: Graphics: Canvas2D, defect)

Tracking

()

VERIFIED FIXED
134 Branch
Tracking Status
firefox-esr128 --- unaffected
firefox132 --- wontfix
firefox133 --- verified
firefox134 --- verified

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug, Regression)

Details

(5 keywords, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20240919-4174af79b987 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Hit MOZ_CRASH(Content-process DrawTargetRecording can't create requested clipped drawtarget) at /builds/worker/checkouts/gecko/gfx/2d/DrawTargetRecording.cpp:834

#0 0x7ca96963e9a1 in mozilla::gfx::DrawTargetRecording::CreateSimilarDrawTargetForFilter(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, mozilla::gfx::FilterNode*, mozilla::gfx::FilterNode*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&) /builds/worker/checkouts/gecko/gfx/2d/DrawTargetRecording.cpp:832:5
#1 0x7ca96dd3624d in mozilla::widget::Theme::PaintCircleShadow(mozilla::gfx::DrawTarget&, mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float> const&, mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float> const&, float, mozilla::gfx::PointTyped<mozilla::CSSPixel, float> const&, mozilla::gfx::CoordTyped<mozilla::CSSPixel, float>, mozilla::gfx::ScaleFactor<mozilla::CSSPixel, mozilla::LayoutDevicePixel>) /builds/worker/checkouts/gecko/widget/Theme.cpp:674:46
#2 0x7ca96dd3b948 in void mozilla::widget::Theme::PaintRange<mozilla::gfx::DrawTarget>(nsIFrame*, mozilla::gfx::DrawTarget&, mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float> const&, mozilla::dom::ElementState const&, mozilla::widget::ThemeColors const&, mozilla::gfx::ScaleFactor<mozilla::CSSPixel, mozilla::LayoutDevicePixel>, bool) /builds/worker/checkouts/gecko/widget/Theme.cpp:964:5
#3 0x7ca96dd37281 in bool mozilla::widget::Theme::DoDrawWidgetBackground<mozilla::gfx::DrawTarget>(mozilla::gfx::DrawTarget&, nsIFrame*, mozilla::StyleAppearance, nsRect const&, nsITheme::DrawOverflow) /builds/worker/checkouts/gecko/widget/Theme.cpp:1278:7
#4 0x7ca96dd3751a in DrawWidgetBackground /builds/worker/checkouts/gecko/widget/Theme.cpp:1121:8
#5 0x7ca96dd3751a in non-virtual thunk to mozilla::widget::Theme::DrawWidgetBackground(gfxContext*, nsIFrame*, mozilla::StyleAppearance, nsRect const&, nsRect const&, nsITheme::DrawOverflow) /builds/worker/checkouts/gecko/widget/Theme.cpp
#6 0x7ca96e4f7117 in nsCSSRendering::PaintStyleImageLayerWithSC(nsCSSRendering::PaintBGParams const&, gfxContext&, mozilla::ComputedStyle const*, nsStyleBorder const&) /builds/worker/checkouts/gecko/layout/painting/nsCSSRendering.cpp:2501:14
#7 0x7ca96e42b44a in mozilla::PaintMaskSurface(mozilla::SVGIntegrationUtils::PaintFramesParams const&, mozilla::gfx::DrawTarget*, float, mozilla::ComputedStyle const*, nsTArray<mozilla::SVGMaskFrame*> const&, nsPoint const&) /builds/worker/checkouts/gecko/layout/svg/SVGIntegrationUtils.cpp:487:35
#8 0x7ca96e42a777 in mozilla::SVGIntegrationUtils::PaintMask(mozilla::SVGIntegrationUtils::PaintFramesParams const&, bool&) /builds/worker/checkouts/gecko/layout/svg/SVGIntegrationUtils.cpp:695:26
#9 0x7ca96e535f08 in mozilla::nsDisplayMasksAndClipPaths::PaintMask(mozilla::nsDisplayListBuilder*, gfxContext*, bool, bool*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:7967:18
#10 0x7ca9699cee91 in mozilla::layers::WebRenderCommandBuilder::BuildWrMaskImage(mozilla::nsDisplayMasksAndClipPaths*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*, mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float> const&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2806:38
#11 0x7ca96e536e50 in CreateWRClipPathAndMasks /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:8161:58
#12 0x7ca96e536e50 in mozilla::nsDisplayMasksAndClipPaths::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:8191:35
#13 0x7ca9699c73a4 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1859:41
#14 0x7ca9699c5ba3 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2115:7
#15 0x7ca96e5274d3 in CreateWebRenderCommandsNewClipListOption /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:4605:30
#16 0x7ca96e5274d3 in CreateWebRenderCommands /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:4942:12
#17 0x7ca96e5274d3 in mozilla::nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:5235:22
#18 0x7ca9699c73a4 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1859:41
#19 0x7ca9699c5ba3 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2115:7
#20 0x7ca9699c4328 in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1780:5
#21 0x7ca9699f9b0b in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderLayerManager.cpp:365:30
#22 0x7ca96e516421 in mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2294:18
#23 0x7ca96e1aff82 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3194:9
#24 0x7ca96e120bf2 in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6545:5
#25 0x7ca96dce115c in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:406:18
#26 0x7ca96dce0bae in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:341:22
#27 0x7ca96dce21a0 in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:888:5
#28 0x7ca96e0d8907 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2867:11
#29 0x7ca96e0e13a1 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:13
#30 0x7ca96e0e13a1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:346:7
#31 0x7ca96e0e12a0 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:362:5
#32 0x7ca96e0e113d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:948:5
#33 0x7ca96e0e046c in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:858:5
#34 0x7ca96e0df7f9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:593:14
#35 0x7ca96d52767b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#36 0x7ca96d7ba2e7 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:235:78
#37 0x7ca9690f3a7d in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5428:32
#38 0x7ca96908bfbf in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1726:25
#39 0x7ca969088f42 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1653:9
#40 0x7ca969089bc2 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1444:3
#41 0x7ca96908ad0f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1544:14
#42 0x7ca9684ed747 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:618:16
#43 0x7ca9684e2fa9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:945:26
#44 0x7ca9684e19e7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:768:15
#45 0x7ca9684e1e65 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:554:36
#46 0x7ca9684f1126 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:268:37
#47 0x7ca9684f1126 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#48 0x7ca9685049db in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1155:16
#49 0x7ca96850b6bf in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#50 0x7ca969091b45 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#51 0x7ca968fe3f41 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#52 0x7ca968fe3f41 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#53 0x7ca96dd49e08 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#54 0x7ca96ddfb1d8 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
#55 0x7ca96ecd72ab in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:651:20
#56 0x7ca969092996 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#57 0x7ca968fe3f41 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#58 0x7ca968fe3f41 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#59 0x7ca96ecd66ca in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:586:34
#60 0x5b784f77be9e in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:397:22
Flags: in-testsuite?
Crash Signature: [@ mozilla::gfx::DrawTargetRecording::CreateSimilarDrawTargetForFilter ]
See Also: → 1825255

Bisection:
Bug 1918838 - Make CSS zoom apply to themed widgets properly. r=dshin
Differential Revision: https://phabricator.services.mozilla.com/D222320

Keywords: regression
Regressed by: 1918838

Set release status flags based on info from the regressing bug 1918838

:emilio, since you are the author of the regressor, bug 1918838, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(emilio)

Verified bug as reproducible on mozilla-central 20241103214544-c3c6d6835d49.
The bug appears to have been introduced in the following build range:

Start: 6503e8e0e009fa3fb9e91d2d1b10b7c454e284cc (20240919090626)
End: 474e1a3ab5f0aa8772343cf7188b246acc3e64bd (20240919110414)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6503e8e0e009fa3fb9e91d2d1b10b7c454e284cc&tochange=474e1a3ab5f0aa8772343cf7188b246acc3e64bd

Whiteboard: [bugmon:bisected,confirmed]
Keywords: pernosco-wanted

After bug 1918838 we can get a way smaller DPIRatio which ends up with a
zero-sized draw target. I don't think we care much about not drawing the
shadow in that case.

Assignee: nobody → emilio
Status: NEW → ASSIGNED
Flags: needinfo?(emilio)
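
The failure mode described in the comment above, as an added stand-alone C++ model; it is not the Gecko patch and not code from this bug. All names, the round-down rule, the 8192-pixel cap and the sample radius, blur and scale values are assumptions made for the illustration.

```cpp
// Added illustration, not Gecko code: every name below is hypothetical.
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <optional>

struct IntSize {
  int32_t width, height;
  bool IsEmpty() const { return width <= 0 || height <= 0; }
};

constexpr float kMaxExtent = 8192.0f;  // assumed upper bound for a widget shadow surface

// Device-pixel size of the square that holds a circular shadow whose radius
// and blur are given in CSS pixels. Rounding down is an assumption of the model.
IntSize ShadowSurfaceSize(float radiusCss, float blurCss, float dpiRatio) {
  float extent = 2.0f * (radiusCss + blurCss) * dpiRatio;
  if (!std::isfinite(extent) || extent < 1.0f) return {0, 0};  // NaN, negative, sub-pixel
  int32_t px = static_cast<int32_t>(std::floor(std::fmin(extent, kMaxExtent)));
  return {px, px};
}

// Stand-in for an allocator that cannot satisfy an empty request. Here it
// reports failure; the one in the report aborts the process instead.
std::optional<IntSize> CreateSurface(IntSize size) {
  if (size.IsEmpty()) return std::nullopt;
  return size;
}

enum class PaintResult { Painted, SkippedEmpty, AllocatorRejected };

// guardEmpty=false models a caller without the size check, true a caller with it.
PaintResult PaintShadow(float radiusCss, float blurCss, float dpiRatio, bool guardEmpty) {
  IntSize size = ShadowSurfaceSize(radiusCss, blurCss, dpiRatio);
  if (guardEmpty && size.IsEmpty()) return PaintResult::SkippedEmpty;  // nothing to draw
  if (!CreateSurface(size)) return PaintResult::AllocatorRejected;
  return PaintResult::Painted;
}

int main() {
  const float ratios[] = {1.0f, 0.5f, 0.01f};  // constructed sample scale factors
  for (float r : ratios) {
    IntSize s = ShadowSurfaceSize(8.0f, 1.0f, r);
    std::printf("ratio=%.2f size=%dx%d unguarded=%d guarded=%d\n", r, s.width, s.height,
                static_cast<int>(PaintShadow(8.0f, 1.0f, r, false)),
                static_cast<int>(PaintShadow(8.0f, 1.0f, r, true)));
  }
  return 0;
}
```
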
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/dd1e7d287b66 Avoid trying to create empty DrawTarget for painting range input shadow. r=gfx-reviewers,bradwerth
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/48986 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 134 Branch
Upstream PR merged by moz-wptsync-bot

The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox133 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(emilio)

Comment on attachment 9435526 [details]
Bug 1928736 - Avoid trying to create empty DrawTarget for painting range input shadow. r=#gfx-reviewers,#layout,spohl,mstange

Beta/Release Uplift Approval Request

  • User impact if declined/Reason for urgency: Crash
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: comment 0
  • List of other uplifts needed: none
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Trivial fix.
  • String changes made/needed: none
  • Is Android affected?: Yes
Flags: needinfo?(emilio)
Attachment #9435526 - Flags: approval-mozilla-beta?
Flags: qe-verify+

Comment on attachment 9435526 [details]
Bug 1928736 - Avoid trying to create empty DrawTarget for painting range input shadow. r=#gfx-reviewers,#layout,spohl,mstange

Approved for 133.0b6

Attachment #9435526 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [qa-triaged]

I was able to reproduce the tab crash on Firefox 133.0b5, using Windows 11, with the test case attached in Comment 0.
Verified as fixed on Firefox 133.0b6 (treeherder build from Comment 14) and on Firefox Nightly 134.0a1 (2024-11-06), using Windows 11, macOS 14.7 and Ubuntu 22.04.
The tab is no longer crashing when opening the test case.
@emilio, I've noticed that on an unaffected build, a slider is displayed on the page when opening the test case, but on the fixed builds, the page is empty. Is this expected? Thank you in advance!

Status: RESOLVED → VERIFIED
Flags: needinfo?(emilio)

Yes, that's expected due to the zoom declaration there.

Flags: needinfo?(emilio)

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

A pernosco session for this bug can be found here.
