Closed Bug 1963368 Opened 19 days ago Closed 13 days ago

Hit MOZ_CRASH(bug: texture not allocated) at gfx/wr/webrender/src/renderer/mod.rs:659

Categories

(Core :: Graphics: WebRender, defect, P3)

x86_64
Linux
defect
Points:
2

Tracking

()

VERIFIED FIXED
140 Branch
Tracking Status
firefox-esr128 --- unaffected
firefox138 --- unaffected
firefox139 --- disabled
firefox140 --- verified

People

(Reporter: jkratzer, Assigned: emilio)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed] [viewtransitions:m2], [wptsync upstream])

Crash Data

Attachments

(3 files)

Testcase found while fuzzing mozilla-central rev dfac0166a72d (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

    $ pip install fuzzfetch grizzly-framework --upgrade
    $ python -m fuzzfetch --build dfac0166a72d --asan --fuzzing -n firefox
    $ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Hit MOZ_CRASH(bug: texture not allocated) at gfx/wr/webrender/src/renderer/mod.rs:659

    =================================================================
    ==2970269==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7dc660093183 bp 0x7dc5f6bd5170 sp 0x7dc5f6bd5160 T54)
    ==2970269==The signal is caused by a WRITE memory access.
    ==2970269==Hint: address points to the zero page.
        #0 0x7dc660093183 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3
        #1 0x7dc660093183 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:381:3
        #2 0x7dc660093183 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
        #3 0x7dc660091a07 in mozglue_static::panic_hook::h09282e0b6e3eeff1 /mozglue/static/rust/lib.rs:99:9
        #4 0x7dc660091a07 in core::ops::function::Fn::call::h72133a82d99c257d /builds/worker/fetches/rust/library/core/src/ops/function.rs:79:5
        #5 0x7dc663b4c259 in std::panicking::rust_panic_with_hook::h089cf39f00799133 std.b0550a264f4b45a7-cgu.13
        #6 0x7dc663b406e6 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hf02865fc1697377b std.b0550a264f4b45a7-cgu.10
        #7 0x7dc663b401f8 in std::sys::backtrace::__rust_end_short_backtrace::h92bc9e113a7f691d std.b0550a264f4b45a7-cgu.10
        #8 0x7dc663b4bc63 in rust_begin_unwind std.b0550a264f4b45a7-cgu.13
        #9 0x7dc663b79cb2 in core::panicking::panic_fmt::he169818ca2499665 core.2e3d2901cc719945-cgu.15
        #10 0x7dc663b73eba in core::option::expect_failed::h0188040e629432ab core.2e3d2901cc719945-cgu.09
        #11 0x7dc65f0e1815 in core::option::Option$LT$T$GT$::expect::h83c6b4e76d43c23d /builds/worker/fetches/rust/library/core/src/option.rs:928:21
        #12 0x7dc65f0e1815 in webrender::renderer::TextureResolver::get_cache_texture_mut::h8ca840905d34a194 /gfx/wr/webrender/src/renderer/mod.rs:659:14
        #13 0x7dc65f0e1815 in webrender::renderer::Renderer::draw_render_target::he2e56f36c6bcd832 /gfx/wr/webrender/src/renderer/mod.rs:4017:23
        #14 0x7dc65f1234e2 in webrender::renderer::Renderer::draw_frame::h192bdcc3258fe66d /gfx/wr/webrender/src/renderer/mod.rs:4935:21
        #15 0x7dc65f07fda1 in webrender::renderer::Renderer::render_impl::hc39334f0a1a0973e /gfx/wr/webrender/src/renderer/mod.rs:1599:17
        #16 0x7dc65f079d5c in webrender::renderer::Renderer::render::h6aea3d0408998115 /gfx/wr/webrender/src/renderer/mod.rs:1283:30
        #17 0x7dc65e3e6f3e in wr_renderer_render /gfx/webrender_bindings/src/bindings.rs:649:11
        #18 0x7dc65074973f in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>> const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char>> const&, bool*, mozilla::wr::FrameReadyParams const&, mozilla::wr::RendererStats*) /gfx/webrender_bindings/RendererOGL.cpp:220:19
        #19 0x7dc65074794b in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, mozilla::wr::FrameReadyParams const&, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>> const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char>> const&, mozilla::wr::RendererStats*, bool*) /gfx/webrender_bindings/RenderThread.cpp:853:31
        #20 0x7dc650746403 in mozilla::wr::RenderThread::HandleFrameOneDocInner(mozilla::wr::WrWindowId, mozilla::wr::FrameReadyParams const&, bool, mozilla::Maybe<mozilla::wr::FramePublishId>) /gfx/webrender_bindings/RenderThread.cpp:667:3
        #21 0x7dc650744a2a in HandleFrameOneDoc /gfx/webrender_bindings/RenderThread.cpp:614:3
        #22 0x7dc650744a2a in WrNotifierEvent_HandleNewFrameReady /gfx/webrender_bindings/RenderThread.cpp:575:3
        #23 0x7dc650744a2a in mozilla::wr::RenderThread::HandleWrNotifierEvents(mozilla::wr::WrWindowId) /gfx/webrender_bindings/RenderThread.cpp:536:9
        #24 0x7dc64d8f2797 in operator()<StoreRefPtrPassByPtr<mozilla::net::ConnectionData> &> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
        #25 0x7dc64d8f2797 in __invoke_impl<nsresult, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), StoreRefPtrPassByPtr<mozilla::net::ConnectionData> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
        #26 0x7dc64d8f2797 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), StoreRefPtrPassByPtr<mozilla::net::ConnectionData> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
        #27 0x7dc64d8f2797 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<StoreRefPtrPassByPtr<mozilla::net::ConnectionData> > &, 0UL> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
        #28 0x7dc64d8f2797 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<StoreRefPtrPassByPtr<mozilla::net::ConnectionData> > &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
        #29 0x7dc64d8f2797 in apply<mozilla::net::Dashboard, nsresult (mozilla::net::Dashboard::*)(mozilla::net::ConnectionData *)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
        #30 0x7dc64d8f2797 in mozilla::detail::RunnableMethodImpl<mozilla::ChildProfilerController*, void (mozilla::ChildProfilerController::*)(mozilla::ProfileAndAdditionalInformation*), true, (mozilla::RunnableKind)0, mozilla::ProfileAndAdditionalInformation*>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
        #31 0x7dc64d5f235c in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1153:16
        #32 0x7dc64d5fc938 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #33 0x7dc64ec4abfc in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:329:5
        #34 0x7dc64eb2fb94 in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #35 0x7dc64eb2fb94 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #36 0x7dc64eb2fb94 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #37 0x7dc64d5eb1a0 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:366:10
        #38 0x7dc6705eb74b in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:191:3
        #39 0x600df9645036 in asan_thread_start(void*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:239:28
        #40 0x7dc670cf3aa3 in start_thread nptl/pthread_create.c:447:8
        #41 0x7dc670d80c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
    
    ==2970269==Register values:
    rax = 0x0000000000000293  rbx = 0x0000000000000293  rcx = 0x0000000000000001  rdx = 0x0000000000000000  
    rdi = 0x0000600df97ef6d0  rsi = 0x00007dc5f6bd5118  rbp = 0x00007dc5f6bd5170  rsp = 0x00007dc5f6bd5160  
     r8 = 0x0000000000000000   r9 = 0x0000000000000000  r10 = 0xffffff0000000000  r11 = 0x4000000000000000  
    r12 = 0x00000fb93ebc3b00  r13 = 0x0000000000000293  r14 = 0x00007dc5f5e5dab4  r15 = 0x00007dc5f5e5d824  
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3 in MOZ_CrashSequence
    Thread T54 created by T0 here:
        #0 0x600df962e611 in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:250:3
        #1 0x7dc6705dc2b9 in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:429:10
        #2 0x7dc6705ca4fe in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:496:10
        #3 0x7dc64d5edba1 in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:615:20
        #4 0x7dc64d5fb206 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /xpcom/threads/nsThreadManager.cpp:619:22
        #5 0x7dc64d605b29 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /xpcom/threads/nsThreadUtils.cpp:176:57
        #6 0x7dc65073ff2f in NS_NewNamedThread<9UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:76:10
        #7 0x7dc65073ff2f in mozilla::wr::RenderThread::Start(unsigned int) /gfx/webrender_bindings/RenderThread.cpp:141:17
        #8 0x7dc6503e10d9 in gfxPlatform::InitLayersIPC() /gfx/thebes/gfxPlatform.cpp:1344:7
        #9 0x7dc6503db4b2 in gfxPlatform::Init() /gfx/thebes/gfxPlatform.cpp:973:3
        #10 0x7dc657b27c74 in GetPlatform /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:184:7
        #11 0x7dc657b27c74 in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /widget/GfxInfoBase.cpp:1809:25
        #12 0x7dc64d63b03d in NS_InvokeByIndex /xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
        #13 0x7dc64ef08294 in Invoke /js/xpconnect/src/XPCWrappedNative.cpp:1620:10
        #14 0x7dc64ef08294 in Call /js/xpconnect/src/XPCWrappedNative.cpp:1174:19
        #15 0x7dc64ef08294 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /js/xpconnect/src/XPCWrappedNative.cpp:1120:23
        #16 0x7dc64ef0cede in GetAttribute /js/xpconnect/src/xpcprivate.h:1451:12
        #17 0x7dc64ef0cede in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1006:10
        #18 0x7dc659da2837 in CallJSNative /js/src/vm/Interpreter.cpp:494:13
        #19 0x7dc659da2837 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:590:12
        #20 0x7dc659da46b1 in InternalCall /js/src/vm/Interpreter.cpp:657:10
        #21 0x7dc659da46b1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:689:8
        #22 0x7dc659da63da in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:811:10
        #23 0x7dc65a10bf5a in CallGetter(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, js::PropertyInfoBase<unsigned int>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2092:12
        #24 0x7dc65a0e21ed in GetExistingProperty<(js::AllowGC)1> /js/src/vm/NativeObject.cpp:2120:12
        #25 0x7dc65a0e21ed in NativeGetPropertyInline<(js::AllowGC)1> /js/src/vm/NativeObject.cpp:2273:14
        #26 0x7dc65a0e21ed in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2303:10
        #27 0x7dc65ae557ee in GetProperty /js/src/vm/ObjectOperations-inl.h:113:10
        #28 0x7dc65ae557ee in GetObjectElementOperation /js/src/vm/Interpreter-inl.h:390:10
        #29 0x7dc65ae557ee in GetElementOperationWithStackIndex /js/src/vm/Interpreter-inl.h:473:10
        #30 0x7dc65ae557ee in GetElementOperation /js/src/vm/Interpreter-inl.h:481:10
        #31 0x7dc65ae557ee in js::jit::DoGetElemFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /js/src/jit/BaselineIC.cpp:733:8
        #32 0x21020149cb13  ([anon:js-executable-memory]+0x2b13)
        #33 0x2102017236cd  ([anon:js-executable-memory]+0x96cd)
        #34 0x21020149a4e5  ([anon:js-executable-memory]+0x4e5)
        #35 0x7dc65b8830b4 in EnterJit /js/src/jit/Jit.cpp:114:5
        #36 0x7dc65b8830b4 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /js/src/jit/Jit.cpp:260:10
        #37 0x7dc659da1361 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:454:32
        #38 0x7dc659da29ad in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:622:13
        #39 0x7dc65ae6a379 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /js/src/jit/BaselineIC.cpp:1705:10
        #40 0x21020149c963  ([anon:js-executable-memory]+0x2963)
        #41 0x2102014a22c5  ([anon:js-executable-memory]+0x82c5)
        #42 0x210201722ce3  ([anon:js-executable-memory]+0x8ce3)
        #43 0x21020149a4e5  ([anon:js-executable-memory]+0x4e5)
        #44 0x7dc65b8830b4 in EnterJit /js/src/jit/Jit.cpp:114:5
        #45 0x7dc65b8830b4 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /js/src/jit/Jit.cpp:260:10
        #46 0x7dc659da1361 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:454:32
        #47 0x7dc659da29ad in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:622:13
        #48 0x7dc65ae6a379 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /js/src/jit/BaselineIC.cpp:1705:10
        #49 0x21020149c963  ([anon:js-executable-memory]+0x2963)
        #50 0x2102014a22c5  ([anon:js-executable-memory]+0x82c5)
        #51 0x210201749575  ([anon:js-executable-memory]+0xf575)
        #52 0x21020149a4e5  ([anon:js-executable-memory]+0x4e5)
        #53 0x7dc65b8830b4 in EnterJit /js/src/jit/Jit.cpp:114:5
        #54 0x7dc65b8830b4 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /js/src/jit/Jit.cpp:260:10
        #55 0x7dc659da1361 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:454:32
        #56 0x7dc659da29ad in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:622:13
        #57 0x7dc65ae6a379 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /js/src/jit/BaselineIC.cpp:1705:10
        #58 0x21020149c963  ([anon:js-executable-memory]+0x2963)
        #59 0x2102014a22c5  ([anon:js-executable-memory]+0x82c5)
        #60 0x21020174757b  ([anon:js-executable-memory]+0xd57b)
        #61 0x21020149a4e5  ([anon:js-executable-memory]+0x4e5)
        #62 0x7dc65b8830b4 in EnterJit /js/src/jit/Jit.cpp:114:5
        #63 0x7dc65b8830b4 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /js/src/jit/Jit.cpp:260:10
        #64 0x7dc659da1361 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:454:32
        #65 0x7dc659da29ad in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:622:13
        #66 0x7dc659da4f0e in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /js/src/vm/Interpreter.cpp:721:10
        #67 0x7dc65ae69f77 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /js/src/jit/BaselineIC.cpp:1684:10
        #68 0x21020149c963  ([anon:js-executable-memory]+0x2963)
        #69 0x2102014a2338  ([anon:js-executable-memory]+0x8338)
        #70 0x210201746db0  ([anon:js-executable-memory]+0xcdb0)
        #71 0x21020149a4e5  ([anon:js-executable-memory]+0x4e5)
        #72 0x7dc65b8830b4 in EnterJit /js/src/jit/Jit.cpp:114:5
        #73 0x7dc65b8830b4 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /js/src/jit/Jit.cpp:260:10
        #74 0x7dc659da1361 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:454:32
        #75 0x7dc659da29ad in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:622:13
        #76 0x7dc65ae6a379 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /js/src/jit/BaselineIC.cpp:1705:10
        #77 0x21020149c963  ([anon:js-executable-memory]+0x2963)
        #78 0x2102014a22c5  ([anon:js-executable-memory]+0x82c5)
        #79 0x210201746c1a  ([anon:js-executable-memory]+0xcc1a)
        #80 0x21020149a4e5  ([anon:js-executable-memory]+0x4e5)
        #81 0x7dc65b8830b4 in EnterJit /js/src/jit/Jit.cpp:114:5
        #82 0x7dc65b8830b4 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /js/src/jit/Jit.cpp:260:10
        #83 0x7dc659da1361 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:454:32
        #84 0x7dc659da29ad in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:622:13
        #85 0x7dc659da46b1 in InternalCall /js/src/vm/Interpreter.cpp:657:10
        #86 0x7dc659da46b1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:689:8
        #87 0x7dc659da63da in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:811:10
        #88 0x7dc65a10bf5a in CallGetter(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, js::PropertyInfoBase<unsigned int>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2092:12
        #89 0x7dc65a0e21ed in GetExistingProperty<(js::AllowGC)1> /js/src/vm/NativeObject.cpp:2120:12
        #90 0x7dc65a0e21ed in NativeGetPropertyInline<(js::AllowGC)1> /js/src/vm/NativeObject.cpp:2273:14
        #91 0x7dc65a0e21ed in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2303:10
        #92 0x7dc659dda211 in GetProperty /js/src/vm/ObjectOperations-inl.h:113:10
        #93 0x7dc659dda211 in GetProperty /js/src/vm/ObjectOperations-inl.h:120:10
        #94 0x7dc659dda211 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:4630:10
        #95 0x7dc65ae6408f in js::jit::DoGetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) /js/src/jit/BaselineIC.cpp:1326:8
        #96 0x21020149ccef  ([anon:js-executable-memory]+0x2cef)
        #97 0x21020171dca1  ([anon:js-executable-memory]+0x3ca1)
        #98 0x21020149a4e5  ([anon:js-executable-memory]+0x4e5)
        #99 0x7dc65b8830b4 in EnterJit /js/src/jit/Jit.cpp:114:5
        #100 0x7dc65b8830b4 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /js/src/jit/Jit.cpp:260:10
        #101 0x7dc659da1361 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:454:32
        #102 0x7dc659da29ad in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:622:13
        #103 0x7dc65ae6a379 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /js/src/jit/BaselineIC.cpp:1705:10
        #104 0x21020149c963  ([anon:js-executable-memory]+0x2963)
        #105 0x2102014a22c5  ([anon:js-executable-memory]+0x82c5)
        #106 0x21020170473f  ([anon:js-executable-memory]+0xa73f)
        #107 0x21020149a4e5  ([anon:js-executable-memory]+0x4e5)
        #108 0x7dc65b8830b4 in EnterJit /js/src/jit/Jit.cpp:114:5
        #109 0x7dc65b8830b4 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /js/src/jit/Jit.cpp:260:10
        #110 0x7dc659da1361 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:454:32
        #111 0x7dc659da29ad in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:622:13
        #112 0x7dc659da46b1 in InternalCall /js/src/vm/Interpreter.cpp:657:10
        #113 0x7dc659da46b1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:689:8
        #114 0x7dc659ececa6 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:55:10
        #115 0x7dc64eefbf3e in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /js/xpconnect/src/XPCWrappedJSClass.cpp:918:17
        #116 0x7dc64d63c8b9 in PrepareAndDispatch /xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
        #117 0x7dc64d63b76e in SharedStub xptcstubs_x86_64_linux.cpp
        #118 0x7dc64d590c9e in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /xpcom/components/nsCategoryManager.cpp:680:19
        #119 0x7dc659affb3c in nsXREDirProvider::DoStartup() /toolkit/xre/nsXREDirProvider.cpp:653:11
        #120 0x7dc659adf21c in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:5668:18
        #121 0x7dc659ae10ab in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:6136:8
        #122 0x7dc659ae2143 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:6209:21
        #123 0x600df968bb04 in do_main /browser/app/nsBrowserApp.cpp:232:22
        #124 0x600df968bb04 in main /browser/app/nsBrowserApp.cpp:464:16
        #125 0x7dc670c811c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #126 0x7dc670c8128a in __libc_start_main csu/../csu/libc-start.c:360:3
        #127 0x600df95ab4d8 in _start (/home/jkratzer/builds/m-c-20250429034554-fuzzing-asan-opt/firefox+0xd64d8) (BuildId: 96054bab32998afe74c12ca8e3b393e3e70d8dd3)
    
    ==2970269==ABORTING
Attached file Testcase
Attachment #9484286 - Attachment filename: testcase.html.undefined → testcase.html
Attachment #9484286 - Attachment mime type: text/plain → text/html

Hmm, preserve-3d and view transitions, fun. Nical?

Severity: -- → S3
Flags: needinfo?(nical.bugzilla)
Priority: -- → P3
Crash Signature: [@ core::option::expect_failed | webrender::renderer::TextureResolver::get_cache_texture_mut ]
Keywords: crash

Verified bug as reproducible on mozilla-central 20250429095232-c606c4205607.
The bug appears to have been introduced in the following build range:

Start: 32f5cd049a9c791a74a146f5286a537282c82d58 (20250425091026)
End: ecdd0e6ee8560e550f35c4d4a9aba8cfb36ec457 (20250425100853)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=32f5cd049a9c791a74a146f5286a537282c82d58&tochange=ecdd0e6ee8560e550f35c4d4a9aba8cfb36ec457

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Duplicate of this bug: 1963504

Based on comment #4, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:emilio, :standard8 and :sergesanspaille, since you are the authors of the changes in the range, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Flags: needinfo?(standard8)
Flags: needinfo?(sguelton)
Flags: needinfo?(emilio)

Technically bug 1950759 (but that's just a pref flip which is why I didn't tag it).

Flags: needinfo?(standard8)
Flags: needinfo?(sguelton)
Flags: needinfo?(emilio)
Regressed by: 1950759

Set release status flags based on info from the regressing bug 1950759

Assignee: nobody → nical.bugzilla
Status: NEW → ASSIGNED

This test case causes a display list to contain two snapshotted stacking contexts with the same image key. I've put up a patch that detects that and makes it crash in scene building with a descriptive message instead of somewhere deep in the rendering code.
We don't necessarily have to land this patch, it could be just used to help debug this, although the overhead should be negligible since there are zero snapshots most of the time and just a few occasionally.

Assignee: nical.bugzilla → nobody
Status: ASSIGNED → NEW
Flags: needinfo?(nical.bugzilla)
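The kind of early check described in the comment above, as an added example that is not the patch attached to this bug and not WebRender's code: a single pass over a simplified display list that rejects a second snapshotted stacking context reusing an image key, so the failure is reported at scene building with both offending positions. All type and function names, and the sample lists, are constructed for illustration.

```rust
use std::collections::HashMap;

// Simplified stand-ins for display-list types; the names are hypothetical
// and do not match WebRender's real API.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct ImageKey {
    pub namespace: u32,
    pub handle: u32,
}

#[derive(Debug)]
pub enum DisplayItem {
    // A stacking context, optionally snapshotted into the image `snapshot`.
    PushStackingContext { snapshot: Option<ImageKey> },
    PopStackingContext,
    Rect,
}

#[derive(Debug, PartialEq, Eq)]
pub enum SceneError {
    DuplicateSnapshotKey { key: ImageKey, first: usize, second: usize },
    UnbalancedPop { index: usize },
    UnclosedStackingContexts { open: usize },
}

/// Walks the display list once, before any render work is scheduled, and
/// returns the number of snapshotted stacking contexts or the first problem.
pub fn validate_display_list(items: &[DisplayItem]) -> Result<usize, SceneError> {
    // Maps each snapshot key to the index of the item that first used it.
    let mut seen: HashMap<ImageKey, usize> = HashMap::new();
    let mut depth = 0usize;
    for (index, item) in items.iter().enumerate() {
        match item {
            DisplayItem::PushStackingContext { snapshot } => {
                depth += 1;
                if let Some(key) = snapshot {
                    // `insert` hands back the earlier index if the key was already used.
                    if let Some(first) = seen.insert(*key, index) {
                        return Err(SceneError::DuplicateSnapshotKey {
                            key: *key,
                            first,
                            second: index,
                        });
                    }
                }
            }
            DisplayItem::PopStackingContext => {
                depth = depth
                    .checked_sub(1)
                    .ok_or(SceneError::UnbalancedPop { index })?;
            }
            DisplayItem::Rect => {}
        }
    }
    if depth != 0 {
        return Err(SceneError::UnclosedStackingContexts { open: depth });
    }
    Ok(seen.len())
}

/// Constructed sample: two stacking contexts snapshot into the same key.
pub fn duplicated_list() -> Vec<DisplayItem> {
    let key = ImageKey { namespace: 6, handle: 1 };
    vec![
        DisplayItem::PushStackingContext { snapshot: Some(key) },
        DisplayItem::PushStackingContext { snapshot: Some(key) },
        DisplayItem::Rect,
        DisplayItem::PopStackingContext,
        DisplayItem::PopStackingContext,
    ]
}

fn main() {
    match validate_display_list(&duplicated_list()) {
        Ok(n) => println!("ok, {n} snapshot(s)"),
        Err(e) => println!("rejected at scene building: {e:?}"),
    }
}
```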

Bouncing the ni? back to you Emilio (sorry!), since the root cause appears to be in displaylist building and I'm going to be unavailable for a couple of weeks.

Flags: needinfo?(emilio)
Assignee: nobody → nical.bugzilla
Status: NEW → ASSIGNED

Is it? I only see one image key for the old and one for the new sent to WR... Is preserve-3d transform handling in WR doing something weird?

    [Child 297906: Main Thread]: D/ViewTransitions GetViewTransitionImageKey(ImageFrame(div)(0)@7f22e6a1f098) = { mNamespace={ mHandle=4 }, mHandle=1 }
    [Child 297906: Main Thread]: D/ViewTransitions GetViewTransitionImageKey(ImageFrame(div)(1)@7f22e6a1f220) = { mNamespace={ mHandle=4 }, mHandle=2 }

Flags: needinfo?(emilio) → needinfo?(nical.bugzilla)

(In reply to Emilio Cobos Álvarez (:emilio) from comment #12)

> Is it? I only see one image key for the old and one for the new sent to WR... Is preserve-3d transform handling in WR doing something weird?

It looks this way. If I log snapshotted stacking contexts in the content process I get:

    wr_state_new PipelineId(1, 9)
    PipelineId(1, 9) wr_dp_push_stacking(snapshot = SnapshotImageKey(ImageKey(IdNamespace(6), 1)))
    PipelineId(1, 9) wr_dp_push_stacking(snapshot = SnapshotImageKey(ImageKey(IdNamespace(6), 1)))
    [39157] Hit MOZ_CRASH(The DisplayList contains multiple snapshotted stacking contexts using the same image key) at gfx/wr/webrender/src/scene_building.rs:1001

Flags: needinfo?(nical.bugzilla)

Ohh, so it's not two snapshots getting rendered with the same key. It's two stacking contexts getting snapshotted with the same key!

We should handle the root only in ScrollContainerFrame. We don't hit
this code-path more often because the root primary frame is usually not
a stacking context.

Assignee: nical.bugzilla → emilio
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed] [viewtransitions:m2]
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b959aedec5b9 Avoid sending two snapshots for the root. r=view-transitions-reviewers,boris
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/52327 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] [viewtransitions:m2] → [bugmon:bisected,confirmed] [viewtransitions:m2], [wptsync upstream]
Pushed by ctuns@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e03b81c3e8b1 Remove usage of live capture pref that I forgot to remove.
Status: ASSIGNED → RESOLVED
Closed: 13 days ago
Resolution: --- → FIXED
Target Milestone: --- → 140 Branch
Upstream PR merged by moz-wptsync-bot

Verified bug as fixed on rev mozilla-central 20250505214727-a6117fd7a8ce.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Points: --- → 2