Closed Bug 1971296 Opened 6 months ago Closed 5 months ago

Crash in [@ mozilla::layers::NativeLayerMacSurfaceHandler::HandlePartialUpdate<T>] when usong two fingers to zoom while the page is scrolling on https://worlds-highest-website.com

Categories

(Core :: Graphics: WebRender, defect)

Product:
Core
Component:
Graphics: WebRender
Platform:
Desktop
macOS
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
142 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- wontfix
firefox-esr140 --- verified
firefox139 --- wontfix
firefox140 --- wontfix
firefox141 --- wontfix
firefox142 --- verified

People

(Reporter: atrif, Assigned: bradwerth)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

Bug 1971296: Make WebRender clip dirty rects and display rects to surface sizes.
48 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-esr140+
Details | Review

Crash report: https://crash-stats.mozilla.org/report/index/3ca9f210-ebe8-413c-b6cf-2ccfe0250610

MOZ_CRASH Reason:

MOZ_RELEASE_ASSERT(IntRect({}, mSize).Contains(aUpdateRegion.GetBounds())) (The update region should be within the surface bounds.)

Top 10 frames:

0  XUL  MOZ_CrashSequence(void*, long)  mfbt/Assertions.h:253
0  XUL  mozilla::layers::NativeLayerMacSurfaceHandler::HandlePartialUpdate<mozilla::l...  gfx/layers/NativeLayerMacSurfaceHandler.mm:103
0  XUL  mozilla::layers::NativeLayerMacSurfaceHandler::NextSurfaceAsFramebuffer(mozil...  gfx/layers/NativeLayerMacSurfaceHandler.mm:220
0  XUL  mozilla::layers::NativeLayerCA::NextSurfaceAsFramebuffer(mozilla::gfx::IntRec...  gfx/layers/NativeLayerCA.mm:1325
1  XUL  mozilla::wr::RenderCompositorNativeOGL::Bind(mozilla::wr::NativeTileId, mozil...  gfx/webrender_bindings/RenderCompositorNative.cpp:581
2  XUL  <webrender_bindings::bindings::WrCompositor as webrender::composite::Composit...  gfx/webrender_bindings/src/bindings.rs:1415
3  XUL  webrender::renderer::Renderer::draw_frame  gfx/wr/webrender/src/renderer/mod.rs:4966
4  XUL  webrender::renderer::Renderer::render_impl  gfx/wr/webrender/src/renderer/mod.rs:1594
5  XUL  webrender::renderer::Renderer::render  gfx/wr/webrender/src/renderer/mod.rs:1283
6  XUL  wr_renderer_render  gfx/webrender_bindings/src/bindings.rs:650

Found in*

  • 140.0b7

Affected versions

  • 140.0b7
  • 141.0a1 (2025-06-09)
  • 139.0.4

Tested platforms

  • Affected platforms: macOS 14 aarch
  • Unaffected platforms: Ubuntu 24, Windows 10

Steps to reproduce

  1. Open https://worlds-highest-website.com
  2. Click on the take the elevator link.
  3. While the scroll is ongoing, use two fingers to zoom.

Expected result

  • No crash.

Actual result

  • Firefox crashes.

Regression range

QA Whiteboard: [qa-found-in-b140]
Component: Widget: Cocoa → Graphics: WebRender

Hi :gwatson - apologies for the late notice, but we're tracking this for Fx 140 and would like to figure out how big a problem this is soon. Could someone take a look?

Flags: needinfo?(gwatson)

Markus, Brad, any ideas?

Flags: needinfo?(mstange.moz)
Flags: needinfo?(gwatson)
Flags: needinfo?(bwerth)

(In reply to Glenn Watson [:gw] from comment #2)

Markus, Brad, any ideas?

Huh, I thought we had taken all those asserts out in an earlier Bug. I will put up a patch that removes the assert and see what Markus thinks in review.

Assignee: nobody → bwerth
Flags: needinfo?(bwerth)

Since we have a testcase, I'd prefer changing things on the WebRender side so that the assert passes, unless that's really hard for some reason.

Flags: needinfo?(mstange.moz)

(In reply to Markus Stange [:mstange] from comment #4)

Since we have a testcase, I'd prefer changing things on the WebRender side so that the assert passes, unless that's really hard for some reason.

Yeah, now that I've set the two-finger zoom gesture on in macOS System Preferences, I can replicate. I'll find a proper fix.

See Also: → 1972517

When I try to replicate in a debug build, I hit this assert before the crash. So there's some confusion in WebRender that we need to root out.

See Also: 1972517
See Also: → 1932156

This patch has two changes and introduces one problem. The first change
is to remove the asserts in take_context which require offsets
multiplied by a scaling factor to have a rounding error no greater than
0.15 of a pixel. This works for normal values, but fails when tiles
have large offset values (for example, on a very tall page) and small
scaling factors (zooming in some amount). It seems very arbitrary to
increase the 0.15 fudge factor to a larger value. At some point, we hit
precision limits and the value of this assert is lost.

The second change is to clamp dirty rects and display rects to surface
sizes. This prevents native compositors -- specifically macOS -- from
panicking that one or both of the rects is larger than the surface
itself.

Now the problem: on very tall pages, at some zoom levels, gaps appear
between the tile surfaces. Obviously not acceptable, but I want to get
the patch posted so reviewers can help spot the troublesome math.

Attachment #9496407 - Attachment description: WIP: Bug 1971296: Make WebRender clip dirty rects and display rects to surface sizes. → Bug 1971296: Make WebRender clip dirty rects and display rects to surface sizes.
Blocks: 1973818

https://hg.mozilla.org/mozilla-central/rev/328b05cadf84

Status: NEW → RESOLVED
Closed: 5 months ago
status-firefox142: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 142 Branch

The patch landed in nightly and beta is affected.
:bradwerth, is this bug important enough to require an uplift?

For more information, please visit BugBot documentation.

Flags: needinfo?(bwerth)

Verified fixed with Firefox 142.0a1 (2025-06-26) on macOS 14 aarch. Firefox no longer crashes after using the take the elevator option and then using pinch to zoom.

QA Whiteboard: [qa-found-in-b140] → [qa-found-in-b140] [qa-ver-done-c142/b141]
status-firefox142: fixedverified
status-firefox141: affectedwontfix
Flags: needinfo?(bwerth)

Please nominate this for ESR140 uplift when you get a chance.

status-firefox-esr128: affectedwontfix
Flags: needinfo?(bwerth)

Comment on attachment 9496407 [details]
Bug 1971296: Make WebRender clip dirty rects and display rects to surface sizes.

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: A fairly frequent crash on macOS.
  • User impact if declined: Users who use a two-finger zoom on some web content, will crash the browser.
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Just clamping some values deep in the rendering pipeline.
Flags: needinfo?(bwerth)
Attachment #9496407 - Flags: approval-mozilla-esr128?
Attachment #9496407 - Flags: approval-mozilla-esr128? → approval-mozilla-esr140?

Comment on attachment 9496407 [details]
Bug 1971296: Make WebRender clip dirty rects and display rects to surface sizes.

Approved for 140.2esr.

Attachment #9496407 - Flags: approval-mozilla-esr140? → approval-mozilla-esr140+

Verified fixed with Firefox 140.2.0esr on macOS 14 aarch and macOS 12. Firefox no longer crashes after using the take the elevator option and then using pinch to zoom.

Status: RESOLVED → VERIFIED
status-firefox-esr140: fixedverified
Duplicate of this bug: 1982270
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: