Open Bug 1982053 Opened 3 months ago Updated 2 months ago

Hit MOZ_CRASH(assertion failed: info.ignore_missing_pipeline) at gfx/wr/webrender/src/scene_building.rs:1277

Categories

(Core :: Graphics: WebRender, defect)

Product:
Core
Component:
Graphics: WebRender
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
REOPENED
Milestone:
144 Branch
Tracking Flags:
Tracking Status
firefox-esr128 --- unaffected
firefox-esr140 --- unaffected
firefox141 --- wontfix
firefox142 --- wontfix
firefox143 --- wontfix
firefox144 --- wontfix

People

(Reporter: jkratzer, Assigned: nical, NeedInfo)

References

(Blocks 2 open bugs, Regression,
URL
)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Testcase
14.90 KB, application/octet-stream
Details
Bug 1982053 - Don't remove pipelines in offscreen transactions. r=emilio
48 bytes, text/x-phabricator-request
Details | Review

Testcase found while fuzzing mozilla-central rev d1eb95caca71 (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build d1eb95caca71 --asan --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Hit MOZ_CRASH(assertion failed: info.ignore_missing_pipeline) at gfx/wr/webrender/src/scene_building.rs:1277

    ==105302==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7bf433079f9a bp 0x7bf3789fa890 sp 0x7bf3789fa880 T105468)
    ==105302==The signal is caused by a WRITE memory access.
    ==105302==Hint: address points to the zero page.
        #0 0x7bf433079f9a in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3
        #1 0x7bf433079f9a in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:381:3
        #2 0x7bf433079f9a in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
        #3 0x7bf433079b14 in mozglue_static::panic_hook::h5f4b35e78c0ae6e7 /mozglue/static/rust/lib.rs:99:9
        #4 0x7bf4330795cb in core::ops::function::Fn::call::h0acd679343c1f968 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:79:5
        #5 0x7bf4347b42c2 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::h7c356b28a03897d7 /rustc/05f9846f893b09a1be1fc8560e33fc3c815cfecb/library/alloc/src/boxed.rs:1990:9
        #6 0x7bf4347b42c2 in std::panicking::rust_panic_with_hook::h541791bcc774ef34 /rustc/05f9846f893b09a1be1fc8560e33fc3c815cfecb/library/std/src/panicking.rs:839:13
        #7 0x7bf4347b3f45 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h6479a2f0137c7d19 /rustc/05f9846f893b09a1be1fc8560e33fc3c815cfecb/library/std/src/panicking.rs:697:13
        #8 0x7bf4347b2f78 in std::sys::backtrace::__rust_end_short_backtrace::ha04e7c0fc61ded91 /rustc/05f9846f893b09a1be1fc8560e33fc3c815cfecb/library/std/src/sys/backtrace.rs:168:18
        #9 0x7bf4347b3c0c in rust_begin_unwind /rustc/05f9846f893b09a1be1fc8560e33fc3c815cfecb/library/std/src/panicking.rs:695:5
        #10 0x7bf4347dcd7f in core::panicking::panic_fmt::h5764ee7030b7a73d /rustc/05f9846f893b09a1be1fc8560e33fc3c815cfecb/library/core/src/panicking.rs:75:14
        #11 0x7bf4347dce0b in core::panicking::panic::had768957450a0f86 /rustc/05f9846f893b09a1be1fc8560e33fc3c815cfecb/library/core/src/panicking.rs:145:5
        #12 0x7bf432b26a82 in webrender::scene_building::SceneBuilder::push_iframe::hac1e5d1d0b49f00d /gfx/wr/webrender/src/scene_building.rs:1277:17
        #13 0x7bf432b26a82 in webrender::scene_building::SceneBuilder::build_all::h2435e2c41de28d56 /gfx/wr/webrender/src/scene_building.rs:1059:50
        #14 0x7bf432b26a82 in webrender::scene_building::SceneBuilder::build::hbc0a8b615d944876 /gfx/wr/webrender/src/scene_building.rs:639:9
        #15 0x7bf432b16bec in webrender::scene_builder_thread::SceneBuilderThread::process_transaction::h2d6184226b422b19 /gfx/wr/webrender/src/scene_builder_thread.rs:647:25
        #16 0x7bf432b16bec in webrender::scene_builder_thread::SceneBuilderThread::run::_$u7b$$u7b$closure$u7d$$u7d$::h9bd9b1abfe692aa7 /gfx/wr/webrender/src/scene_builder_thread.rs:334:36
        #17 0x7bf432b16bec in core::iter::adapters::map::map_try_fold::_$u7b$$u7b$closure$u7d$$u7d$::ha000ff3565c80539 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/iter/adapters/map.rs:95:28
        #18 0x7bf432b16bec in _$LT$alloc..vec..into_iter..IntoIter$LT$T$C$A$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::hbe3294162e09ddea /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/vec/into_iter.rs:346:25
        #19 0x7bf432b16bec in _$LT$core..iter..adapters..map..Map$LT$I$C$F$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::h67e5a1d30226d667 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/iter/adapters/map.rs:121:9
        #20 0x7bf432b16bec in _$LT$I$u20$as$u20$alloc..vec..in_place_collect..SpecInPlaceCollect$LT$T$C$I$GT$$GT$::collect_in_place::hf7d10c162c7e20c1 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/vec/in_place_collect.rs:380:13
        #21 0x7bf432b16bec in alloc::vec::in_place_collect::from_iter_in_place::ha6b54dec171e63c8 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/vec/in_place_collect.rs:271:9
        #22 0x7bf432b16bec in alloc::vec::in_place_collect::from_iter_in_place$u7b$$u7b$reify.shim$u7d$$u7d$::h8cca7e2b3988003d /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/vec/in_place_collect.rs:251:1
        #23 0x7bf432b16bec in alloc::vec::in_place_collect::_$LT$impl$u20$alloc..vec..spec_from_iter..SpecFromIter$LT$T$C$I$GT$$u20$for$u20$alloc..vec..Vec$LT$T$GT$$GT$::from_iter::he6f27c50611e1031 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/vec/in_place_collect.rs:246:9
        #24 0x7bf432b16bec in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$core..iter..traits..collect..FromIterator$LT$T$GT$$GT$::from_iter::hdb6072a47405ba44 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/vec/mod.rs:3424:9
        #25 0x7bf432b16bec in core::iter::traits::iterator::Iterator::collect::h163a0036b01638e3 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/iter/traits/iterator.rs:1971:9
        #26 0x7bf432b16bec in webrender::scene_builder_thread::SceneBuilderThread::run::h54eaa78cea07a75a /gfx/wr/webrender/src/scene_builder_thread.rs:335:26
        #27 0x7bf432687b82 in webrender::renderer::init::create_webrender_instance::_$u7b$$u7b$closure$u7d$$u7d$::h96f98463293bd22d /gfx/wr/webrender/src/renderer/init.rs:637:9
        #28 0x7bf432687b82 in std::sys::backtrace::__rust_begin_short_backtrace::h250944e1cf384216 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys/backtrace.rs:152:18
        #29 0x7bf432696500 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hfa133e3a43c7a876 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:559:17
        #30 0x7bf432696500 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h451089b33f5dc745 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/panic/unwind_safe.rs:272:9
        #31 0x7bf432696500 in std::panicking::try::do_call::h134075a85d80c2bd /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:587:40
        #32 0x7bf432696500 in std::panicking::try::h2255f983dbfe23a4 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:550:19
        #33 0x7bf432696500 in std::panic::catch_unwind::h15f7207a6ed8c0d4 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:358:14
        #34 0x7bf432696500 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::h2676ff01732bf10a /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:557:30
        #35 0x7bf432696500 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h48b6db5f8ecb89fb /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:250:5
        #36 0x7bf4347b796a in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h292d1663b0785fda /rustc/05f9846f893b09a1be1fc8560e33fc3c815cfecb/library/alloc/src/boxed.rs:1976:9
        #37 0x7bf4347b796a in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h9d4af7b531852d72 /rustc/05f9846f893b09a1be1fc8560e33fc3c815cfecb/library/alloc/src/boxed.rs:1976:9
        #38 0x7bf4347b796a in std::sys::pal::unix::thread::Thread::new::thread_start::hcc5ed016d554f327 /rustc/05f9846f893b09a1be1fc8560e33fc3c815cfecb/library/std/src/sys/pal/unix/thread.rs:106:17
        #39 0x7bf43e692aa3 in start_thread nptl/pthread_create.c:447:8
        #40 0x7bf43e71fc3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
    
    ==105302==Register values:
    rax = 0x00000000000004fd  rbx = 0x00007bf3789faab0  rcx = 0x0000000000000000  rdx = 0x00007bf43e7fa563  
    rdi = 0x00007bf43e7fb700  rsi = 0x0000000000000000  rbp = 0x00007bf3789fa890  rsp = 0x00007bf3789fa880  
     r8 = 0x0000000000000000   r9 = 0x0000000000000003  r10 = 0x0000000000000000  r11 = 0x0000000000000293  
    r12 = 0x0000000000000000  r13 = 0x0000000000000000  r14 = 0x00000000000004fd  r15 = 0x00007bf3789faab0  
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3 in MOZ_CrashSequence
    ==105302==ABORTING
Attached file Testcase
Attachment #9506057 - Attachment filename: testcase.zip.undefined → testcase.zip

Verified bug as reproducible on mozilla-central 20250808162236-7925b8e5ef36.
The bug appears to have been introduced in the following build range:

Start: 6a74d418a15cb8f17a189c4f85524c15fb7d0115 (20250610073955)
End: ab387de85e9add282d147823b9542a0f8867abbb (20250610083853)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6a74d418a15cb8f17a189c4f85524c15fb7d0115&tochange=ab387de85e9add282d147823b9542a0f8867abbb

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Regressed by: 1923846

Set release status flags based on info from the regressing bug 1923846

:nical, since you are the author of the regressor, bug 1923846, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

status-firefox141: --- → affected
status-firefox142: --- → affected
status-firefox143: --- → affected
status-firefox-esr128: --- → unaffected
status-firefox-esr140: --- → unaffected
Flags: needinfo?(nical.bugzilla)
Assignee: nobody → nical.bugzilla
Flags: needinfo?(nical.bugzilla)

When the async pipeline of a video is removed or swapped, we change the
display list that references it and remove the video's pipeline.
Unfortunately when we are dealing with an offscreen transaction, the
later can race ahead and cause the pipeline to be removed before it is
un-referenced from the main display list. If anthing triggers a scene
build between the offscreen transaction and the next main transaction,
we get a missing pipeline crash.

This patch fixes it by only pusing destroy operations to the transaction
if it isn't offscreen.

Pushed by amarc@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/0f2cd61949b7 https://hg.mozilla.org/integration/autoland/rev/876ee68e20be Revert "Bug 1982053 - Don't remove pipelines in offscreen transactions. r=emilio" for causing mochitest crashes @ mozilla::ipc::FatalError

Backed out for causing mochitest crashes

Flags: needinfo?(nical.bugzilla)
Flags: needinfo?(nical.bugzilla)

https://hg.mozilla.org/mozilla-central/rev/39db5e3e614b

Status: NEW → RESOLVED
Closed: 3 months ago
status-firefox144: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 144 Branch

Bug marked as FIXED but still reproduces on mozilla-central 20250819160651-664497321e4c. If you believe this to be incorrect, please remove the bugmon keyword to prevent further analysis.

Status: RESOLVED → REOPENED
status-firefox144: fixedaffected
Resolution: FIXED → ---
Flags: needinfo?(nical.bugzilla)

That's odd, I can no longer reproduce the bug locally on central. Would it be possible to make a pernosco trace of the issue?

Flags: needinfo?(nical.bugzilla)
Keywords: pernosco-wanted

This issue has also been detected via live site testing.

Blocks: site-scout
URL: http://trueclassictees.com/

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Keywords: pernosco-wantedpernosco

A pernosco session for this bug can be found here.

The severity field is not set for this bug.
:gw, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(mozilla)
Severity: -- → S3
Flags: needinfo?(mozilla)

:nical, is there any user facing problem here?
Wondering if we should look for a fix in time for Fx144

status-firefox143: fix-optionalwontfix
Flags: needinfo?(nical.bugzilla)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: