Closed Bug 1423311 Opened 7 years ago Closed 5 years ago

blob-images: thread 'WRRenderBackend#1' panicked at 'called `Option::unwrap()` on a `None` value' in [@ webrender::resource_cache::ResourceCache::request_image]

Categories

(Core :: Graphics: WebRender, defect, P3)

Product:
Core
Component:
Graphics: WebRender
Platform:
Unspecified
All
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox57 --- disabled
firefox58 --- disabled
firefox59 --- disabled
firefox60 --- disabled
firefox61 --- disabled
firefox62 --- disabled

People

(Reporter: truber, Unassigned)

References

(Blocks 4 open bugs)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [wr-mvp] [triage])

Crash Data

Attachments

(1 file)

testcase.html
(deleted), text/html
Details
Attached file testcase.html (deleted) —
The attached testcase caused a panic while fuzzing m-c rev 20171205-b4cef8d1dff0 with these prefs: user_pref("layers.acceleration.force-enabled", true); user_pref("gfx.webrender.enabled", true); user_pref("gfx.webrender.blob-images", true); thread 'WRRenderBackend#1' panicked at 'called `Option::unwrap()` on a `None` value', /checkout/src/libcore/option.rs:335:20 stack backtrace: 0: 0x7f45b10abda3 - std::sys::imp::backtrace::tracing::imp::unwind_backtrace::h8ed7485deb8ab958 at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49 1: 0x7f45b10aa43c - std::panicking::default_hook::{{closure}}::h0088fe51b67c687c at /checkout/src/libstd/sys_common/backtrace.rs:69 at /checkout/src/libstd/sys_common/backtrace.rs:58 at /checkout/src/libstd/panicking.rs:381 2: 0x7f45b10a9e6d - std::panicking::default_hook::hf425c768c5ffbbad at /checkout/src/libstd/panicking.rs:397 3: 0x7f45b10a9941 - std::panicking::rust_panic_with_hook::h25b934bb4484e9e0 at /checkout/src/libstd/panicking.rs:577 4: 0x7f45b10a982b - std::panicking::begin_panic::h59483e27e93d7bc6 at /checkout/src/libstd/panicking.rs:538 5: 0x7f45b10a97b9 - std::panicking::begin_panic_fmt::h5f221297e8a3dbdb at /checkout/src/libstd/panicking.rs:522 6: 0x7f45b10b9662 - core::panicking::panic_fmt::h4d1ab9bae1f32475 at /checkout/src/libstd/panicking.rs:498 7: 0x7f45b10bb226 - core::panicking::panic::h8ce57b1f932a0889 at /checkout/src/libcore/panicking.rs:51 8: 0x7f45b0d477ad - webrender::resource_cache::ResourceCache::request_image::h5a2149daef161431 at /checkout/src/libcore/macros.rs:20 at /builds/worker/workspace/build/src/gfx/webrender/src/resource_cache.rs:561 9: 0x7f45b0d45d3d - webrender::clip::ClipSources::update::h2232fd80dfbbd1d4 at /builds/worker/workspace/build/src/gfx/webrender/src/clip.rs:240 10: 0x7f45b0d4ef63 - webrender::clip_scroll_node::ClipScrollNode::update::h18c220158e01d49d at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_node.rs:349 at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_node.rs:286 11: 0x7f45b0d28a46 - webrender::clip_scroll_tree::ClipScrollTree::update_node::hbfe493ec5fe33ba0 at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_tree.rs:400 12: 0x7f45b0d28b40 - webrender::clip_scroll_tree::ClipScrollTree::update_node::hbfe493ec5fe33ba0 at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_tree.rs:414 13: 0x7f45b0d28b40 - webrender::clip_scroll_tree::ClipScrollTree::update_node::hbfe493ec5fe33ba0 at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_tree.rs:414 14: 0x7f45b0d28b40 - webrender::clip_scroll_tree::ClipScrollTree::update_node::hbfe493ec5fe33ba0 at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_tree.rs:414 15: 0x7f45b0d28b40 - webrender::clip_scroll_tree::ClipScrollTree::update_node::hbfe493ec5fe33ba0 at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_tree.rs:414 16: 0x7f45b0d28b40 - webrender::clip_scroll_tree::ClipScrollTree::update_node::hbfe493ec5fe33ba0 at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_tree.rs:414 17: 0x7f45b0d28b40 - webrender::clip_scroll_tree::ClipScrollTree::update_node::hbfe493ec5fe33ba0 at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_tree.rs:414 18: 0x7f45b0d28b40 - webrender::clip_scroll_tree::ClipScrollTree::update_node::hbfe493ec5fe33ba0 at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_tree.rs:414 19: 0x7f45b0d28b40 - webrender::clip_scroll_tree::ClipScrollTree::update_node::hbfe493ec5fe33ba0 at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_tree.rs:414 20: 0x7f45b0d28b40 - webrender::clip_scroll_tree::ClipScrollTree::update_node::hbfe493ec5fe33ba0 at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_tree.rs:414 21: 0x7f45b0d28b40 - webrender::clip_scroll_tree::ClipScrollTree::update_node::hbfe493ec5fe33ba0 at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_tree.rs:414 22: 0x7f45b0d22d5a - webrender::render_backend::Document::render::hbca4070b23c51ce7 at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_tree.rs:368 at /builds/worker/workspace/build/src/gfx/webrender/src/frame_builder.rs:1702 at /builds/worker/workspace/build/src/gfx/webrender/src/frame.rs:1182 at /builds/worker/workspace/build/src/gfx/webrender/src/render_backend.rs:117 23: 0x7f45b0d16340 - webrender::render_backend::RenderBackend::process_document::hcc8ad1271fe1f961 at /builds/worker/workspace/build/src/gfx/webrender/src/render_backend.rs:419 24: 0x7f45b0d07345 - webrender::render_backend::RenderBackend::run::ha1b0869f3e969d22 at /builds/worker/workspace/build/src/gfx/webrender/src/render_backend.rs:491 25: 0x7f45b0d05957 - std::sys_common::backtrace::__rust_begin_short_backtrace::h0aa9d3d182377cab at /builds/worker/workspace/build/src/gfx/webrender/src/renderer.rs:1988 at /checkout/src/libstd/sys_common/backtrace.rs:134 26: 0x7f45b0d04f66 - <F as alloc::boxed::FnBox<A>>::call_box::hab3e6d66a857965e at /checkout/src/libstd/thread/mod.rs:400 at /checkout/src/libstd/panic.rs:296 at /checkout/src/libstd/panicking.rs:480 at /checkout/src/libpanic_abort/lib.rs:38 at /checkout/src/libstd/panic.rs:361 at /checkout/src/libstd/thread/mod.rs:399 at /checkout/src/liballoc/boxed.rs:726 27: 0x7f45b10b6ab3 - std::sys::imp::thread::Thread::new::thread_start::hbaf1b5aa1ca8e3ea at /checkout/src/liballoc/boxed.rs:736 at /checkout/src/libstd/sys_common/thread.rs:24 at /checkout/src/libstd/sys/unix/thread.rs:90 28: 0x7f45c2663089 - start_thread 29: 0x7f45c16a447e - __clone 30: 0x0 - <unknown>
Flags: in-testsuite?
Blocks: wr-stability
status-firefox57: --- → unaffected
status-firefox58: --- → unaffected
status-firefox-esr52: --- → unaffected
Whiteboard: [wr-mvp] [triage]
https://bugzilla.mozilla.org/attachment.cgi?id=8934650 (main profile) Meldungs-ID Sendedatum bp-59969c38-b8bb-4eb6-8aab-a69170171205 05.12.17 20:45 [@ @0x408388 ] > called `Option::unwrap()` on a `None` value bp-b6e23d93-f6ed-4b5d-9a90-5c2ff0171205 05.12.17 20:45 [@ nsObserverService::RemoveObserver ] > MOZ_CRASH(Using observer service off the main thread!) bp-9af04407-a0a0-482c-ae1b-ceeec0171205 05.12.17 20:45 [@ mozalloc_abort | abort | webrender::resource_cache::ResourceCache::request_image ] > called `Option::unwrap()` on a `None` value bp-41709944-c799-497c-bb08-5fde10171205 05.12.17 20:45 [@ mozalloc_abort | abort | webrender::resource_cache::ResourceCache::request_image ] > called `Option::unwrap()` on a `None` value
Crash Signature: [@ mozalloc_abort | abort | webrender::resource_cache::ResourceCache::request_image ] [@ @0x408388 ]
Does the testcase reliably reproduce the crash for you? What platform did you see this on? Did your build have anything special in the mozconfig (or did you use a stock build from treeherder)?
Flags: needinfo?(jschwartzentruber)
Yes, it is 100% reliable for me. This reproduces on the latest linux x86-64 builds (asan-opt & debug) and macosx64 builds (opt & debug) from taskcluster. It did not reproduce for me on windows 10.
Flags: needinfo?(jschwartzentruber)
I could reproduce the crash.
On debug build on linux, I saw the following log. It seems like a similar problem to Bug 1391255 Comment 13. > [GFX3-]: Surface size too large (exceeds extent limit)!
(In reply to Sotaro Ikeda [:sotaro] from comment #4) > I could reproduce the crash. When gfx.webrender.blob-images was not true, I did not saw the crash.
Crash Signature: [@ mozalloc_abort | abort | webrender::resource_cache::ResourceCache::request_image ] [@ @0x408388 ] → [@ mozalloc_abort | abort | webrender::resource_cache::ResourceCache::request_image ] [@ @0x408388 ] [@ mozalloc_abort | abort | webrender::resource_cache::{{impl}}::request_image ]
https://bug1423311.bmoattachments.org/attachment.cgi?id=8934650 bp-6769afc9-a998-4606-9c12-d0c610180425 bp-93392446-67e7-41c4-ac59-307360180425 bp-76972dfe-f63c-4d5a-8d71-1a6a60180425 layers.acceleration.force-enabled;true gfx.webrender.enabled;true gfx.webrender.blob-images;TRUE gfx.webrender.hit-test;true gfx.webrender.blob.invalidation;false gfx.webrender.async-scene-build;0 -> bp-3ee67036-9482-4f26-961a-ed1c50180425 layers.acceleration.force-enabled;true gfx.webrender.enabled;true gfx.webrender.blob-images;FALSE gfx.webrender.hit-test;true gfx.webrender.blob.invalidation;false gfx.webrender.async-scene-build;0 -> does not crash without blob-images bug 1455743 comment 3 has the same crash signature, but is only reproducible if gfx.webrender.async-scene-build is enabled.
Severity: normal → critical
Has STR: --- → yes
status-firefox57: unaffecteddisabled
status-firefox58: unaffecteddisabled
status-firefox59: affecteddisabled
status-firefox60: --- → disabled
status-firefox61: --- → disabled
status-firefox-esr60: --- → unaffected
OS: Unspecified → All
See Also: → https://bugzilla.mozilla.org/show_bug.cgi?id=1455743
Summary: thread 'WRRenderBackend#1' panicked at 'called `Option::unwrap()` on a `None` value' in [@ webrender::resource_cache::ResourceCache::request_image] → blob-images: thread 'WRRenderBackend#1' panicked at 'called `Option::unwrap()` on a `None` value' in [@ webrender::resource_cache::ResourceCache::request_image]
Crash Signature: [@ mozalloc_abort | abort | webrender::resource_cache::ResourceCache::request_image ] [@ @0x408388 ] [@ mozalloc_abort | abort | webrender::resource_cache::{{impl}}::request_image ] → [@ mozalloc_abort | abort | webrender::resource_cache::ResourceCache::request_image ] [@ @0x408388 ] [@ mozalloc_abort | abort | webrender::resource_cache::{{impl}}::request_image ] [@ static void webrender::resource_cache::ResourceCache::request_image…
status-firefox62: --- → disabled
Crash Signature: webrender::resource_cache::ResourceCache::request_image ] → webrender::resource_cache::ResourceCache::request_image ] [@ mozalloc_abort | abort | webrender::resource_cache::ResourceCache::request_image::ha39c875c886d8c35 ]
Crash Signature: webrender::resource_cache::ResourceCache::request_image ] [@ mozalloc_abort | abort | webrender::resource_cache::ResourceCache::request_image::ha39c875c886d8c35 ] → webrender::resource_cache::ResourceCache::request_image ] [@ mozalloc_abort | abort | webrender::resource_cache::ResourceCache::request_image::ha39c875c886d8c35 ] [@ mozalloc_abort | abort | webrender::resource_cache::ResourceCache::request_image::hb69…
Looks like the symbols aren't getting demangled, and so the step that's supposed to filter out the rust panic boilerplate stack frames out of the signature isn't getting triggered.
Blocks: wr-fuzz
Closing because no crash reported since 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Closing because no crash reported since 12 weeks.
My god. (In reply to Jesse Schwartzentruber (:truber) from comment #0) > Created attachment 8934650 [details] > testcase.html bp-e153490b-b6bd-4170-bdc0-3824a0181001 > called `Option::unwrap()` on a `None` value
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---

The fuzzers last hit this issue in November 2018. Can we close this?

Not a problem anymore.

Status: REOPENED → RESOLVED
Closed: 6 years ago5 years ago
Resolution: --- → FIXED

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression
Resolution: FIXED → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: