Hit MOZ_CRASH(called `Option::unwrap()` on a `None` value) at third_party/rust/euclid/src/point.rs:393
Categories
(Core :: Graphics: WebRender, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox76 | --- | unaffected |
| firefox77 | --- | unaffected |
| firefox78 | --- | verified |
| firefox79 | --- | verified |
People
(Reporter: tsmith, Assigned: cbrewster)
References
(Blocks 2 open bugs, Regression)
Details
(4 keywords)
Crash Data
Attachments
(2 files)
|
(deleted),
text/html
|
Details | |
|
(deleted),
text/x-phabricator-request
|
jcristau
:
approval-mozilla-beta+
|
Details |
Reduced with m-c 20200601-fca693218e52
Hit MOZ_CRASH(called Option::unwrap() on a None value) at /builds/worker/checkouts/gecko/third_party/rust/euclid/src/point.rs:393
18|0|libxul.so|RustMozCrash|hg:hg.mozilla.org/mozilla-central:mozglue/static/rust/wrappers.cpp:fca693218e528ad68e3437f8b4d58299a7d0e34a|17|0x15
18|1|libxul.so|mozglue_static::panic_hook|hg:hg.mozilla.org/mozilla-central:mozglue/static/rust/lib.rs:fca693218e528ad68e3437f8b4d58299a7d0e34a|89|0x9
18|2|libxul.so|core::ops::function::Fn::call|git:github.com/rust-lang/rust:src/libcore/ops/function.rs:4fb7144ed159f94491249e86d5bbd033b5d60550|72|0xc
18|3|libxul.so|std::panicking::rust_panic_with_hook|git:github.com/rust-lang/rust:src/libstd/panicking.rs:4fb7144ed159f94491249e86d5bbd033b5d60550|474|0x7
18|4|libxul.so|rust_begin_unwind|git:github.com/rust-lang/rust:src/libstd/panicking.rs:4fb7144ed159f94491249e86d5bbd033b5d60550|378|0x2f
18|5|libxul.so|core::panicking::panic_fmt|git:github.com/rust-lang/rust:src/libcore/panicking.rs:4fb7144ed159f94491249e86d5bbd033b5d60550|85|0x6
18|6|libxul.so|core::panicking::panic|git:github.com/rust-lang/rust:src/libcore/panicking.rs:4fb7144ed159f94491249e86d5bbd033b5d60550|52|0x49
18|7|libxul.so|webrender::prim_store::get_raster_rects|hg:hg.mozilla.org/mozilla-central:third_party/rust/euclid/src/rect.rs:fca693218e528ad68e3437f8b4d58299a7d0e34a|0|0xb
18|8|libxul.so|webrender::picture::PicturePrimitive::take_context|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/picture.rs:fca693218e528ad68e3437f8b4d58299a7d0e34a|4856|0x8
18|9|libxul.so|webrender::prim_store::PrimitiveStore::prepare_prim_for_render|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/prim_store/mod.rs:fca693218e528ad68e3437f8b4d58299a7d0e34a|2667|0x21
18|10|libxul.so|webrender::prim_store::PrimitiveStore::prepare_primitives|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/prim_store/mod.rs:fca693218e528ad68e3437f8b4d58299a7d0e34a|2831|0x2a
18|11|libxul.so|webrender::prim_store::PrimitiveStore::prepare_prim_for_render|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/prim_store/mod.rs:fca693218e528ad68e3437f8b4d58299a7d0e34a|2712|0x2d
18|12|libxul.so|webrender::prim_store::PrimitiveStore::prepare_primitives|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/prim_store/mod.rs:fca693218e528ad68e3437f8b4d58299a7d0e34a|2831|0x2a
18|13|libxul.so|webrender::frame_builder::FrameBuilder::build|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/frame_builder.rs:fca693218e528ad68e3437f8b4d58299a7d0e34a|475|0x3c
18|14|libxul.so|webrender::render_backend::Document::build_frame|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/render_backend.rs:fca693218e528ad68e3437f8b4d58299a7d0e34a|615|0x22
18|15|libxul.so|webrender::render_backend::RenderBackend::update_document|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/render_backend.rs:fca693218e528ad68e3437f8b4d58299a7d0e34a|1522|0x1c
18|16|libxul.so|webrender::render_backend::RenderBackend::process_api_msg|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/render_backend.rs:fca693218e528ad68e3437f8b4d58299a7d0e34a|1300|0x199
|
||
Comment 1•4 years ago
|
||
|
Reporter | |
Comment 2•4 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/1T3L8yInKYieJ-of7QB-Hg/index.html
|
|
||
Comment 3•4 years ago
|
||
good: mostly black page, depends on zoom level. (In Chrome, it's completely black with 25% zoom, otherwise completely white.)
bad: grey page > fallback to basic (you might need to switch tabs multiple times) > white page
mozregression --good 2020-04-28 --bad 2020-05-31 --pref gfx.webrender.all:true security.sandbox.content.level:0 -a https://bugzilla.mozilla.org/attachment.cgi?id=9153207 -a about:support
9:43.26 INFO: Last good revision: 6e5ab322dc4d0a68833dbd73e55a4657d0c219c2
9:43.26 INFO: First bad revision: a94271c84318acba14a63c52ba98afe512b071f7
9:43.26 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6e5ab322dc4d0a68833dbd73e55a4657d0c219c2&tochange=a94271c84318acba14a63c52ba98afe512b071f7
a94271c84318acba14a63c52ba98afe512b071f7 cbrewster — Bug 1559861: WR - Scale picture tasks based on their surface to parent transform scale factors r=gw,Bert
mozregression --repo autoland --launch a94271c84318acba14a63c52ba98afe512b071f7 --pref gfx.webrender.all:true -a https://bugzilla.mozilla.org/attachment.cgi?id=9153207 -B debug
0:41.83 INFO: b'Hit MOZ_CRASH(called
Option::unwrap()on aNonevalue) at /builds/worker/checkouts/gecko/third_party/rust/euclid/src/point.rs:393'
|
Assignee | |
Comment 4•4 years ago
|
||
It looks like this is hitting a case where the surface scale factor is large enough that when we try to compute the raster rects, we hit an integer oveflow when casting the float rect to a DeviceIntRect.
Normally very large scaling factors get scaled down by our 4096x4096 max rect check, but that check occurs after we cast to DeviceIntRect.
A quick solution would be to put a maximum value on the scaling factor for a surface, but I don't really think this is the most elegant approach, and the maximum value would be somewhat arbitrary.
Maybe it would make sense to do a max surface size check & scale before attempting to cast to a DeviceIntRect?
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
|
Assignee | |
Updated•4 years ago
|
|
||
Comment 5•4 years ago
|
||
Your suggested solution sounds reasonable to me: we can construct arbitrary test cases to get arbitrary overflows, so clamping to the largest value we can support (float max) seems like good defensive programming.
|
||
Comment 6•4 years ago
|
||
S1 or S2 bugs need an assignee - could you find someone for this bug?
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
|
Assignee | |
Comment 8•4 years ago
|
||
|
||
Comment 10•4 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 11•4 years ago
|
||
Comment on attachment 9154636 [details]
Bug 1642440: Wait to cast picture device rects to i32 until ensuring it won't overflow r=gw,Bert
Beta/Release Uplift Approval Request
- User impact if declined: WebRender panics on the provided test case.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: Open original test-case. Before this patch, WebRender panics.
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This is a small patch which ensures we don't accidentally overflow i32 rects when casting from f32 rects. If this causes any breakage, it is easy to back out.
- String changes made/needed: none
|
|
Assignee | |
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
||
Comment 12•4 years ago
|
||
This issue is verified as fixed in our latest Nightly build 79.0a1 (2020-06-09) on windows 10.
|
||
Comment 13•4 years ago
|
||
Comment on attachment 9154636 [details]
Bug 1642440: Wait to cast picture device rects to i32 until ensuring it won't overflow r=gw,Bert
approved for 78.0b6
|
|
||
Comment 14•4 years ago
|
||
| bugherder uplift | ||
|
|
||
Comment 15•4 years ago
|
||
This issue is Verified as fixed in our latest Beta 78.0b6 on Windows 10.
Description
•