Hit MOZ_CRASH(attempt to subtract with overflow) at gfx/webrender_bindings/src/swgl_bindings.rs:1207

#0 0x7f6dd1cd0e75 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:254:3
#1 0x7f6dd1cd0e75 in RustMozCrash src/mozglue/static/rust/wrappers.cpp:17:3
#2 0x7f6dd1cd0e24 in mozglue_static::panic_hook::h6e70bafc479dc06d src/mozglue/static/rust/lib.rs:89:9
#3 0x7f6dd1cd074b in core::ops::function::Fn::call::h01fce3a141895069 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:70:5
#4 0x7f6dd2c96ea7 in std::panicking::rust_panic_with_hook::haa1ed36ada4ffb03 /rustc/18bf6b4f01a6feaf7259ba7cdae58031af1b7b39/library/std/src/panicking.rs:573:17
#5 0x7f6dd2c96a58 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h7001af1bb21aeaeb /rustc/18bf6b4f01a6feaf7259ba7cdae58031af1b7b39/library/std/src/panicking.rs:476:9
#6 0x7f6dd2c91ecb in std::sys_common::backtrace::__rust_end_short_backtrace::h39910f557f5f2367 /rustc/18bf6b4f01a6feaf7259ba7cdae58031af1b7b39/library/std/src/sys_common/backtrace.rs:153:18
#7 0x7f6dd2c96a18 in rust_begin_unwind /rustc/18bf6b4f01a6feaf7259ba7cdae58031af1b7b39/library/std/src/panicking.rs:475:5
#8 0x7f6dd2cfcdc0 in core::panicking::panic_fmt::h4e2659771ebc78eb /rustc/18bf6b4f01a6feaf7259ba7cdae58031af1b7b39/library/core/src/panicking.rs:85:14
#9 0x7f6dd2cfcd0c in core::panicking::panic::h4b079e3c35cc1b09 /rustc/18bf6b4f01a6feaf7259ba7cdae58031af1b7b39/library/core/src/panicking.rs:50:5
#10 0x7f6dd14f7714 in webrender_bindings::swgl_bindings::SwCompositor::flush_composites::h280b545189b3c9cc src/third_party/rust/euclid/src/point.rs
#11 0x7f6dd14f999f in _$LT$webrender_bindings..swgl_bindings..SwCompositor$u20$as$u20$webrender..composite..Compositor$GT$::unbind::h8f4f8c1bc4f944eb src/gfx/webrender_bindings/src/swgl_bindings.rs
#12 0x7f6dd17a9018 in webrender::renderer::Renderer::draw_frame::hc1c13f2343c96251 src/gfx/wr/webrender/src/renderer.rs:6371:33
#13 0x7f6dd1782c33 in webrender::renderer::Renderer::render_impl::he83997d099c56357 src/gfx/wr/webrender/src/renderer.rs:3663:17
#14 0x7f6dd177ff0a in webrender::renderer::Renderer::render::he364f654a8330632 src/gfx/wr/webrender/src/renderer.rs:3414:30
#15 0x7f6dd14d830c in wr_renderer_render src/gfx/webrender_bindings/src/bindings.rs:614:11
#16 0x7f6dcb5f3b6e in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) src/gfx/webrender_bindings/RendererOGL.cpp:193:8
#17 0x7f6dcb5f2944 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) src/gfx/webrender_bindings/RenderThread.cpp:488:31
#18 0x7f6dcb5f23bf in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) src/gfx/webrender_bindings/RenderThread.cpp:325:3
#19 0x7f6dcb5fb4de in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1096:12
#20 0x7f6dcb5fb4de in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1102:12
#21 0x7f6dcb5fb4de in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:13
#22 0x7f6dca599acf in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) src/ipc/chromium/src/base/message_loop.cc:465:9
#23 0x7f6dca59a615 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) src/ipc/chromium/src/base/message_loop.cc:473:5
#24 0x7f6dca59a8ba in MessageLoop::DoWork() src/ipc/chromium/src/base/message_loop.cc:548:13
#25 0x7f6dca59b2a0 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) src/ipc/chromium/src/base/message_pump_default.cc:35:31
#26 0x7f6dca599793 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:334:10
#27 0x7f6dca5996ad in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
#28 0x7f6dca5996ad in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
#29 0x7f6dca5a7937 in base::Thread::ThreadMain() src/ipc/chromium/src/base/thread.cc:191:16
#30 0x7f6dca5a2ea9 in ThreadFunc(void*) src/ipc/chromium/src/base/platform_thread_posix.cc:40:13
#31 0x7f6de65386da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#32 0x7f6de5516a3e in clone /build/glibc-2ORdQG/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Looks like this occurs in the swl_bindings code - from a quick look at the fn, I suspect there is an underflow that occurs in [1]?

Matt, Lee, does the test case repro for you?

[1] https://searchfox.org/mozilla-central/source/gfx/webrender_bindings/src/swgl_bindings.rs#1542

I am not able to reproduce this.

A Pernosco session is available here: https://pernos.co/debug/chJXPwOJDCx2sOcsia2heQ/index.html

In rare cases, WR can invalidate a tile, but still compute a dirty rect that doesn't intersect that tile.
flush_composites expects all updated tiles to have recorded at least one overlap (for itself), so we set this manually (as we in the normal path after the early return).

https://hg.mozilla.org/mozilla-central/rev/253cd914d2fb