Closed
Bug 1695782
Opened 4 years ago
Closed 4 years ago
fpe in [@ linear_row_yuv]
Categories
(Core :: Graphics: WebRender, defect)
Core
Graphics: WebRender
Tracking
()
VERIFIED
FIXED
88 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox86 | --- | unaffected |
| firefox87 | --- | disabled |
| firefox88 | --- | verified |
People
(Reporter: tsmith, Assigned: lsalzman)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(3 files)
First seen fuzzing with m-c 20210228-f875a4ffd653
==28247==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x556e8ee8e95a bp 0x7f7c576a6270 sp 0x7f7c576a6260 T39)
==28247==The signal is caused by a WRITE memory access.
==28247==Hint: address points to the zero page.
#0 0x556e8ee8e95a in mozalloc_abort /gecko/memory/mozalloc/mozalloc_abort.cpp:33:3
#1 0x7f7c7946b685 in NS_DebugBreak /gecko/xpcom/base/nsDebugImpl.cpp
#2 0x7f7c84b0970b in fpehandler(int, siginfo_t*, void*) /gecko/toolkit/xre/nsSigHandlers.cpp:148:5
#3 0x7f7c99ae93bf (/lib/x86_64-linux-gnu/libpthread.so.0+0x153bf)
#4 0x7f7c8b793299 in void linear_row_yuv<true>(unsigned int*, int, glsl::sampler2DRect_impl*, glsl::vec2_scalar const&, float, glsl::sampler2DRect_impl*, glsl::sampler2DRect_impl*, glsl::vec2_scalar const&, float, int, YUVMatrix const&) (/home/worker/builds/m-c-20210228215216-fuzzing-asan-opt/libxul.so+0x17149299)
#5 0x7f7c8b7778e5 in int blendYUV<true>(unsigned int*, int, glsl::sampler2DRect_impl*, glsl::vec2, glsl::vec4_scalar const&, float, glsl::sampler2DRect_impl*, glsl::vec2, glsl::vec4_scalar const&, float, glsl::sampler2DRect_impl*, glsl::vec2, glsl::vec4_scalar const&, float, int, int, NoColor) (/home/worker/builds/m-c-20210228215216-fuzzing-asan-opt/libxul.so+0x1712d8e5)
#6 0x7f7c8b777095 in brush_yuv_image_ALPHA_PASS_TEXTURE_RECT_YUV_frag::swgl_drawSpanRGBA8() (/home/worker/builds/m-c-20210228215216-fuzzing-asan-opt/libxul.so+0x1712d095)
#7 0x7f7c8b774b30 in brush_yuv_image_ALPHA_PASS_TEXTURE_RECT_YUV_frag::draw_span_RGBA8(brush_yuv_image_ALPHA_PASS_TEXTURE_RECT_YUV_frag*) (/home/worker/builds/m-c-20210228215216-fuzzing-asan-opt/libxul.so+0x1712ab30)
#8 0x7f7c8b80b035 in void draw_quad_spans<unsigned int>(int, glsl::vec2_scalar*, unsigned short, glsl::vec3*, Texture&, int, Texture&, ClipRect const&) (/home/worker/builds/m-c-20210228215216-fuzzing-asan-opt/libxul.so+0x171c1035)
#9 0x7f7c8b615cec in draw_quad(int, Texture&, int, Texture&) (/home/worker/builds/m-c-20210228215216-fuzzing-asan-opt/libxul.so+0x16fcbcec)
#10 0x7f7c8b6131c1 in DrawElementsInstanced (/home/worker/builds/m-c-20210228215216-fuzzing-asan-opt/libxul.so+0x16fc91c1)
#11 0x7f7c8abf7c8f in webrender::device::gl::Device::draw_indexed_triangles_instanced_u16::hda2820da10b4b037 /gecko/gfx/wr/webrender/src/device/gl.rs:3620:9
#12 0x7f7c8abf7c8f in webrender::renderer::Renderer::draw_instanced_batch::h0634b4e954891942 /gecko/gfx/wr/webrender/src/renderer/mod.rs:2505:17
#13 0x7f7c8abe49e0 in webrender::renderer::Renderer::draw_alpha_batch_container::h5abbcaab9f4e50e3 /gecko/gfx/wr/webrender/src/renderer/mod.rs:2987:17
#14 0x7f7c8abbccb4 in webrender::renderer::Renderer::draw_picture_cache_target::h614fcefeecf01064 /gecko/gfx/wr/webrender/src/renderer/mod.rs:2812:9
#15 0x7f7c8abbccb4 in webrender::renderer::Renderer::draw_frame::hb5968c690245d0b2 /gecko/gfx/wr/webrender/src/renderer/mod.rs:4447:21
#16 0x7f7c8ac1afb8 in webrender::renderer::Renderer::render_impl::haaab4f61b5bcc954 /gecko/gfx/wr/webrender/src/renderer/mod.rs:2150:17
#17 0x7f7c8ac3be44 in webrender::renderer::Renderer::render::h845e2e42e61a5df0 /gecko/gfx/wr/webrender/src/renderer/mod.rs:1886:30
#18 0x7f7c8aea972e in wr_renderer_render /gecko/gfx/webrender_bindings/src/bindings.rs:637:11
#19 0x7f7c7c586d3e in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /gecko/gfx/webrender_bindings/RendererOGL.cpp:186:8
#20 0x7f7c7c585482 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /gecko/gfx/webrender_bindings/RenderThread.cpp:482:31
#21 0x7f7c7c58461e in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /gecko/gfx/webrender_bindings/RenderThread.cpp:337:3
#22 0x7f7c7c59d296 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#23 0x7f7c7c59d296 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#24 0x7f7c7c59d296 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#25 0x7f7c7a7c2797 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /gecko/ipc/chromium/src/base/message_loop.cc:468:11
#26 0x7f7c7a7c34fe in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /gecko/ipc/chromium/src/base/message_loop.cc:477:5
#27 0x7f7c7a7c3d9b in MessageLoop::DoWork() /gecko/ipc/chromium/src/base/message_loop.cc:552:13
#28 0x7f7c7a7c5096 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
#29 0x7f7c7a7c2341 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
#30 0x7f7c7a7c2341 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
#31 0x7f7c7a7c2341 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
#32 0x7f7c7a7e0648 in base::Thread::ThreadMain() /gecko/ipc/chromium/src/base/thread.cc:191:16
#33 0x7f7c7a7d423c in ThreadFunc(void*) /gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
#34 0x7f7c99add608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
#35 0x7f7c996a6292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?
|
Reporter | |
Comment 1•4 years ago
|
||
|
|
Reporter | |
Comment 2•4 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/H1y5QZpqfMgX9z36If_cbg/index.html
|
||
Updated•4 years ago
|
Blocks: gfx-triage
|
Assignee | |
Updated•4 years ago
|
|
|
Assignee | |
Comment 3•4 years ago
|
||
|
||
Updated•4 years ago
|
Assignee: nobody → lsalzman
Status: NEW → ASSIGNED
Pushed by lsalzman@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2590d04ff745
Verify that YUV texture step is non-zero. r=jrmuizel
|
||
Comment 5•4 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch
|
||
Comment 6•4 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210312153235-8fdbcaa80217.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
||
Updated•4 years ago
|
Crash Signature: [@ CompositeYUV]
[@ linear_row_yuv<T>]
|
||
Updated•4 years ago
|
Crash Signature: [@ CompositeYUV]
[@ linear_row_yuv<T>] → [@ CompositeYUV]
[@ linear_row_yuv<T>]
status-firefox86:
--- → unaffected
status-firefox87:
--- → disabled
status-firefox-esr78:
--- → unaffected
Flags: in-testsuite? → in-testsuite+
Regressed by: sw-wr-perf-linear
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
|
||
Updated•3 years ago
|
Keywords: regression
You need to log in
before you can comment on or make changes to this bug.
Description
•