firefox: src/rasterize.h:1343: int clip_side(int, Point3D *, glsl::Interpolants *, Point3D *, glsl::Interpolants *, int &) [AXIS = glsl::X]: Assertion `false' failed.
Categories: Core :: Graphics: WebRender, defect, P3
People: Reporter: tsmith, Unassigned
References: Blocks 2 open bugs
Details: Keywords: assertion, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments: 2 files
First found while fuzzing m-c 20210216-fc74eb2c7b84 (--enable-debug --enable-fuzzing)
firefox: src/rasterize.h:1343: int clip_side(int, Point3D *, glsl::Interpolants *, Point3D *, glsl::Interpolants *, int &) [AXIS = glsl::X]: Assertion `false' failed.
==187360==ERROR: UndefinedBehaviorSanitizer: ABRT on unknown address 0x03e80002dbe0 (pc 0x7f020d1ad18b bp 0x7f020d322588 sp 0x7f01b0ab7e90 T187408)
#0 0x7f020d1ad18b in raise /build/glibc-eX1tMB/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:51:1
#1 0x7f020d18c858 in abort /build/glibc-eX1tMB/glibc-2.31/stdlib/abort.c:79:7
#2 0x7f020d18c728 in __assert_fail_base /build/glibc-eX1tMB/glibc-2.31/assert/assert.c:92:3
#3 0x7f020d19df35 in __assert_fail /build/glibc-eX1tMB/glibc-2.31/assert/assert.c:101:3
#4 0x7f020037cd82 in clip_side<glsl::X> src/gfx/wr/swgl/src/rasterize.h:1343:11
#5 0x7f020037cd82 in draw_perspective src/gfx/wr/swgl/src/rasterize.h:1491:16
#6 0x7f020037cd82 in draw_quad(int, Texture&, Texture&) src/gfx/wr/swgl/src/rasterize.h:1526:5
#7 0x7f0200375ee6 in draw_elements<unsigned short> src/gfx/wr/swgl/src/rasterize.h:1622:5
#8 0x7f0200375ee6 in DrawElementsInstanced src/gfx/wr/swgl/src/gl.cc:2699:7
#9 0x7f01fff69845 in _$LT$gleam..gl..ErrorReactingGl$LT$F$GT$$u20$as$u20$gleam..gl..Gl$GT$::draw_elements_instanced::heeba7349de2f14cf src/third_party/rust/gleam/src/gl.rs:98:26
#10 0x7f02000778db in webrender::device::gl::Device::draw_indexed_triangles_instanced_u16::h9bf7c2efe2d5cea3 src/gfx/wr/webrender/src/device/gl.rs:3534:9
#11 0x7f020017b99e in webrender::renderer::Renderer::draw_instanced_batch::hc138b850acd4003b src/gfx/wr/webrender/src/renderer/mod.rs:2561:17
#12 0x7f020017efd2 in webrender::renderer::Renderer::draw_alpha_batch_container::h2320f9481b68afb6 src/gfx/wr/webrender/src/renderer/mod.rs:3045:17
#13 0x7f020018f27b in webrender::renderer::Renderer::draw_picture_cache_target::h7d34420ea975fa1d src/gfx/wr/webrender/src/renderer/mod.rs:2868:9
#14 0x7f020018f27b in webrender::renderer::Renderer::draw_frame::hd4aff8ff85728c27 src/gfx/wr/webrender/src/renderer/mod.rs:4683:21
#15 0x7f02001713c9 in webrender::renderer::Renderer::render_impl::he89da960a6292918 src/gfx/wr/webrender/src/renderer/mod.rs:2159:17
#16 0x7f020016f7a8 in webrender::renderer::Renderer::render::h5352f645692b502d src/gfx/wr/webrender/src/renderer/mod.rs:1894:30
#17 0x7f01ffe8b847 in wr_renderer_render src/gfx/webrender_bindings/src/bindings.rs:637:11
#18 0x7f01f9b52dea in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) src/gfx/webrender_bindings/RendererOGL.cpp:186:8
#19 0x7f01f9b51d34 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) src/gfx/webrender_bindings/RenderThread.cpp:486:31
#20 0x7f01f9b516b2 in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) src/gfx/webrender_bindings/RenderThread.cpp:341:3
#21 0x7f01f9b5b92e in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#22 0x7f01f9b5b92e in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#23 0x7f01f9b5b92e in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#24 0x7f01f8b0a8bc in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) src/ipc/chromium/src/base/message_loop.cc:468:11
#25 0x7f01f8b0b425 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) src/ipc/chromium/src/base/message_loop.cc:477:5
#26 0x7f01f8b0b6ca in MessageLoop::DoWork() src/ipc/chromium/src/base/message_loop.cc:552:13
#27 0x7f01f8b0c0b0 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) src/ipc/chromium/src/base/message_pump_default.cc:35:31
#28 0x7f01f8b0a523 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#29 0x7f01f8b0a43d in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#30 0x7f01f8b0a43d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#31 0x7f01f8b18387 in base::Thread::ThreadMain() src/ipc/chromium/src/base/thread.cc:191:16
#32 0x7f01f8b138d9 in ThreadFunc(void*) src/ipc/chromium/src/base/platform_thread_posix.cc:40:13
#33 0x7f020d6c0608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
#34 0x7f020d289292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Comment 1•4 years ago (Reporter)
Comment 2•4 years ago (Reporter)
A Pernosco session is available here: https://pernos.co/debug/hNRdTvzsuXHF9tvz3ng9QQ/index.html
Comment 3•4 years ago
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210413214314-aa432f04a7da.
The bug appears to have been introduced in the following build range:
Start: f0ed5585b6adac269e39dc3241fba9c4f52aa4c4 (20200720215427)
End: f0ed5585b6adac269e39dc3241fba9c4f52aa4c4 (20200721032334)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=f0ed5585b6adac269e39dc3241fba9c4f52aa4c4&tochange=f0ed5585b6adac269e39dc3241fba9c4f52aa4c4
Comment 5•1 year ago
Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 6•1 year ago
A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.
Comment 7•1 year ago
Testcase crashes using the initial build (mozilla-central 20220820094621-b1f99e866232) but not with tip (mozilla-central 20230818212320-e2305368eaae).
The bug appears to have been fixed in the following build range:
Start: b5a2c9e3703b740b3dd3859a2083f66866f798ce (20230814150504)
End: 5b1987d52ae19ebe1b311fec0f664563b5bf198d (20230814165404)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=b5a2c9e3703b740b3dd3859a2083f66866f798ce&tochange=5b1987d52ae19ebe1b311fec0f664563b5bf198d
tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 8•1 year ago (Reporter)
I can't reproduce this issue with the attached test case and I don't have a test case that will reproduce this exact assertion. However, I did just open bug 1849645 and I'm not sure if it is just a duplicate.