Closed Bug 1765867 Opened 3 years ago Closed 1 year ago

Hit MOZ_CRASH(assertion failed: `(left == right)` left: `1`, right: `0`) at gfx/wr/webrender/src/picture.rs:3280

Categories

(Core :: Graphics: WebRender, defect, P3)

Tracking

RESOLVED FIXED
116 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- wontfix
firefox-esr115 --- wontfix
firefox99 --- unaffected
firefox100 --- unaffected
firefox101 --- disabled
firefox102 --- disabled
firefox103 --- wontfix
firefox104 --- wontfix
firefox105 --- wontfix
firefox114 --- wontfix
firefox115 --- wontfix
firefox116 --- fixed

People

(Reporter: tsmith, Assigned: gw)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: assertion, regression, testcase)

Attachments

(2 files, 1 obsolete file)

Attached file testcase.html (obsolete) (deleted)

Found while fuzzing m-c 20220420-a33cd50e2f73 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(assertion failed: (left == right) left: 1, right: 0) at gfx/wr/webrender/src/picture.rs:3280

#0 0x7fa6d5a018a5 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7fa6d5a018a5 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7fa6d5a01704 in mozglue_static::panic_hook::h773f18c382903796 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:91:9
#3 0x7fa6d5a0126b in core::ops::function::Fn::call::ha1de6d8c8d2b790f /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/ops/function.rs:70:5
#4 0x7fa6d67feaa4 in std::panicking::rust_panic_with_hook::h1a5ea2d6c23051aa /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:610:17
#5 0x7fa6d67fe79f in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h07f549390938b73f /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:502:13
#6 0x7fa6d67fa683 in std::sys_common::backtrace::__rust_end_short_backtrace::h5ec3758a92cfb00d /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/sys_common/backtrace.rs:139:18
#7 0x7fa6d67fe4d8 in rust_begin_unwind /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:498:5
#8 0x7fa6cc0f8050 in core::panicking::panic_fmt::h3a79a6a99affe1d5 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/panicking.rs:116:14
#9 0x7fa6d6857c17 in core::panicking::assert_failed_inner::h07aa75cd18bc760d /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/panicking.rs
#10 0x7fa6cc07c516 in core::panicking::assert_failed::h76b95c3e1279097c /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/panicking.rs:154:5
#11 0x7fa6d5370087 in webrender::picture::TileCacheInstance::update_prim_dependencies::hd28689b26543d3f3 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/picture.rs:3280:17
#12 0x7fa6d54d563f in webrender::visibility::update_prim_visibility::h36ec8889a3eaedb1 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/visibility.rs:346:13
#13 0x7fa6d54d503e in webrender::visibility::update_prim_visibility::h36ec8889a3eaedb1 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/visibility.rs:254:17
#14 0x7fa6d54d4f80 in webrender::visibility::update_prim_visibility::h36ec8889a3eaedb1 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/visibility.rs:254:17
#15 0x7fa6d54d503e in webrender::visibility::update_prim_visibility::h36ec8889a3eaedb1 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/visibility.rs:254:17
#16 0x7fa6d54d503e in webrender::visibility::update_prim_visibility::h36ec8889a3eaedb1 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/visibility.rs:254:17
#17 0x7fa6d54d4f80 in webrender::visibility::update_prim_visibility::h36ec8889a3eaedb1 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/visibility.rs:254:17
#18 0x7fa6d533841a in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::h44d1b4f6b36043a4 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/frame_builder.rs:355:25
#19 0x7fa6d533841a in webrender::frame_builder::FrameBuilder::build::h076609bb315e0366 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/frame_builder.rs:529:9
#20 0x7fa6d53c32a6 in webrender::render_backend::Document::build_frame::h694c3313288b3b9e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:493:25
#21 0x7fa6d53d9a54 in webrender::render_backend::RenderBackend::update_document::hcb9bc5a3077534dc /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1385:41
#22 0x7fa6d53ce6d0 in webrender::render_backend::RenderBackend::prepare_transactions::haac316334858be9c /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1234:28
#23 0x7fa6d53ce6d0 in webrender::render_backend::RenderBackend::process_api_msg::h27c5d855b2993bad /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1087:17
#24 0x7fa6d53fe1e9 in webrender::render_backend::RenderBackend::run::h0a6b4a73a6e5a387 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:751:21
#25 0x7fa6d53fe1e9 in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::hfbf04e217e1d3d6c /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1337:13
#26 0x7fa6d53fe1e9 in std::sys_common::backtrace::__rust_begin_short_backtrace::hc6a9c2797d2653d3 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/sys_common/backtrace.rs:123:18
#27 0x7fa6d5189b6e in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hdc55e27c476aea97 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/thread/mod.rs:477:17
#28 0x7fa6d5189b6e in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h6a8f2c1dfde158b5 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/panic/unwind_safe.rs:271:9
#29 0x7fa6d5189b6e in std::panicking::try::do_call::h1494d628554843f1 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:406:40
#30 0x7fa6d5189b6e in std::panicking::try::h33cf1f2438548d2e /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:370:19
#31 0x7fa6d5189b6e in std::panic::catch_unwind::h15f185d175afb5a3 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panic.rs:133:14
#32 0x7fa6d5189b6e in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::h8d59db1fc35bb0c4 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/thread/mod.rs:476:30
#33 0x7fa6d5189b6e in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h371324dd0dc3f8f2 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/ops/function.rs:227:5
#34 0x7fa6d680a6f2 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h49b6c7c5155a2296 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/alloc/src/boxed.rs:1854:9
#35 0x7fa6d680a6f2 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::ha8b5234bfeb15105 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/alloc/src/boxed.rs:1854:9
#36 0x7fa6d680a6f2 in std::sys::unix::thread::Thread::new::thread_start::h6f207dd842d64859 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/sys/unix/thread.rs:108:17
#37 0x7fa6e4c5a608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8
#38 0x7fa6e4821162 in __clone /build/glibc-sMfBJT/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/p3ELLb0UP9uwSw0gbu7-pg/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220421152318-c95859201259.
The bug appears to have been introduced in the following build range:

Start: f78fb89b9c2f6255da18795f55dd420dcb1be6b2 (20220420033948)
End: 849fefd14eb18d73b04252d40e2807e894c6c2f5 (20220420055531)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f78fb89b9c2f6255da18795f55dd420dcb1be6b2&tochange=849fefd14eb18d73b04252d40e2807e894c6c2f5

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Blocks: wr-fuzz
Has Regression Range: --- → yes
Flags: needinfo?(gwatson)
Regressed by: 1764005
Assignee: nobody → gwatson
Flags: needinfo?(gwatson)

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220420215300-a33cd50e2f73) but not with tip (mozilla-central 20220429215525-6921abcd7429.)
The bug appears to have been fixed in the following build range:

Start: e400d29510fdc3cfa0686aac82e33d7123529a76 (20220427230157)
End: c2e4848ac8d7ee468b883258a1c4c686cf8e9e51 (20220428021452)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e400d29510fdc3cfa0686aac82e33d7123529a76&tochange=c2e4848ac8d7ee468b883258a1c4c686cf8e9e51
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Set release status flags based on info from the regressing bug 1764005

The severity field is not set for this bug.
:gw, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(gwatson)
Severity: -- → S3
Flags: needinfo?(gwatson)
Attached file testcase.html (deleted)

Updated test case.

Attachment #9273312 - Attachment is obsolete: true
Whiteboard: [bugmon:bisected,confirmed]
Keywords: bugmon

Bugmon Analysis
Unable to reproduce bug 1765867 using build mozilla-central 20220420215300-a33cd50e2f73. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

I wasn't able to reproduce this, but I assume that the updated test case in comment 6 means it was reproducible recently?

Flags: needinfo?(twsmith)

(In reply to Glenn Watson [:gw] from comment #8)

> I wasn't able to reproduce this, but I assume that the updated test case in comment 6 means it was reproducible recently?

Yes I can reproduce the issue. I can get an updated Pernosco session if you like?

Flags: needinfo?(twsmith) → needinfo?(gwatson)

I haven't had much luck with Pernosco having reliable Rust debug info the last few times I tried it, but we can try it again. It's probably going to be easier to diagnose if I can repro locally and experiment with changing the test case.

Flags: needinfo?(gwatson)
Flags: needinfo?(twsmith)

(In reply to Glenn Watson [:gw] from comment #10)

> I haven't had much luck with Pernosco having reliable Rust debug info the last few times I tried it, but we can try it again.

A new Pernosco session is available here: https://pernos.co/debug/6wgxLj2wAGikVxg0qx5uIg/index.html

Please let me know of any issues that come up and I will work to get them addressed. Previous issues were fixed quickly by the Pernosco folks.

> It's probably going to be easier to diagnose if I can repro locally and experiment with changing the test case.

Please try updating Grizzly and let me know if there are still problems reproducing locally. Grizzly should not be required; Grizzly Replay just pops up a web server and points the browser at the testcase (and handles prefs and environment if needed). You can also try with and without --xvfb; sometimes this makes graphics and layout bugs more reliable.

Flags: needinfo?(twsmith) → needinfo?(gwatson)
Flags: needinfo?(gwatson)

Glenn, is this something you plan on fixing in 103?
It doesn't have a priority set, or will it be fixed later?

Flags: needinfo?(gwatson)
Flags: needinfo?(gwatson)
Priority: -- → P3

In general, backdrop-filter can only exist on sub-slice 0 within
a picture cache, as we disable compositor surfaces when we encounter
a backdrop filter (to ensure that we include the video pixels in
the source for the backdrop-filter input).

However, there is one case where this is not necessary. If the
backdrop-filter is contained within a wrapping stacking context
(has WRAPS_BACKDROP_FILTER) then that surface forms a backdrop
root. In this case, we don't need to make the slice atomic, so
compositor surfaces can exist without breaking the backdrop
filter. In these cases, the filter may exist on sub-slice > 0.
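
The invariant in the commit message above, as an added example (a simplified model, not WebRender's code and not part of the original bug). All type and function names are hypothetical apart from WRAPS_BACKDROP_FILTER; it assumes the removed assert compared the filter's sub-slice index to 0, as the `left: 1, right: 0` message suggests.

```rust
// Simplified model, not WebRender code. Names are hypothetical except
// WRAPS_BACKDROP_FILTER, which the commit message mentions.
#[derive(Clone, Copy, PartialEq, Debug)]
enum Prim {
    Content,
    CompositorSurface, // e.g. video promoted to its own surface
    /// `wrapped`: the enclosing stacking context has WRAPS_BACKDROP_FILTER.
    BackdropFilter { wrapped: bool },
}

/// Sub-slice index per primitive. An unwrapped backdrop filter makes the
/// slice atomic (no compositor surfaces), so everything stays on sub-slice 0.
fn assign_sub_slices(prims: &[Prim]) -> Vec<usize> {
    let atomic = prims
        .iter()
        .any(|p| matches!(p, Prim::BackdropFilter { wrapped: false }));
    let mut current = 0;
    let mut out = Vec::with_capacity(prims.len());
    for p in prims {
        out.push(current);
        if *p == Prim::CompositorSurface && !atomic {
            current += 1; // content after the surface goes to the next sub-slice
        }
    }
    out
}

/// Shared walk: Err carries the sub-slice index of the first offending filter.
fn check(prims: &[Prim], must_be_zero: impl Fn(bool) -> bool) -> Result<(), usize> {
    for (p, idx) in prims.iter().zip(assign_sub_slices(prims)) {
        if let Prim::BackdropFilter { wrapped } = *p {
            if must_be_zero(wrapped) && idx != 0 {
                return Err(idx);
            }
        }
    }
    Ok(())
}

/// Assumed shape of the removed assert: every backdrop filter on sub-slice 0.
fn strict_check(prims: &[Prim]) -> Result<(), usize> { check(prims, |_| true) }

/// The invariant as the commit message states it: only unwrapped filters.
fn relaxed_check(prims: &[Prim]) -> Result<(), usize> { check(prims, |wrapped| !wrapped) }

fn main() {
    let wrapped = [Prim::Content, Prim::CompositorSurface, Prim::BackdropFilter { wrapped: true }];
    println!("strict: {:?}, relaxed: {:?}", strict_check(&wrapped), relaxed_check(&wrapped));
}
```

The landed change removed the assert outright; `relaxed_check` only illustrates the condition the message describes and returns an error value instead of panicking.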

Pushed by gwatson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e37ddb3aa508 Remove overzealous assert hit by fuzzing r=gfx-reviewers,lsalzman
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch
QA Whiteboard: [qa-116b-p2]