Testcase found while fuzzing mozilla-central rev cbbf6a7e34a3 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build cbbf6a7e34a3 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: owner->mLatestTextureHost->GetSize() == size, at /gfx/layers/RemoteTextureMap.cpp:348

    ==288513==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa2103e1711 bp 0x7fa1e41cae00 sp 0x7fa1e41cadb0 T288602)
    ==288513==The signal is caused by a WRITE memory access.
    ==288513==Hint: address points to the zero page.
        #0 0x7fa2103e1711 in mozilla::layers::RemoteTextureMap::GetRemoteTextureHost(mozilla::layers::RemoteTextureHostWrapper*) /gfx/layers/RemoteTextureMap.cpp:348:9
        #1 0x7fa210551e0e in mozilla::layers::RemoteTextureHostWrapper::CheckIsReadyForRendering() /gfx/layers/composite/RemoteTextureHostWrapper.cpp:172:30
        #2 0x7fa210651aff in mozilla::layers::WebRenderImageHost::UseRemoteTexture(mozilla::layers::RemoteTextureId, mozilla::layers::RemoteTextureOwnerId, int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, mozilla::layers::TextureFlags) /gfx/layers/wr/WebRenderImageHost.cpp:125:11
        #3 0x7fa21056c5db in mozilla::layers::CompositableParentManager::ReceiveCompositableUpdate(mozilla::layers::CompositableOperationDetail const&, mozilla::NotNull<mozilla::layers::CompositableHost*>, mozilla::layers::CompositableHandle const&) /gfx/layers/ipc/CompositableTransactionParent.cpp:90:22
        #4 0x7fa21056c01f in mozilla::layers::CompositableParentManager::ReceiveCompositableUpdate(mozilla::layers::CompositableOperation const&) /gfx/layers/ipc/CompositableTransactionParent.cpp:38:10
        #5 0x7fa21062d0ac in mozilla::layers::WebRenderBridgeParent::ProcessWebRenderParentCommands(nsTArray<mozilla::layers::WebRenderParentCommand> const&, mozilla::wr::TransactionBuilder&) /gfx/layers/wr/WebRenderBridgeParent.cpp:1497:14
        #6 0x7fa21062e495 in mozilla::layers::WebRenderBridgeParent::ProcessEmptyTransactionUpdates(mozilla::layers::TransactionData&, bool*) /gfx/layers/wr/WebRenderBridgeParent.cpp:1286:15
        #7 0x7fa21062eac0 in mozilla::layers::WebRenderBridgeParent::RecvEmptyTransaction(mozilla::layers::FocusTarget const&, mozilla::Maybe<mozilla::layers::TransactionData>&&, nsTArray<mozilla::layers::OpDestroy>&&, unsigned long const&, mozilla::layers::BaseTransactionId<mozilla::layers::TransactionIdType> const&, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, nsTSubstring<char> const&, mozilla::TimeStamp const&, nsTArray<mozilla::layers::CompositionPayload>&&) /gfx/layers/wr/WebRenderBridgeParent.cpp:1368:9
        #8 0x7fa21045fa2e in mozilla::layers::PWebRenderBridgeParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebRenderBridgeParent.cpp:607:52
        #9 0x7fa210424f45 in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerParent.cpp:194:32
        #10 0x7fa20fe125c1 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1756:25
        #11 0x7fa20fe0f115 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /ipc/glue/MessageChannel.cpp:1681:9
        #12 0x7fa20fe0fcb6 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1481:3
        #13 0x7fa20fe11041 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1579:14
        #14 0x7fa20f2260a7 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16
        #15 0x7fa20f22c5ed in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #16 0x7fa20fe192c4 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:330:5
        #17 0x7fa20fd3c187 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #18 0x7fa20fd3c092 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #19 0x7fa20fd3c092 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #20 0x7fa20f2213d6 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:384:10
        #21 0x7fa225665557 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #22 0x7fa225f1bb42 in start_thread nptl/./nptl/pthread_create.c:442:8
        #23 0x7fa225fad9ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /gfx/layers/RemoteTextureMap.cpp:348:9 in mozilla::layers::RemoteTextureMap::GetRemoteTextureHost(mozilla::layers::RemoteTextureHostWrapper*)
    ==288513==ABORTING

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20221013154647-4563dd583110.
The bug appears to have been introduced in the following build range:

Start: 9dd268c4cf21f8bcbb1036af9572710623a33591 (20221011035404)
End: 5cbd3d92a78c54b324b6009a25d196adaa8a669b (20221011042303)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9dd268c4cf21f8bcbb1036af9572710623a33591&tochange=5cbd3d92a78c54b324b6009a25d196adaa8a669b

Based on comment #2, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:Jamie, since you are the author of the changes in the range, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit auto_nag documentation.

The same push log includes bug 1791693 which is related to WebGL and seems more likely to be the cause than my a11y dead code removal patch. Marking that as the regressing bug, but please adjust if appropriate.

:sotaro, since you are the author of the regressor, bug 1791693, could you take a look? Also, could you set the severity field?

For more information, please visit auto_nag documentation.

Set release status flags based on info from the regressing bug 1791693

"RemoteTexture on WebGL" is enabled until early beta by Bug 1791693.

The following happened when the problem happened.

• [1] lost context by 'WEBGL_lose_context'extension
• [2] Canvas Dimension was updated during content lost
  • It did not update ClientWebGLContext::mRequestedSize and mResetLayer.
• [3] context restored by 'WEBGL_lose_context'extension
• [4] ClientWebGLContext::Event_webglcontextrestored() created HostContext
  • But it did not update ClientWebGLContext::mRequestedSize and mResetLayer.
• [5] ShareableCanvasRenderer continue to use old CanvasRenderer::mData

[4] caused size information mismatch.

ClientWebGLContext::UpdateWebRenderCanvasData() was called only when the canvas dimension was updated. Then we did not have a chance to update CanvasRenderer::mData.

Bugmon Analysis
Successfully recorded a pernosco session. A link to the pernosco-session will be added here shortly.

A pernosco session for this bug can be found here.

https://hg.mozilla.org/mozilla-central/rev/e1a4701a3104

Bug marked as FIXED but still reproduces on mozilla-central 20221101213659-f8dff2edfe1b. If you believe this to be incorrect, please remove the bugmon keyword to prevent further analysis.

There was still a timing that hit the assert. When ClientWebGLContext::Event_webglcontextrestored() was called just before ClientWebGLContext::UpdateWebRenderCanvasData() the assert was failed.

https://hg.mozilla.org/mozilla-central/rev/763f9eca2999

Verified bug as fixed on rev mozilla-central 20221105215350-063bef6f2545.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Bug 1791693(Enable RemoteTexture on WebGL with sync present) is enabled until early beta.

• https://hg.mozilla.org/mozilla-central/rev/5cbd3d92a78c#l1.18