Open Bug 1809309 Opened 2 years ago Updated 1 year ago

Hit MOZ_CRASH(no entry found for key) at gfx/wr/webrender/src/scene_building.rs:141

Categories: Core :: Graphics: WebRender, defect
Tracking Status: firefox110 --- fix-optional
People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
Details: 4 keywords, Whiteboard: [bugmon:bisected,confirmed]
Attachments: 1 file, 1 obsolete file

Attached file testcase.html (obsolete) (deleted)

Found while fuzzing m-c 20221127-f49e8eca9e34 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --xvfb

Hit MOZ_CRASH(no entry found for key) at gfx/wr/webrender/src/scene_building.rs:141

#0 0x7fdcbefca3f9 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7fdcbefca3f9 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7fdcbefca2c0 in mozglue_static::panic_hook::h2528d155d73bb4bb /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:91:9
#3 0x7fdcbefc8fe5 in core::ops::function::Fn::call::hc91d87086350bb43 /builds/worker/fetches/rust/library/core/src/ops/function.rs:78:5
#4 0x7fdcc2d6900b in std::panicking::rust_panic_with_hook::hb95930056730415d (/home/user/workspace/browsers/m-c-20230109162059-fuzzing-asan-opt/libxul.so+0x27e5e00b) (BuildId: 6d9a393173a32f5d05e82cf8cdbe47b055bbd218)
#5 0x7fdcc2d8d496 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h251d4677403105eb std.82f3c14a-cgu.8
#6 0x7fdcc2d8d28b in std::sys_common::backtrace::__rust_end_short_backtrace::h4aa72274704f4358 std.82f3c14a-cgu.8
#7 0x7fdcc2d68b81 in rust_begin_unwind (/home/user/workspace/browsers/m-c-20230109162059-fuzzing-asan-opt/libxul.so+0x27e5db81) (BuildId: 6d9a393173a32f5d05e82cf8cdbe47b055bbd218)
#8 0x7fdcc2dd96b2 in core::panicking::panic_fmt::h8c57bd6922066c10 (/home/user/workspace/browsers/m-c-20230109162059-fuzzing-asan-opt/libxul.so+0x27ece6b2) (BuildId: 6d9a393173a32f5d05e82cf8cdbe47b055bbd218)
#9 0x7fdcc2dd08f0 in core::panicking::panic_display::hb307d970a692863b core.509e1a9a-cgu.15
#10 0x7fdcc2dd089a in core::panicking::panic_str::h844e3d6281227297 core.509e1a9a-cgu.15
#11 0x7fdcc2dd06d5 in core::option::expect_failed::h630f7be4efe18631 (/home/user/workspace/browsers/m-c-20230109162059-fuzzing-asan-opt/libxul.so+0x27ec56d5) (BuildId: 6d9a393173a32f5d05e82cf8cdbe47b055bbd218)
#12 0x7fdcbdf8d3a7 in core::option::Option$LT$T$GT$::expect::hd2b582fa73e75548 /builds/worker/fetches/rust/library/core/src/option.rs:741:21
#13 0x7fdcbdf8d3a7 in _$LT$std..collections..hash..map..HashMap$LT$K$C$V$C$S$GT$$u20$as$u20$core..ops..index..Index$LT$$RF$Q$GT$$GT$::index::h54b726a8489b1ba6 /builds/worker/fetches/rust/library/std/src/collections/hash/map.rs:1340:9
#14 0x7fdcbdf8d3a7 in webrender::scene_building::NodeIdToIndexMapper::get_spatial_node_index::h611f76b7aa0cc002 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/scene_building.rs:141:9
#15 0x7fdcbdf8d3a7 in webrender::scene_building::SceneBuilder::get_space::hc9d9d8678d8fd1ee /builds/worker/checkouts/gecko/gfx/wr/webrender/src/scene_building.rs:1166:9
#16 0x7fdcbdf92c90 in webrender::scene_building::SceneBuilder::build_item::hd3c107de9a4dcf7e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/scene_building.rs:1365:42
#17 0x7fdcbdf5fcb7 in webrender::scene_building::SceneBuilder::build_all::h3ea8e50cd8c6a2b8 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/scene_building.rs:885:25
#18 0x7fdcbdf5fcb7 in webrender::scene_building::SceneBuilder::build::h73a9a5ec3c8c3b20 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/scene_building.rs:592:9
#19 0x7fdcbdf41aa3 in webrender::scene_builder_thread::SceneBuilderThread::process_transaction::hb36fb89abaf29f71 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/scene_builder_thread.rs:597:25
#20 0x7fdcbdeff4cd in webrender::scene_builder_thread::SceneBuilderThread::run::_$u7b$$u7b$closure$u7d$$u7d$::hc9821c0cff77b3ff /builds/worker/checkouts/gecko/gfx/wr/webrender/src/scene_builder_thread.rs:314:36
#21 0x7fdcbdeff4cd in core::iter::adapters::map::map_try_fold::_$u7b$$u7b$closure$u7d$$u7d$::he827f541c9b9c79f /builds/worker/fetches/rust/library/core/src/iter/adapters/map.rs:91:28
#22 0x7fdcbdeff4cd in core::iter::traits::iterator::Iterator::try_fold::hc19df34b8ad388ec /builds/worker/fetches/rust/library/core/src/iter/traits/iterator.rs:2238:21
#23 0x7fdcbdeff4cd in _$LT$core..iter..adapters..map..Map$LT$I$C$F$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::h339730f05871c97e /builds/worker/fetches/rust/library/core/src/iter/adapters/map.rs:117:9
#24 0x7fdcbdeff4cd in _$LT$I$u20$as$u20$alloc..vec..in_place_collect..SpecInPlaceCollect$LT$T$C$I$GT$$GT$::collect_in_place::h94f9d9bfa25110cb /builds/worker/fetches/rust/library/alloc/src/vec/in_place_collect.rs:257:13
#25 0x7fdcbdeff4cd in alloc::vec::in_place_collect::_$LT$impl$u20$alloc..vec..spec_from_iter..SpecFromIter$LT$T$C$I$GT$$u20$for$u20$alloc..vec..Vec$LT$T$GT$$GT$::from_iter::h90a46b5acb13d0b0 /builds/worker/fetches/rust/library/alloc/src/vec/in_place_collect.rs:181:19
#26 0x7fdcbdeff4cd in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$core..iter..traits..collect..FromIterator$LT$T$GT$$GT$::from_iter::h652eb07ae74d692b /builds/worker/fetches/rust/library/alloc/src/vec/mod.rs:2757:9
#27 0x7fdcbdeff4cd in core::iter::traits::iterator::Iterator::collect::h13b1ef7c1ecc0191 /builds/worker/fetches/rust/library/core/src/iter/traits/iterator.rs:1836:9
#28 0x7fdcbdeff4cd in webrender::scene_builder_thread::SceneBuilderThread::run::hcb320a3db8a199ba /builds/worker/checkouts/gecko/gfx/wr/webrender/src/scene_builder_thread.rs:313:67
#29 0x7fdcbd3133bc in webrender::renderer::init::create_webrender_instance::_$u7b$$u7b$closure$u7d$$u7d$::h97f727203a56cbc3 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/init.rs:590:9
#30 0x7fdcbd3133bc in std::sys_common::backtrace::__rust_begin_short_backtrace::hf91df755ed112be5 /builds/worker/fetches/rust/library/std/src/sys_common/backtrace.rs:121:18
#31 0x7fdcbd36fb64 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h97d7d6096729ab2d /builds/worker/fetches/rust/library/std/src/thread/mod.rs:551:17
#32 0x7fdcbd36fb64 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h39b2df182df0a8cf /builds/worker/fetches/rust/library/core/src/panic/unwind_safe.rs:271:9
#33 0x7fdcbd36fb64 in std::panicking::try::do_call::h7c23f48793e57d45 /builds/worker/fetches/rust/library/std/src/panicking.rs:483:40
#34 0x7fdcbd36fb64 in std::panicking::try::h247f9e05fab421a9 /builds/worker/fetches/rust/library/std/src/panicking.rs:447:19
#35 0x7fdcbd36fb64 in std::panic::catch_unwind::h5d30b680f2788c52 /builds/worker/fetches/rust/library/std/src/panic.rs:137:14
#36 0x7fdcbd36fb64 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::hfc0a7f8814e99f2a /builds/worker/fetches/rust/library/std/src/thread/mod.rs:550:30
#37 0x7fdcbd36fb64 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::hfa821e453454aaa7 /builds/worker/fetches/rust/library/core/src/ops/function.rs:251:5
#38 0x7fdcc2d964f2 in std::sys::unix::thread::Thread::new::thread_start::h053bd8e54c50a3de std.82f3c14a-cgu.9
#39 0x7fdcce0b1b42 in start_thread nptl/pthread_create.c:442:8
#40 0x7fdcce1439ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Flags: in-testsuite?
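
The panic in frames #11 to #14 of the trace above is what `std::collections::HashMap` does when it is indexed with a key it does not hold. The Rust sketch below is an added example, not WebRender code: `Mapper`, `SpatialId` and `SpatialNodeIndex` are hypothetical stand-ins, and it contrasts the indexing lookup with a fallible `get` lookup.

```rust
use std::collections::HashMap;
use std::panic;

// Hypothetical stand-ins for the id types; not the real WebRender definitions.
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
struct SpatialId(u64);
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
struct SpatialNodeIndex(u32);

#[derive(Default)]
struct Mapper {
    spatial_node_map: HashMap<SpatialId, SpatialNodeIndex>,
}

impl Mapper {
    // Same shape as frames #12-#14: `map[&key]` goes through Index::index,
    // which calls Option::expect and panics when the key is absent.
    fn get_indexed(&self, id: SpatialId) -> SpatialNodeIndex {
        self.spatial_node_map[&id]
    }

    // Fallible variant: the caller decides how to handle an unknown id.
    fn get_checked(&self, id: SpatialId) -> Option<SpatialNodeIndex> {
        self.spatial_node_map.get(&id).copied()
    }
}

// Runs the indexing lookup and returns the panic message if it panicked.
// The payload is a &str or a String depending on how the message was built.
fn panic_message_for(mapper: &Mapper, id: SpatialId) -> Option<String> {
    let result = panic::catch_unwind(panic::AssertUnwindSafe(|| mapper.get_indexed(id)));
    result.err().map(|payload| {
        payload
            .downcast_ref::<&str>()
            .map(|s| s.to_string())
            .or_else(|| payload.downcast_ref::<String>().cloned())
            .unwrap_or_default()
    })
}

// Constructed sample data: only id 1 is registered.
fn sample_mapper() -> Mapper {
    let mut m = Mapper::default();
    m.spatial_node_map.insert(SpatialId(1), SpatialNodeIndex(0));
    m
}

fn main() {
    let m = sample_mapper();
    println!("{:?} {:?}", m.get_checked(SpatialId(2)), panic_message_for(&m, SpatialId(2)));
}
```
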

A Pernosco session is available here: https://pernos.co/debug/xfmQc8sNQYERihhUak8JXw/index.html

Verified bug as reproducible on mozilla-central 20230109212101-329b80a0d033.
The bug appears to have been introduced in the following build range:

Start: 5936168c80d1f6b8a55f7f528b0851e75e90660d (20220906092501)
End: d1b399bcd0474869d29804c13b2145a6a8b645da (20220906120315)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5936168c80d1f6b8a55f7f528b0851e75e90660d&tochange=d1b399bcd0474869d29804c13b2145a6a8b645da

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Attached file testcase (s/msub/mrow/) (deleted)

mmh, it seems my comment was lost:

"I think this is an instance of the cases where the legacy MathML "invalid markup" message was hiding bugs found by fuzzers (this message was removed in https://hg.mozilla.org/integration/autoland/rev/69aab0d556424c65172360f3c2f02c2809e6522c but can be reactivated via the mathml.error_message_layout_for_invalid_markup.disabled pref).

Anyway, here is an alternative testcase with s/msub/mrow/ so that the missing child of the msub element does not cause an invalid markup message. It crashes for me at 1ff7828b2117371e1d2536dfb5ff9d7ca7e057be. It would be a good idea to rebisect with that testcase instead..."

Attachment #9311448 - Attachment is obsolete: true

Alright, let's see what bugmon says now.

Whiteboard: [bugmon:bisected,confirmed]

Verified bug as reproducible on mozilla-central 20230110214526-9231302514fc.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: bb37e7d6382b8647a9567947d18dce1e61e670e6 (20220112035347)
End: f49e8eca9e344e5d8b9a5e67ff5859ba3afc3a4d (20221127212619)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisected,confirmed]

Triage - I am rating this S3 while discussion is ongoing in the bug, please NI me for a re-rating of the bug if concerns arise - as it stands this looks like an undesired but safe crash?

Severity: -- → S3

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Keywords: bugmon