Closed Bug 1924241 Opened 9 months ago Closed 3 months ago

Hit MOZ_CRASH(Bad SVGFENode render task size: 0x490) at gfx/wr/webrender/src/render_task.rs:1072

Categories: Core :: Graphics: WebRender, defect, P1

Tracking: VERIFIED FIXED, 139 Branch

Tracking Status
relnote-firefox --- 138+
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox131 --- wontfix
firefox132 --- wontfix
firefox133 --- wontfix
firefox134 --- wontfix
firefox137 --- wontfix
firefox138 --- fixed
firefox139 --- verified

People: Reporter: tsmith, Assigned: ahale

References: Blocks 1 open bug, Regression

Details: 4 keywords, Whiteboard: [bugmon:bisected,confirmed]

Attachments: 3 files

Attached file testcase.html

Found while fuzzing m-c 20240816-0148988b85c8 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Hit MOZ_CRASH(Bad SVGFENode render task size: 0x490) at gfx/wr/webrender/src/render_task.rs:1072

#0 0x783918393955 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:317:3
#1 0x783918393955 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x783918393649 in mozglue_static::panic_hook::h4c5eb0863d05a1de /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:102:9
#3 0x7839183930fb in core::ops::function::Fn::call::h90eb7b2caeac90e7 /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/core/src/ops/function.rs:79:5
#4 0x7839195f598e in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::hce7569f4ca5d1b64 /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/alloc/src/boxed.rs:2084:9
#5 0x7839195f598e in std::panicking::rust_panic_with_hook::hfe205f6954b2c97b /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/std/src/panicking.rs:808:13
#6 0x7839195f55b6 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h6cb44b3a50f28c44 /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/std/src/panicking.rs:674:13
#7 0x7839195f43d8 in std::sys::backtrace::__rust_end_short_backtrace::hf1c1f2a92799bb0e /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/std/src/sys/backtrace.rs:168:18
#8 0x7839195f5243 in rust_begin_unwind /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/std/src/panicking.rs:665:5
#9 0x78391961c982 in core::panicking::panic_fmt::h3d8fc78294164da7 /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/core/src/panicking.rs:74:14
#10 0x783917e8918f in webrender::render_task::RenderTask::new_dynamic::h3cf66044bd8f314d /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_task.rs:1072:9
#11 0x783917e8918f in webrender::render_task::RenderTask::new_svg_filter_graph::hfe17fbb31f4ebbc5 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_task.rs
#12 0x783917e084de in webrender::picture::PicturePrimitive::take_context::h73b104489860b4a4 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/picture.rs:6307:46
#13 0x783917e1821c in webrender::prepare::prepare_prim_for_render::h4f9be6fd6fb98ca9 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:167:15
#14 0x783917e1821c in webrender::prepare::prepare_primitives::hc1fd491e6c9caddc /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:81:17
#15 0x783917dd2ae9 in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::h6c1a18d4b8bd9b1e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/frame_builder.rs:465:17
#16 0x783917dd2ae9 in webrender::frame_builder::FrameBuilder::build::he9ee36383d5d9a25 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/frame_builder.rs:573:9
#17 0x783917e46589 in webrender::render_backend::Document::build_frame::h7856045984c7df5c /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:530:25
#18 0x783917e57abf in webrender::render_backend::RenderBackend::update_document::h85fd66b81682374e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1466:41
#19 0x783917e4eea3 in webrender::render_backend::RenderBackend::prepare_transactions::h1176204ed5327e44 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1306:28
#20 0x783917e4eea3 in webrender::render_backend::RenderBackend::process_api_msg::h18921942fb1c68b1 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:1153:17
#21 0x783917b4b869 in webrender::render_backend::RenderBackend::run::hee270ef72d3e5e35 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_backend.rs:802:21
#22 0x783917b4b869 in webrender::renderer::init::create_webrender_instance::_$u7b$$u7b$closure$u7d$$u7d$::h8f4371b861150adf /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/init.rs:715:9
#23 0x783917b4b869 in std::sys::backtrace::__rust_begin_short_backtrace::h480b4f418208bad5 /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/std/src/sys/backtrace.rs:152:18
#24 0x783917b55fac in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h90b35b19be1be14a /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/std/src/thread/mod.rs:538:17
#25 0x783917b55fac in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h9c386cf604f6de96 /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/core/src/panic/unwind_safe.rs:272:9
#26 0x783917b55fac in std::panicking::try::do_call::h2efb273352e5406d /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/std/src/panicking.rs:557:40
#27 0x783917b55fac in std::panicking::try::ha4f93d6be129ac97 /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/std/src/panicking.rs:521:19
#28 0x783917b55fac in std::panic::catch_unwind::h283e51df67f4ee9d /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/std/src/panic.rs:350:14
#29 0x783917b55fac in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::h4612ce294af15d82 /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/std/src/thread/mod.rs:537:30
#30 0x783917b55fac in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h0e32b9fb763240e1 /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/core/src/ops/function.rs:250:5
#31 0x7839195f943a in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::ha1963004222e7822 /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/alloc/src/boxed.rs:2070:9
#32 0x7839195f943a in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h1086ced1f7c494c2 /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/alloc/src/boxed.rs:2070:9
#33 0x7839195f943a in std::sys::pal::unix::thread::Thread::new::thread_start::ha8af9c992ef0b208 /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/std/src/sys/pal/unix/thread.rs:108:17
#34 0x783922e94ac2 in start_thread nptl/pthread_create.c:442:8
#35 0x783922f2684f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Flags: in-testsuite?

This is the crash I get on Nightly: https://crash-stats.mozilla.org/report/index/d6aca449-c069-4ea7-ad72-097540241012 , which also seems to occur for other crashes in WR... Is this a generic signature?
[@ webrender::render_task::RenderTask::new_dynamic ]

Verified bug as reproducible on mozilla-central 20241013211859-d0454173ade6.
The bug appears to have been introduced in the following build range:

Start: 95843bdcdd8fa073e31e95b1df791a9ee6f99f4f (20240624233246)
End: ca2fc5d1ccfc56263eaa2b7142ca23fc371db2d3 (20240625014641)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=95843bdcdd8fa073e31e95b1df791a9ee6f99f4f&tochange=ca2fc5d1ccfc56263eaa2b7142ca23fc371db2d3

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

:ahale, since you are the author of the regressor, bug 1896503, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(ahale)

Interesting. The stdDeviation is a clever way to trigger this when given a 0x0 input task; I can think of several ways to fix this. I'm not sure this is likely to occur on the web though, so I am marking it S3.

Severity: -- → S3
Flags: needinfo?(ahale)
Flags: needinfo?(ahale)

:ahale

I am currently experiencing this issue on the web. We are using a custom graphics program on the web. When we load specific SVGs into our program, the Firefox browser crashes with the error that is mentioned above.

I believe the severity should be changed to S2.

I was able to find a way to reproduce this crash. I'm testing in a VM, but users of our site experience the same problem.

Summary:
It seems to be a corrupted SVG image, because it renders weirdly in other software but OK in the browser. Also, it only crashes when inlined in HTML with this CSS applied:

.test svg {
  height: 100%;
  width: 30px;
}

Deployed HTML page which causes the crash: https://xr-paint.web.app

Environment:
Windows 11
Firefox 132.0.2
MozCrashReason: Bad SVGFENode render task size: 2x0

Crash reports (the first one is from a real user):
https://crash-stats.mozilla.org/report/index/69872129-1a0d-430b-9d1a-606410241114
https://crash-stats.mozilla.org/report/index/7d523872-0276-4f82-b684-280bd0241119

(In reply to Mishchenko Misha from comment #6)
I can repro the crash by opening the page and setting browser zoom to 30%. Repros only with SVG filters enabled.

Crash Signature: [@ webrender::render_task::RenderTask::new_dynamic ]

Opening https://xr-paint.web.app crashed the parent process for me and I was unable to recover. I had to disable session restore.

Keywords: crash

Should this bug be a S2 given that the crash can be reproduced on a website?

See Also: → 1941838

I'll fix this as part of bug 1918529

Flags: needinfo?(ahale)
Severity: S3 → S2
Flags: needinfo?(ahale)

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 5 desktop browser crashes on Mac on release

For more information, please visit BugBot documentation.

Keywords: topcrash

Looking at the crashes, this is definitely an S2 and occurs quite a few different places on the web.

Assignee: nobody → ahale

I got a user report who hit this in the wild, where the crash happened in release and Nightly, today:

The URL that they were visiting is https://app.powerbi.com/view?r=eyJrIjoiMDdjODBhMDgtZDExZS00YmE5LTk5YjItYjg1ZDI3YWNkMWE4IiwidCI6IjRiMWJkNWRiLTY3ODItNDY2YS1hMWM1LTRlOTc1NjQ4ZjhlNSIsImMiOjl9&pageName=ReportSection5c1f867ead4a04ab8c35 but after playing around on that page I am unable to reproduce.

The crash reason is: Bad SVGFENode render task size: 0x0

The test case from comment 6 is in the FilterGraphOp::SVGFEGaussianBlur branch, at https://hg.mozilla.org/releases/mozilla-release/file/60f8744af5044d16783c2c71ca09d27f3932afce/gfx/wr/webrender/src/render_task.rs#l2339

These two occurrences of new_svg_filter_graph were introduced in bug 1824502, which landed in Firefox 127. This differs from the originally detected regression range (which pointed to bug 1896503, landed in Firefox 129).

Regressed by: 1824502

Setting to P1 for internal tracking purposes.

Priority: -- → P1

Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.

For more information, please visit BugBot documentation.

Keywords: topcrash

Flagging this report as stalled until we have the cycles to work it. Please remove the keyword when actively addressing it.

Keywords: stalled
Flags: needinfo?(ahale)
Keywords: stalled
Pushed by ahale@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7b5ad213cf68 Use a minimum task size for SVGFEDropShadow and SVGFEGaussianBlur filters to avoid panic r=gfx-reviewers,nical
Status: NEW → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 139 Branch
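As an added illustration, not code from WebRender or from the patch linked above: a small Rust model of why a filter task with a zero dimension reaches the MOZ_CRASH in new_dynamic, and of the clamp-to-minimum pattern the landed commit message describes. The type and function names, the "ceil(3 * stdDeviation)" blur inflation rule and the 1x1 minimum are assumptions made for the example; the real minimum lives in the patch.

```rust
/// Added illustration (not WebRender's code) of the failure mode in this bug and
/// of the fix pattern named in the landed commit message. The type and function
/// names, the blur inflation rule and the 1x1 minimum are assumptions.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct TaskSize {
    pub width: i32,
    pub height: i32,
}

/// Assumed minimum size for a filter render task (the real value is in the patch).
pub const MIN_FILTER_TASK_SIZE: i32 = 1;

/// Models the original behaviour of creating a dynamic render task: a task with a
/// zero dimension is treated as a programming error and the debug build aborts with
/// MOZ_CRASH("Bad SVGFENode render task size: WxH"). Returned as Err here so the
/// example can be exercised without aborting the process.
pub fn new_dynamic_strict(size: TaskSize) -> Result<TaskSize, String> {
    if size.width <= 0 || size.height <= 0 {
        return Err(format!(
            "Bad SVGFENode render task size: {}x{}",
            size.width, size.height
        ));
    }
    Ok(size)
}

/// Output size of a Gaussian blur task: the input rect inflated by the blur radius
/// on every side. With the assumed radius ceil(3 * stdDeviation), a 0x0 or 2x0 input
/// and a stdDeviation small enough to round to zero yields a task that still has a
/// zero dimension, which is what reaches new_dynamic in this bug.
pub fn blur_task_size(input: TaskSize, std_deviation: f32) -> TaskSize {
    let inflate = (3.0 * std_deviation).ceil() as i32;
    TaskSize {
        width: input.width + 2 * inflate,
        height: input.height + 2 * inflate,
    }
}

/// The fix pattern from the commit message: clamp each dimension to a minimum before
/// the task is allocated, so content that produces an empty filter region gets a tiny
/// but valid task instead of crashing the GPU process.
pub fn blur_task_size_clamped(input: TaskSize, std_deviation: f32) -> TaskSize {
    let size = blur_task_size(input, std_deviation);
    TaskSize {
        width: size.width.max(MIN_FILTER_TASK_SIZE),
        height: size.height.max(MIN_FILTER_TASK_SIZE),
    }
}

fn main() {
    // Constructed inputs matching the sizes quoted in this bug: 0x0 and 2x0.
    let inputs = [TaskSize { width: 0, height: 0 }, TaskSize { width: 2, height: 0 }];
    for input in inputs.iter().copied() {
        let before = new_dynamic_strict(blur_task_size(input, 0.0));
        let after = new_dynamic_strict(blur_task_size_clamped(input, 0.0));
        println!("input {:?}: unpatched -> {:?}, patched -> {:?}", input, before, after);
    }
}
```

The point of the clamp is that it only changes the cases that would otherwise hit the assertion: any task that already has both dimensions at or above the minimum passes through untouched, which is why the uplift request above could describe the patch as a narrow spot fix with no behaviour change.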

Verified bug as fixed on rev mozilla-central 20250411030525-fe8acb502b0c.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

The patch landed in nightly and beta is affected.
:ahale, is this bug important enough to require an uplift?

For more information, please visit BugBot documentation.

Flags: needinfo?(ahale)

Comment on attachment 9477643 [details]
Bug 1924241 - Use a minimum task size for SVGFEDropShadow and SVGFEGaussianBlur filters to avoid panic r?gw,#gfx-reviewers

Beta/Release Uplift Approval Request

  • User impact if declined/Reason for urgency: Relatively low crash volume but the GPU process will repeatedly crash when certain content is encountered, making the entire browser unusable (all white, including the UI) until the tab or window is closed blindly
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is a narrow spot fix that only affects the cases that would otherwise crash, no behavior changes
  • String changes made/needed:
  • Is Android affected?: Yes
Flags: needinfo?(ahale)
Attachment #9477643 - Flags: approval-mozilla-beta?

Comment on attachment 9477643 [details]
Bug 1924241 - Use a minimum task size for SVGFEDropShadow and SVGFEGaussianBlur filters to avoid panic r?gw,#gfx-reviewers

There are no more betas left in the 138 cycle. Moving the request to release, and leaving this open for consideration into the 138 dot release.

Attachment #9477643 - Flags: approval-mozilla-beta? → approval-mozilla-release?

:ahale this will need a release patch

Flags: needinfo?(ahale)
Attachment #9486585 - Flags: approval-mozilla-release?

firefox-release Uplift Approval Request

  • User impact if declined: Relatively low crash volume but the GPU process will repeatedly crash when certain content is encountered, making the entire browser unusable (all white, including the UI) until the tab or window is closed blindly
  • Code covered by automated testing: no
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: N/A
  • Risk associated with taking this patch: Low
  • Explanation of risk level: This is a narrow spot fix that only affects the cases that would otherwise crash, no behavior changes
  • String changes made/needed: None
  • Is Android affected?: yes
Attachment #9477643 - Flags: approval-mozilla-release?
Flags: needinfo?(ahale)
Attachment #9486585 - Flags: approval-mozilla-release? → approval-mozilla-release+