Closed Bug 1509123 Opened 6 years ago Closed 6 years ago

Hit MOZ_CRASH(attempt to multiply with overflow) at gfx/webrender/src/resource_cache.rs:1084

Categories

(Core :: Graphics: WebRender, defect, P3)

Product:
Core
Component:
Graphics: WebRender
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla66
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox64 --- unaffected
firefox65 --- wontfix
firefox66 --- fixed

People

(Reporter: tsmith, Assigned: kats)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase)

Crash Data

Attachments

(2 files)

testcase.html
158 bytes, text/html
Details
Bug 1509123 - Add crashtest. r?kvark
47 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html
Reduced with m-c: BuildID=20181120164749 SourceStamp=8eff0a4f5d8f4442ce233d492185a90c460846ef Hit MOZ_CRASH(attempt to multiply with overflow) at gfx/webrender/src/resource_cache.rs:1084 #0 MOZ_CrashOOL(char const*, int, char const*) src/obj-firefox/dist/include/mozilla/Assertions.h:311:3 #1 GeckoCrashOOL src/toolkit/xre/nsAppRunner.cpp:5350:3 #2 gkrust_shared::panic_hook::h656ed0b38bd6bc6d src/toolkit/library/rust/shared/lib.rs:234:8 #3 core::ops::function::Fn::call::h7805ce02ed763bba src/libcore/ops/function.rs:78:4 #4 std::panicking::rust_panic_with_hook::h0e12cb2fc86d00fa /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:481:16 #5 std::panicking::continue_panic_fmt::h141671b29fe0e27d /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:391:4 #6 rust_begin_unwind /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:326:4 #7 core::panicking::panic_fmt::h429a06507aba9228 /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libcore/panicking.rs:77:13 #8 core::panicking::panic::haa57ffd51eb03b56 /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libcore/panicking.rs:52:4 #9 webrender::resource_cache::ResourceCache::create_blob_scene_builder_requests::h109a143243ed5bdd src/gfx/webrender/src/resource_cache.rs:1084:22 #10 webrender::render_backend::RenderBackend::prepare_transaction::h30978dc788e61276 src/gfx/webrender/src/render_backend.rs:1079 #11 webrender::render_backend::RenderBackend::process_api_msg::h727535a692239dd9 src/gfx/webrender/src/render_backend.rs:1025 #12 webrender::render_backend::RenderBackend::run::hc7c3f13760f6d726 src/gfx/webrender/src/render_backend.rs:800:20 #13 webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::h118322e7a5f57d4f src/gfx/webrender/src/renderer.rs:1951:12 #14 std::sys_common::backtrace::__rust_begin_short_backtrace::h4690b5b93940c612 src/libstd/sys_common/backtrace.rs:136 #15 std::thread::Builder::spawn::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h60b4a4c67de8111a src/libstd/thread/mod.rs:409:20 #16 _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h0a79177324334219 src/libstd/panic.rs:313 #17 std::panicking::try::do_call::hac5779da819c8173 src/libstd/panicking.rs:310 #18 __rust_maybe_catch_panic /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libpanic_abort/lib.rs:41:4
Flags: in-testsuite?
tiles.size is 490961×446328 so the multiply is overflowing. Looks like an easy fix.
Assignee: nobody → kats
So I can fix the overflow crash but it would really just be papering over a gecko-side problem where we're requesting a giant blob. The scale at [1] is massive, so the dtSize ends up massive. It might be that using ChooseScaleAndSetTransform will helper here by giving us more sane scale values, so let's wait until that's in. [1] https://searchfox.org/mozilla-central/rev/876022232b15425bb9efde189caf747823b39567/gfx/layers/wr/WebRenderCommandBuilder.cpp#1913
Assignee: kats → nobody
Depends on: 1415987
Priority: -- → P3
Blocks: wr-fuzz
Bug 1415987 didn't help here, this still crashes for me.
In non-debug builds we actually don't crash (because no overflow checks) but instead it tries to allocate all the memory and freezes the browser. I think this is worth fixing, and isn't particularly hard.
Assignee: nobody → kats
bp-293d33bf-89c7-457d-b950-340590181227
Crash Signature: [@ OOM | large | mozalloc_abort | mozalloc_handle_oom | gkrust_shared::oom_hook::hook ]
status-firefox66: --- → affected
https://hg.mozilla.org/mozilla-central/rev/060057e8d0eb
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox66: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
status-firefox64: --- → unaffected
status-firefox65: affectedwontfix
status-firefox-esr60: --- → unaffected
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: