Closed Bug 1509123 Opened 1 year ago Closed 1 year ago

Hit MOZ_CRASH(attempt to multiply with overflow) at gfx/webrender/src/resource_cache.rs:1084

Categories

(Core :: Graphics: WebRender, defect, P3)

defect

Tracking

()

RESOLVED FIXED
mozilla66
Tracking Status
firefox-esr60 --- unaffected
firefox64 --- unaffected
firefox65 --- wontfix
firefox66 --- fixed

People

(Reporter: tsmith, Assigned: kats)

References

(Blocks 3 open bugs)

Details

(Keywords: assertion, testcase)

Crash Data

Attachments

(2 files)

Attached file testcase.html
Reduced with m-c:
BuildID=20181120164749
SourceStamp=8eff0a4f5d8f4442ce233d492185a90c460846ef

Hit MOZ_CRASH(attempt to multiply with overflow) at gfx/webrender/src/resource_cache.rs:1084

#0 MOZ_CrashOOL(char const*, int, char const*) src/obj-firefox/dist/include/mozilla/Assertions.h:311:3
#1 GeckoCrashOOL src/toolkit/xre/nsAppRunner.cpp:5350:3
#2 gkrust_shared::panic_hook::h656ed0b38bd6bc6d src/toolkit/library/rust/shared/lib.rs:234:8
#3 core::ops::function::Fn::call::h7805ce02ed763bba src/libcore/ops/function.rs:78:4
#4 std::panicking::rust_panic_with_hook::h0e12cb2fc86d00fa /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:481:16
#5 std::panicking::continue_panic_fmt::h141671b29fe0e27d /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:391:4
#6 rust_begin_unwind /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:326:4
#7 core::panicking::panic_fmt::h429a06507aba9228 /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libcore/panicking.rs:77:13
#8 core::panicking::panic::haa57ffd51eb03b56 /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libcore/panicking.rs:52:4
#9 webrender::resource_cache::ResourceCache::create_blob_scene_builder_requests::h109a143243ed5bdd src/gfx/webrender/src/resource_cache.rs:1084:22
#10 webrender::render_backend::RenderBackend::prepare_transaction::h30978dc788e61276 src/gfx/webrender/src/render_backend.rs:1079
#11 webrender::render_backend::RenderBackend::process_api_msg::h727535a692239dd9 src/gfx/webrender/src/render_backend.rs:1025
#12 webrender::render_backend::RenderBackend::run::hc7c3f13760f6d726 src/gfx/webrender/src/render_backend.rs:800:20
#13 webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::h118322e7a5f57d4f src/gfx/webrender/src/renderer.rs:1951:12
#14 std::sys_common::backtrace::__rust_begin_short_backtrace::h4690b5b93940c612 src/libstd/sys_common/backtrace.rs:136
#15 std::thread::Builder::spawn::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h60b4a4c67de8111a src/libstd/thread/mod.rs:409:20
#16 _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h0a79177324334219 src/libstd/panic.rs:313
#17 std::panicking::try::do_call::hac5779da819c8173 src/libstd/panicking.rs:310
#18 __rust_maybe_catch_panic /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libpanic_abort/lib.rs:41:4
Flags: in-testsuite?
tiles.size is 490961×446328 so the multiply is overflowing. Looks like an easy fix.
Assignee: nobody → kats
So I can fix the overflow crash but it would really just be papering over a gecko-side problem where we're requesting a giant blob. The scale at [1] is massive, so the dtSize ends up massive. It might be that using ChooseScaleAndSetTransform will helper here by giving us more sane scale values, so let's wait until that's in.

[1] https://searchfox.org/mozilla-central/rev/876022232b15425bb9efde189caf747823b39567/gfx/layers/wr/WebRenderCommandBuilder.cpp#1913
Assignee: kats → nobody
Depends on: 1415987
Priority: -- → P3
Bug 1415987 didn't help here, this still crashes for me.
In non-debug builds we actually don't crash (because no overflow checks) but instead it tries to allocate all the memory and freezes the browser. I think this is worth fixing, and isn't particularly hard.
Assignee: nobody → kats
bp-293d33bf-89c7-457d-b950-340590181227
Crash Signature: [@ OOM | large | mozalloc_abort | mozalloc_handle_oom | gkrust_shared::oom_hook::hook ]
Depends on: 1516302
https://hg.mozilla.org/mozilla-central/rev/060057e8d0eb
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.