Closed Bug 1534090 Opened 5 years ago Closed 4 years ago

Invalid read crashes browser during window resize whilst loading 50 malformed images

Categories

(Core :: Graphics: WebRender, defect, P5)

x86_64
Linux
defect

Tracking

RESOLVED INVALID
Tracking Status
firefox67 --- affected

People

(Reporter: geeknik, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: nightly-community)

Attachments

(1 file)

Attached file fuzz.zip

Fedora 29, RTX 2070, Nvidia 418.43 drivers

ASan Nightly (Build ID 20190309215319) crashes while resizing the window with the attached html loaded.

  1. Unzip the zip file somewhere safe (it contains 10000 "images" and 1 html file).

  2. Load fuzz.html#5000

  3. Resize the window by dragging the border about until it crashes (wide, narrow, short, tall, all around)

  4. Warning, the images in the attached zip file COULD potentially trigger other bugs (I'm encountering an intermittent one I can't pin down yet)

==9983==ERROR: AddressSanitizer: SEGV on unknown address 0x7f1268b3b858 (pc 0x7f14dad8ee39 bp 0x7f14ca1b70a0 sp 0x7f14ca1b7048 T24)
==9983==The signal is caused by a READ memory access.
#0 0x7f14dad8ee38 (/lib64/libnvidia-glcore.so.418.43+0xfdae38)
#1 0x7f14dad8ee77 (/lib64/libnvidia-glcore.so.418.43+0xfdae77)
#2 0x7f14dad82cf7 (/lib64/libnvidia-glcore.so.418.43+0xfcecf7)
#3 0x7f14dad83772 (/lib64/libnvidia-glcore.so.418.43+0xfcf772)
#4 0x7f14dad83fa6 (/lib64/libnvidia-glcore.so.418.43+0xfcffa6)
#5 0x7f14dacbe91e (/lib64/libnvidia-glcore.so.418.43+0xf0a91e)
#6 0x7f14dab79742 (/lib64/libnvidia-glcore.so.418.43+0xdc5742)
#7 0x7f14dac8968b (/lib64/libnvidia-glcore.so.418.43+0xed568b)
#8 0x7f14dad3c267 (/lib64/libnvidia-glcore.so.418.43+0xf88267)
#9 0x7f14da7e31ba (/lib64/libnvidia-glcore.so.418.43+0xa2f1ba)
#10 0x7f14da7ee820 (/lib64/libnvidia-glcore.so.418.43+0xa3a820)
#11 0x7f1503af80ac in gleam::ffi_gl::Gl::BlitFramebuffer::hbdb30013d0ab0dd0 /builds/worker/workspace/build/src/obj-firefox/x86_64-unknown-linux-gnu/release/build/gleam-b8d5162c0e18058b/out/gl_bindings.rs:3470:283
#12 0x7f1503af80ac in $LT$gleam..gl..GlFns$u20$as$u20$gleam..gl..Gl$GT$::blit_framebuffer::h5cdd46636288960f /builds/worker/workspace/build/src/third_party/rust/gleam/src/gl_fns.rs:1019
#13 0x7f1503936402 in webrender::device::gl::Device::blit_render_target_impl::h12a255fcf1bb6ccd /builds/worker/workspace/build/src/gfx/wr/webrender/src/device/gl.rs:2072:8
#14 0x7f1503936402 in webrender::device::gl::Device::blit_render_target::hb0db36a59b087a14 /builds/worker/workspace/build/src/gfx/wr/webrender/src/device/gl.rs:2146
#15 0x7f1503ad2f69 in webrender::device::gl::Device::blit_render_target_invert_y::hbd88bdc6f8c46d98 /builds/worker/workspace/build/src/gfx/wr/webrender/src/device/gl.rs:2167:8
#16 0x7f1503ad2f69 in webrender::renderer::Renderer::draw_color_target::h23d556c38ad65135 /builds/worker/workspace/build/src/gfx/wr/webrender/src/renderer.rs:3563
#17 0x7f1503ac86f7 in webrender::renderer::Renderer::draw_tile_frame::hf1c03ba507d9ea22 /builds/worker/workspace/build/src/gfx/wr/webrender/src/renderer.rs:4238:24
#18 0x7f1503abb4ef in webrender::renderer::Renderer::render_impl::$u7b$$u7b$closure$u7d$$u7d$::h51f9719817a17fa1 /builds/worker/workspace/build/src/gfx/wr/webrender/src/renderer.rs:2727:16
#19 0x7f1503abb4ef in webrender::profiler::TimeProfileCounter::profile::h6161a26dd531608a /builds/worker/workspace/build/src/gfx/wr/webrender/src/profiler.rs:282
#20 0x7f1503abb4ef in webrender::renderer::Renderer::render_impl::hf4f6fc23a87a5d02 /builds/worker/workspace/build/src/gfx/wr/webrender/src/renderer.rs:2677
#21 0x7f15038d6edc in webrender::renderer::Renderer::render::h445909340fdb6e7b /builds/worker/workspace/build/src/gfx/wr/webrender/src/renderer.rs:2602:21
#22 0x7f15038d6edc in wr_renderer_render /builds/worker/workspace/build/src/gfx/webrender_bindings/src/bindings.rs:644
#23 0x7f14f877f1a7 in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool, mozilla::wr::RendererStats*) /builds/worker/workspace/build/src/gfx/webrender_bindings/RendererOGL.cpp:121:8
#24 0x7f14f877d48b in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool) /builds/worker/workspace/build/src/gfx/webrender_bindings/RenderThread.cpp:369:26
#25 0x7f14f877cc5a in mozilla::wr::RenderThread::HandleFrame(mozilla::wr::WrWindowId, bool) /builds/worker/workspace/build/src/gfx/webrender_bindings/RenderThread.cpp:262:3
#26 0x7f14f879872b in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool>, 0, 1> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1122:12
#27 0x7f14f879872b in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1128
#28 0x7f14f879872b in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1174
#29 0x7f14f67f2103 in RunTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:442:9
#30 0x7f14f67f2103 in DeferOrRunPendingTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:450
#31 0x7f14f67f2103 in MessageLoop::DoWork() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:523
#32 0x7f14f67f41ed in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:35:31
#33 0x7f14f67ef6df in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#34 0x7f14f67ef6df in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#35 0x7f14f67ef6df in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#36 0x7f14f680acdd in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:192:16
#37 0x7f14f680086c in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:40:13
#38 0x7f150d8d658d in start_thread (/lib64/libpthread.so.0+0x858d)
#39 0x7f150d4bc6a2 in __GI___clone (/lib64/libc.so.6+0xfd6a2)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib64/libnvidia-glcore.so.418.43+0xfdae38)
Thread T24 (Renderer) created by T0 here:
#0 0x55ba0780c27d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
#1 0x7f14f67fe1bc in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:123:14
#2 0x7f14f67fe1bc in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:134
#3 0x7f14f680a3f3 in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:97:8
#4 0x7f14f877915a in mozilla::wr::RenderThread::Start() /builds/worker/workspace/build/src/gfx/webrender_bindings/RenderThread.cpp:65:16
#5 0x7f14f84a52a1 in gfxPlatform::InitLayersIPC() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:1252:7
#6 0x7f14f849f778 in gfxPlatform::Init() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:965:3
#7 0x7f14f849d42b in gfxPlatform::GetPlatform() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:480:5
#8 0x7f14fda8eb1a in nsWindow::Create(nsIWidget*, void*, mozilla::gfx::IntRectTyped<mozilla::LayoutDevicePixel> const&, nsWidgetInitData*) /builds/worker/workspace/build/src/widget/gtk/nsWindow.cpp:3304:17
#9 0x7f14fd9c6265 in nsIWidget::Create(nsIWidget*, void*, mozilla::gfx::IntRectTyped<mozilla::DesktopPixel> const&, nsWidgetInitData*) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIWidget.h:446:12
#10 0x7f1500c22219 in nsWebShellWindow::Initialize(nsIXULWindow*, nsIXULWindow*, nsIURI*, int, int, bool, nsITabParent*, mozIDOMWindowProxy*, nsWidgetInitData&) /builds/worker/workspace/build/src/xpfe/appshell/nsWebShellWindow.cpp:164:17
#11 0x7f1500c1d24b in nsAppShellService::JustCreateTopWindow(nsIXULWindow*, nsIURI*, unsigned int, int, int, bool, nsITabParent*, mozIDOMWindowProxy*, nsWebShellWindow**) /builds/worker/workspace/build/src/xpfe/appshell/nsAppShellService.cpp:677:25
#12 0x7f1500c1eb6d in nsAppShellService::CreateTopLevelWindow(nsIXULWindow*, nsIURI*, unsigned int, int, int, nsITabParent*, mozIDOMWindowProxy*, nsIXULWindow**) /builds/worker/workspace/build/src/xpfe/appshell/nsAppShellService.cpp:194:8
#13 0x7f150146cde5 in nsAppStartup::CreateChromeWindow2(nsIWebBrowserChrome*, unsigned int, nsITabParent*, mozIDOMWindowProxy*, unsigned long, bool*, nsIWebBrowserChrome**) /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:637:15
#14 0x7f1501626806 in nsWindowWatcher::CreateChromeWindow(nsTSubstring<char> const&, nsIWebBrowserChrome*, unsigned int, nsITabParent*, mozIDOMWindowProxy*, unsigned long, nsIWebBrowserChrome**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:411:33
#15 0x7f1501621adc in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsDocShellLoadState*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:866:14
#16 0x7f150161e381 in nsWindowWatcher::OpenWindow(mozIDOMWindowProxy*, char const*, char const*, char const*, nsISupports*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:290:10
#17 0x7f14f594cd91 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
#18 0x7f14f73dc924 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1630:10
#19 0x7f14f73dc924 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1178
#20 0x7f14f73dc924 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1144
#21 0x7f14f73e2963 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:941:10
#22 0x7f1501951857 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:442:13
#23 0x7f1501951857 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534
#24 0x7f150193981b in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:593:10
#25 0x7f150193981b in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3075
#26 0x7f150191dd3f in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:10
#27 0x7f15019570a5 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:781:13
#28 0x7f1501a03077 in ExecuteInExtensibleLexicalEnvironment(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:466:10
#29 0x7f1501a03d32 in js::ExecuteInJSMEnvironment(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::AutoVector<JSObject*>&) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:575:10
#30 0x7f1501a03837 in js::ExecuteInJSMEnvironment(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:528:10
#31 0x7f14f72c4fcc in mozJSComponentLoader::ObjectForLocation(ComponentLoaderInfo&, nsIFile*, JS::MutableHandle<JSObject*>, JS::MutableHandle<JSScript*>, char**, bool, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/xpconnect/loader/mozJSComponentLoader.cpp:923:19
#32 0x7f14f72cdf44 in mozJSComponentLoader::Import(JSContext*, nsTSubstring<char> const&, JS::MutableHandle<JSObject*>, JS::MutableHandle<JSObject*>, bool) /builds/worker/workspace/build/src/js/xpconnect/loader/mozJSComponentLoader.cpp:1332:12
#33 0x7f14f58bccd4 in mozilla::xpcom::ConstructJSMComponent(nsTSubstring<char> const&, char const*, nsISupports**) /builds/worker/workspace/build/src/obj-firefox/xpcom/components/StaticComponents.cpp:1582:3
#34 0x7f14f58aa79d in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/build/src/obj-firefox/xpcom/components/StaticComponents.cpp:10555:7
#35 0x7f14f58d7bf4 in CreateInstance /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:220:46
#36 0x7f14f58d7bf4 in nsComponentManagerImpl::GetServiceLocked((anonymous namespace)::MutexLock&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1400
#37 0x7f14f58cd03c in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1587:10
#38 0x7f14f58e02d5 in CallGetService /builds/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:61:43
#39 0x7f14f58e02d5 in nsGetServiceByContractIDWithError::operator()(nsID const&, void**) const /builds/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:253
#40 0x7f14f5752a2e in nsCOMPtr_base::assign_from_gs_contractid_with_error(nsGetServiceByContractIDWithError const&, nsID const&) /builds/worker/workspace/build/src/xpcom/base/nsCOMPtr.cpp:91:7
#41 0x7f15016d3562 in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:1037:5
#42 0x7f15016d3562 in nsAppStartupNotifier::NotifyObservers(char const*) /builds/worker/workspace/build/src/toolkit/xre/nsAppStartupNotifier.cpp:49
#43 0x7f15016c79e8 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4354:3
#44 0x7f15016ca999 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4677:8
#45 0x7f15016cbddc in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4761:21
#46 0x55ba078561fc in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:214:22
#47 0x55ba078561fc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:293
#48 0x7f150d3e3412 in __libc_start_main (/lib64/libc.so.6+0x24412)

==9983==ABORTING

Is it possible to reproduce on an open source driver? Either nouveau or llvmpipe?

I can’t answer that as I don’t have an extra PC to test other drivers on at this time.

FWIW I'm not able to reproduce using the STR on a clean WR-enabled profile. I have an Intel graphics card using 3.0 Mesa 18.0.5.

I do however see a different problem where the tab crashes and the only relevant output is "AddressSanitizer:DEADLYSIGNAL".

/cc Arthur in case comment 0 indicates a bug in the Nvidia Linux driver.

Is there a crash without AddressSanitizer at all?

Priority: -- → P5

Machine learning guess is wrong

Keywords: regression

I'm unable to reproduce this. Testing conditions below.

Application Basics
------------------

Name: Firefox
Version: 76.0.1
Build ID: 20200507114007
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0
OS: Linux 5.6.0-2-amd64
Multiprocess Windows: 1/1 Enabled by default
Remote Processes: 11
Enterprise Policies: Inactive
Google Location Service Key: Found
Google Safebrowsing Key: Found
Mozilla Location Service Key: Found
Safe Mode: false

Graphics
--------

Features
Compositing: WebRender
Asynchronous Pan/Zoom: wheel input enabled; scrollbar drag enabled; keyboard enabled; autoscroll enabled
Window Protocol: x11
Desktop Environment: xfce
Off Main Thread Painting Enabled: true
Off Main Thread Painting Worker Count: 4
Target Frame Rate: 60
GPU #1
Active: Yes
Description: GeForce GTX 960/PCIe/SSE2
Vendor ID: 0x10de
Device ID: GeForce GTX 960/PCIe/SSE2
Driver Vendor: nvidia/unknown
Driver Version: 440.82.0.0
RAM: 0

Diagnostics
AzureCanvasBackend: skia
AzureCanvasBackend (UI Process): skia
AzureContentBackend: skia
AzureContentBackend (UI Process): skia
AzureFallbackCanvasBackend (UI Process): none
CairoUseXRender: 0
CMSOutputProfile: Empty profile data
Display0: 1920x1080 default
DisplayCount: 1
GPUProcessPid: 5872
Decision Log
WEBRENDER:
opt-in by default: WebRender is an opt-in feature
available by user: Force enabled by pref
WEBRENDER_QUALIFIED:
blacklisted by env: No qualified hardware
WEBRENDER_COMPOSITOR:
disabled by default: Disabled by default
WEBGPU:
disabled by default: Disabled by default
blocked by runtime: WebGPU can only be enabled in nightly

LOL, this bug is at least a year old and is no longer actionable.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID