1566877 - wrench --headless oom with empty input

Status: RESOLVED FIXED

(Core :: Graphics: WebRender, defect, P3)

Description

[Jesse Schwartzentruber (:truber)]

Attachment: 000.bin

I'm trying to run wrench show locally under AFL for fuzzing. I'm compiling it from m-c 29e9dde37bd231a94959394554154ede52670c652 using cargo build --release --features headless with stable rustc 1.36.0.

With a minimal binary input (well-formed 16 byte header only), wrench hangs. With --headless, it also ooms very quickly.

Running it like: ./scripts/headless.py show --play 000.bin
If I run under lldb for a few seconds, the backtrace looks like:

$ LD_LIBRARY_PATH=../target/release/build/osmesa-src-267fc7edb927c1d9/out/lib/gallium GALLIUM_DRIVER=softpipe lldb -- ../target/release/wrench --headless --no-scissor show --play 000.bin
(lldb) target create "../target/release/wrench"
Current executable set to '../target/release/wrench' (x86_64).
(lldb) settings set -- target.run-args  "--headless" "--no-scissor" "show" "--play" "000.bin"
(lldb) r
Process 13752 launched: '/home/truber/src/m/u/gfx/wr/target/release/wrench' (x86_64)
OpenGL version 3.3 (Core Profile) Mesa 19.1.2, softpipe
hidpi factor: 1 (native 1)
Shader override path: None
Warning: binary file ApiMsg type mismatch: expected 0x50f0af375edea9b1, found 0x8400a9d25f5405ff
Frame 0 offset: 16
Process 13752 stopped
* thread #1, name = 'wrench', stop reason = signal SIGSTOP
    frame #0: 0x0000555555b463bf wrench`std::sync::mpsc::shared::Packet$LT$T$GT$::send::haad429cc576321f0 [inlined] core::sync::atomic::atomic_store::hd40d754671732a00(dst=0x000055561c140830, val=93828326623344, order=Release) at atomic.rs:2112:19
(lldb) bt
error: need to add support for DW_TAG_base_type 'char' encoded with DW_ATE = 0x8, bit_size = 32
* thread #1, name = 'wrench', stop reason = signal SIGSTOP
  * frame #0: 0x0000555555b463bf wrench`std::sync::mpsc::shared::Packet$LT$T$GT$::send::haad429cc576321f0 [inlined] core::sync::atomic::atomic_store::hd40d754671732a00(dst=0x000055561c140830, val=93828326623344, order=Release) at atomic.rs:2112:19
    frame #1: 0x0000555555b463bf wrench`std::sync::mpsc::shared::Packet$LT$T$GT$::send::haad429cc576321f0 [inlined] core::sync::atomic::AtomicPtr$LT$T$GT$::store::h59f845f37c11cf7e(self=0x000055561c140830, ptr=0x000055561c140870, order=Release) at atomic.rs:921
    frame #2: 0x0000555555b463bf wrench`std::sync::mpsc::shared::Packet$LT$T$GT$::send::haad429cc576321f0 at mpsc_queue.rs:76
    frame #3: 0x0000555555b46364 wrench`std::sync::mpsc::shared::Packet$LT$T$GT$::send::haad429cc576321f0(self=0x00005555561ad960, t=<unavailable>) at shared.rs:166
    frame #4: 0x0000555555b448d4 wrench`std::sync::mpsc::Sender$LT$T$GT$::send::h78437805c18a1274(self=0x00007ffff75d2790, t=Sample @ 0x00007fffffff45e0) at mod.rs:837:44
    frame #5: 0x0000555555b48296 wrench`std::thread::local::LocalKey$LT$T$GT$::with::h3f671aa9266afa9e at lib.rs:66:12
    frame #6: 0x0000555555b48272 wrench`std::thread::local::LocalKey$LT$T$GT$::with::h3f671aa9266afa9e at lib.rs:166
    frame #7: 0x0000555555b481e8 wrench`std::thread::local::LocalKey$LT$T$GT$::with::h3f671aa9266afa9e at local.rs:299
    frame #8: 0x0000555555b4818f wrench`std::thread::local::LocalKey$LT$T$GT$::with::h3f671aa9266afa9e(self=0x0000555555f71508, f=<unavailable>) at local.rs:245
    frame #9: 0x0000555555b429aa wrench`_$LT$thread_profiler..internal..ProfileScope$u20$as$u20$core..ops..drop..Drop$GT$::drop::heb6031a2fa501b4e(self=<unavailable>) at lib.rs:163:12
    frame #10: 0x00005555557b5aff wrench`webrender::renderer::Renderer::update::ha9e2f33404c1eeef [inlined] core::ptr::real_drop_in_place::h7de7c22c369fa77e((null)=0x0000555555ddaf46) at ptr.rs:195
    frame #11: 0x00005555557b5af9 wrench`webrender::renderer::Renderer::update::ha9e2f33404c1eeef(self=<unavailable>) at renderer.rs:2466
    frame #12: 0x000055555566be0e wrench`wrench::render::_$u7b$$u7b$closure$u7d$$u7d$::h15281716a235a3a6 [inlined] wrench::wrench::Wrench::render::h385ae156bd3791ec(self=<unavailable>) at wrench.rs:570:8
    frame #13: 0x000055555566be05 wrench`wrench::render::_$u7b$$u7b$closure$u7d$$u7d$::h15281716a235a3a6(wrench=<unavailable>, events=<unavailable>) at main.rs:870
    frame #14: 0x000055555566a698 wrench`wrench::main::hdff97c32c71a4195 at main.rs:883:18
    frame #15: 0x000055555566a450 wrench`wrench::main::hdff97c32c71a4195 at main.rs:581
    frame #16: 0x000055555566cc33 wrench`std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::hf83182c8ba1cddc0 at rt.rs:64:33
    frame #17: 0x0000555555d98553 wrench`std::panicking::try::do_call::hc3d8373a0b215f51 [inlined] std::rt::lang_start_internal::_$u7b$$u7b$closure$u7d$$u7d$::h3a7adfabc7c47a5f at rt.rs:49:12
    frame #18: 0x0000555555d98547 wrench`std::panicking::try::do_call::hc3d8373a0b215f51 at panicking.rs:293
    frame #19: 0x0000555555d9e169 wrench`__rust_maybe_catch_panic at lib.rs:29:4
    frame #20: 0x0000555555d9911d wrench`std::rt::lang_start_internal::he5218c8b95d395f2 [inlined] std::panicking::try::hfb06c315006b63ac at panicking.rs:272:12
    frame #21: 0x0000555555d990df wrench`std::rt::lang_start_internal::he5218c8b95d395f2 [inlined] std::panic::catch_unwind::h6cd8469da971482b at panic.rs:394
    frame #22: 0x0000555555d990df wrench`std::rt::lang_start_internal::he5218c8b95d395f2 at rt.rs:48
    frame #23: 0x000055555566c118 wrench`main + 40
    frame #24: 0x00007ffff7c86ee3 libc.so.6`__libc_start_main + 243
    frame #25: 0x00005555555c31be wrench`_start + 46
(lldb)

Comment 1

[Jeff Muizelaar [:jrmuizel]]

What's happening here is basically that were failing to get any information from the recording and then we're semi rendering in a very tight loop. profile_scope!("render") and profile_scope!("update") are both pushing profiling samples into the profiler channel but nobody is reading from them and so we accumulate until oom.

Comment 2

[Glenn Watson [:gw]]

profile_scope no longer does anything unless specifically enabled.