Closed Bug 1652750 Opened 4 years ago Closed 4 years ago

Have WR not crash the browser when given deeply nested 3d transformed elements

Categories

(Core :: Graphics: WebRender, defect)

Product:
Core
Component:
Graphics: WebRender
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
81 Branch
Tracking Flags:
Tracking Status
firefox-esr68 --- disabled
firefox-esr78 --- disabled
firefox78 --- wontfix
firefox79 --- wontfix
firefox80 --- wontfix
firefox81 --- fixed

People

(Reporter: kats, Assigned: kvark)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-dos, testcase, Whiteboard: stack exhaustion?)

Attachments

(3 files)

Testcase (warning: crashes browser with WR)
510 bytes, text/html
Details
Unroll WR scene building recursion
47 bytes, text/x-phabricator-request
Details | Review
Add WR stack overflow test
47 bytes, text/x-phabricator-request
Details | Review

In trying to make a test case for bug 1629710 I ended up making a testcase that reliably kills the browser when loaded with WR enabled, possibly due to stack overflow. The testcase builds a 1000-deep set of nested divs, with a transform on each div, and preserve-3d on the body. When I run with lldb the point at which it gets interrupted the stack is 2134 frames deep, with many iterations of this:

    frame #2066: 0x000000010a538c20 XUL`webrender::scene_building::SceneBuilder::build_reference_frame::hd3d9fb77de0b0b4a(self=0x00007000067fdcb8, traversal=<unavailable>, pipeline_id=(__0 = 0, __1 = 14), parent_spatial_node=(__0 = 12), origin=(x = 0, y = 0, _unit = core::marker::PhantomData<webrender_api::units::LayoutPixel> @ 0x00007000067f33a8), reference_frame=0x00007000067f4098) at scene_building.rs:765:9 [opt]
    frame #2067: 0x000000010a538520 XUL`webrender::scene_building::SceneBuilder::build_items::h625e07851c83602b(self=0x00007000067fdcb8, traversal=0x00007000067f4048, pipeline_id=(__0 = 1, __1 = 14)) at scene_building.rs:621:21 [opt]
    frame #2068: 0x000000010a538e15 XUL`webrender::scene_building::SceneBuilder::build_stacking_context::h812ecb28532d112b(self=0x00007000067fdcb8, traversal=0x00007000067f4048, pipeline_id=(__0 = 1, __1 = 14), stacking_context=<unavailable>, spatial_node_index=(__0 = 12), origin=(x = 0, y = 0, _unit = core::marker::PhantomData<webrender_api::units::LayoutPixel> @ 0x00007000067f3c38), filters=ItemRange<webrender_api::display_item::FilterOp> @ 0x00007000067f3c38, filter_datas=&[webrender_api::display_list::TempFilterData] @ 0x00007f8d4f873c60, filter_primitives=ItemRange<webrender_api::display_item::FilterPrimitive> @ 0x00007000067f3c50, prim_flags=(bits = '\x01')) at scene_building.rs:813:9 [opt]
    frame #2069: 0x000000010a5385ea XUL`webrender::scene_building::SceneBuilder::build_items::h625e07851c83602b(self=0x00007000067fdcb8, traversal=0x00007000067f47f8, pipeline_id=(__0 = 1, __1 = 14)) at scene_building.rs:605:21 [opt]
    frame #2070: 0x000000010a538c20 XUL`webrender::scene_building::SceneBuilder::build_reference_frame::hd3d9fb77de0b0b4a(self=0x00007000067fdcb8, traversal=<unavailable>, pipeline_id=(__0 = 0, __1 = 14), parent_spatial_node=(__0 = 11), origin=(x = 0, y = 0, _unit = core::marker::PhantomData<webrender_api::units::LayoutPixel> @ 0x00007000067f4328), reference_frame=0x00007000067f5018) at scene_building.rs:765:9 [opt]

Testcase is attached. Marking this bug as security sensitive just in case there's some sort of stack-smashing vulnerability potential here.

Summary: Have WR not crash the browser when given many nested 3d transformed elements → Have WR not crash the browser when given deeply nested 3d transformed elements

Dzmitry, can you take a look at this?

Flags: needinfo?(dmalyshau)
Assignee: nobody → dmalyshau
Severity: -- → S2
Status: NEW → ASSIGNED
Flags: needinfo?(dmalyshau)
Group: core-security → gfx-core-security

Not sure this needs to be hidden, recursion is generally one known way to crash us. I thought one point of WR was that the browser could keep running if WR crashed, to help our stability story.

Group: gfx-core-security
Keywords: crash, csectype-dos, testcase
Whiteboard: stack exhaustion?

If there's a GPU process (i.e. running on Windows) then WR crashes won't take down the browser. Kats was running macOS which doesn't have a GPU process

Blocks: wr-81
Severity: S2 → S3
Blocks: wr-stability
status-firefox78: --- → wontfix
status-firefox79: --- → wontfix
status-firefox80: --- → fix-optional
status-firefox81: --- → affected
status-firefox-esr68: --- → disabled
status-firefox-esr78: --- → disabled
OS: Unspecified → All
Hardware: Unspecified → All

instead of using the stack for all the scene building containers,
we are making the stack explicitly, and doing all the work inside the
build_all function. This affects reference frames, iframes, and stacking
contexts.

Pushed by dmalyshau@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3d9324ca6510
Unroll WR scene building recursion r=gw

https://hg.mozilla.org/mozilla-central/rev/3d9324ca6510

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox81: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch

Might be a good idea to add the testcase as a crashtest?

Flags: needinfo?(dmalyshau)

Yes, agreed.

Status: RESOLVED → REOPENED
Flags: needinfo?(dmalyshau)
Resolution: FIXED → ---

adds the gfx crashtest that kats produced

https://hg.mozilla.org/mozilla-central/rev/262aea7f6809

Status: REOPENED → RESOLVED
Closed: 4 years ago4 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: