Open Bug 1677221 Opened 4 years ago Updated 2 years ago

assertion failed: mem::size_of::<T>() <= slice.len()

Categories

(Core :: Graphics: WebRender, defect, P3)

x86_64
macOS
defect

Tracking


Tracking Status
firefox83 --- disabled
firefox84 --- disabled

People

(Reporter: tnikkel, Unassigned)

References

(Depends on 1 open bug, Blocks 2 open bugs)

Details

(Keywords: crash)

Crash Data

https://crash-stats.mozilla.org/report/index/feefa1e3-4fc8-4059-a67b-30c9c0201113

I hit this when dragging a wealthsimple.com tab from a browser window on retina screen on my macbook pro to a window on an external screen that was not retina, while playing the platform meeting in the tab that was newly exposed on the retina screen.

I can not reproduce.

The stack doesn't make any sense. The url reported in the crash is: https://static.mozilla.com/moco/en-US/images/mozilla_eoy_2013_EN.svg

Yeah, the stack isn't great.

I did have https://static.mozilla.com/moco/en-US/images/mozilla_eoy_2013_EN.svg open in a background tab, but I hadn't switched to it in a while and I don't think it was anywhere near the location on the tabbar where I dropped the tab.

And this is on beta.

Depends on: 1677235

I know nothing, but I remember "Disable RecycleAllocator for RDD process" when using OpenGL on Mac and ask myself whether MacIOSurface is used for blob images as well, if it could have influenced things, or if a pref has been manually enabled.
6 months ago, bug 1619882 comment 74 mentioned an IOSurface UAF. That Linux DMABUF bug only occurred under system load, and flickering/out-of-order frames were described as a UAF scenario.
bug 1665411 was filed one month after bug 1653409 merged.


https://crash-stats.mozilla.org/search/?moz_crash_reason=~assertion%20failed%3A%20mem%3A%3Asize_of%3A%3A%3CT%3E%28%29%20%3C%3D%20slice.len%28%29&address=%3D0x0&build_id=%3E20200501000000&product=Firefox&date=%3E%3D2020-08-14T02%3A37%3A00.000Z&date=%3C2020-11-14T02%3A37%3A00.000Z&_facets=signature&_sort=version&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports

If we focus on 0x0 crashes after 2020-05-01, build 20200818092452 is the first affected one after three months.
mozregression --good 2020-08-15 --bad 20200818092452

0:04.63 INFO: Last good revision: ffc01c0f13a841719e86d032ac27fe9dbc1fc5f7 (2020-08-15)
0:04.63 INFO: First bad revision: 483ef87aa6e85cb340d1c17b5b87bb7c217fb3b8 (2020-08-18 09:24:52)
0:04.63 INFO: Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ffc01c0f13a841719e86d032ac27fe9dbc1fc5f7&tochange=483ef87aa6e85cb340d1c17b5b87bb7c217fb3b8

These looked related to blob images:
SVG:

00fac1d4990f17a92ae47796c05c76710d136272 Boris Chiou — Bug 1639963 - Support aspect-ratio for svg frames. r=emilio
802185dc6fff8db8bc07026deb29f3657d6f2cd7 Boris Chiou — Bug 1639963 - Support aspect-ratio for svg object and iframe (i.e. nsSubDocumentFrame). r=emilio

Mac:

ae4adc3f423ccbb375e425891c09f5ace4629cf8 Lee Salzman — Bug 1657440 - avoid letting Skia query style information for Mac fonts. r=jfkthame

Texture cache:

8a1b47a902ab9997b4af0ee08d998fb494c08f6b Glenn Watson — Bug 1658182 - Fix texture cache items not being evicted. r=kvark
5b2ffcf4d6d831c662685f17cda7e335d5f60dcf Glenn Watson — Bug 1623792 - Pt 9 - Refactor how exceeding max cache slices works. r=kvark

Added "return nullptr":

9de80fbdf625b3a7d514328607bc212046957170 Miko Mynttinen — Bug 1627616 - Avoid wrapping SourceSurfaceOffset around uninitialized SourceSurface r=bas
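The assertion in this bug's title, `mem::size_of::<T>() <= slice.len()`, is the bounds check a Rust function makes before reinterpreting the front of a byte slice as a `T`: without it, the read would run past the end of the buffer. The page does not show where in WebRender the assertion lives, so the following is an added, generic illustration (not WebRender or Firefox code) of that invariant. It contrasts the panicking form with a version that returns `None`, and extends the check to reading several values with overflow-safe size arithmetic. The `Pod` marker trait and the function names are assumptions made for this example.

```rust
use std::mem;
use std::ptr;

/// Marker for plain-old-data types where every bit pattern is a valid value.
/// (Hypothetical trait for this example; not from the project.)
unsafe trait Pod: Copy {}
unsafe impl Pod for u8 {}
unsafe impl Pod for u16 {}
unsafe impl Pod for u32 {}
unsafe impl Pod for u64 {}

/// Panicking form: mirrors the assertion from the crash report. A too-short
/// slice aborts the process with "assertion failed: ..." instead of reading
/// out of bounds.
fn read_pod_or_panic<T: Pod>(slice: &[u8]) -> T {
    assert!(mem::size_of::<T>() <= slice.len());
    // SAFETY: the length was checked above; read_unaligned needs no alignment.
    unsafe { ptr::read_unaligned(slice.as_ptr() as *const T) }
}

/// Non-panicking form: the same invariant, but the caller gets `None` and can
/// reject the malformed buffer rather than crashing.
fn read_pod<T: Pod>(slice: &[u8]) -> Option<T> {
    if mem::size_of::<T>() > slice.len() {
        return None;
    }
    // SAFETY: the length was checked above; read_unaligned needs no alignment.
    Some(unsafe { ptr::read_unaligned(slice.as_ptr() as *const T) })
}

/// Reads `count` consecutive `T` values. The total byte size is computed with
/// `checked_mul`, so an attacker-controlled `count` cannot wrap the size check.
fn read_pod_vec<T: Pod>(slice: &[u8], count: usize) -> Option<Vec<T>> {
    let needed = mem::size_of::<T>().checked_mul(count)?;
    if needed > slice.len() {
        return None;
    }
    let mut out = Vec::with_capacity(count);
    for i in 0..count {
        let off = i * mem::size_of::<T>();
        // SAFETY: off + size_of::<T>() <= needed <= slice.len().
        out.push(unsafe { ptr::read_unaligned(slice.as_ptr().add(off) as *const T) });
    }
    Some(out)
}

fn main() {
    // Constructed sample buffer: 4 bytes, palindromic so the value is the
    // same on little- and big-endian hosts.
    let buf = [0x07u8, 0x00, 0x00, 0x07];
    println!("u32 from 4 bytes: {:?}", read_pod::<u32>(&buf));
    println!("u32 from 3 bytes: {:?}", read_pod::<u32>(&buf[..3]));
    println!("two u16 values:   {:?}", read_pod_vec::<u16>(&buf, 2));
    println!("overflowing count: {:?}", read_pod_vec::<u32>(&buf, usize::MAX));
}
```

The `Option`-returning variants are the ones you want on any path fed by untrusted data (image decoders, IPC payloads); the assertion form is appropriate where a violation is a programming error that should be caught loudly, which is what the crash report here records.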

Severity: -- → S3
Priority: -- → P3