Open Bug 1677533 Opened 11 months ago Updated 5 months ago

stack-overflow [@ webrender::spatial_tree::SpatialTree::get_relative_transform_with_face]

Categories

(Core :: Graphics: WebRender, defect)

defect


Tracking Status
firefox85 --- affected

People

(Reporter: hdir.yassine, Assigned: gw)

References

(Depends on 1 open bug, Blocks 2 open bugs)

Details

(Keywords: crash, csectype-dos, testcase, Whiteboard: stack exhaustion: recursion too deep)

Attachments

(1 file)

Attached file stack_overflow.zip

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0

Steps to reproduce:

Bug found while fuzzing.
The output below was generated using:
python3 -m grizzly.replay --any-crash

[2020-11-16 17:27:42] Starting Grizzly Replay
[2020-11-16 17:27:42] Ignoring: log-limit, timeout
[2020-11-16 17:27:42] Repeat: 1, Minimum crashes: 1, Relaunch 1
[2020-11-16 17:27:42] Using prefs.js from testcase
[2020-11-16 17:27:47] Performing replay (1/1)...
[2020-11-16 17:27:47] Running test (1/1)...
[2020-11-16 17:27:53] Result: AddressSanitizer: stack-overflow [@ webrender::spatial_tree::SpatialTree::get_relative_transform_with_face] (cd2822ed:4a417b7b)
[2020-11-16 17:27:53] Result successfully reproduced
[2020-11-16 17:27:53] Shutting down...
[2020-11-16 17:27:53] Done.

Actual results:

=================================================================
==7118==ERROR: AddressSanitizer: stack-overflow on address 0x7f7b60b6bf98 (pc 0x7f7bad9248fd bp 0x7f7b60b6c120 sp 0x7f7b60b6bf50 T109)
#0 0x7f7bad9248fd in webrender::spatial_tree::SpatialTree::get_relative_transform_with_face::h424546e0a8a3a0d9 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/spatial_tree.rs
#1 0x7f7bad923ccf in webrender::space::SpaceMapper$LT$F$C$T$GT$::set_target_spatial_node::h4ec7c4fd09088c57 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/space.rs:73:29
#2 0x7f7bad923ccf in webrender::space::SpaceMapper$LT$F$C$T$GT$::new_with_target::h5e425d46a02660b0 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/space.rs:48:9
#3 0x7f7badb442d9 in webrender::picture::PicturePrimitive::take_context::h34e8c9a60148aaf6 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/picture.rs:4739:32
#4 0x7f7badb50d03 in webrender::prepare::prepare_prim_for_render::hf6a4531c8d40ee72 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:173:23
#5 0x7f7badb50d03 in webrender::prepare::prepare_primitives::he99f26bde36a182e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:117:16
#6 0x7f7badb50ebd in webrender::prepare::prepare_prim_for_render::hf6a4531c8d40ee72 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:216:13
#7 0x7f7badb50ebd in webrender::prepare::prepare_primitives::he99f26bde36a182e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:117:16
#8 0x7f7badb50ebd in webrender::prepare::prepare_prim_for_render::hf6a4531c8d40ee72 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:216:13
#9 0x7f7badb50ebd in webrender::prepare::prepare_primitives::he99f26bde36a182e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:117:16
#10 0x7f7badb50ebd in webrender::prepare::prepare_prim_for_render::hf6a4531c8d40ee72 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:216:13
#11 0x7f7badb50ebd in webrender::prepare::prepare_primitives::he99f26bde36a182e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:117:16
#12 0x7f7badb50ebd in webrender::prepare::prepare_prim_for_render::hf6a4531c8d40ee72 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:216:13
#13 0x7f7badb50ebd in webrender::prepare::prepare_primitives::he99f26bde36a182e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:117:16
#14 0x7f7badb50ebd in webrender::prepare::prepare_prim_for_render::hf6a4531c8d40ee72 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:216:13
#15 0x7f7badb50ebd in webrender::prepare::prepare_primitives::he99f26bde36a182e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:117:16
#16 0x7f7badb50ebd in webrender::prepare::prepare_prim_for_render::hf6a4531c8d40ee72 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:216:13
#17 0x7f7badb50ebd in webrender::prepare::prepare_primitives::he99f26bde36a182e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:117:16
#18 0x7f7badb50ebd in webrender::prepare::prepare_prim_for_render::hf6a4531c8d40ee72 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:216:13
#19 0x7f7badb50ebd in webrender::prepare::prepare_primitives::he99f26bde36a182e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:117:16
#20 0x7f7badb50ebd in webrender::prepare::prepare_prim_for_render::hf6a4531c8d40ee72 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:216:13
#21 0x7f7badb50ebd in webrender::prepare::prepare_primitives::he99f26bde36a182e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:117:16
#22 0x7f7badb50ebd in webrender::prepare::prepare_prim_for_render::hf6a4531c8d40ee72 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:216:13
#23 0x7f7badb50ebd in webrender::prepare::prepare_primitives::he99f26bde36a182e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:117:16
#24 0x7f7badb50ebd in webrender::prepare::prepare_prim_for_render::hf6a4531c8d40ee72 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:216:13
#25 0x7f7badb50ebd in webrender::prepare::prepare_primitives::he99f26bde36a182e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:117:16
#26 0x7f7badb50ebd in webrender::prepare::prepare_prim_for_render::hf6a4531c8d40ee72 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:216:13
#27 0x7f7badb50ebd in webrender::prepare::prepare_primitives::he99f26bde36a182e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:117:16
#28 0x7f7badb50ebd in webrender::prepare::prepare_prim_for_render::hf6a4531c8d40ee72 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:216:13
#29 0x7f7badb50ebd in webrender::prepare::prepare_primitives::he99f26bde36a182e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:117:16
#30 0x7f7badb50ebd in webrender::prepare::prepare_prim_for_render::hf6a4531c8d40ee72 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:216:13
#31 0x7f7badb50ebd in webrender::prepare::prepare_primitives::he99f26bde36a182e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:117:16
#32 0x7f7badb50ebd in webrender::prepare::prepare_prim_for_render::hf6a4531c8d40ee72 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:216:13
#33 0x7f7badb50ebd in webrender::prepare::prepare_primitives::he99f26bde36a182e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:117:16

Blocks: grizzly
Group: firefox-core-security → gfx-core-security
Component: Untriaged → Graphics: WebRender
Product: Firefox → Core
Version: other → unspecified

I'm fairly certain this is a duplicate of bug 1651258.

Group: gfx-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, testcase
Depends on: 1651258
Blocks: wr-stability
Severity: -- → S3
Assignee: nobody → gwatson
No longer blocks: gfx-triage

Could not reproduce, but I was not in a fuzzing build so I had to comment out the fuzzing specific calls in the js. Didn't hit any display list building asserts.

Flags: sec-bounty? → sec-bounty-
Keywords: csectype-dos
Whiteboard: stack exhaustion: recursion too deep