1678217 - Hit MOZ_CRASH(assertion failed: bytes.len() >= finish as usize) at gfx/wr/webrender/src/texture_cache.rs:1788

Status: RESOLVED WORKSFORME

(Core :: Graphics: WebRender, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Hit MOZ_CRASH(assertion failed: bytes.len() >= finish as usize) at gfx/wr/webrender/src/texture_cache.rs:1788

#0 0x7f41ad9d5c25 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:254:3
#1 0x7f41ad9d5c25 in RustMozCrash src/mozglue/static/rust/wrappers.cpp:17:3
#2 0x7f41ad9d5bd4 in mozglue_static::panic_hook::h7671d193e2350493 src/mozglue/static/rust/lib.rs:89:9
#3 0x7f41ad9d54fb in core::ops::function::Fn::call::hf15ed8a14fddbc4d /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:70:5
#4 0x7f41ae997db7 in std::panicking::rust_panic_with_hook::haa1ed36ada4ffb03 /rustc/18bf6b4f01a6feaf7259ba7cdae58031af1b7b39/library/std/src/panicking.rs:573:17
#5 0x7f41ad26b2c5 in std::panicking::begin_panic::_$u7b$$u7b$closure$u7d$$u7d$::hc987815b05f9fa78 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:498:9
#6 0x7f41ad25d69f in std::sys_common::backtrace::__rust_end_short_backtrace::h8b1b44ebdc3ee421 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:153:18
#7 0x7f41ad26b28e in std::panicking::begin_panic::h3979ed6a848376c0 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:497:12
#8 0x7f41ad54b333 in webrender::texture_cache::_$LT$impl$u20$webrender..internal_types..TextureCacheUpdate$GT$::new_update::h4322fa8f1595e14b src/gfx/wr/webrender/src/texture_cache.rs:1788:17
#9 0x7f41ad54b333 in webrender::texture_cache::TextureCache::update::h4ea9f22474bc2b2a src/gfx/wr/webrender/src/texture_cache.rs:814:22
#10 0x7f41ad4e6616 in webrender::resource_cache::ResourceCache::update_texture_cache::h9e19ca3b08040c16 src/gfx/wr/webrender/src/resource_cache.rs:1289:17
#11 0x7f41ad4e6616 in webrender::resource_cache::ResourceCache::block_until_all_resources_added::h088fbde5cd4676b6 src/gfx/wr/webrender/src/resource_cache.rs:1189:9
#12 0x7f41ad3dcc27 in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::ha75d35a2449868c3 src/gfx/wr/webrender/src/frame_builder.rs:469:13
#13 0x7f41ad3dcc27 in webrender::frame_builder::FrameBuilder::build::h1f9cdf7808fc11fe src/gfx/wr/webrender/src/frame_builder.rs:533:35
#14 0x7f41ad45b064 in webrender::render_backend::Document::build_frame::hc9217904b1927bb0 src/gfx/wr/webrender/src/render_backend.rs:622:25
#15 0x7f41ad46b981 in webrender::render_backend::RenderBackend::update_document::hc419a2d864e78305 src/gfx/wr/webrender/src/render_backend.rs:1501:41
#16 0x7f41ad4634a6 in webrender::render_backend::RenderBackend::prepare_transactions::hf5295b6986f8668c src/gfx/wr/webrender/src/render_backend.rs:1356:28
#17 0x7f41ad4634a6 in webrender::render_backend::RenderBackend::process_api_msg::he33f2df2e6574aaf src/gfx/wr/webrender/src/render_backend.rs:1216:17
#18 0x7f41ad25f883 in webrender::render_backend::RenderBackend::run::h899dec7cd4c18c62 src/gfx/wr/webrender/src/render_backend.rs:892:21
#19 0x7f41ad25f883 in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::h67c2b7846b032e19 src/gfx/wr/webrender/src/renderer.rs:2805:13
#20 0x7f41ad25f883 in std::sys_common::backtrace::__rust_begin_short_backtrace::h8569f85c5e3b1c81 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:137:18
#21 0x7f41ad27ec0f in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hfdd6e321654ab929 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:458:17
#22 0x7f41ad27ec0f in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h210807fa4e7da292 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:308:9
#23 0x7f41ad27ec0f in std::panicking::try::do_call::h5b4ef7a62f954e13 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:373:40
#24 0x7f41ad27ec0f in std::panicking::try::he203f9bdef340f62 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:337:19
#25 0x7f41ad27ec0f in std::panic::catch_unwind::ha0e0523afdba3673 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:379:14
#26 0x7f41ad27ec0f in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::h6fbe1e1777c1f55e /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:457:30
#27 0x7f41ad27ec0f in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h291894847cf59194 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:227:5
#28 0x7f41ae9a7369 in _$LT$alloc..boxed..Box$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$A$GT$$GT$::call_once::h670c50864ac2cb92 /rustc/18bf6b4f01a6feaf7259ba7cdae58031af1b7b39/library/alloc/src/boxed.rs:1042:9
#29 0x7f41ae9a7369 in _$LT$alloc..boxed..Box$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$A$GT$$GT$::call_once::h2511952749086d81 /rustc/18bf6b4f01a6feaf7259ba7cdae58031af1b7b39/library/alloc/src/boxed.rs:1042:9
#30 0x7f41ae9a7369 in std::sys::unix::thread::Thread::new::thread_start::h5ad4ddffe24373a8 /rustc/18bf6b4f01a6feaf7259ba7cdae58031af1b7b39/library/std/src/sys/unix/thread.rs:87:17
#31 0x7f41c20a06da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#32 0x7f41c107ea3e in clone /build/glibc-2ORdQG/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Comment 1

[Tyson Smith [:tsmith]]

Attachment: b5df533a4222f126a77c9c8688fdae3008c8e8d4.svg

Comment 2

[Tyson Smith [:tsmith]]

Attachment: prefs.js

Comment 3

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/JIC_N_QKCrb2zUf4acf-kw/index.html

Comment 4

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201119095716-36ef6c97da5b.
The bug appears to have been introduced in the following build range:

Start: 0cf4cdedf9af82e1cddef191f44730b4a78c1a9d (20191125092805)
End: 74d6833f6173c10417ffc1c7baa687fd907d15ad (20191125095153)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0cf4cdedf9af82e1cddef191f44730b4a78c1a9d&tochange=74d6833f6173c10417ffc1c7baa687fd907d15ad

Comment 5

[Sotaro Ikeda [:sotaro]]

:gw, can you comment to the bug?

Comment 6

[Glenn Watson [:gw]]

The assert checks that the provided data buffer for a texture is large enough for the supplied dimensions / stride / format. Logging out the length of the buffer and those parameters should be enough to see what is going on.

Comment 7

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
The bug appears to have been fixed in the following build range:

Start: 9ab10a81eb56099cf471400400fa827a2359f201 (20210209042330)
End: a995ea903b917224dfbc969604ae94c9b30709e5 (20210209053322)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=9ab10a81eb56099cf471400400fa827a2359f201&tochange=a995ea903b917224dfbc969604ae94c9b30709e5
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 8

[Jason Kratzer [:jkratzer]]

It appears that the previous testcase is no longer able to reproduce the issue.  However, this issue does still occur.

The following testcase was found while fuzzing mozilla-central rev e8a29c8f1e09 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:
```
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build e8a29c8f1e09 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
```

Comment 9

[Jason Kratzer [:jkratzer]]

Attachment: Detailed Crash Information

Comment 10

[Jason Kratzer [:jkratzer]]

Attachment: Testcase for comment 4

Comment 11

[Tyson Smith [:tsmith]]

The attached test case no longer reproduces the issue and the issue was last reported by fuzzers targeting m-c 20220330-89e43e0269de.

Comment 12

[BugBot [:suhaib / :marco/ :calixte]]

Setting regressed_by field after analyzing regression range found by bugmon.