Closed Bug 1699929 Opened 3 years ago Closed 3 years ago

heap-use-after-free in [@ DrawElementsInstanced] with sw-wr

Categories

(Core :: Graphics: WebRender, defect)

defect

Tracking

RESOLVED FIXED
89 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox86 --- disabled
firefox87 --- disabled
firefox88 + fixed
firefox89 + fixed

People

(Reporter: tsmith, Assigned: lsalzman)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, csectype-uaf, sec-high, Whiteboard: [sec-survey])

Attachments

(1 file)

Found while fuzzing m-c 20210320-f56d2bf535d6 (--enable-address-sanitizer --enable-fuzzing)

A testcase will be attached once reduction is complete.

==27059==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f342e223800 at pc 0x7f34677d57b9 bp 0x7f34401e62f0 sp 0x7f34401e62e8
READ of size 16 at 0x7f342e223800 thread T31 (Renderer)
    #0 0x7f34677d57b8 in load<unsigned int> /gecko/gfx/wr/swgl/src/vector_type.h:502:5
    #1 0x7f34677d57b8 in unaligned_load<unsigned char __attribute__((ext_vector_type(16))), unsigned int> /gecko/gfx/wr/swgl/src/vector_type.h:531:10
    #2 0x7f34677d57b8 in void blendTextureLinearUpscale<true, glsl::sampler2D_impl*, NoColor, unsigned int>(glsl::sampler2D_impl*, glsl::vec2, int, glsl::vec2_scalar, glsl::vec2_scalar, glsl::vec2_scalar, NoColor, unsigned int*) /gecko/gfx/wr/swgl/src/swgl_ext.h:217:7
    #3 0x7f3467786e23 in int blendTextureLinear<true, glsl::sampler2D_impl*, NoColor, unsigned int>(glsl::sampler2D_impl*, glsl::vec2, int, glsl::vec4_scalar const&, NoColor, unsigned int*, LinearFilter) /gecko/gfx/wr/swgl/src/swgl_ext.h:426:9
    #4 0x7f3467892e3c in brush_image_ALPHA_PASS_TEXTURE_2D_frag::swgl_drawSpanRGBA8() /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/swgl-fa1cedbe8c8d7d30/out/brush_image_ALPHA_PASS_TEXTURE_2D.h:895:2
    #5 0x7f3467888d69 in brush_image_ALPHA_PASS_TEXTURE_2D_frag::draw_span_RGBA8(brush_image_ALPHA_PASS_TEXTURE_2D_frag*) /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/swgl-fa1cedbe8c8d7d30/out/brush_image_ALPHA_PASS_TEXTURE_2D.h:938:42
    #6 0x7f3467b368eb in draw_span /gecko/gfx/wr/swgl/src/program.h:149:12
    #7 0x7f3467b368eb in void draw_quad_spans<unsigned int>(int, glsl::vec2_scalar*, unsigned int, glsl::vec3*, Texture&, Texture&, ClipRect const&) /gecko/gfx/wr/swgl/src/rasterize.h:1008:42
    #8 0x7f34676cf0c3 in draw_quad(int, Texture&, Texture&) /gecko/gfx/wr/swgl/src/rasterize.h:1592:5
    #9 0x7f34676caa7d in void draw_elements<unsigned short>(int, int, unsigned long, VertexArray&, Texture&, Texture&) /gecko/gfx/wr/swgl/src/rasterize.h:1625:7
    #10 0x7f34676ca6b9 in DrawElementsInstanced /gecko/gfx/wr/swgl/src/gl.cc:2685:7
    #11 0x7f3466b3cb8f in webrender::device::gl::Device::draw_indexed_triangles_instanced_u16::hdf4e10b32e2cd617 /gecko/gfx/wr/webrender/src/device/gl.rs:3460:9
    #12 0x7f3466b3cb8f in webrender::renderer::Renderer::draw_instanced_batch::haeb1e6b58a929c2c /gecko/gfx/wr/webrender/src/renderer/mod.rs:2508:17
    #13 0x7f3466b29a99 in webrender::renderer::Renderer::draw_alpha_batch_container::h63595a787678f5b1 /gecko/gfx/wr/webrender/src/renderer/mod.rs:2992:17
    #14 0x7f3466afc2b4 in webrender::renderer::Renderer::draw_color_target::h4a62af02b47d92c9 /gecko/gfx/wr/webrender/src/renderer/mod.rs:3661:13
    #15 0x7f3466afc2b4 in webrender::renderer::Renderer::draw_frame::h2fe5327ba37c56d5 /gecko/gfx/wr/webrender/src/renderer/mod.rs:4651:17
    #16 0x7f3466b6003d in webrender::renderer::Renderer::render_impl::ha4774478a54aef7a /gecko/gfx/wr/webrender/src/renderer/mod.rs:2154:17
    #17 0x7f3466b94ef2 in webrender::renderer::Renderer::update::h4bfd10fa01371c07 /gecko/gfx/wr/webrender/src/renderer/mod.rs:1459:29
    #18 0x7f34583a975e in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /gecko/gfx/webrender_bindings/RendererOGL.cpp:173:3
    #19 0x7f34583a8102 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /gecko/gfx/webrender_bindings/RenderThread.cpp:482:31
    #20 0x7f34583a729e in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /gecko/gfx/webrender_bindings/RenderThread.cpp:337:3
    #21 0x7f34583bf4c6 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
    #22 0x7f34583bf4c6 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
    #23 0x7f34583bf4c6 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
    #24 0x7f34566041d7 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /gecko/ipc/chromium/src/base/message_loop.cc:468:11
    #25 0x7f3456604f3e in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /gecko/ipc/chromium/src/base/message_loop.cc:477:5
    #26 0x7f34566057db in MessageLoop::DoWork() /gecko/ipc/chromium/src/base/message_loop.cc:552:13
    #27 0x7f3456606ad6 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
    #28 0x7f3456603d81 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #29 0x7f3456603d81 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #30 0x7f3456603d81 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #31 0x7f3456622088 in base::Thread::ThreadMain() /gecko/ipc/chromium/src/base/thread.cc:191:16
    #32 0x7f3456615c7c in ThreadFunc(void*) /gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #33 0x7f3475ef4608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #34 0x7f3475abd292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x7f342e223800 is located 184320 bytes inside of 442368-byte region [0x7f342e1f6800,0x7f342e262800)
freed by thread T31 (Renderer) here:
    #0 0x55d2d905419d in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
    #1 0x7f3466158a9c in alloc::alloc::dealloc::hf4366a06cfeb0f71 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/alloc.rs:102:14
    #2 0x7f3466158a9c in _$LT$alloc..alloc..Global$u20$as$u20$core..alloc..AllocRef$GT$::dealloc::h4a285e28afeea3c6 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/alloc.rs:237:22
    #3 0x7f3466158a9c in _$LT$alloc..raw_vec..RawVec$LT$T$C$A$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::h384f8d8bd0a94ff6 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/raw_vec.rs:505:22
    #4 0x7f3466158a9c in core::ptr::drop_in_place::hf94b30d50514a31f /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:175:1
    #5 0x7f3466158a9c in core::ptr::drop_in_place::hfda17f987532691a /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:175:1
    #6 0x7f3466158a9c in core::ptr::drop_in_place::hfb361052c63d856d /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:175:1
    #7 0x7f3466158a9c in core::ptr::drop_in_place::he24f2df36bac40ea /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:175:1
    #8 0x7f3466158a9c in core::ptr::mut_ptr::_$LT$impl$u20$$BP$mut$u20$T$GT$::drop_in_place::hfbd43de3becaecf6 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mut_ptr.rs:963:18
    #9 0x7f3466158a9c in hashbrown::raw::Bucket$LT$T$GT$::drop::h99f482c51d046908 /cargo/registry/src/github.com-1ecc6299db9ec823/hashbrown-0.9.0/src/raw/mod.rs:334:9
    #10 0x7f3466158a9c in _$LT$hashbrown..raw..RawTable$LT$T$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::h9f4947d35767e0eb /cargo/registry/src/github.com-1ecc6299db9ec823/hashbrown-0.9.0/src/raw/mod.rs:1325:25
    #11 0x7f3466158a9c in core::ptr::drop_in_place::h6dba84ced4c3b9e2 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:175:1
    #12 0x7f3466158a9c in core::ptr::drop_in_place::h28c55de3de1157f7 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:175:1
    #13 0x7f3466158a9c in core::ptr::drop_in_place::h1a4067b8d7ca483a /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:175:1
    #14 0x7f3466158a9c in core::ptr::drop_in_place::h1d506a2b6383040b /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:175:1
    #15 0x7f3466158a9c in core::ptr::drop_in_place::hc66f639e79167f63 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:175:1
    #16 0x7f3466158a9c in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::h40355cbf85977381 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/vec.rs:2595:13
    #17 0x7f3466158a9c in core::ptr::drop_in_place::h455143603e6ecb16 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:175:1
    #18 0x7f3466158a9c in core::ptr::drop_in_place::hd5a692896f7386d2 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:175:1
    #19 0x7f3466158a9c in core::ptr::drop_in_place::h85b39be5493096fb /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:175:1
    #20 0x7f3466b950e9 in webrender::renderer::Renderer::update::h4bfd10fa01371c07 /gecko/gfx/wr/webrender/src/renderer/mod.rs:1466:21
    #21 0x7f34583a975e in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /gecko/gfx/webrender_bindings/RendererOGL.cpp:173:3
    #22 0x7f34583a8102 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /gecko/gfx/webrender_bindings/RenderThread.cpp:482:31
    #23 0x7f34583a729e in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /gecko/gfx/webrender_bindings/RenderThread.cpp:337:3
    #24 0x7f34583bf4c6 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
    #25 0x7f34583bf4c6 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
    #26 0x7f34583bf4c6 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
    #27 0x7f34566041d7 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /gecko/ipc/chromium/src/base/message_loop.cc:468:11
    #28 0x7f3456604f3e in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /gecko/ipc/chromium/src/base/message_loop.cc:477:5
    #29 0x7f34566057db in MessageLoop::DoWork() /gecko/ipc/chromium/src/base/message_loop.cc:552:13
    #30 0x7f3456606ad6 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
    #31 0x7f3456603d81 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #32 0x7f3456603d81 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #33 0x7f3456603d81 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #34 0x7f3456622088 in base::Thread::ThreadMain() /gecko/ipc/chromium/src/base/thread.cc:191:16
    #35 0x7f3456615c7c in ThreadFunc(void*) /gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #36 0x7f3475ef4608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8

previously allocated by thread T74 (WRRende~ckend#1) here:
    #0 0x55d2d9054739 in realloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164:3
    #1 0x7f346665d4cb in alloc::alloc::realloc::h04ce23b52b8f32be /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/alloc.rs:120:14
    #2 0x7f346665d4cb in alloc::alloc::Global::grow_impl::h8d7fecf467d28f0a /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/alloc.rs:196:31
    #3 0x7f346665d4cb in _$LT$alloc..alloc..Global$u20$as$u20$core..alloc..AllocRef$GT$::grow::h877226ca602f063d /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/alloc.rs:249:18
    #4 0x7f346665d4cb in alloc::raw_vec::finish_grow::h12ac47497089d541 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/raw_vec.rs:492:13
    #5 0x7f346665d4cb in alloc::raw_vec::RawVec$LT$T$C$A$GT$::grow_amortized::hb3e867a02af6c92a /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/raw_vec.rs:428:19
    #6 0x7f346665d4cb in alloc::raw_vec::RawVec$LT$T$C$A$GT$::try_reserve::h883d3c67a7dccfa1 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/raw_vec.rs:317:13
    #7 0x7f346665d4cb in alloc::raw_vec::RawVec$LT$T$C$A$GT$::reserve::h6e0afa3b567820b5 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/raw_vec.rs:311:24
    #8 0x7f346665d4cb in alloc::vec::Vec$LT$T$GT$::reserve::had26d9b5805a26c3 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/vec.rs:505:9
    #9 0x7f34665cf677 in alloc::vec::Vec$LT$T$GT$::push::h2d4cbe11def3e614 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/vec.rs:1210:13
    #10 0x7f34665cf677 in webrender::render_target::TextureCacheRenderTarget::add_task::hf4aa1c646ffc987d /gecko/gfx/wr/webrender/src/render_target.rs:685:25
    #11 0x7f34665cf677 in webrender::frame_builder::build_render_pass::h07439a287fa21047 /gecko/gfx/wr/webrender/src/frame_builder.rs:860:21
    #12 0x7f34665cf677 in webrender::frame_builder::FrameBuilder::build::h279237b1ec8fe937 /gecko/gfx/wr/webrender/src/frame_builder.rs:633:28
    #13 0x7f34664a96ba in webrender::render_backend::Document::build_frame::hdb124cb99665283c /gecko/gfx/wr/webrender/src/render_backend.rs:622:25
    #14 0x7f346649312f in webrender::render_backend::RenderBackend::update_document::h0446f3a4a930ed1a /gecko/gfx/wr/webrender/src/render_backend.rs:1508:41
    #15 0x7f3466424df9 in webrender::render_backend::RenderBackend::prepare_transactions::h950f199a4894208d /gecko/gfx/wr/webrender/src/render_backend.rs:1362:28
    #16 0x7f3466424df9 in webrender::render_backend::RenderBackend::process_api_msg::hf02d08552b7093db /gecko/gfx/wr/webrender/src/render_backend.rs:1218:17
    #17 0x7f346640882e in webrender::render_backend::RenderBackend::run::hed0f20aa71c5feb0 /gecko/gfx/wr/webrender/src/render_backend.rs:894:21
    #18 0x7f346640882e in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::h2e873f4173ddd35f /gecko/gfx/wr/webrender/src/renderer/mod.rs:1281:13
    #19 0x7f346640882e in std::sys_common::backtrace::__rust_begin_short_backtrace::hb942a35b4b18b38d /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:125:18
    #20 0x7f3466403fda in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h1d3d14bc33d6cbfd /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:474:17
    #21 0x7f3466403fda in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h557b28b5b8a3b7fc /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:322:9
    #22 0x7f3466403fda in std::panicking::try::do_call::hbf8b602a9cc4d35e /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:381:40
    #23 0x7f3466403fda in std::panicking::try::hffd002b014b7867d /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:345:19
    #24 0x7f3466403fda in std::panic::catch_unwind::h3fbd9254fb973e40 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:396:14
    #25 0x7f3466403fda in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::h71e708c50f653a84 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:473:30
    #26 0x7f3466403fda in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::he7b696b33ce470e7 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:227:5
    #27 0x7f3464e5fb24 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h9e7afb7a0a438236 /rustc/74f7e32f43b5fb0f83896d124566d8242eb786b1/library/alloc/src/boxed.rs:1307:9
    #28 0x7f3464e5fb24 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h70c646c4271337a1 /rustc/74f7e32f43b5fb0f83896d124566d8242eb786b1/library/alloc/src/boxed.rs:1307:9
    #29 0x7f3464e5fb24 in std::sys::unix::thread::Thread::new::thread_start::h35d2b8d36f210d02 /rustc/74f7e32f43b5fb0f83896d124566d8242eb786b1/library/std/src/sys/unix/thread.rs:71:17

Thread T31 (Renderer) created by T0 here:
    #0 0x55d2d903ee8a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x7f345661016c in CreateThread /gecko/ipc/chromium/src/base/platform_thread_posix.cc:123:14
    #2 0x7f345661016c in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /gecko/ipc/chromium/src/base/platform_thread_posix.cc:134:10
    #3 0x7f34566218ad in base::Thread::StartWithOptions(base::Thread::Options const&) /gecko/ipc/chromium/src/base/thread.cc:97:8
    #4 0x7f34583a3e91 in mozilla::wr::RenderThread::Start() /gecko/gfx/webrender_bindings/RenderThread.cpp:90:16
    #5 0x7f34581155a9 in gfxPlatform::InitLayersIPC() /gecko/gfx/thebes/gfxPlatform.cpp:1322:7
    #6 0x7f3458110bf6 in gfxPlatform::Init() /gecko/gfx/thebes/gfxPlatform.cpp:963:3
    #7 0x7f345810f54b in gfxPlatform::GetPlatform() /gecko/gfx/thebes/gfxPlatform.cpp:480:5
    #8 0x7f345cdf209c in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /gecko/widget/GfxInfoBase.cpp:1778:25
    #9 0x7f34555073a1 in NS_InvokeByIndex /gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
    #10 0x7f3457492eca in Invoke /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1623:10
    #11 0x7f3457492eca in Call /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1176:19
    #12 0x7f3457492eca in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1142:23
    #13 0x7f34574988b3 in GetAttribute /gecko/js/xpconnect/src/xpcprivate.h:1460:12
    #14 0x7f34574988b3 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965:10
    #15 0x7f3460b71050 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:435:13
    #16 0x7f3460b71050 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:520:12
    #17 0x7f3460b72e89 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:580:10
    #18 0x7f3460b7310b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:597:8
    #19 0x7f3460b746c8 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/Interpreter.cpp:721:10
    #20 0x7f346108c212 in CallGetter /gecko/js/src/vm/NativeObject.cpp:2104:12
    #21 0x7f346108c212 in GetExistingProperty<js::CanGC> /gecko/js/src/vm/NativeObject.cpp:2134:12
    #22 0x7f346108c212 in NativeGetPropertyInline<js::CanGC> /gecko/js/src/vm/NativeObject.cpp:2278:14
    #23 0x7f346108c212 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/NativeObject.cpp:2308:10
    #24 0x7f3460b5ea6d in GetProperty /gecko/js/src/vm/ObjectOperations-inl.h:116:10
    #25 0x7f3460b5ea6d in GetObjectElementOperation /gecko/js/src/vm/Interpreter-inl.h:452:10
    #26 0x7f3460b5ea6d in GetElementOperationWithStackIndex /gecko/js/src/vm/Interpreter-inl.h:559:10
    #27 0x7f3460b5ea6d in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3051:14
    #28 0x7f3460b3fde3 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:405:13
    #29 0x7f3460b7118a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:552:13
    #30 0x7f3460b72e89 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:580:10
    #31 0x7f3460b7310b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:597:8
    #32 0x7f34613d8e90 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/jsapi.cpp:2793:10
    #33 0x7f3457485bf1 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:971:17
    #34 0x7f3455508cf0 in PrepareAndDispatch /gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
    #35 0x7f3455507a8a in SharedStub (/home/worker/builds/m-c-20210320085643-fuzzing-asan-opt/libxul.so+0x50cfa8a)
    #36 0x7f345546d6c8 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /gecko/xpcom/components/nsCategoryManager.cpp:689:19
    #37 0x7f34609379c2 in nsXREDirProvider::DoStartup() /gecko/toolkit/xre/nsXREDirProvider.cpp:1029:11
    #38 0x7f3460912de9 in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:5102:18
    #39 0x7f3460915fc6 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5543:8
    #40 0x7f3460916f83 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5606:21
    #41 0x55d2d90875d2 in do_main /gecko/browser/app/nsBrowserApp.cpp:220:22
    #42 0x55d2d90875d2 in main /gecko/browser/app/nsBrowserApp.cpp:347:16
    #43 0x7f34759c20b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
Keywords: sec-high
Blocks: gfx-triage
Summary: heap-use-after-free in [@ DrawElementsInstanced] → heap-use-after-free in [@ DrawElementsInstanced] with sw-wr
Assignee: nobody → lsalzman
Status: NEW → ASSIGNED

Tyson, since there is no reported testcase at all, I just have to make a guess here at what the problem is. Please test my patch to verify if I fixed it or not.

Flags: needinfo?(twsmith)

(In reply to Lee Salzman [:lsalzman] from comment #2)

Please test my patch to verify if I fixed it or not.

Unfortunately I don't have a way of reproducing this issue. This issue was first reported with m-c 20210320-f56d2bf535d6 and has been reported once a day since by different fuzzers. None of the reported test cases have reproduced the issue.

Once the patch is landed we should be able to confirm it fixed the issue if it is not reported over the next week. As a side note, only counting the fuzzers that found this we'd be looking at ~40 machines running 2-4 instances of the fuzzers each for a minimum of 48h if we wanted to try to confirm this fix before landing.

Flags: needinfo?(twsmith)

Comment on attachment 9211631 [details]
Bug 1699929 - Check for non-zero uv_step. r?jrmuizel

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Not easily.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: 88
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: Just works around a divide by zero in a fast-path that may lead to a comparison NaN. Doesn't really change anything else. Since there is no testcase, we can only verify if it is actually fixed once landed. SW-WR only recently rode the trains to beta for a subset of Windows and Linux users in 88. Before that it was nightly only.
Attachment #9211631 - Flags: sec-approval?
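As an added illustration of the failure mode described in the approval request above (constructed for this page; it is not swgl's code nor the patch itself): a zero uv_step turns the span-length division into NaN, NaN fails every comparison, so a range check written as "reject if outside" lets it through, and the value then reaches index arithmetic. Guarding uv_step before dividing, as the patch title describes, and writing the check as "accept only if inside" both close that gap. The names span_length, TEX_WIDTH and span_samples_checked are assumptions for the illustration.

```c
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed illustration, not swgl's code: a 1-D texture row and a
 * linear-sampling span whose sample count is "uv extent / uv step". */
#define TEX_WIDTH 64

/* The division at the heart of the bug: a zero uv_step turns the span
 * length into inf (extent != 0) or NaN (extent == 0). */
float span_length(float uv_extent, float uv_step) {
    return uv_extent / uv_step;
}

/* Pre-fix style range check, written as "reject if outside". Every
 * comparison involving NaN is false, so a NaN length is accepted and
 * later converted to an index (undefined behaviour in C; INT_MIN on
 * x86), which no subsequent clamp can rescue. */
bool length_ok_naive(float n) {
    if (n < 0.0f || n > (float)TEX_WIDTH) return false;
    return true;
}

/* Hardened check, written as "accept only if provably inside". The
 * conjunction is false for NaN, so NaN is rejected. */
bool length_ok_hardened(float n) {
    return n >= 0.0f && n <= (float)TEX_WIDTH;
}

/* Guarded span setup in the spirit of "Check for non-zero uv_step":
 * refuse the fast path before dividing. Returns true and writes the
 * sample count on success; false means the caller must take the slow,
 * per-pixel clamped path instead. */
bool span_samples_checked(float uv_extent, float uv_step, int *out) {
    if (uv_step == 0.0f || !isfinite(uv_step) || !isfinite(uv_extent)) return false;
    float n = span_length(uv_extent, uv_step);
    if (!length_ok_hardened(n)) return false;
    *out = (int)n;  /* safe: n is finite and within [0, TEX_WIDTH] */
    return true;
}

int main(void) {
    float bad = span_length(0.0f, 0.0f);
    printf("0/0 = %f  naive_ok=%d  hardened_ok=%d\n",
           bad, (int)length_ok_naive(bad), (int)length_ok_hardened(bad));
    int n = 0;
    printf("checked(0, 0) accepted: %d\n", (int)span_samples_checked(0.0f, 0.0f, &n));
    if (span_samples_checked(32.0f, 0.5f, &n)) printf("checked(32, 0.5): %d samples\n", n);
    return 0;
}
```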

Comment on attachment 9211631 [details]
Bug 1699929 - Check for non-zero uv_step. r?jrmuizel

Approved to land

Attachment #9211631 - Flags: sec-approval?
Attachment #9211631 - Flags: sec-approval+
Attachment #9211631 - Flags: approval-mozilla-beta+
Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → Future

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(lsalzman)
Whiteboard: [sec-survey]
Flags: needinfo?(lsalzman)
No longer blocks: gfx-triage
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Group: core-security-release