1703893 - AddressSanitizer: heap-buffer-overflow [@ load<unsigned int>] with READ of size 16

Status: VERIFIED FIXED

(Core :: Graphics: WebRender, defect)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.zip

Testcase found while fuzzing mozilla-central rev 83a21ab93aff (built with --enable-address-sanitizer --enable-fuzzing).

==144187==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63000000f93b at pc 0x7fa0b8096866 bp 0x7fa07b002110 sp 0x7fa07b002108
READ of size 16 at 0x63000000f93b thread T60 (Renderer)
    #0 0x7fa0b8096865 in load<unsigned int> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/vector_type.h:503:5
    #1 0x7fa0b8096865 in unaligned_load<unsigned char __attribute__((ext_vector_type(16))), unsigned int> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/vector_type.h:532:10
    #2 0x7fa0b8096865 in void blendTextureLinearFast<true, glsl::sampler2D_impl*, NoColor, unsigned int>(glsl::sampler2D_impl*, glsl::vec2, int, glsl::vec2_scalar, glsl::vec2_scalar, NoColor, unsigned int*) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/swgl_ext.h:311:9
    #3 0x7fa0b807be99 in unsigned int* blendTextureLinearDispatch<true, glsl::sampler2D_impl*, NoColor, unsigned int>(glsl::sampler2D_impl*, glsl::vec2, int, glsl::vec2_scalar, glsl::vec2_scalar, glsl::vec2_scalar, NoColor, unsigned int*, LinearFilter) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/swgl_ext.h:424:9
    #4 0x7fa0b8038dcb in int blendTextureLinearRepeat<true, glsl::sampler2D_impl*, NoColor, unsigned int>(glsl::sampler2D_impl*, glsl::vec2, int, glsl::vec2_scalar const&, glsl::vec4_scalar const&, glsl::vec4_scalar const&, NoColor, unsigned int*) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/swgl_ext.h:666:15
    #5 0x7fa0b81a2d4c in brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D_frag::swgl_drawSpanRGBA8() /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/swgl-fa1cedbe8c8d7d30/out/brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D.h:969:2
    #6 0x7fa0b8199479 in brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D_frag::draw_span_RGBA8(brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D_frag*) /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/swgl-fa1cedbe8c8d7d30/out/brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D.h:1012:42
    #7 0x7fa0b8469fee in draw_span /builds/worker/checkouts/gecko/gfx/wr/swgl/src/program.h:149:12
    #8 0x7fa0b8469fee in draw_depth_span<unsigned int> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:597:38
    #9 0x7fa0b8469fee in void draw_quad_spans<unsigned int>(int, glsl::vec2_scalar*, unsigned int, glsl::vec3*, Texture&, Texture&, ClipRect const&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:999:13
    #10 0x7fa0b7fe5743 in draw_quad(int, Texture&, Texture&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1592:5
    #11 0x7fa0b7fe1103 in void draw_elements<unsigned short>(int, int, unsigned long, VertexArray&, Texture&, Texture&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1622:5
    #12 0x7fa0b7fe0da9 in DrawElementsInstanced /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:2699:7
    #13 0x7fa0b744dca5 in webrender::device::gl::Device::draw_indexed_triangles_instanced_u16::h51e0b62033070f29 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/device/gl.rs:3522:9
    #14 0x7fa0b744dca5 in webrender::renderer::Renderer::draw_instanced_batch::hff0dd0452e9d80c1 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2553:17
    #15 0x7fa0b7439f0d in webrender::renderer::Renderer::draw_alpha_batch_container::hb633ae3deaa60ff4 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:3037:17
    #16 0x7fa0b740df81 in webrender::renderer::Renderer::draw_picture_cache_target::h4479a69d077f4535 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2860:9
    #17 0x7fa0b740df81 in webrender::renderer::Renderer::draw_frame::h2fe5327ba37c56d5 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:4603:21
    #18 0x7fa0b7473db2 in webrender::renderer::Renderer::render_impl::hc14c54b40ec9d2eb /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2154:17
    #19 0x7fa0b74954c9 in webrender::renderer::Renderer::render::h630e7c763bf04fda /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1889:30
    #20 0x7fa0b77019df in wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:637:11
    #21 0x7fa0a8d6801e in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:186:8
    #22 0x7fa0a8d6674f in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:486:31
    #23 0x7fa0a8d658d1 in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:341:3
    #24 0x7fa0a8d7dc66 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
    #25 0x7fa0a8d7dc66 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
    #26 0x7fa0a8d7dc66 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
    #27 0x7fa0a701e9e7 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:468:11
    #28 0x7fa0a701f74e in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:477:5
    #29 0x7fa0a701ffeb in MessageLoop::DoWork() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:552:13
    #30 0x7fa0a70212e6 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
    #31 0x7fa0a701e591 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #32 0x7fa0a701e591 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #33 0x7fa0a701e591 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #34 0x7fa0a703bc18 in base::Thread::ThreadMain() /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:191:16
    #35 0x7fa0a702f80c in ThreadFunc(void*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #36 0x7fa0c67d1608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #37 0x7fa0c639a292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x63000000f93b is located 3 bytes to the right of 62776-byte region [0x630000000400,0x63000000f938)
allocated by thread T60 (Renderer) here:
    #0 0x558dacf12a69 in realloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164:3
    #1 0x7fa0b7fe7473 in Texture::allocate(bool, int, int) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:492:32
    #2 0x7fa0b7fd04af in set_tex_storage(Texture&, unsigned int, int, int, void*, int, int, int) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:1678:5
    #3 0x7fa0b7fcff6e in TexStorage2D /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:1692:3
    #4 0x7fa0b7fd1129 in TexImage2D /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:1780:3
    #5 0x7fa0b6513eea in _$LT$swgl..swgl_fns..Context$u20$as$u20$gleam..gl..Gl$GT$::tex_image_2d::h4a67fbdce1d3895b /builds/worker/checkouts/gecko/gfx/wr/swgl/src/swgl_fns.rs:995:13
    #6 0x7fa0b7384226 in webrender::device::gl::Device::create_texture::h9ccd7458decb5fd7 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/device/gl.rs:2453:13
    #7 0x7fa0b7457924 in webrender::renderer::Renderer::update_texture_cache::_$u7b$$u7b$closure$u7d$$u7d$::h10aab31fc41e7d8f /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2435:29
    #8 0x7fa0b7457924 in core::option::Option$LT$T$GT$::unwrap_or_else::h95a9ebff8addefd0 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/option.rs:427:21
    #9 0x7fa0b7457924 in webrender::renderer::Renderer::update_texture_cache::hbe25867822377249 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2434:43
    #10 0x7fa0b7473009 in webrender::renderer::Renderer::render_impl::hc14c54b40ec9d2eb /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2114:13
    #11 0x7fa0b74954c9 in webrender::renderer::Renderer::render::h630e7c763bf04fda /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1889:30
    #12 0x7fa0b77019df in wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:637:11
    #13 0x7fa0a8d6801e in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:186:8
    #14 0x7fa0a8d6674f in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:486:31
    #15 0x7fa0a8d658d1 in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:341:3
    #16 0x7fa0a8d7dc66 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
    #17 0x7fa0a8d7dc66 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
    #18 0x7fa0a8d7dc66 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
    #19 0x7fa0a701e9e7 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:468:11
    #20 0x7fa0a701f74e in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:477:5
    #21 0x7fa0a701ffeb in MessageLoop::DoWork() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:552:13
    #22 0x7fa0a70212e6 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
    #23 0x7fa0a701e591 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #24 0x7fa0a701e591 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #25 0x7fa0a701e591 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3

Thread T60 (Renderer) created by T0 here:
    #0 0x558dacefd1ba in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x7fa0a7029cfc in CreateThread /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:123:14
    #2 0x7fa0a7029cfc in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:134:10
    #3 0x7fa0a703b43d in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:97:8
    #4 0x7fa0a8d62521 in mozilla::wr::RenderThread::Start() /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:92:16
    #5 0x7fa0a8ad2299 in gfxPlatform::InitLayersIPC() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:1324:7
    #6 0x7fa0a8acd896 in gfxPlatform::Init() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:964:3
    #7 0x7fa0a8acc1db in gfxPlatform::GetPlatform() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:480:5
    #8 0x7fa0ad70ed3c in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /builds/worker/checkouts/gecko/widget/GfxInfoBase.cpp:1778:25
    #9 0x7fa0a5f13031 in NS_InvokeByIndex /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
    #10 0x7fa0a7e445da in Invoke /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1623:10
    #11 0x7fa0a7e445da in Call /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1176:19
    #12 0x7fa0a7e445da in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1142:23
    #13 0x7fa0a7e49fc3 in GetAttribute /builds/worker/checkouts/gecko/js/xpconnect/src/xpcprivate.h:1460:12
    #14 0x7fa0a7e49fc3 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965:10
    #15 0x7fa0b14b6760 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:435:13
    #16 0x7fa0b14b6760 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:520:12
    #17 0x7fa0b14b8599 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:10
    #18 0x7fa0b14b881b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:597:8
    #19 0x7fa0b14b9dd8 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:721:10
    #20 0x7fa0b19b7cf4 in CallGetter /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2168:12
    #21 0x7fa0b19b7cf4 in GetExistingProperty<js::CanGC> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2197:12
    #22 0x7fa0b19b7cf4 in NativeGetPropertyInline<js::CanGC> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2341:14
    #23 0x7fa0b19b7cf4 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2371:10
    #24 0x7fa0b14a4709 in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:116:10
    #25 0x7fa0b14a4709 in GetObjectElementOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter-inl.h:451:10
    #26 0x7fa0b14a4709 in GetElementOperationWithStackIndex /builds/worker/checkouts/gecko/js/src/vm/Interpreter-inl.h:558:10
    #27 0x7fa0b14a4709 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3051:14
    #28 0x7fa0b14863d3 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:405:13
    #29 0x7fa0b14b689a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:552:13
    #30 0x7fa0b14b8599 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:10
    #31 0x7fa0b14b881b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:597:8
    #32 0x7fa0b1d20cb0 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2793:10
    #33 0x7fa0a7e37301 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:971:17
    #34 0x7fa0a5f14980 in PrepareAndDispatch /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
    #35 0x7fa0a5f1371a in SharedStub (/home/jkratzer/builds/mc-asan/libxul.so+0x506d71a)
    #36 0x7fa0a5e74bc8 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /builds/worker/checkouts/gecko/xpcom/components/nsCategoryManager.cpp:687:19
    #37 0x7fa0b127e862 in nsXREDirProvider::DoStartup() /builds/worker/checkouts/gecko/toolkit/xre/nsXREDirProvider.cpp:977:11
    #38 0x7fa0b125a119 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5098:18
    #39 0x7fa0b125d2f6 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5539:8
    #40 0x7fa0b125e0d3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5598:21
    #41 0x558dacf45902 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:220:22
    #42 0x558dacf45902 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:347:16
    #43 0x7fa0c629f0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/checkouts/gecko/gfx/wr/swgl/src/vector_type.h:503:5 in load<unsigned int>
Shadow bytes around the buggy address:
  0x0c607fff9ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c607fff9ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c607fff9ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c607fff9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c607fff9f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c607fff9f20: 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa
  0x0c607fff9f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff9f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff9f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff9f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc

Comment 1

[Jason Kratzer [:jkratzer]]

Reduced build range to:

Start: 7552f5acc03b5fd126d584a4fa8b324afbf1a471 (20210406094706)
End: dcc9ca0ad46eea95eacc9071ba55015a8803e224 (20210406075638)
https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=7552f5acc03b5fd126d584a4fa8b324afbf1a471&tochange=dcc9ca0ad46eea95eacc9071ba55015a8803e224

Comment 2

[Jason Kratzer [:jkratzer]]

This appears to be a regression of bug 1678783.

Comment 3

[Lee Salzman [:lsalzman]]

When I run the testcase in SW-WR, it does not reproduce for me.

Comment 4

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/0JP68sdmFsJj6g7VlyLfoA/index.html

Comment 5

[Lee Salzman [:lsalzman]]

There don't appear to be any debugging symbols in this so I can't tell much from it. Can you resolve that? The variables that I need to inspect just say "optimized out".

Comment 6

[Tyson Smith [:tsmith]]

I'm not sure what is wrong. I built with --disable-optimize and further up the stack looks better but sw-wr seems to be optimized?

truber or glandium: Could this be similar to bug 1695285?

Comment 7

[Lee Salzman [:lsalzman]]

Attachment: Bug 1703893 - More accurate uv_step for fast-paths. r?jrmuizel

Comment 8

[Lee Salzman [:lsalzman]]

It looks like the number of steps in fast-paths can be potentially overestimated since when choosing a fast-path to apply it rounds the uv_step to allow for some amount of imperceptible visual error. This could cause us to slightly overread from a texture.

Comment 9

[Lee Salzman [:lsalzman]]

Since this is just a nightly regression and seems very hard to test reliably outside of the fuzzer, I am just going to land the presumptive fix so that we can more easily verify if it does fix it.

Comment 10

[Tyson Smith [:tsmith]]

I verified that the issue is no longer reproducible with the patch applied.

Comment 11

[Jason Kratzer [:jkratzer]]

Just a note - it appears that the bug's reproducibility relies on the window's zoom level. When I open the testcase and zoom in/out repeatedly I can reliably trigger this issue.

Comment 12

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

More accurate uv_step for fast-paths. r=jrmuizel
https://hg.mozilla.org/integration/autoland/rev/03f57beffd17066281a639a76ee612ad65fefc6f
https://hg.mozilla.org/mozilla-central/rev/03f57beffd17

Comment 13

[Jesse Schwartzentruber (:truber)]

(In reply to Tyson Smith [:tsmith] from comment #6)

I'm not sure what is wrong. I built with --disable-optimize and further up the stack looks better but sw-wr seems to be optimized?

truber or glandium: Could this be similar to bug 1695285?

I don't think this is related to bug 1695285 at all. (the section touched in rust.mk shouldn't be filtering anything anymore except in two cases: TSan and Windows code coverage).

Comment 14

[Tyson Smith [:tsmith]]

Opened bug 1704580 for no-opt build issue.

Comment 15

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20211123033957-ba4d4963c38b.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.