Closed Bug 1704319 Opened 3 years ago Closed 3 years ago

crash in [@ blend_span]

Categories

(Core :: Graphics: WebRender, defect)

defect

Tracking


VERIFIED FIXED
89 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox87 --- unaffected
firefox88 --- unaffected
firefox89 --- verified

People

(Reporter: tsmith, Assigned: lsalzman)

References

(Blocks 1 open bug, Regression)

Details

(5 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(3 files, 1 obsolete file)

Attached file testcase.html

Found while fuzzing m-c 20210410-f84605e6fc8b (--enable-address-sanitizer --enable-fuzzing)

==9657==ERROR: AddressSanitizer: SEGV on unknown address 0x7f41870d8800 (pc 0x7f41fdd30d14 bp 0x7f41d783a030 sp 0x7f41d7839d80 T29)
==9657==The signal is caused by a READ memory access.
    #0 0x7f41fdd30d14 in load<unsigned int> /gecko/gfx/wr/swgl/src/vector_type.h:503:5
    #1 0x7f41fdd30d14 in unaligned_load<unsigned char __attribute__((ext_vector_type(16))), unsigned int> /gecko/gfx/wr/swgl/src/vector_type.h:532:10
    #2 0x7f41fdd30d14 in blend_span /gecko/gfx/wr/swgl/src/blend.h:732:28
    #3 0x7f41fdd30d14 in commit_blend_span<true, unsigned int, unsigned short __attribute__((ext_vector_type(16)))> /gecko/gfx/wr/swgl/src/blend.h:792:22
    #4 0x7f41fdd30d14 in unsigned int* blendTextureLinearFallback<true, glsl::sampler2D_impl*, NoColor, unsigned int>(glsl::sampler2D_impl*, glsl::vec2, int, glsl::vec2_scalar, glsl::vec2_scalar, glsl::vec2_scalar, NoColor, unsigned int*) /gecko/gfx/wr/swgl/src/swgl_ext.h:177:5
    #5 0x7f41fdd30838 in unsigned int* blendTextureLinearDispatch<true, glsl::sampler2D_impl*, NoColor, unsigned int>(glsl::sampler2D_impl*, glsl::vec2, int, glsl::vec2_scalar, glsl::vec2_scalar, glsl::vec2_scalar, NoColor, unsigned int*, LinearFilter) /gecko/gfx/wr/swgl/src/swgl_ext.h:441:11
    #6 0x7f41fdde9f7e in int blendTextureLinear<true, glsl::sampler2D_impl*, NoColor, unsigned int>(glsl::sampler2D_impl*, glsl::vec2, int, glsl::vec4_scalar const&, NoColor, unsigned int*, LinearFilter) /gecko/gfx/wr/swgl/src/swgl_ext.h:456:3
    #7 0x7f41fde800db in brush_image_ALPHA_PASS_TEXTURE_2D_frag::swgl_drawSpanRGBA8() /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/swgl-51db388d6c37570b/out/brush_image_ALPHA_PASS_TEXTURE_2D.h:895:2
    #8 0x7f41fde76019 in brush_image_ALPHA_PASS_TEXTURE_2D_frag::draw_span_RGBA8(brush_image_ALPHA_PASS_TEXTURE_2D_frag*) /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/swgl-51db388d6c37570b/out/brush_image_ALPHA_PASS_TEXTURE_2D.h:938:42
    #9 0x7f41fe1254fe in draw_span /gecko/gfx/wr/swgl/src/program.h:149:12
    #10 0x7f41fe1254fe in draw_depth_span<unsigned int> /gecko/gfx/wr/swgl/src/rasterize.h:597:38
    #11 0x7f41fe1254fe in void draw_quad_spans<unsigned int>(int, glsl::vec2_scalar*, unsigned int, glsl::vec3*, Texture&, Texture&, ClipRect const&) /gecko/gfx/wr/swgl/src/rasterize.h:999:13
    #12 0x7f41fdc99f63 in draw_quad(int, Texture&, Texture&) /gecko/gfx/wr/swgl/src/rasterize.h:1592:5
    #13 0x7f41fdc95923 in void draw_elements<unsigned short>(int, int, unsigned long, VertexArray&, Texture&, Texture&) /gecko/gfx/wr/swgl/src/rasterize.h:1622:5
    #14 0x7f41fdc955c9 in DrawElementsInstanced /gecko/gfx/wr/swgl/src/gl.cc:2699:7
    #15 0x7f41fd10362b in webrender::device::gl::Device::draw_indexed_triangles_instanced_u16::h9db85ebc5dd1be98 /gecko/gfx/wr/webrender/src/device/gl.rs:3532:9
    #16 0x7f41fd10362b in webrender::renderer::Renderer::draw_instanced_batch::he82cf5f9df3fb284 /gecko/gfx/wr/webrender/src/renderer/mod.rs:2561:17
    #17 0x7f41fd0ef2dd in webrender::renderer::Renderer::draw_alpha_batch_container::h759cbbb5db45fa8c /gecko/gfx/wr/webrender/src/renderer/mod.rs:3045:17
    #18 0x7f41fd0c2f61 in webrender::renderer::Renderer::draw_picture_cache_target::h134498a9cc4a253a /gecko/gfx/wr/webrender/src/renderer/mod.rs:2868:9
    #19 0x7f41fd0c2f61 in webrender::renderer::Renderer::draw_frame::h20341baafbe8ca20 /gecko/gfx/wr/webrender/src/renderer/mod.rs:4683:21
    #20 0x7f41fd12973f in webrender::renderer::Renderer::render_impl::h05e0a812274e4fa6 /gecko/gfx/wr/webrender/src/renderer/mod.rs:2159:17
    #21 0x7f41fd14aff9 in webrender::renderer::Renderer::render::h510b6ab158a5e145 /gecko/gfx/wr/webrender/src/renderer/mod.rs:1894:30
    #22 0x7f41fd3b74ff in wr_renderer_render /gecko/gfx/webrender_bindings/src/bindings.rs:637:11
    #23 0x7f41ee93e9fe in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /gecko/gfx/webrender_bindings/RendererOGL.cpp:186:8
    #24 0x7f41ee93d12f in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /gecko/gfx/webrender_bindings/RenderThread.cpp:486:31
    #25 0x7f41ee93c2b1 in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /gecko/gfx/webrender_bindings/RenderThread.cpp:341:3
    #26 0x7f41ee954646 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
    #27 0x7f41ee954646 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
    #28 0x7f41ee954646 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
    #29 0x7f41ecbf4a87 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /gecko/ipc/chromium/src/base/message_loop.cc:468:11
    #30 0x7f41ecbf57ee in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /gecko/ipc/chromium/src/base/message_loop.cc:477:5
    #31 0x7f41ecbf608b in MessageLoop::DoWork() /gecko/ipc/chromium/src/base/message_loop.cc:552:13
    #32 0x7f41ecbf7386 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
    #33 0x7f41ecbf4631 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #34 0x7f41ecbf4631 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #35 0x7f41ecbf4631 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #36 0x7f41ecc11cb8 in base::Thread::ThreadMain() /gecko/ipc/chromium/src/base/thread.cc:191:16
    #37 0x7f41ecc058ac in ThreadFunc(void*) /gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #38 0x7f420c4b0608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #39 0x7f420c079292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /gecko/gfx/wr/swgl/src/vector_type.h:503:5 in load<unsigned int>
Thread T29 (Renderer) created by T0 here:
    #0 0x5630d79161ba in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x7f41ecbffd9c in CreateThread /gecko/ipc/chromium/src/base/platform_thread_posix.cc:123:14
    #2 0x7f41ecbffd9c in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /gecko/ipc/chromium/src/base/platform_thread_posix.cc:134:10
    #3 0x7f41ecc114dd in base::Thread::StartWithOptions(base::Thread::Options const&) /gecko/ipc/chromium/src/base/thread.cc:97:8
    #4 0x7f41ee938f01 in mozilla::wr::RenderThread::Start() /gecko/gfx/webrender_bindings/RenderThread.cpp:92:16
    #5 0x7f41ee6a8c79 in gfxPlatform::InitLayersIPC() /gecko/gfx/thebes/gfxPlatform.cpp:1324:7
    #6 0x7f41ee6a4276 in gfxPlatform::Init() /gecko/gfx/thebes/gfxPlatform.cpp:964:3
    #7 0x7f41ee6a2bbb in gfxPlatform::GetPlatform() /gecko/gfx/thebes/gfxPlatform.cpp:480:5
    #8 0x7f41f32e8cac in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /gecko/widget/GfxInfoBase.cpp:1778:25
    #9 0x7f41ebae4c91 in NS_InvokeByIndex /gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
    #10 0x7f41eda1a5ea in Invoke /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1623:10
    #11 0x7f41eda1a5ea in Call /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1176:19
    #12 0x7f41eda1a5ea in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1142:23
    #13 0x7f41eda1ffd3 in GetAttribute /gecko/js/xpconnect/src/xpcprivate.h:1460:12
    #14 0x7f41eda1ffd3 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965:10
    #15 0x7f41f7090bc0 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:435:13
    #16 0x7f41f7090bc0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:520:12
    #17 0x7f41f70929f9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:580:10
    #18 0x7f41f7092c7b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:597:8
    #19 0x7f41f7094238 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/Interpreter.cpp:721:10
    #20 0x7f41f758f464 in CallGetter /gecko/js/src/vm/NativeObject.cpp:2168:12
    #21 0x7f41f758f464 in GetExistingProperty<js::CanGC> /gecko/js/src/vm/NativeObject.cpp:2197:12
    #22 0x7f41f758f464 in NativeGetPropertyInline<js::CanGC> /gecko/js/src/vm/NativeObject.cpp:2341:14
    #23 0x7f41f758f464 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/NativeObject.cpp:2371:10
    #24 0x7f41f707eb69 in GetProperty /gecko/js/src/vm/ObjectOperations-inl.h:116:10
    #25 0x7f41f707eb69 in GetObjectElementOperation /gecko/js/src/vm/Interpreter-inl.h:451:10
    #26 0x7f41f707eb69 in GetElementOperationWithStackIndex /gecko/js/src/vm/Interpreter-inl.h:558:10
    #27 0x7f41f707eb69 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3051:14
    #28 0x7f41f7060833 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:405:13
    #29 0x7f41f7090cfa in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:552:13
    #30 0x7f41f70929f9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:580:10
    #31 0x7f41f7092c7b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:597:8
    #32 0x7f41f78f57f0 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/jsapi.cpp:2758:10
    #33 0x7f41eda0d311 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:971:17
    #34 0x7f41ebae65e0 in PrepareAndDispatch /gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
    #35 0x7f41ebae537a in SharedStub (/home/worker/builds/m-c-20210410091448-fuzzing-asan-opt/libxul.so+0x508537a)
    #36 0x7f41eba46828 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /gecko/xpcom/components/nsCategoryManager.cpp:687:19
    #37 0x7f41f6e58cc2 in nsXREDirProvider::DoStartup() /gecko/toolkit/xre/nsXREDirProvider.cpp:977:11
    #38 0x7f41f6e34579 in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:5098:18
    #39 0x7f41f6e37756 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5539:8
    #40 0x7f41f6e38533 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5598:21
    #41 0x5630d795e902 in do_main /gecko/browser/app/nsBrowserApp.cpp:220:22
    #42 0x5630d795e902 in main /gecko/browser/app/nsBrowserApp.cpp:347:16
    #43 0x7f420bf7e0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?
Attached file prefs.js (obsolete)
Attached file prefs.js
Attachment #9214919 - Attachment is obsolete: true

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210412092813-3e349af4587a.
The bug appears to have been introduced in the following build range:

Start: da0e4ceeb6a49298a2415aff4ce1ae3a38480f44 (20210409062024)
End: 209696ddb4c6398e0178e3a1988033c740312ee0 (20210409122809)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=da0e4ceeb6a49298a2415aff4ce1ae3a38480f44&tochange=209696ddb4c6398e0178e3a1988033c740312ee0

Whiteboard: [bugmon:bisected,confirmed]

Bug 1703893 is in the regression range, and it changed blendTextureLinearDispatch, so maybe it is related to that.

Regressed by: 1703893
Has Regression Range: --- → yes
Keywords: regression

The testcase does not reproduce for me.

Flags: needinfo?(twsmith)
Assignee: nobody → lsalzman
Status: NEW → ASSIGNED

Since the testcase does not repro for me at all, the best I can do is take a wild stab in the dark here about what's going on. Tyson or Jason, can you see if this patch fixes it? If not, there is not much I can do until a better testcase is nailed down.

Flags: needinfo?(jkratzer)

A Pernosco session is available here: https://pernos.co/debug/oKJJmYhcnkM45PtlQqlhMg/index.html

Based on what I can tell from the Pernosco session, my patch should avoid this. Can you confirm?

The issue is no longer reproducible with the patch applied. Thanks!

Flags: needinfo?(twsmith)
Flags: needinfo?(jkratzer)

Since this regression should affect nightly only, and Tyson has confirmed, I will go ahead and land my fix.

Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 89 Branch

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210415040011-3b9876116bf1.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
See Also: → 1706069
Group: core-security-release