Closed Bug 1710178 Opened 4 years ago Closed 4 years ago

high memory usage in [@ mozilla::gfx::Factory::CreateDrawTargetForData]

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox90 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: csectype-oom, testcase, Whiteboard: [fuzzblocker])

Attachments

(1 file)

testcase.html
184 bytes, text/plain
Details
Attached file testcase.html

Found while fuzzing m-c 20210505-cee8c3405f2e (--enable-address-sanitizer --enable-fuzzing)

This test case triggers high memory usage and has a negative impact on fuzzing. Multiple instances of fuzzers are run in parallel on a single machine. When this is hit the other instances can crash or report bogus results. Marking as fuzzblocker please prioritize appropriately.

==349005==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x55a1b8c379b8 bp 0x7fa3ac5e3390 sp 0x7fa3ac5e3380 T37)
==349005==The signal is caused by a WRITE memory access.
==349005==Hint: address points to the zero page.
    #0 0x55a1b8c379b8 in mozalloc_abort src/memory/mozalloc/mozalloc_abort.cpp:33:3
    #1 0x55a1b8c37b4a in mozalloc_handle_oom(unsigned long) src/memory/mozalloc/mozalloc_oom.cpp:51:3
    #2 0x55a1b8c37a6b in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54:5
    #3 0x7fa3cedb1e2e in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #4 0x7fa3cedb1e2e in mozilla::gfx::Factory::CreateDrawTargetForData(mozilla::gfx::BackendType, unsigned char*, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, int, mozilla::gfx::SurfaceFormat, bool) src/gfx/2d/Factory.cpp:478:19
    #5 0x7fa3cf8f4293 in Moz2DRenderCallback src/gfx/webrender_bindings/Moz2DImageRenderer.cpp:365:32
    #6 0x7fa3cf8f4293 in wr_moz2d_render_cb src/gfx/webrender_bindings/Moz2DImageRenderer.cpp:471:10
    #7 0x7fa3de4c6a6f in webrender_bindings::moz2d_renderer::rasterize_blob::_$u7b$$u7b$closure$u7d$$u7d$::haa027e58c8095d16 src/gfx/webrender_bindings/src/moz2d_renderer.rs:644:16
    #8 0x7fa3de4c6a6f in webrender_bindings::moz2d_renderer::autoreleasepool::he53ddb283ee4fda1 src/gfx/webrender_bindings/src/moz2d_renderer.rs:625:9
    #9 0x7fa3de4c6a6f in webrender_bindings::moz2d_renderer::rasterize_blob::h33de72f567727496 src/gfx/webrender_bindings/src/moz2d_renderer.rs:642:18
    #10 0x7fa3de4cd7a2 in core::ops::function::Fn::call::h487287b5cb763d49 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:70:5
    #11 0x7fa3de4cd7a2 in core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnMut$LT$A$GT$$u20$for$u20$$RF$F$GT$::call_mut::h1866df5c01a04f9f /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:247:13
    #12 0x7fa3de4cd7a2 in core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnOnce$LT$A$GT$$u20$for$u20$$RF$mut$u20$F$GT$::call_once::h7aa838e744811eb0 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:280:13
    #13 0x7fa3de4cd7a2 in core::option::Option$LT$T$GT$::map::h18ff2b0c4fc63f5f /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/option.rs:453:29
    #14 0x7fa3de4cd7a2 in _$LT$core..iter..adapters..Map$LT$I$C$F$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::next::h4c2411721df7ff68 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/iter/adapters/mod.rs:924:9
    #15 0x7fa3de4cd7a2 in rayon::iter::plumbing::Folder::consume_iter::h9f5d5839951b006e src/third_party/rust/rayon/src/iter/plumbing/mod.rs:178:21
    #16 0x7fa3de4cd7a2 in _$LT$rayon..iter..map..MapFolder$LT$C$C$F$GT$$u20$as$u20$rayon..iter..plumbing..Folder$LT$T$GT$$GT$::consume_iter::h7586563140e590f2 src/third_party/rust/rayon/src/iter/map.rs:248:21
    #17 0x7fa3de4cd7a2 in rayon::iter::plumbing::Producer::fold_with::h53ae0cbc27aa1aca src/third_party/rust/rayon/src/iter/plumbing/mod.rs:110:9
    #18 0x7fa3de4cd7a2 in rayon::iter::plumbing::bridge_producer_consumer::helper::h1a5c29a91324b25d src/third_party/rust/rayon/src/iter/plumbing/mod.rs:438:13
    #19 0x7fa3de4cf8ae in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::hd029e1cf0875c8b9 src/third_party/rust/rayon/src/iter/plumbing/mod.rs:418:21
    #20 0x7fa3de4cf8ae in rayon_core::join::join_context::call_a::_$u7b$$u7b$closure$u7d$$u7d$::hed93511036c1d547 src/third_party/rust/rayon-core/src/join/mod.rs:124:17
    #21 0x7fa3de4cf8ae in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h0d481931fc59a738 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:322:9
    #22 0x7fa3de4cf8ae in std::panicking::try::do_call::h7d628e09c8769a5b /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:381:40
    #23 0x7fa3de4cf8ae in std::panicking::try::h0ad9c92b4e010c77 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:345:19
    #24 0x7fa3de4cf8ae in std::panic::catch_unwind::h6e1ddb1686739d37 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:396:14
    #25 0x7fa3de4cf8ae in rayon_core::unwind::halt_unwinding::h2e211cc804011a53 src/third_party/rust/rayon-core/src/unwind.rs:17:5
    #26 0x7fa3de4cf8ae in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::hbbc3be553f0b5052 src/third_party/rust/rayon-core/src/join/mod.rs:141:24
    #27 0x7fa3de4cdd2b in rayon_core::registry::in_worker::hf6ed758ea463c7c8 src/third_party/rust/rayon-core/src/registry.rs:879:13
    #28 0x7fa3de4cdd2b in rayon_core::join::join_context::h62728333dae00101 src/third_party/rust/rayon-core/src/join/mod.rs:132:5
    #29 0x7fa3de4cdd2b in rayon::iter::plumbing::bridge_producer_consumer::helper::h1a5c29a91324b25d src/third_party/rust/rayon/src/iter/plumbing/mod.rs:416:47
    #30 0x7fa3de4cf8ae in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::hd029e1cf0875c8b9 src/third_party/rust/rayon/src/iter/plumbing/mod.rs:418:21
    #31 0x7fa3de4cf8ae in rayon_core::join::join_context::call_a::_$u7b$$u7b$closure$u7d$$u7d$::hed93511036c1d547 src/third_party/rust/rayon-core/src/join/mod.rs:124:17
    #32 0x7fa3de4cf8ae in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h0d481931fc59a738 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:322:9
    #33 0x7fa3de4cf8ae in std::panicking::try::do_call::h7d628e09c8769a5b /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:381:40
    #34 0x7fa3de4cf8ae in std::panicking::try::h0ad9c92b4e010c77 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:345:19
    #35 0x7fa3de4cf8ae in std::panic::catch_unwind::h6e1ddb1686739d37 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:396:14
    #36 0x7fa3de4cf8ae in rayon_core::unwind::halt_unwinding::h2e211cc804011a53 src/third_party/rust/rayon-core/src/unwind.rs:17:5
    #37 0x7fa3de4cf8ae in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::hbbc3be553f0b5052 src/third_party/rust/rayon-core/src/join/mod.rs:141:24
    #38 0x7fa3de4cdd2b in rayon_core::registry::in_worker::hf6ed758ea463c7c8 src/third_party/rust/rayon-core/src/registry.rs:879:13
    #39 0x7fa3de4cdd2b in rayon_core::join::join_context::h62728333dae00101 src/third_party/rust/rayon-core/src/join/mod.rs:132:5
    #40 0x7fa3de4cdd2b in rayon::iter::plumbing::bridge_producer_consumer::helper::h1a5c29a91324b25d src/third_party/rust/rayon/src/iter/plumbing/mod.rs:416:47
    #41 0x7fa3de4cfbcd in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::h1f05d851bf2e4d0d src/third_party/rust/rayon/src/iter/plumbing/mod.rs:427:21
    #42 0x7fa3de4cfbcd in rayon_core::join::join_context::call_b::_$u7b$$u7b$closure$u7d$$u7d$::h0fc169d61f40de0e src/third_party/rust/rayon-core/src/join/mod.rs:129:25
    #43 0x7fa3de4cfbcd in rayon_core::job::StackJob$LT$L$C$F$C$R$GT$::run_inline::h49c2f095104d72e4 src/third_party/rust/rayon-core/src/job.rs:97:9
    #44 0x7fa3de4cfbcd in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::hbbc3be553f0b5052 src/third_party/rust/rayon-core/src/join/mod.rs:158:36
    #45 0x7fa3de4cdd2b in rayon_core::registry::in_worker::hf6ed758ea463c7c8 src/third_party/rust/rayon-core/src/registry.rs:879:13
    #46 0x7fa3de4cdd2b in rayon_core::join::join_context::h62728333dae00101 src/third_party/rust/rayon-core/src/join/mod.rs:132:5
    #47 0x7fa3de4cdd2b in rayon::iter::plumbing::bridge_producer_consumer::helper::h1a5c29a91324b25d src/third_party/rust/rayon/src/iter/plumbing/mod.rs:416:47
    #48 0x7fa3de4cf8ae in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::hd029e1cf0875c8b9 src/third_party/rust/rayon/src/iter/plumbing/mod.rs:418:21
    #49 0x7fa3de4cf8ae in rayon_core::join::join_context::call_a::_$u7b$$u7b$closure$u7d$$u7d$::hed93511036c1d547 src/third_party/rust/rayon-core/src/join/mod.rs:124:17
    #50 0x7fa3de4cf8ae in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h0d481931fc59a738 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:322:9
    #51 0x7fa3de4cf8ae in std::panicking::try::do_call::h7d628e09c8769a5b /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:381:40
    #52 0x7fa3de4cf8ae in std::panicking::try::h0ad9c92b4e010c77 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:345:19
    #53 0x7fa3de4cf8ae in std::panic::catch_unwind::h6e1ddb1686739d37 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:396:14
    #54 0x7fa3de4cf8ae in rayon_core::unwind::halt_unwinding::h2e211cc804011a53 src/third_party/rust/rayon-core/src/unwind.rs:17:5
    #55 0x7fa3de4cf8ae in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::hbbc3be553f0b5052 src/third_party/rust/rayon-core/src/join/mod.rs:141:24
    #56 0x7fa3de4cdd2b in rayon_core::registry::in_worker::hf6ed758ea463c7c8 src/third_party/rust/rayon-core/src/registry.rs:879:13
    #57 0x7fa3de4cdd2b in rayon_core::join::join_context::h62728333dae00101 src/third_party/rust/rayon-core/src/join/mod.rs:132:5
    #58 0x7fa3de4cdd2b in rayon::iter::plumbing::bridge_producer_consumer::helper::h1a5c29a91324b25d src/third_party/rust/rayon/src/iter/plumbing/mod.rs:416:47
    #59 0x7fa3de4d0787 in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::h1f05d851bf2e4d0d src/third_party/rust/rayon/src/iter/plumbing/mod.rs:427:21
    #60 0x7fa3de4d0787 in rayon_core::join::join_context::call_b::_$u7b$$u7b$closure$u7d$$u7d$::h0fc169d61f40de0e src/third_party/rust/rayon-core/src/join/mod.rs:129:25
    #61 0x7fa3de4d0787 in _$LT$rayon_core..job..StackJob$LT$L$C$F$C$R$GT$$u20$as$u20$rayon_core..job..Job$GT$::execute::call::_$u7b$$u7b$closure$u7d$$u7d$::h4d2feff395e7cb9d src/third_party/rust/rayon-core/src/job.rs:113:21
    #62 0x7fa3de4d0787 in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h15c97008fade5782 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:322:9
    #63 0x7fa3de4d0787 in std::panicking::try::do_call::hee263674515f7384 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:381:40
    #64 0x7fa3de4d0787 in std::panicking::try::hb2a12feaf3d5e2c1 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:345:19
    #65 0x7fa3de4d0787 in std::panic::catch_unwind::hb789359a79ef758b /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:396:14
    #66 0x7fa3de4d0787 in rayon_core::unwind::halt_unwinding::h745561b39dc7f300 src/third_party/rust/rayon-core/src/unwind.rs:17:5
    #67 0x7fa3de4d0787 in _$LT$rayon_core..job..StackJob$LT$L$C$F$C$R$GT$$u20$as$u20$rayon_core..job..Job$GT$::execute::h3d408434561b939a src/third_party/rust/rayon-core/src/job.rs:119:38
    #68 0x7fa3dc0ddf42 in rayon_core::job::JobRef::execute::h84ee64a107ae87f4 src/third_party/rust/rayon-core/src/job.rs:59:9
    #69 0x7fa3dc0ddf42 in rayon_core::registry::WorkerThread::execute::h501e5788ff35db61 src/third_party/rust/rayon-core/src/registry.rs:753:9
    #70 0x7fa3dc0ddf42 in rayon_core::registry::WorkerThread::wait_until_cold::h2fb7488a109d1a57 src/third_party/rust/rayon-core/src/registry.rs:730:17
    #71 0x7fa3dc0dbacc in rayon_core::registry::WorkerThread::wait_until::hf3b852df50792538 src/third_party/rust/rayon-core/src/registry.rs:704:13
    #72 0x7fa3dc0dbacc in rayon_core::registry::main_loop::hcbe8a830a7636ee7 src/third_party/rust/rayon-core/src/registry.rs:837:5
    #73 0x7fa3dc0dbacc in rayon_core::registry::ThreadBuilder::run::h5f3bf6b0baf7fce1 src/third_party/rust/rayon-core/src/registry.rs:56:18
    #74 0x7fa3dc0d9b28 in _$LT$rayon_core..registry..DefaultSpawn$u20$as$u20$rayon_core..registry..ThreadSpawn$GT$::spawn::_$u7b$$u7b$closure$u7d$$u7d$::h2ff7e410b6169672 src/third_party/rust/rayon-core/src/registry.rs:101:20
    #75 0x7fa3dc0d9b28 in std::sys_common::backtrace::__rust_begin_short_backtrace::h6c192e4720b1c0ec /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:125:18
    #76 0x7fa3dc0d96d6 in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h112104375459f419 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:474:17
    #77 0x7fa3dc0d96d6 in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h050b89bc87d55ee9 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:322:9
    #78 0x7fa3dc0d96d6 in std::panicking::try::do_call::hb1c9c62553d93da2 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:381:40
    #79 0x7fa3dc0d96d6 in std::panicking::try::h3b38abeb6d02d5a0 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:345:19
    #80 0x7fa3dc0d96d6 in std::panic::catch_unwind::hf4ee6c3d569ac886 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:396:14
    #81 0x7fa3dc0d96d6 in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::h36781edff253ac03 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:473:30
    #82 0x7fa3dc0d96d6 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h15b7cc511154e052 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:227:5
    #83 0x7fa3dc5f7574 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h9e7afb7a0a438236 /rustc/74f7e32f43b5fb0f83896d124566d8242eb786b1/library/alloc/src/boxed.rs:1307:9
    #84 0x7fa3dc5f7574 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h70c646c4271337a1 /rustc/74f7e32f43b5fb0f83896d124566d8242eb786b1/library/alloc/src/boxed.rs:1307:9
    #85 0x7fa3dc5f7574 in std::sys::unix::thread::Thread::new::thread_start::h35d2b8d36f210d02 /rustc/74f7e32f43b5fb0f83896d124566d8242eb786b1/library/std/src/sys/unix/thread.rs:71:17
    #86 0x7fa3edfea608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #87 0x7fa3edbb3292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?

Happens with WR too.

This bug appears to have been introduced in the following range:

Start: db75491e5d2eb754452146cffe297f0d77033052 (20210125155441)
End: 98349a6be0f60d968d7049c0b734294a5b7d5480 (20210125182759)
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=db75491e5d2eb754452146cffe297f0d77033052&tochange=98349a6be0f60d968d7049c0b734294a5b7d5480

See Also: → 1710514

To help catch this issue ASAN_OPTIONS=soft_rss_limit_mb=5000 was used.

Attachment #9220911 - Attachment mime type: text/html → text/plain

Fixed by bug 1710695, thanks Jeff!

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Blocks: oom-fuzz

This appears to impact the end user after looking at bug 1710695.

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: