1711602 - Assertion failure: false, at src/gfx/webrender_bindings/Moz2DImageRenderer.cpp:430

Status: NEW

(Core :: Graphics: WebRender, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20210514-ef13365d8188 (--enable-address-sanitizer --enable-fuzzing)

To help catch this issue ASAN_OPTIONS=max_allocation_size_mb=512 was used.

Assertion failure: false, at /builds/worker/checkouts/gecko/gfx/webrender_bindings/Moz2DImageRenderer.cpp:430

==30777==WARNING: AddressSanitizer failed to allocate 0x288a9b28 bytes
=================================================================
==30777==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f01f590714d bp 0x7f01dc72cef0 sp 0x7f01dc72bbc0 T34)
==30777==The signal is caused by a WRITE memory access.
==30777==Hint: address points to the zero page.
==30777==WARNING: AddressSanitizer failed to allocate 0x288a9b28 bytes
    #0 0x7f01f590714d in Moz2DRenderCallback /gecko/gfx/webrender_bindings/Moz2DImageRenderer.cpp:430:7
    #1 0x7f01f590714d in wr_moz2d_render_cb /gecko/gfx/webrender_bindings/Moz2DImageRenderer.cpp:471:10
    #2 0x7f0204af6c0f in webrender_bindings::moz2d_renderer::rasterize_blob::_$u7b$$u7b$closure$u7d$$u7d$::heaeeae96183e5da9 /gecko/gfx/webrender_bindings/src/moz2d_renderer.rs:644:16
    #3 0x7f0204af6c0f in webrender_bindings::moz2d_renderer::autoreleasepool::h7813e85171822065 /gecko/gfx/webrender_bindings/src/moz2d_renderer.rs:625:9
    #4 0x7f0204af6c0f in webrender_bindings::moz2d_renderer::rasterize_blob::h018f877d5542471a /gecko/gfx/webrender_bindings/src/moz2d_renderer.rs:642:18
    #5 0x7f0204afd982 in core::ops::function::Fn::call::hd9357ffaf432a4ea /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:70:5
    #6 0x7f0204afd982 in core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnMut$LT$A$GT$$u20$for$u20$$RF$F$GT$::call_mut::hd698dfaee0aca97c /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:247:13
    #7 0x7f0204afd982 in core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnOnce$LT$A$GT$$u20$for$u20$$RF$mut$u20$F$GT$::call_once::h534bc5f1cf563b68 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:280:13
    #8 0x7f0204afd982 in core::option::Option$LT$T$GT$::map::h5e88740866556319 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/option.rs:453:29
    #9 0x7f0204afd982 in _$LT$core..iter..adapters..Map$LT$I$C$F$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::next::h6eecaa98d154f0d7 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/iter/adapters/mod.rs:924:9
    #10 0x7f0204afd982 in rayon::iter::plumbing::Folder::consume_iter::hec1e668c1f64b16a /gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:178:21
    #11 0x7f0204afd982 in _$LT$rayon..iter..map..MapFolder$LT$C$C$F$GT$$u20$as$u20$rayon..iter..plumbing..Folder$LT$T$GT$$GT$::consume_iter::h1aa5be1a4338e718 /gecko/third_party/rust/rayon/src/iter/map.rs:248:21
    #12 0x7f0204afd982 in rayon::iter::plumbing::Producer::fold_with::ha6a9b65db01083f8 /gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:110:9
    #13 0x7f0204afd982 in rayon::iter::plumbing::bridge_producer_consumer::helper::hffbf3798f82b15d3 /gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:438:13
    #14 0x7f0204affa8e in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::hc6f8ed9018b2aeaf /gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:418:21
    #15 0x7f0204affa8e in rayon_core::join::join_context::call_a::_$u7b$$u7b$closure$u7d$$u7d$::he699529ca2739774 /gecko/third_party/rust/rayon-core/src/join/mod.rs:124:17
    #16 0x7f0204affa8e in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h2cb9f4e942c7b12a /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:322:9
    #17 0x7f0204affa8e in std::panicking::try::do_call::h996de839d85ee28b /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:381:40
    #18 0x7f0204affa8e in std::panicking::try::ha774027eb742719d /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:345:19
    #19 0x7f0204affa8e in std::panic::catch_unwind::he0ca7fffd4bf8936 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:396:14
    #20 0x7f0204affa8e in rayon_core::unwind::halt_unwinding::ha3ad353aa58b89f1 /gecko/third_party/rust/rayon-core/src/unwind.rs:17:5
    #21 0x7f0204affa8e in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::h93e18a5bfcf0f47b /gecko/third_party/rust/rayon-core/src/join/mod.rs:141:24
    #22 0x7f0204afdf0b in rayon_core::registry::in_worker::h4e0582c1e7b825ec /gecko/third_party/rust/rayon-core/src/registry.rs:879:13
    #23 0x7f0204afdf0b in rayon_core::join::join_context::h25152c906481c6c8 /gecko/third_party/rust/rayon-core/src/join/mod.rs:132:5
    #24 0x7f0204afdf0b in rayon::iter::plumbing::bridge_producer_consumer::helper::hffbf3798f82b15d3 /gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:416:47
    #25 0x7f0204affa8e in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::hc6f8ed9018b2aeaf /gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:418:21
    #26 0x7f0204affa8e in rayon_core::join::join_context::call_a::_$u7b$$u7b$closure$u7d$$u7d$::he699529ca2739774 /gecko/third_party/rust/rayon-core/src/join/mod.rs:124:17
    #27 0x7f0204affa8e in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h2cb9f4e942c7b12a /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:322:9
    #28 0x7f0204affa8e in std::panicking::try::do_call::h996de839d85ee28b /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:381:40
    #29 0x7f0204affa8e in std::panicking::try::ha774027eb742719d /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:345:19
    #30 0x7f0204affa8e in std::panic::catch_unwind::he0ca7fffd4bf8936 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:396:14
    #31 0x7f0204affa8e in rayon_core::unwind::halt_unwinding::ha3ad353aa58b89f1 /gecko/third_party/rust/rayon-core/src/unwind.rs:17:5
    #32 0x7f0204affa8e in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::h93e18a5bfcf0f47b /gecko/third_party/rust/rayon-core/src/join/mod.rs:141:24
    #33 0x7f0204afdf0b in rayon_core::registry::in_worker::h4e0582c1e7b825ec /gecko/third_party/rust/rayon-core/src/registry.rs:879:13
    #34 0x7f0204afdf0b in rayon_core::join::join_context::h25152c906481c6c8 /gecko/third_party/rust/rayon-core/src/join/mod.rs:132:5
    #35 0x7f0204afdf0b in rayon::iter::plumbing::bridge_producer_consumer::helper::hffbf3798f82b15d3 /gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:416:47
    #36 0x7f0204affa8e in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::hc6f8ed9018b2aeaf /gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:418:21
    #37 0x7f0204affa8e in rayon_core::join::join_context::call_a::_$u7b$$u7b$closure$u7d$$u7d$::he699529ca2739774 /gecko/third_party/rust/rayon-core/src/join/mod.rs:124:17
    #38 0x7f0204affa8e in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h2cb9f4e942c7b12a /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:322:9
    #39 0x7f0204affa8e in std::panicking::try::do_call::h996de839d85ee28b /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:381:40
    #40 0x7f0204affa8e in std::panicking::try::ha774027eb742719d /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:345:19
    #41 0x7f0204affa8e in std::panic::catch_unwind::he0ca7fffd4bf8936 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:396:14
    #42 0x7f0204affa8e in rayon_core::unwind::halt_unwinding::ha3ad353aa58b89f1 /gecko/third_party/rust/rayon-core/src/unwind.rs:17:5
    #43 0x7f0204affa8e in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::h93e18a5bfcf0f47b /gecko/third_party/rust/rayon-core/src/join/mod.rs:141:24
    #44 0x7f0204afdf0b in rayon_core::registry::in_worker::h4e0582c1e7b825ec /gecko/third_party/rust/rayon-core/src/registry.rs:879:13
    #45 0x7f0204afdf0b in rayon_core::join::join_context::h25152c906481c6c8 /gecko/third_party/rust/rayon-core/src/join/mod.rs:132:5
    #46 0x7f0204afdf0b in rayon::iter::plumbing::bridge_producer_consumer::helper::hffbf3798f82b15d3 /gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:416:47
    #47 0x7f0204affa8e in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::hc6f8ed9018b2aeaf /gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:418:21
    #48 0x7f0204affa8e in rayon_core::join::join_context::call_a::_$u7b$$u7b$closure$u7d$$u7d$::he699529ca2739774 /gecko/third_party/rust/rayon-core/src/join/mod.rs:124:17
    #49 0x7f0204affa8e in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h2cb9f4e942c7b12a /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:322:9
    #50 0x7f0204affa8e in std::panicking::try::do_call::h996de839d85ee28b /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:381:40
    #51 0x7f0204affa8e in std::panicking::try::ha774027eb742719d /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:345:19
    #52 0x7f0204affa8e in std::panic::catch_unwind::he0ca7fffd4bf8936 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:396:14
    #53 0x7f0204affa8e in rayon_core::unwind::halt_unwinding::ha3ad353aa58b89f1 /gecko/third_party/rust/rayon-core/src/unwind.rs:17:5
    #54 0x7f0204affa8e in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::h93e18a5bfcf0f47b /gecko/third_party/rust/rayon-core/src/join/mod.rs:141:24
    #55 0x7f0204afdf0b in rayon_core::registry::in_worker::h4e0582c1e7b825ec /gecko/third_party/rust/rayon-core/src/registry.rs:879:13
    #56 0x7f0204afdf0b in rayon_core::join::join_context::h25152c906481c6c8 /gecko/third_party/rust/rayon-core/src/join/mod.rs:132:5
    #57 0x7f0204afdf0b in rayon::iter::plumbing::bridge_producer_consumer::helper::hffbf3798f82b15d3 /gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:416:47
    #58 0x7f0204b00967 in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::hbae1a4deb6e0c8b8 /gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:427:21
    #59 0x7f0204b00967 in rayon_core::join::join_context::call_b::_$u7b$$u7b$closure$u7d$$u7d$::h3ceecd3c3c2dae59 /gecko/third_party/rust/rayon-core/src/join/mod.rs:129:25
    #60 0x7f0204b00967 in _$LT$rayon_core..job..StackJob$LT$L$C$F$C$R$GT$$u20$as$u20$rayon_core..job..Job$GT$::execute::call::_$u7b$$u7b$closure$u7d$$u7d$::hbb76942cb8dc98d7 /gecko/third_party/rust/rayon-core/src/job.rs:113:21
    #61 0x7f0204b00967 in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h8bcdb40b617564ea /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:322:9
    #62 0x7f0204b00967 in std::panicking::try::do_call::h56b5c36c524d12e7 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:381:40
    #63 0x7f0204b00967 in std::panicking::try::hb8efff6857db3a06 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:345:19
    #64 0x7f0204b00967 in std::panic::catch_unwind::h259a6c14c4cba13e /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:396:14
    #65 0x7f0204b00967 in rayon_core::unwind::halt_unwinding::h232043ae0e93e1df /gecko/third_party/rust/rayon-core/src/unwind.rs:17:5
    #66 0x7f0204b00967 in _$LT$rayon_core..job..StackJob$LT$L$C$F$C$R$GT$$u20$as$u20$rayon_core..job..Job$GT$::execute::hd8997bb0ce1386fd /gecko/third_party/rust/rayon-core/src/job.rs:119:38
    #67 0x7f0202717f22 in rayon_core::job::JobRef::execute::h84ee64a107ae87f4 /gecko/third_party/rust/rayon-core/src/job.rs:59:9
    #68 0x7f0202717f22 in rayon_core::registry::WorkerThread::execute::h501e5788ff35db61 /gecko/third_party/rust/rayon-core/src/registry.rs:753:9
    #69 0x7f0202717f22 in rayon_core::registry::WorkerThread::wait_until_cold::h2fb7488a109d1a57 /gecko/third_party/rust/rayon-core/src/registry.rs:730:17
    #70 0x7f0202715aac in rayon_core::registry::WorkerThread::wait_until::hf3b852df50792538 /gecko/third_party/rust/rayon-core/src/registry.rs:704:13
    #71 0x7f0202715aac in rayon_core::registry::main_loop::hcbe8a830a7636ee7 /gecko/third_party/rust/rayon-core/src/registry.rs:837:5
    #72 0x7f0202715aac in rayon_core::registry::ThreadBuilder::run::h5f3bf6b0baf7fce1 /gecko/third_party/rust/rayon-core/src/registry.rs:56:18
    #73 0x7f0202713b08 in _$LT$rayon_core..registry..DefaultSpawn$u20$as$u20$rayon_core..registry..ThreadSpawn$GT$::spawn::_$u7b$$u7b$closure$u7d$$u7d$::h2ff7e410b6169672 /gecko/third_party/rust/rayon-core/src/registry.rs:101:20
    #74 0x7f0202713b08 in std::sys_common::backtrace::__rust_begin_short_backtrace::h6c192e4720b1c0ec /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:125:18
    #75 0x7f02027136b6 in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h112104375459f419 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:474:17
    #76 0x7f02027136b6 in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h050b89bc87d55ee9 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:322:9
    #77 0x7f02027136b6 in std::panicking::try::do_call::hb1c9c62553d93da2 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:381:40
    #78 0x7f02027136b6 in std::panicking::try::h3b38abeb6d02d5a0 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:345:19
    #79 0x7f02027136b6 in std::panic::catch_unwind::hf4ee6c3d569ac886 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:396:14
    #80 0x7f02027136b6 in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::h36781edff253ac03 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:473:30
    #81 0x7f02027136b6 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h15b7cc511154e052 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:227:5
    #82 0x7f0202c31564 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h9e7afb7a0a438236 /rustc/74f7e32f43b5fb0f83896d124566d8242eb786b1/library/alloc/src/boxed.rs:1307:9
    #83 0x7f0202c31564 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h70c646c4271337a1 /rustc/74f7e32f43b5fb0f83896d124566d8242eb786b1/library/alloc/src/boxed.rs:1307:9
    #84 0x7f0202c31564 in std::sys::unix::thread::Thread::new::thread_start::h35d2b8d36f210d02 /rustc/74f7e32f43b5fb0f83896d124566d8242eb786b1/library/std/src/sys/unix/thread.rs:71:17
    #85 0x7f021469f608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #86 0x7f0214268292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Comment 1

[Tyson Smith [:tsmith]]

Attachment: b5df533a4222f126a77c9c8688fdae3008c8e8d4.svg

Comment 2

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/J6HGoQ_-J8wt8xCObZobGA/index.html

Comment 3

[Jim Blandy :jimb]

[deleted]

Comment 4

[Jim Blandy :jimb]

[deleted]

Comment 5

[Jim Blandy :jimb]

Okay, now that I've got my ASAN build done properly, I can reproduce this in ef13365d8188 on Fedora 33.

Comment 6

[Jim Blandy :jimb]

And I can reproduce with the attached .mozconfig file on b64759becddf (m-c Tue Oct 5).

Comment 7

[Jim Blandy :jimb]

Attachment: .mozconfig file for ASAN build on Fedora 33

Comment 8

[Intermittent Failures Robot]

1 failures in 3030 pushes (0.0 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• try: 1

Platform and build breakdown:

• linux1804-64-asan-qr: 1
  • opt: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures/bugdetails?bug=1711602&startday=2021-11-01&endday=2021-11-07&tree=all

Comment 9

[Intermittent Failures Robot]

1 failures in 3281 pushes (0.0 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• try: 1

Platform and build breakdown:

• linux1804-64-asan-qr: 1
  • opt: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures/bugdetails?bug=1711602&startday=2022-02-14&endday=2022-02-20&tree=all

Comment 10

[Intermittent Failures Robot]

1 failures in 3885 pushes (0.0 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• autoland: 1

Platform and build breakdown:

• macosx1015-64-qr: 1
  • debug: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures/bugdetails?bug=1711602&startday=2023-06-05&endday=2023-06-11&tree=all

Comment 11

[Tyson Smith [:tsmith]]

There has been a sustained spike in reports of this issue from fuzzers since Aug 28 2023.

Comment 12

[Intermittent Failures Robot]

1 failures in 3599 pushes (0.0 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• try: 1

Platform and build breakdown:

• windows11-32-2009-qr: 1
  • debug: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures/bugdetails?bug=1711602&startday=2024-01-15&endday=2024-01-21&tree=all

Comment 13

[Intermittent Failures Robot]

3 failures in 4034 pushes (0.001 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• mozilla-beta: 2
• autoland: 1

Platform and build breakdown:

• windows11-32-2009-qr: 3
  • debug: 3

For more details, see:
https://treeherder.mozilla.org/intermittent-failures/bugdetails?bug=1711602&startday=2024-01-22&endday=2024-01-28&tree=all