Closed Bug 1711606 Opened 4 years ago Closed 3 years ago

Large allocation in [@ webrender::glyph_rasterizer::GlyphRasterizer::flush_glyph_requests]

Categories

(Core :: Graphics: WebRender, defect)

Product:
Core
Component:
Graphics: WebRender
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox90 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: testcase)

Attachments

(1 file)

testcase.html
287 bytes, text/html
Details
Attached file testcase.html

Found while fuzzing m-c 20210513-940a3ad12e3d (--enable-address-sanitizer --enable-fuzzing)

To help catch this issue ASAN_OPTIONS=max_allocation_size_mb=512 was used.

==15505==WARNING: AddressSanitizer failed to allocate 0x2025004e bytes
==15505==WARNING: AddressSanitizer failed to allocate 0x77b9fb60 bytes
=================================================================
==15505==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x557703e51a18 bp 0x7efcdb328b30 sp 0x7efcdb328b20 T43)
==15505==The signal is caused by a WRITE memory access.
==15505==Hint: address points to the zero page.
    #0 0x557703e51a18 in mozalloc_abort /gecko/memory/mozalloc/mozalloc_abort.cpp:33:3
    #1 0x557703e51baa in mozalloc_handle_oom(unsigned long) /gecko/memory/mozalloc/mozalloc_oom.cpp:51:3
==15505==WARNING: AddressSanitizer failed to allocate 0x77b9fb60 bytes
    #2 0x7efd8c4b7da6 in gkrust_shared::oom_hook::hook::hbd255e807e20b63b /gecko/toolkit/library/rust/shared/lib.rs:133:13
    #3 0x7efd8dcbc697 in rust_oom /rustc/74f7e32f43b5fb0f83896d124566d8242eb786b1/library/std/src/alloc.rs:330:5
    #4 0x7efd8b32c955 in __rg_oom /rustc/74f7e32f43b5fb0f83896d124566d8242eb786b1/library/alloc/src/alloc.rs:409:18
    #5 0x7efd8b2e8fc5 in __rust_alloc_error_handler (/home/worker/builds/m-c-20210513214800-fuzzing-asan-opt/libxul.so+0x128fcfc5)
    #6 0x7efd8b32c945 in alloc::alloc::handle_alloc_error::h1ec3a24ddd4da47f /rustc/74f7e32f43b5fb0f83896d124566d8242eb786b1/library/alloc/src/alloc.rs:363:9
    #7 0x7efd8f5ee0fc in webrender::glyph_rasterizer::GlyphRasterizer::flush_glyph_requests::_$u7b$$u7b$closure$u7d$$u7d$::hae49721948b30eda /gecko/gfx/wr/webrender/src/glyph_rasterizer/mod.rs
    #8 0x7efd8f5f442f in webrender::glyph_rasterizer::GlyphRasterizer::flush_glyph_requests::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h214fbedf8b49c876 /gecko/gfx/wr/webrender/src/glyph_rasterizer/mod.rs:211:43
    #9 0x7efd8f5f442f in core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnMut$LT$A$GT$$u20$for$u20$$RF$F$GT$::call_mut::h0ed4a0c9ab1e9806 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:247:13
    #10 0x7efd8f5f442f in core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnOnce$LT$A$GT$$u20$for$u20$$RF$mut$u20$F$GT$::call_once::ha3aa355bc7eaf609 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:280:13
    #11 0x7efd8f5f442f in core::option::Option$LT$T$GT$::map::hd3545b9bd3754aa4 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/option.rs:453:29
    #12 0x7efd8f5f442f in _$LT$core..iter..adapters..Map$LT$I$C$F$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::next::hfb170dadf68cc721 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/iter/adapters/mod.rs:924:9
    #13 0x7efd8f5f442f in rayon::iter::plumbing::Folder::consume_iter::haf6cb47df4305a40 /gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:178:21
    #14 0x7efd8f5f442f in _$LT$rayon..iter..map..MapFolder$LT$C$C$F$GT$$u20$as$u20$rayon..iter..plumbing..Folder$LT$T$GT$$GT$::consume_iter::h9910c0742b81a08c /gecko/third_party/rust/rayon/src/iter/map.rs:248:21
    #15 0x7efd8f5f442f in rayon::iter::plumbing::Producer::fold_with::h6c4d08a6e1023332 /gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:110:9
    #16 0x7efd8f5f442f in rayon::iter::plumbing::bridge_producer_consumer::helper::h1013e6183b8d632a /gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:438:13
    #17 0x7efd8f5f5c5a in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::h32874f7128b14abc /gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:418:21
    #18 0x7efd8f5f5c5a in rayon_core::join::join_context::call_a::_$u7b$$u7b$closure$u7d$$u7d$::h2049d3bca0d8b6a8 /gecko/third_party/rust/rayon-core/src/join/mod.rs:124:17
    #19 0x7efd8f5f5c5a in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h8efff32f15873c76 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:322:9
    #20 0x7efd8f5f5c5a in std::panicking::try::do_call::h0b283396b2ab83ec /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:381:40
    #21 0x7efd8f5f5c5a in std::panicking::try::h058defff0164634f /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:345:19
    #22 0x7efd8f5f5c5a in std::panic::catch_unwind::ha489ddda97a6c195 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:396:14
    #23 0x7efd8f5f5c5a in rayon_core::unwind::halt_unwinding::heaa5454cb20067c4 /gecko/third_party/rust/rayon-core/src/unwind.rs:17:5
    #24 0x7efd8f5f5c5a in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::hc69922b78dd6399f /gecko/third_party/rust/rayon-core/src/join/mod.rs:141:24
    #25 0x7efd8f5f493a in rayon_core::registry::in_worker::ha9cab65e5e291d8d /gecko/third_party/rust/rayon-core/src/registry.rs:879:13
    #26 0x7efd8f5f493a in rayon_core::join::join_context::ha70d455c5d15e479 /gecko/third_party/rust/rayon-core/src/join/mod.rs:132:5
    #27 0x7efd8f5f493a in rayon::iter::plumbing::bridge_producer_consumer::helper::h1013e6183b8d632a /gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:416:47
    #28 0x7efd8f5f5c5a in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::h32874f7128b14abc /gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:418:21
    #29 0x7efd8f5f5c5a in rayon_core::join::join_context::call_a::_$u7b$$u7b$closure$u7d$$u7d$::h2049d3bca0d8b6a8 /gecko/third_party/rust/rayon-core/src/join/mod.rs:124:17
    #30 0x7efd8f5f5c5a in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h8efff32f15873c76 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:322:9
    #31 0x7efd8f5f5c5a in std::panicking::try::do_call::h0b283396b2ab83ec /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:381:40
    #32 0x7efd8f5f5c5a in std::panicking::try::h058defff0164634f /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:345:19
    #33 0x7efd8f5f5c5a in std::panic::catch_unwind::ha489ddda97a6c195 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:396:14
    #34 0x7efd8f5f5c5a in rayon_core::unwind::halt_unwinding::heaa5454cb20067c4 /gecko/third_party/rust/rayon-core/src/unwind.rs:17:5
    #35 0x7efd8f5f5c5a in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::hc69922b78dd6399f /gecko/third_party/rust/rayon-core/src/join/mod.rs:141:24
    #36 0x7efd8f5f493a in rayon_core::registry::in_worker::ha9cab65e5e291d8d /gecko/third_party/rust/rayon-core/src/registry.rs:879:13
    #37 0x7efd8f5f493a in rayon_core::join::join_context::ha70d455c5d15e479 /gecko/third_party/rust/rayon-core/src/join/mod.rs:132:5
    #38 0x7efd8f5f493a in rayon::iter::plumbing::bridge_producer_consumer::helper::h1013e6183b8d632a /gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:416:47
    #39 0x7efd8f5f6926 in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::h951f03290a1eed13 /gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:427:21
    #40 0x7efd8f5f6926 in rayon_core::join::join_context::call_b::_$u7b$$u7b$closure$u7d$$u7d$::had7b05c040f7efd2 /gecko/third_party/rust/rayon-core/src/join/mod.rs:129:25
    #41 0x7efd8f5f6926 in _$LT$rayon_core..job..StackJob$LT$L$C$F$C$R$GT$$u20$as$u20$rayon_core..job..Job$GT$::execute::call::_$u7b$$u7b$closure$u7d$$u7d$::h6cb46e81e16bc5fa /gecko/third_party/rust/rayon-core/src/job.rs:113:21
    #42 0x7efd8f5f6926 in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h0a3d2616c421b9ba /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:322:9
    #43 0x7efd8f5f6926 in std::panicking::try::do_call::heccfbc4c187bbcc5 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:381:40
    #44 0x7efd8f5f6926 in std::panicking::try::hddd00e874ee8a5ec /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:345:19
    #45 0x7efd8f5f6926 in std::panic::catch_unwind::h68510f407df95890 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:396:14
    #46 0x7efd8f5f6926 in rayon_core::unwind::halt_unwinding::hde31e68ba39c221a /gecko/third_party/rust/rayon-core/src/unwind.rs:17:5
    #47 0x7efd8f5f6926 in _$LT$rayon_core..job..StackJob$LT$L$C$F$C$R$GT$$u20$as$u20$rayon_core..job..Job$GT$::execute::h0665d096ca02fbff /gecko/third_party/rust/rayon-core/src/job.rs:119:38
    #48 0x7efd8d7a68c2 in rayon_core::job::JobRef::execute::h84ee64a107ae87f4 /gecko/third_party/rust/rayon-core/src/job.rs:59:9
    #49 0x7efd8d7a68c2 in rayon_core::registry::WorkerThread::execute::h501e5788ff35db61 /gecko/third_party/rust/rayon-core/src/registry.rs:753:9
    #50 0x7efd8d7a68c2 in rayon_core::registry::WorkerThread::wait_until_cold::h2fb7488a109d1a57 /gecko/third_party/rust/rayon-core/src/registry.rs:730:17
    #51 0x7efd8d7a444c in rayon_core::registry::WorkerThread::wait_until::hf3b852df50792538 /gecko/third_party/rust/rayon-core/src/registry.rs:704:13
    #52 0x7efd8d7a444c in rayon_core::registry::main_loop::hcbe8a830a7636ee7 /gecko/third_party/rust/rayon-core/src/registry.rs:837:5
    #53 0x7efd8d7a444c in rayon_core::registry::ThreadBuilder::run::h5f3bf6b0baf7fce1 /gecko/third_party/rust/rayon-core/src/registry.rs:56:18
    #54 0x7efd8d7a24a8 in _$LT$rayon_core..registry..DefaultSpawn$u20$as$u20$rayon_core..registry..ThreadSpawn$GT$::spawn::_$u7b$$u7b$closure$u7d$$u7d$::h2ff7e410b6169672 /gecko/third_party/rust/rayon-core/src/registry.rs:101:20
    #55 0x7efd8d7a24a8 in std::sys_common::backtrace::__rust_begin_short_backtrace::h6c192e4720b1c0ec /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:125:18
    #56 0x7efd8d7a2056 in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h112104375459f419 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:474:17
    #57 0x7efd8d7a2056 in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h050b89bc87d55ee9 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:322:9
    #58 0x7efd8d7a2056 in std::panicking::try::do_call::hb1c9c62553d93da2 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:381:40
    #59 0x7efd8d7a2056 in std::panicking::try::h3b38abeb6d02d5a0 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:345:19
    #60 0x7efd8d7a2056 in std::panic::catch_unwind::hf4ee6c3d569ac886 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:396:14
    #61 0x7efd8d7a2056 in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::h36781edff253ac03 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:473:30
    #62 0x7efd8d7a2056 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h15b7cc511154e052 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:227:5
    #63 0x7efd8dcbff04 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h9e7afb7a0a438236 /rustc/74f7e32f43b5fb0f83896d124566d8242eb786b1/library/alloc/src/boxed.rs:1307:9
    #64 0x7efd8dcbff04 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h70c646c4271337a1 /rustc/74f7e32f43b5fb0f83896d124566d8242eb786b1/library/alloc/src/boxed.rs:1307:9
    #65 0x7efd8dcbff04 in std::sys::unix::thread::Thread::new::thread_start::h35d2b8d36f210d02 /rustc/74f7e32f43b5fb0f83896d124566d8242eb786b1/library/std/src/sys/unix/thread.rs:71:17
    #66 0x7efd9f728608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #67 0x7efd9f2f1292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?
Blocks: oom-fuzz

I am not able to reproduce this crash on x86_64 Fedora 33, either on recent M-C (Oct 5, b64759becddf) or on the 940a3ad12e3d (May 13) changeset mentioned in comment 0. I used the .mozconfig attached to bug 1711602.

Since the two other fuzz bugs from this time period (1711602, 171604) do reproduce, I'm inclined to say that we have enough actionable work from the fuzzer for the moment without chasing down more delicate failuresx, and close this. If you disagree, feel free to re-open.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: