1716829 - Large allocation [@ webrender::api_resources::ApiResources::update]

Status: RESOLVED WORKSFORME

(Core :: Graphics: WebRender, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20210615-206721f8064a (--enable-address-sanitizer --enable-fuzzing)

To help catch this issue ASAN_OPTIONS=max_allocation_size_mb=512 was used. See Bug 1715316 for details about fuzzing triggered OOMs.

==24766==WARNING: AddressSanitizer failed to allocate 0x38000000 bytes
=================================================================
==24766==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x55ee59933b48 bp 0x7f1bcbfcfef0 sp 0x7f1bcbfcfee0 T51)
==24766==The signal is caused by a WRITE memory access.
==24766==Hint: address points to the zero page.
    #0 0x55ee59933b48 in mozalloc_abort /gecko/memory/mozalloc/mozalloc_abort.cpp:33:3
    #1 0x55ee59933cdd in mozalloc_handle_oom(unsigned long) /gecko/memory/mozalloc/mozalloc_oom.cpp:51:3
    #2 0x7f1c739b6b06 in gkrust_shared::oom_hook::hook::hee77a579d18ff533 /gecko/toolkit/library/rust/shared/lib.rs:134:13
    #3 0x7f1c750b19fa in rust_oom (/home/worker/builds/m-c-20210615214502-fuzzing-asan-opt/libxul.so+0x156269fa)
    #4 0x7f1c728d1e48 in __rg_oom (/home/worker/builds/m-c-20210615214502-fuzzing-asan-opt/libxul.so+0x12e46e48)
    #5 0x7f1c74b925b5 in __rust_alloc_error_handler (/home/worker/builds/m-c-20210615214502-fuzzing-asan-opt/libxul.so+0x151075b5)
    #6 0x7f1c649d5698 in alloc::alloc::handle_alloc_error::he2e665afdbd07b0b (/home/worker/builds/m-c-20210615214502-fuzzing-asan-opt/libxul.so+0x4f4a698)
    #7 0x7f1c76bf168b in webrender::api_resources::ApiResources::update::h0f52ef270747c749 /gecko/gfx/wr/webrender/src/api_resources.rs
    #8 0x7f1c76bf168b in webrender::render_api::RenderApi::send_transaction::h2a14b39e06835dd8 /gecko/gfx/wr/webrender/src/render_api.rs:1242:9
    #9 0x7f1c76f3d98b in wr_api_send_transaction /gecko/gfx/webrender_bindings/src/bindings.rs:2138:5
    #10 0x7f1c6783eaec in mozilla::layers::WebRenderBridgeParent::SetDisplayList(mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float> const&, mozilla::ipc::ByteBuf&&, mozilla::wr::BuiltDisplayListDescriptor const&, nsTArray<mozilla::layers::OpUpdateResource> const&, nsTArray<mozilla::layers::RefCountedShmem> const&, nsTArray<mozilla::ipc::Shmem> const&, mozilla::TimeStamp const&, mozilla::wr::TransactionBuilder&, mozilla::wr::Epoch, bool) /gecko/gfx/layers/wr/WebRenderBridgeParent.cpp:1137:9
    #11 0x7f1c6783f5cc in mozilla::layers::WebRenderBridgeParent::ProcessDisplayListData(mozilla::layers::DisplayListData&, mozilla::wr::Epoch, mozilla::TimeStamp const&, bool, bool) /gecko/gfx/layers/wr/WebRenderBridgeParent.cpp:1170:8
    #12 0x7f1c678409d4 in mozilla::layers::WebRenderBridgeParent::RecvSetDisplayList(mozilla::layers::DisplayListData&&, nsTArray<mozilla::layers::OpDestroy>&&, unsigned long const&, mozilla::layers::BaseTransactionId<mozilla::layers::TransactionIdType> const&, bool const&, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, nsTString<char> const&, mozilla::TimeStamp const&, nsTArray<mozilla::layers::CompositionPayload>&&) /gecko/gfx/layers/wr/WebRenderBridgeParent.cpp:1218:8
    #13 0x7f1c66b801be in mozilla::layers::PWebRenderBridgeParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebRenderBridgeParent.cpp:403:28
    #14 0x7f1c663d0496 in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerParent.cpp:200:32
    #15 0x7f1c66194eea in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2171:25
    #16 0x7f1c66191618 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:2095:9
    #17 0x7f1c66192f75 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1940:3
    #18 0x7f1c66193adb in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1971:13
    #19 0x7f1c64f883da in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1156:16
    #20 0x7f1c64f929ec in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #21 0x7f1c6619df70 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:330:5
    #22 0x7f1c660a3b01 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #23 0x7f1c660a3b01 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #24 0x7f1c660a3b01 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #25 0x7f1c64f81e98 in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:398:10
    #26 0x7f1c829983fe in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #27 0x7f1c86ab8608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #28 0x7f1c86681292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /gecko/memory/mozalloc/mozalloc_abort.cpp:33:3 in mozalloc_abort
Thread T51 (Compositor) created by T0 here:
    #0 0x55ee598e3e6c in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:205:3
    #1 0x7f1c82988474 in _PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f1c8297994e in PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f1c64f8486a in nsThread::Init(nsTSubstring<char> const&) /gecko/xpcom/threads/nsThread.cpp:616:18
    #4 0x7f1c64f90496 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /gecko/xpcom/threads/nsThreadManager.cpp:574:12
    #5 0x7f1c64f9b5f1 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /gecko/xpcom/threads/nsThreadUtils.cpp:169:57
    #6 0x7f1c67bac499 in NS_NewNamedThread<11> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74:10
    #7 0x7f1c67bac499 in mozilla::layers::CompositorThreadHolder::CreateCompositorThread() /gecko/gfx/layers/ipc/CompositorThread.cpp:55:17
    #8 0x7f1c67baca56 in CompositorThreadHolder /gecko/gfx/layers/ipc/CompositorThread.cpp:39:25
    #9 0x7f1c67baca56 in mozilla::layers::CompositorThreadHolder::Start() /gecko/gfx/layers/ipc/CompositorThread.cpp:94:33
    #10 0x7f1c67c42908 in gfxPlatform::Init() /gecko/gfx/thebes/gfxPlatform.cpp:965:3
    #11 0x7f1c67c4136b in gfxPlatform::GetPlatform() /gecko/gfx/thebes/gfxPlatform.cpp:481:5
    #12 0x7f1c6c91d9cc in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /gecko/widget/GfxInfoBase.cpp:1851:25
    #13 0x7f1c64fd2e41 in NS_InvokeByIndex /gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
    #14 0x7f1c66fa6919 in Invoke /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1644:10
    #15 0x7f1c66fa6919 in Call /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1197:19
    #16 0x7f1c66fa6919 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1143:23
    #17 0x7f1c66fabeff in GetAttribute /gecko/js/xpconnect/src/xpcprivate.h:1460:12
    #18 0x7f1c66fabeff in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:962:10
    #19 0x7f1c70e23e32 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:426:13
    #20 0x7f1c70e23e32 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:511:12
    #21 0x7f1c70e25b6b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:588:8
    #22 0x7f1c70e26feb in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/Interpreter.cpp:713:10
    #23 0x7f1c71320dad in CallGetter /gecko/js/src/vm/NativeObject.cpp:2101:12
    #24 0x7f1c71320dad in GetExistingProperty<js::CanGC> /gecko/js/src/vm/NativeObject.cpp:2129:12
    #25 0x7f1c71320dad in NativeGetPropertyInline<js::CanGC> /gecko/js/src/vm/NativeObject.cpp:2274:14
    #26 0x7f1c71320dad in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/NativeObject.cpp:2305:10
    #27 0x7f1c70e123ec in GetProperty /gecko/js/src/vm/ObjectOperations-inl.h:116:10
    #28 0x7f1c70e123ec in GetObjectElementOperation /gecko/js/src/vm/Interpreter-inl.h:419:10
    #29 0x7f1c70e123ec in GetElementOperationWithStackIndex /gecko/js/src/vm/Interpreter-inl.h:505:10
    #30 0x7f1c70e123ec in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3058:12
    #31 0x7f1c70df5036 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:395:13
    #32 0x7f1c70e23f6b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:543:13
    #33 0x7f1c70e25b6b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:588:8
    #34 0x7f1c71693d00 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/jsapi.cpp:2722:10
    #35 0x7f1c66f98469 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:971:17
    #36 0x7f1c64fd47d2 in PrepareAndDispatch /gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
    #37 0x7f1c64fd355a in SharedStub (/home/worker/builds/m-c-20210615214502-fuzzing-asan-opt/libxul.so+0x554855a)
    #38 0x7f1c64f34a00 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /gecko/xpcom/components/nsCategoryManager.cpp:687:19
    #39 0x7f1c70be9787 in nsXREDirProvider::DoStartup() /gecko/toolkit/xre/nsXREDirProvider.cpp:982:11
    #40 0x7f1c70bc6544 in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:4988:18
    #41 0x7f1c70bc94be in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5437:8
    #42 0x7f1c70bca213 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5496:21
    #43 0x55ee5992e15a in do_main /gecko/browser/app/nsBrowserApp.cpp:224:22
    #44 0x55ee5992e15a in main /gecko/browser/app/nsBrowserApp.cpp:351:16
    #45 0x7f1c865860b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/5eByAvgI6s3khwCGmX21pA/index.html

Comment 2

[Jeff Muizelaar [:jrmuizel]]

This is caused by fallback of a large -webkit-background-clip: text

Comment 3

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
The bug appears to have been fixed in the following build range:

Start: 346e2204b8cb88896f3c9aaf9792508967f9bdd0 (20210719172340)
End: 0244529dcf99f9bb266e96c81531faca6cd1a3a2 (20210719202020)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=346e2204b8cb88896f3c9aaf9792508967f9bdd0&tochange=0244529dcf99f9bb266e96c81531faca6cd1a3a2
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 4

[Jeff Muizelaar [:jrmuizel]]

That's surprising. I would not have expected anything in that range to help.

Comment 5

[Jason Kratzer [:jkratzer]]

(In reply to Jeff Muizelaar [:jrmuizel] from comment #4)

That's surprising. I would not have expected anything in that range to help.

Bugmon is confused here. There was a pref change in bug 1720221 that caused it to believe the bug had been fixed. I'll reset the flags.

Comment 6

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210723093620-287995cabe8e.
The bug appears to have been introduced in the following build range:

Start: 8bee937821e3725b922352a0493f53b5e431c3d0 (20210524213758)
End: 38bfba07a1aca3de3dbf3183e16a9dca26c65c54 (20210525020049)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8bee937821e3725b922352a0493f53b5e431c3d0&tochange=38bfba07a1aca3de3dbf3183e16a9dca26c65c54

Comment 7

[Tyson Smith [:tsmith]]

To help us direct our efforts accordingly can you please help categorize the impact of this fix. For example is this likely to benefit end users (improve performance, avoid OOM, etc) or only unblock testing/fuzzing? Thank you!

Comment 8

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210615214502-206721f8064a) but not with tip (mozilla-central 20220325214737-2b624fdb002e.)
The bug appears to have been fixed in the following build range:

Start: 10178bda5cdd23c669578c163c350adf728a08a8 (20220323040913)
End: 0ab8d1869fbfc43f80fe8c5f4d00fed88845d2e6 (20220323034111)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=10178bda5cdd23c669578c163c350adf728a08a8&tochange=0ab8d1869fbfc43f80fe8c5f4d00fed88845d2e6
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 9

[Tyson Smith [:tsmith]]

The attached test case no longer reproduces the issue.