Hit MOZ_CRASH(attempt to subtract with overflow) at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/core/src/ops/arith.rs:213
Categories: Core :: Graphics: WebRender, defect
People: Reporter: jkratzer, Assigned: gw
References: Blocks 2 open bugs, Regression
Details: Keywords: crash, regression, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments: 2 files
Testcase found while fuzzing mozilla-central rev b50ef8e31c4c (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build b50ef8e31c4c --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Hit MOZ_CRASH(attempt to subtract with overflow) at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/core/src/ops/arith.rs:213
==2734781==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa99803e815 bp 0x7fa97aadaaa0 sp 0x7fa97aadaa90 T2734967)
==2734781==The signal is caused by a WRITE memory access.
==2734781==Hint: address points to the zero page.
#0 0x7fa99803e815 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:256:3
#1 0x7fa99803e815 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
#2 0x7fa99803e794 in mozglue_static::panic_hook::h216d5f09042d10ab /mozglue/static/rust/lib.rs:91:9
#3 0x7fa99803e20b in core::ops::function::Fn::call::h7b33fc64ef50c9e0 /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/core/src/ops/function.rs:70:5
#4 0x7fa998e046e8 in std::panicking::rust_panic_with_hook::h67c812a4fe9d4c91 /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/panicking.rs:626:17
#5 0x7fa998e04166 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h33f9c1b96af300d7 /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/panicking.rs:517:13
#6 0x7fa998e0063b in std::sys_common::backtrace::__rust_end_short_backtrace::h51bae64be5921f0e /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/sys_common/backtrace.rs:141:18
#7 0x7fa998e040f8 in rust_begin_unwind /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/panicking.rs:515:5
#8 0x7fa98efc6ce0 in core::panicking::panic_fmt::h12a3a3c256485fca /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/core/src/panicking.rs:92:14
#9 0x7fa98efc6c2c in core::panicking::panic::h344f23ad26057b48 /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/core/src/panicking.rs:50:5
#10 0x7fa997969e59 in webrender::device::gl::DrawTarget::to_framebuffer_rect::h652bd800ebc64b3a /gfx/wr/webrender/src/device/gl.rs
#11 0x7fa997a85c8a in webrender::renderer::Renderer::composite_simple::h67b692d6199e9a63 /gfx/wr/webrender/src/renderer/mod.rs:3388:51
#12 0x7fa997a85c8a in webrender::renderer::Renderer::composite_frame::hd94c8431410a6290 /gfx/wr/webrender/src/renderer/mod.rs:4766:21
#13 0x7fa997a85c8a in webrender::renderer::Renderer::draw_frame::ha3ee5e227aad59be /gfx/wr/webrender/src/renderer/mod.rs:4695:9
#14 0x7fa997a66b60 in webrender::renderer::Renderer::render_impl::ha8d9b41c34de39b0 /gfx/wr/webrender/src/renderer/mod.rs:1966:17
#15 0x7fa997a65029 in webrender::renderer::Renderer::render::h3e04e63bf849cb6a /gfx/wr/webrender/src/renderer/mod.rs:1708:30
#16 0x7fa9977c63a7 in wr_renderer_render /gfx/webrender_bindings/src/bindings.rs:622:11
#17 0x7fa990b79d7f in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /gfx/webrender_bindings/RendererOGL.cpp:186:8
#18 0x7fa990b78caa in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /gfx/webrender_bindings/RenderThread.cpp:501:31
#19 0x7fa990b78506 in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /gfx/webrender_bindings/RenderThread.cpp:355:3
#20 0x7fa990b834fe in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
#21 0x7fa990b834fe in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
#22 0x7fa990b834fe in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
#23 0x7fa98f1cda18 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1142:16
#24 0x7fa98f1d469a in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:466:10
#25 0x7fa98fc2f684 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:330:5
#26 0x7fa98fb4e937 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
#27 0x7fa98fb4e842 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
#28 0x7fa98fb4e842 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
#29 0x7fa98f1c9edf in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:390:10
#30 0x7fa9a4172957 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
#31 0x7fa9a4ee6608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
#32 0x7fa9a4aae292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:256:3 in MOZ_Crash
==2734781==ABORTING
Comment 1•3 years ago (Reporter)
Comment 2•3 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210914143556-ae68c3ee95d6.
The bug appears to have been introduced in the following build range:
Start: 1af009ce08e3cb60bd6ce23b03afd84366997e2d (20210426044314)
End: f3da10259fe1d53df200609e2f48b3d9f689f27a (20210426074305)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=1af009ce08e3cb60bd6ce23b03afd84366997e2d&tochange=f3da10259fe1d53df200609e2f48b3d9f689f27a
Comment 3•3 years ago
Comment 4•3 years ago
The severity field is not set for this bug.
:jgilbert, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 5•3 years ago
Still reproducible: bp-14fb6c04-c06a-48f1-b22d-b11f40211011
(Bugmon [:jkratzer for issues] from comment #2)
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210914143556-ae68c3ee95d6.
The bug appears to have been introduced in the following build range:
Start: 1af009ce08e3cb60bd6ce23b03afd84366997e2d (20210426044314)
End: f3da10259fe1d53df200609e2f48b3d9f689f27a (20210426074305)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=1af009ce08e3cb60bd6ce23b03afd84366997e2d&tochange=f3da10259fe1d53df200609e2f48b3d9f689f27a
likely
86a1362f15e66f65e582fccae00fc127f2b4e162 Hiroyuki Ikezoe — Bug 1705280 - Allow overscroll handoff to the root content APZC on pan gestures even if the root APZC is not scrollable to the given input directions. r=botond
Comment 6•3 years ago
Debian Testing, Gnome Xwayland, Intel Macbook Pro
I got a different result than the bot:
mozregression --good 2021-01-01 --bad 2021-10-10 --pref gfx.webrender.all:true -a https://bugzilla.mozilla.org/attachment.cgi?id=9241128 -P stdout
8:01.10 INFO: Last good revision: 48d477ba4f9e332c47aaed2de90264d3c8173d41
8:01.10 INFO: First bad revision: 735ba5802dabbe739a1f6ede60ec052bd17a5008
8:01.10 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=48d477ba4f9e332c47aaed2de90264d3c8173d41&tochange=735ba5802dabbe739a1f6ede60ec052bd17a5008
735ba5802dabbe739a1f6ede60ec052bd17a5008 Glenn Watson — Bug 1655639 - Add support for transforms in the Draw compositor r=nical
Comment 7•3 years ago (Assignee)
Pushed by gwatson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/95eeb31a4edd Fix panic when casting large value to i32 rect r=gfx-reviewers,bradwerth
Comment 10•3 years ago
Backed out changeset 95eeb31a4edd (Bug 1730695) for causing crashtest failures on 1730695.html.
Comment 11•3 years ago (Assignee)
It looks like this patch fixes the initial fuzzing panic, but it then panics inside the sw-wr compositor. Any ideas, Lee, what might cause this?
[task 2021-10-11T23:57:44.637Z] 23:57:44 INFO - Hit MOZ_CRASH(called `Option::unwrap()` on a `None` value) at /builds/worker/checkouts/gecko/third_party/rust/euclid/src/point.rs:418
[task 2021-10-11T23:57:44.638Z] 23:57:44 INFO - #01: RustMozCrash [mozglue/static/rust/wrappers.cpp:18]
[task 2021-10-11T23:57:44.638Z] 23:57:44 INFO - #02: mozglue_static::panic_hook::h89763f795d6ff345 [/opt/worker/tasks/task_163399569831752/build/application/Firefox NightlyDebug.app/Contents/MacOS/XUL + 0x77dcbb3]
[task 2021-10-11T23:57:44.639Z] 23:57:44 INFO - #03: core::ops::function::Fn::call::hfa6ee2c5f0a9ea58 [/opt/worker/tasks/task_163399569831752/build/application/Firefox NightlyDebug.app/Contents/MacOS/XUL + 0x77dc83c]
[task 2021-10-11T23:57:44.639Z] 23:57:44 INFO - #04: std::panicking::rust_panic_with_hook [git:github.com/rust-lang/rust:library/std/src/panicking.rs:c8dfcfe046a7680554bf4eb612bad840e7631c4b:629]
[task 2021-10-11T23:57:44.640Z] 23:57:44 INFO - #05: std::panicking::begin_panic_handler::{{closure}} [git:github.com/rust-lang/rust:library/std/src/panicking.rs:c8dfcfe046a7680554bf4eb612bad840e7631c4b:519]
[task 2021-10-11T23:57:44.641Z] 23:57:44 INFO - #06: std::sys_common::backtrace::__rust_end_short_backtrace::h86522c151a195ff9 [/opt/worker/tasks/task_163399569831752/build/application/Firefox NightlyDebug.app/Contents/MacOS/XUL + 0x80b2e28]
[task 2021-10-11T23:57:44.641Z] 23:57:44 INFO - #07: rust_begin_unwind [/opt/worker/tasks/task_163399569831752/build/application/Firefox NightlyDebug.app/Contents/MacOS/XUL + 0x80b67ca]
[task 2021-10-11T23:57:44.642Z] 23:57:44 INFO - #08: core::panicking::panic_fmt::h8ab5bf5f27d0a26a [/opt/worker/tasks/task_163399569831752/build/application/Firefox NightlyDebug.app/Contents/MacOS/XUL + 0x821495f]
[task 2021-10-11T23:57:44.643Z] 23:57:44 INFO - #09: core::panicking::panic::h2c89bafc52ad2c2f [/opt/worker/tasks/task_163399569831752/build/application/Firefox NightlyDebug.app/Contents/MacOS/XUL + 0x82148b7]
[task 2021-10-11T23:57:44.643Z] 23:57:44 INFO - #10: <webrender::compositor::sw_compositor::SwCompositor as webrender::composite::Compositor>::start_compositing [gfx/wr/webrender/src/compositor/sw_compositor.rs:1422]
[task 2021-10-11T23:57:44.644Z] 23:57:44 INFO - #11: webrender::renderer::Renderer::draw_frame [gfx/wr/webrender/src/renderer/mod.rs:4588]
[task 2021-10-11T23:57:44.644Z] 23:57:44 INFO - #12: webrender::renderer::Renderer::render_impl [gfx/wr/webrender/src/renderer/mod.rs:2009]
[task 2021-10-11T23:57:44.645Z] 23:57:44 INFO - #13: webrender::renderer::Renderer::render [gfx/wr/webrender/src/renderer/mod.rs:1723]
[task 2021-10-11T23:57:44.646Z] 23:57:44 INFO - #14: wr_renderer_render [gfx/webrender_bindings/src/bindings.rs:623]
[task 2021-10-11T23:57:44.647Z] 23:57:44 INFO - #15: mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) [gfx/webrender_bindings/RendererOGL.cpp:186]
[task 2021-10-11T23:57:44.648Z] 23:57:44 INFO - #16: mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) [gfx/webrender_bindings/RenderThread.cpp:501]
[task 2021-10-11T23:57:44.648Z] 23:57:44 INFO - #17: mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) [gfx/webrender_bindings/RenderThread.cpp:355]
[task 2021-10-11T23:57:44.649Z] 23:57:44 INFO - #18: mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() [xpcom/threads/nsThreadUtils.h:1203]
[task 2021-10-11T23:57:44.649Z] 23:57:44 INFO - #19: nsThread::ProcessNextEvent(bool, bool*) [xpcom/threads/nsThread.cpp:1145]
Comment 12•3 years ago
There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:gw, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 13•3 years ago (Assignee)
The patch is good, but the test case then shows up a subsequent unrelated panic somewhere inside the swgl compositor code, so it's waiting on Lee to take a look at that before we can land this.
Comment 14•3 years ago
Discussed some changes with Glenn to make this pass...
Comment 15•3 years ago
The severity field is not set for this bug.
:jimm, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 16•3 years ago
Pushed by gwatson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6d98d185a076 Fix panic when casting large value to i32 rect r=gfx-reviewers,bradwerth,nical,lsalzman
Comment 17•3 years ago (bugherder)
Comment 18•3 years ago
Bugmon Analysis
Bug marked as FIXED but still reproduces on mozilla-central 20211105093421-7e8e3747c3f8.
Comment 19•3 years ago
Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210913213224-b50ef8e31c4c) but not with tip (mozilla-central 20211112213406-d2b5e7cc2dbb).
The bug appears to have been fixed in the following build range:
Start: 7e8e3747c3f81e844e17ae8d645dd6091bafcae7 (20211105053623)
End: 7e8e3747c3f81e844e17ae8d645dd6091bafcae7 (20211105093421)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=7e8e3747c3f81e844e17ae8d645dd6091bafcae7&tochange=7e8e3747c3f81e844e17ae8d645dd6091bafcae7
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 20•2 years ago
This appears to be fixed in 96 but we are still seeing some crashes. Can you take a look? Do we want to track this here or in a new bug?
Comment 21•2 years ago (Assignee)
I think this is because fixing this bug meant that it showed up in some other code that ran after this panic was fixed. That subsequently was fixed in https://bugzilla.mozilla.org/show_bug.cgi?id=1739567 which (perhaps?) didn't make it into 96? So I think this is fixed in 97, according to the crash data and can be closed?
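The two panics in this thread, as an added illustration that is not WebRender's or euclid's code: a float rect with very large coordinates either fails a euclid-style `cast()` (a `None` gets unwrapped) or passes the per-coordinate cast and then overflows the subtraction that derives width, height or the flipped y origin, which is the `attempt to subtract with overflow` in a debug build. The clamped variant is a hypothetical hardening; `DeviceIntRect`, `ConvertError` and the bound `MAX_COORD` are assumed names, not identifiers from the fix.

```rust
// Added example, not WebRender's or euclid's code. Names and MAX_COORD are hypothetical.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct DeviceIntRect { pub x: i32, pub y: i32, pub w: i32, pub h: i32 }

#[derive(Debug, PartialEq, Eq)]
pub enum ConvertError {
    /// Like euclid's `cast()`: NumCast::from returns None for a NaN or
    /// out-of-i32-range float, and `cast()` unwraps that None.
    CastFailed,
    /// Like `attempt to subtract with overflow`: every coordinate fits in
    /// i32, but the width/height/y-flip subtraction overflows (debug panic).
    SubtractOverflow,
}

/// f32 -> i32 with the same accept/reject contract as NumCast for f32.
fn cast_i32(v: f32) -> Result<i32, ConvertError> {
    if v.is_nan() || v < -2_147_483_648.0 || v >= 2_147_483_648.0 {
        return Err(ConvertError::CastFailed);
    }
    Ok(v as i32)
}

/// Naive conversion: cast first, do the arithmetic afterwards. Overflow is
/// returned as an error here instead of panicking so it can be observed.
pub fn naive_to_framebuffer_rect(
    x0: f32, y0: f32, x1: f32, y1: f32, fb_height: i32,
) -> Result<DeviceIntRect, ConvertError> {
    let (x0, y0, x1, y1) = (cast_i32(x0)?, cast_i32(y0)?, cast_i32(x1)?, cast_i32(y1)?);
    let sub = |a: i32, b: i32| a.checked_sub(b).ok_or(ConvertError::SubtractOverflow);
    Ok(DeviceIntRect {
        x: x0,
        y: sub(fb_height, y1)?, // flip to a bottom-left framebuffer origin
        w: sub(x1, x0)?,
        h: sub(y1, y0)?,
    })
}

/// Hypothetical bound, far below i32::MAX / 2, so no difference of two
/// clamped coordinates can overflow; anything beyond it is off-screen anyway.
pub const MAX_COORD: f32 = 1.0e7;

/// Hardened conversion: clamp each coordinate into [-MAX_COORD, MAX_COORD]
/// before casting (NaN becomes 0), then the integer arithmetic cannot overflow.
pub fn clamped_to_framebuffer_rect(
    x0: f32, y0: f32, x1: f32, y1: f32, fb_height: i32,
) -> DeviceIntRect {
    let c = |v: f32| if v.is_nan() { 0 } else { v.clamp(-MAX_COORD, MAX_COORD) as i32 };
    let (x0, y0, x1, y1) = (c(x0), c(y0), c(x1), c(y1));
    DeviceIntRect { x: x0, y: fb_height - y1, w: x1 - x0, h: y1 - y0 }
}
```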