1730695 - Hit MOZ_CRASH(attempt to subtract with overflow) at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/core/src/ops/arith.rs:213

Status: RESOLVED FIXED

(Core :: Graphics: WebRender, defect)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev b50ef8e31c4c (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build b50ef8e31c4c --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(attempt to subtract with overflow) at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/core/src/ops/arith.rs:213

    ==2734781==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa99803e815 bp 0x7fa97aadaaa0 sp 0x7fa97aadaa90 T2734967)
    ==2734781==The signal is caused by a WRITE memory access.
    ==2734781==Hint: address points to the zero page.
        #0 0x7fa99803e815 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:256:3
        #1 0x7fa99803e815 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
        #2 0x7fa99803e794 in mozglue_static::panic_hook::h216d5f09042d10ab /mozglue/static/rust/lib.rs:91:9
        #3 0x7fa99803e20b in core::ops::function::Fn::call::h7b33fc64ef50c9e0 /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/core/src/ops/function.rs:70:5
        #4 0x7fa998e046e8 in std::panicking::rust_panic_with_hook::h67c812a4fe9d4c91 /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/panicking.rs:626:17
        #5 0x7fa998e04166 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h33f9c1b96af300d7 /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/panicking.rs:517:13
        #6 0x7fa998e0063b in std::sys_common::backtrace::__rust_end_short_backtrace::h51bae64be5921f0e /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/sys_common/backtrace.rs:141:18
        #7 0x7fa998e040f8 in rust_begin_unwind /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/panicking.rs:515:5
        #8 0x7fa98efc6ce0 in core::panicking::panic_fmt::h12a3a3c256485fca /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/core/src/panicking.rs:92:14
        #9 0x7fa98efc6c2c in core::panicking::panic::h344f23ad26057b48 /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/core/src/panicking.rs:50:5
        #10 0x7fa997969e59 in webrender::device::gl::DrawTarget::to_framebuffer_rect::h652bd800ebc64b3a /gfx/wr/webrender/src/device/gl.rs
        #11 0x7fa997a85c8a in webrender::renderer::Renderer::composite_simple::h67b692d6199e9a63 /gfx/wr/webrender/src/renderer/mod.rs:3388:51
        #12 0x7fa997a85c8a in webrender::renderer::Renderer::composite_frame::hd94c8431410a6290 /gfx/wr/webrender/src/renderer/mod.rs:4766:21
        #13 0x7fa997a85c8a in webrender::renderer::Renderer::draw_frame::ha3ee5e227aad59be /gfx/wr/webrender/src/renderer/mod.rs:4695:9
        #14 0x7fa997a66b60 in webrender::renderer::Renderer::render_impl::ha8d9b41c34de39b0 /gfx/wr/webrender/src/renderer/mod.rs:1966:17
        #15 0x7fa997a65029 in webrender::renderer::Renderer::render::h3e04e63bf849cb6a /gfx/wr/webrender/src/renderer/mod.rs:1708:30
        #16 0x7fa9977c63a7 in wr_renderer_render /gfx/webrender_bindings/src/bindings.rs:622:11
        #17 0x7fa990b79d7f in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /gfx/webrender_bindings/RendererOGL.cpp:186:8
        #18 0x7fa990b78caa in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /gfx/webrender_bindings/RenderThread.cpp:501:31
        #19 0x7fa990b78506 in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /gfx/webrender_bindings/RenderThread.cpp:355:3
        #20 0x7fa990b834fe in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
        #21 0x7fa990b834fe in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
        #22 0x7fa990b834fe in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
        #23 0x7fa98f1cda18 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1142:16
        #24 0x7fa98f1d469a in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:466:10
        #25 0x7fa98fc2f684 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:330:5
        #26 0x7fa98fb4e937 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #27 0x7fa98fb4e842 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #28 0x7fa98fb4e842 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #29 0x7fa98f1c9edf in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:390:10
        #30 0x7fa9a4172957 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #31 0x7fa9a4ee6608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
        #32 0x7fa9a4aae292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:256:3 in MOZ_Crash
    ==2734781==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 2

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210914143556-ae68c3ee95d6.
The bug appears to have been introduced in the following build range:

Start: 1af009ce08e3cb60bd6ce23b03afd84366997e2d (20210426044314)
End: f3da10259fe1d53df200609e2f48b3d9f689f27a (20210426074305)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=1af009ce08e3cb60bd6ce23b03afd84366997e2d&tochange=f3da10259fe1d53df200609e2f48b3d9f689f27a

Comment 3

[Mayank Bansal]

got a crash : https://crash-stats.mozilla.org/report/index/ce288e7d-0df7-482c-a555-c77380210914#tab-bugzilla

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:jgilbert, could you have a look please?

For more information, please visit auto_nag documentation.

Comment 5

[Darkspirit]

Still reproducible: bp-14fb6c04-c06a-48f1-b22d-b11f40211011

(Bugmon [:jkratzer for issues] from comment #2)

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210914143556-ae68c3ee95d6.
The bug appears to have been introduced in the following build range:

Start: 1af009ce08e3cb60bd6ce23b03afd84366997e2d (20210426044314)
End: f3da10259fe1d53df200609e2f48b3d9f689f27a (20210426074305)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=1af009ce08e3cb60bd6ce23b03afd84366997e2d&tochange=f3da10259fe1d53df200609e2f48b3d9f689f27a

likely

86a1362f15e66f65e582fccae00fc127f2b4e162 Hiroyuki Ikezoe — Bug 1705280 - Allow overscroll handoff to the root content APZC on pan gestures even if the root APZC is not scrollable to the given input directions. r=botond

Comment 6

[Darkspirit]

Debian Testing, Gnome Xwayland, Intel Macbook Pro
I got a different result than the bot:
mozregression --good 2021-01-01 --bad 2021-10-10 --pref gfx.webrender.all:true -a https://bugzilla.mozilla.org/attachment.cgi?id=9241128 -P stdout

8:01.10 INFO: Last good revision: 48d477ba4f9e332c47aaed2de90264d3c8173d41
8:01.10 INFO: First bad revision: 735ba5802dabbe739a1f6ede60ec052bd17a5008
8:01.10 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=48d477ba4f9e332c47aaed2de90264d3c8173d41&tochange=735ba5802dabbe739a1f6ede60ec052bd17a5008

735ba5802dabbe739a1f6ede60ec052bd17a5008 Glenn Watson — Bug 1655639 - Add support for transforms in the Draw compositor r=nical

Comment 7

[Glenn Watson [:gw]]

Attachment: Bug 1730695 - Fix panic when casting large value to i32 rect

Comment 8

[Glenn Watson [:gw]]

Attached a patch + crash test for this.

Comment 9

[Pulsebot]

Pushed by gwatson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/95eeb31a4edd
Fix panic when casting large value to i32 rect r=gfx-reviewers,bradwerth

Comment 10

[Marian-Vasile Laza]

Backed out changeset 95eeb31a4edd (Bug 1730695) for causing crashtest failures on 1730695.html.
Backout link
Push with failures - C
Failure Log

Comment 11

[Glenn Watson [:gw]]

It looks like this patch fixes the initial fuzzing panic, but it then panics inside sw-wr compositor. Any ideas Lee what might cause this?

[task 2021-10-11T23:57:44.637Z] 23:57:44     INFO - Hit MOZ_CRASH(called `Option::unwrap()` on a `None` value) at /builds/worker/checkouts/gecko/third_party/rust/euclid/src/point.rs:418
[task 2021-10-11T23:57:44.638Z] 23:57:44     INFO - #01: RustMozCrash [mozglue/static/rust/wrappers.cpp:18]
[task 2021-10-11T23:57:44.638Z] 23:57:44     INFO - #02: mozglue_static::panic_hook::h89763f795d6ff345 [/opt/worker/tasks/task_163399569831752/build/application/Firefox NightlyDebug.app/Contents/MacOS/XUL + 0x77dcbb3]
[task 2021-10-11T23:57:44.639Z] 23:57:44     INFO - #03: core::ops::function::Fn::call::hfa6ee2c5f0a9ea58 [/opt/worker/tasks/task_163399569831752/build/application/Firefox NightlyDebug.app/Contents/MacOS/XUL + 0x77dc83c]
[task 2021-10-11T23:57:44.639Z] 23:57:44     INFO - #04: std::panicking::rust_panic_with_hook [git:github.com/rust-lang/rust:library/std/src/panicking.rs:c8dfcfe046a7680554bf4eb612bad840e7631c4b:629]
[task 2021-10-11T23:57:44.640Z] 23:57:44     INFO - #05: std::panicking::begin_panic_handler::{{closure}} [git:github.com/rust-lang/rust:library/std/src/panicking.rs:c8dfcfe046a7680554bf4eb612bad840e7631c4b:519]
[task 2021-10-11T23:57:44.641Z] 23:57:44     INFO - #06: std::sys_common::backtrace::__rust_end_short_backtrace::h86522c151a195ff9 [/opt/worker/tasks/task_163399569831752/build/application/Firefox NightlyDebug.app/Contents/MacOS/XUL + 0x80b2e28]
[task 2021-10-11T23:57:44.641Z] 23:57:44     INFO - #07: rust_begin_unwind [/opt/worker/tasks/task_163399569831752/build/application/Firefox NightlyDebug.app/Contents/MacOS/XUL + 0x80b67ca]
[task 2021-10-11T23:57:44.642Z] 23:57:44     INFO - #08: core::panicking::panic_fmt::h8ab5bf5f27d0a26a [/opt/worker/tasks/task_163399569831752/build/application/Firefox NightlyDebug.app/Contents/MacOS/XUL + 0x821495f]
[task 2021-10-11T23:57:44.643Z] 23:57:44     INFO - #09: core::panicking::panic::h2c89bafc52ad2c2f [/opt/worker/tasks/task_163399569831752/build/application/Firefox NightlyDebug.app/Contents/MacOS/XUL + 0x82148b7]
[task 2021-10-11T23:57:44.643Z] 23:57:44     INFO - #10: <webrender::compositor::sw_compositor::SwCompositor as webrender::composite::Compositor>::start_compositing [gfx/wr/webrender/src/compositor/sw_compositor.rs:1422]
[task 2021-10-11T23:57:44.644Z] 23:57:44     INFO - #11: webrender::renderer::Renderer::draw_frame [gfx/wr/webrender/src/renderer/mod.rs:4588]
[task 2021-10-11T23:57:44.644Z] 23:57:44     INFO - #12: webrender::renderer::Renderer::render_impl [gfx/wr/webrender/src/renderer/mod.rs:2009]
[task 2021-10-11T23:57:44.645Z] 23:57:44     INFO - #13: webrender::renderer::Renderer::render [gfx/wr/webrender/src/renderer/mod.rs:1723]
[task 2021-10-11T23:57:44.646Z] 23:57:44     INFO - #14: wr_renderer_render [gfx/webrender_bindings/src/bindings.rs:623]
[task 2021-10-11T23:57:44.647Z] 23:57:44     INFO - #15: mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) [gfx/webrender_bindings/RendererOGL.cpp:186]
[task 2021-10-11T23:57:44.648Z] 23:57:44     INFO - #16: mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) [gfx/webrender_bindings/RenderThread.cpp:501]
[task 2021-10-11T23:57:44.648Z] 23:57:44     INFO - #17: mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) [gfx/webrender_bindings/RenderThread.cpp:355]
[task 2021-10-11T23:57:44.649Z] 23:57:44     INFO - #18: mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() [xpcom/threads/nsThreadUtils.h:1203]
[task 2021-10-11T23:57:44.649Z] 23:57:44     INFO - #19: nsThread::ProcessNextEvent(bool, bool*) [xpcom/threads/nsThread.cpp:1145]

Comment 12

[BugBot [:suhaib / :marco/ :calixte]]

There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:gw, could you have a look please?
For more information, please visit auto_nag documentation.

Comment 13

[Glenn Watson [:gw]]

The patch is good, but the test case then shows up a subsequent unrelated panic somewhere inside the swgl compositor code, so it's waiting on Lee to take a look at that before we can land this.

Comment 14

[Lee Salzman [:lsalzman]]

Discussed some changes with Glenn to make this pass...

Comment 15

[BugBot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:jimm, could you have a look please?

For more information, please visit auto_nag documentation.

Comment 16

[Pulsebot]

Pushed by gwatson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6d98d185a076
Fix panic when casting large value to i32 rect r=gfx-reviewers,bradwerth,nical,lsalzman

Comment 17

[Cristian Tuns]

https://hg.mozilla.org/mozilla-central/rev/6d98d185a076

Comment 18

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Bug marked as FIXED but still reproduces on mozilla-central 20211105093421-7e8e3747c3f8.

Comment 19

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210913213224-b50ef8e31c4c) but not with tip (mozilla-central 20211112213406-d2b5e7cc2dbb.)
The bug appears to have been fixed in the following build range:

Start: 7e8e3747c3f81e844e17ae8d645dd6091bafcae7 (20211105053623)
End: 7e8e3747c3f81e844e17ae8d645dd6091bafcae7 (20211105093421)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=7e8e3747c3f81e844e17ae8d645dd6091bafcae7&tochange=7e8e3747c3f81e844e17ae8d645dd6091bafcae7
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 20

[Dianna Smith [:diannaS]]

This appears to be fixed in 96 but we are still seeing some crashes. Can you take a look? Do we want to track this here or in a new bug?

Comment 21

[Glenn Watson [:gw]]

I think this is because fixing this bug meant that it showed up in some other code that ran after this panic was fixed. That subsequently was fixed in https://bugzilla.mozilla.org/show_bug.cgi?id=1739567 which (perhaps?) didn't make it into 96? So I think this is fixed in 97, according to the crash data and can be closed?