Closed Bug 1746545 Opened 3 years ago Closed 3 years ago

Crash at [@ fill_n] gfx/wr/swgl/src/gl.cc:2114:3

Categories

(Core :: Graphics: WebRender, defect)

Firefox 89
defect

Tracking

()

RESOLVED FIXED
98 Branch
Tracking Status
firefox-esr91 97+ fixed
firefox96 --- wontfix
firefox97 + fixed
firefox98 + fixed

People

(Reporter: tsmith, Assigned: lsalzman)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-main97+r][sec-survey][adv-esr91.6+r])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20211212-ce23c0066bac (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --xvfb

This crash only seems to be reproducible on a fuzzing debug build (using Ubuntu 20.04). It does not reproduce using a no-opt fuzzing build (required for Pernosco).

==1177==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x7edeaa00ece0 (pc 0x7fd711ace8ca bp 0x7fd70108fb10 sp 0x7fd70108fb00 T1223)
==1177==The signal is caused by a WRITE memory access.
    #0 0x7fd711ace8ca in fill_n<unsigned int> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:2114:3
    #1 0x7fd711ace8ca in clear_row<unsigned int> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:2144:3
    #2 0x7fd711ace8ca in force_clear_row<unsigned int> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:2192:5
    #3 0x7fd711ace8ca in void prepare_row<unsigned int>(Texture&, int, int, int, bool, DepthRun*, unsigned int, DepthCursor*) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:728:7
    #4 0x7fd711acb2f8 in draw_perspective_spans<unsigned int> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1224:9
    #5 0x7fd711acb2f8 in draw_perspective_clipped(int, glsl::vec4_scalar*, glsl::vec3*, Texture&, Texture&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1432:5
    #6 0x7fd7119c8c7f in draw_perspective /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h
    #7 0x7fd7119c8c7f in draw_quad(int, Texture&, Texture&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1549:5
    #8 0x7fd7119c6a38 in draw_elements<unsigned short> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1645:5
    #9 0x7fd7119c6a38 in DrawElementsInstanced /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:2738:7
    #10 0x7fd711731e09 in _$LT$gleam..gl..ErrorReactingGl$LT$F$GT$$u20$as$u20$gleam..gl..Gl$GT$::draw_elements_instanced::h6671687b5c7dcf2d /builds/worker/checkouts/gecko/third_party/rust/gleam/src/gl.rs:98:26
    #11 0x7fd7117bca44 in webrender::device::gl::Device::draw_indexed_triangles_instanced_u16::hbad7fbb79a5b54df /builds/worker/checkouts/gecko/gfx/wr/webrender/src/device/gl.rs:3639:9
    #12 0x7fd711860878 in webrender::renderer::Renderer::draw_instanced_batch::h53e90fed6fca99a3 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2498:17
    #13 0x7fd711863606 in webrender::renderer::Renderer::draw_alpha_batch_container::h92feacd7d630866c /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2988:17
    #14 0x7fd71186d568 in webrender::renderer::Renderer::draw_picture_cache_target::h2c192280037f62fa /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2808:9
    #15 0x7fd71186d568 in webrender::renderer::Renderer::draw_frame::h8912f96c63330470 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:4701:21
    #16 0x7fd7118588a8 in webrender::renderer::Renderer::render_impl::h0be3a69be7085e2e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2002:17
    #17 0x7fd711857776 in webrender::renderer::Renderer::render::h08b689c8a6b4d645 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1724:30
    #18 0x7fd7116b7e00 in wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:622:11
    #19 0x7fd70a86d34f in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:185:8
    #20 0x7fd70a86c279 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:516:31
    #21 0x7fd70a86ba1b in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:368:3
    #22 0x7fd70a876a2e in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0UL, 1UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
    #23 0x7fd70a876a2e in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
    #24 0x7fd70a876a2e in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
    #25 0x7fd708e43a59 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1177:16
    #26 0x7fd708e4ac5a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10
    #27 0x7fd7098ebf54 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330:5
    #28 0x7fd70980a7a7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #29 0x7fd70980a6b2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #30 0x7fd70980a6b2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #31 0x7fd708e3f68b in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
    #32 0x7fd71d1a6997 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #33 0x7fd71df22608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #34 0x7fd71daea292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?

This test case can also produce a different crash. It is also only reproducible on a fuzzing debug build on Ubuntu 20.04 (maybe other distros?)

==21032==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x7f525c02d9c0 (pc 0x7f52cc9b4d39 bp 0x7f5260040b10 sp 0x7f5260040b00 T21089)
==21032==The signal is caused by a READ memory access.
    #0 0x7f52cc9b4d39 in void prepare_row<unsigned int>(Texture&, int, int, int, bool, DepthRun*, unsigned int, DepthCursor*) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:722:8
    #1 0x7f52cc9b1888 in draw_perspective_spans<unsigned int> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1224:9
    #2 0x7f52cc9b1888 in draw_perspective_clipped(int, glsl::vec4_scalar*, glsl::vec3*, Texture&, Texture&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1432:5
    #3 0x7f52cc8af20f in draw_perspective /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h
    #4 0x7f52cc8af20f in draw_quad(int, Texture&, Texture&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1549:5
    #5 0x7f52cc8ad00b in draw_elements<unsigned short> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1648:7
    #6 0x7f52cc8ad00b in DrawElementsInstanced /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:2738:7
    #7 0x7f52cc618239 in _$LT$gleam..gl..ErrorReactingGl$LT$F$GT$$u20$as$u20$gleam..gl..Gl$GT$::draw_elements_instanced::h6671687b5c7dcf2d /builds/worker/checkouts/gecko/third_party/rust/gleam/src/gl.rs:98:26
    #8 0x7f52cc6a2e74 in webrender::device::gl::Device::draw_indexed_triangles_instanced_u16::hbad7fbb79a5b54df /builds/worker/checkouts/gecko/gfx/wr/webrender/src/device/gl.rs:3639:9
    #9 0x7f52cc746e78 in webrender::renderer::Renderer::draw_instanced_batch::h53e90fed6fca99a3 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2498:17
    #10 0x7f52cc749c06 in webrender::renderer::Renderer::draw_alpha_batch_container::h92feacd7d630866c /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2988:17
    #11 0x7f52cc753b68 in webrender::renderer::Renderer::draw_picture_cache_target::h2c192280037f62fa /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2808:9
    #12 0x7f52cc753b68 in webrender::renderer::Renderer::draw_frame::h8912f96c63330470 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:4701:21
    #13 0x7f52cc73eea8 in webrender::renderer::Renderer::render_impl::h0be3a69be7085e2e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2002:17
    #14 0x7f52cc73dd76 in webrender::renderer::Renderer::render::h08b689c8a6b4d645 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1724:30
    #15 0x7f52cc59e230 in wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:622:11
    #16 0x7f52c574ccff in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:185:8
    #17 0x7f52c574bc29 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:516:31
    #18 0x7f52c574b3cb in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:368:3
    #19 0x7f52c57563de in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0UL, 1UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
    #20 0x7f52c57563de in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
    #21 0x7f52c57563de in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
    #22 0x7f52c3d1a209 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1177:16
    #23 0x7f52c3d2140a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10
    #24 0x7f52c47c23c4 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330:5
    #25 0x7f52c46e0a47 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #26 0x7f52c46e0952 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #27 0x7f52c46e0952 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #28 0x7f52c3d15e3b in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
    #29 0x7f52d80a7997 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #30 0x7f52d8e23608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #31 0x7f52d89eb292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bugmon Analysis
Unable to reproduce bug 1746545 using build mozilla-central 20211212093503-ce23c0066bac. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Keywords: sec-high

I can't seem to reproduce this in local builds, and the trace doesn't do much to indicate why this is happening. Can we please figure out how to get a pernosco session on this?

Flags: needinfo?(twsmith)

A Pernosco session is available here: https://pernos.co/debug/YaXAVOZ0V4MODH1FkzTJEw/index.html

Note this was created with a -O1 build because this testcase (or any others we have found) will not reproduce the issue with a -O0 build.

Flags: needinfo?(twsmith)
Flags: needinfo?(lsalzman)
Flags: needinfo?(lsalzman)
Assignee: nobody → lsalzman
Status: NEW → ASSIGNED

It looks like this was regressed by bug 1700717 which landed in version 89. The addition of -ffast-math causes our isfinite() checks to not trigger. We need to use -fno-finite-math-only in the build options to work around this.

Version: unspecified → Firefox 89

Tyson, this patch to build with -fno-finite-math-only seems to make your testcase pass, and also explains why with optimization disabled we might not see the issue. Can you verify this fixes it on your end?

Flags: needinfo?(twsmith)

Comment on attachment 9260787 [details]
Bug 1746545 - Use -fno-finite-math-only in SWGL. r?jrmuizel

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: There are a few cases inside SWGL/SW-WR where we check that geometry supplied either from content or canvas doesn't result in Infs/Nans in the code due to excessively large values or division by zero. Whether or not this could intentionally result in something exploitable is unknown, although it is observably able to cause infinite loops, crashing, and/or heap overruns due to checking against these values.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
  • Which older supported branches are affected by this flaw?: 91+
  • If not all supported branches, which bug introduced the flaw?: Bug 1700717
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: Pending testing on try, this should be fairly safe, since it just disables a side-effect optimization (-ffinite-math-only) that got enabled with -ffast-math, which was unexpected. Our debug builds already shouldn't have this problem since they are unaffected by -ffast-math, and thus we already have some indication things should work fine with this -fno-finite-math-only chucked on inside SWGL.

Beta/Release Uplift Approval Request

  • User impact if declined:
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
  • String changes made/needed:

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined:
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
Attachment #9260787 - Flags: sec-approval?
Attachment #9260787 - Flags: approval-mozilla-release?
Attachment #9260787 - Flags: approval-mozilla-esr91?
Attachment #9260787 - Flags: approval-mozilla-beta?
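The root cause stated above (bug 1700717 enabling -ffast-math, which implies -ffinite-math-only and lets the compiler assume Inf/NaN never occur, so isfinite() checks on geometry are folded away) and the security approval note about Inf/NaN checks in SWGL both come down to one hazard: a validator that depends on floating-point classification the optimizer is allowed to delete. The C below is an added example, not SWGL's or WebRender's code. The Span type, the validator names and the inputs are constructed for illustration. It contrasts an isfinite()-based check with a bit-pattern check that the flag cannot remove, and shows a span being rejected before a non-finite value reaches an int conversion.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit-level finiteness test. In IEEE-754 single precision a value is
   non-finite (Inf or NaN) exactly when its 8 exponent bits are all ones.
   Because this inspects the integer representation, -ffinite-math-only
   cannot fold it to "true" the way it may fold isfinite(). */
static bool finite_by_bits(float x) {
    uint32_t bits;
    memcpy(&bits, &x, sizeof bits);
    return ((bits >> 23) & 0xFFu) != 0xFFu;
}

/* Hypothetical rasterizer span (not SWGL's type): two x coordinates and a
   perspective divisor w. */
typedef struct { float x0, x1, w; } Span;

/* Validator built on the bit-level test. Also rejects w == 0, which would
   produce Inf in the perspective divide. */
static bool span_is_valid_bits(const Span *s) {
    return finite_by_bits(s->x0) && finite_by_bits(s->x1) &&
           finite_by_bits(s->w) && s->w != 0.0f;
}

/* Same validator built on isfinite(). Correct under default flags; under
   -ffinite-math-only the compiler may treat every isfinite() as true, which
   is the failure mode the bug above describes. */
static bool span_is_valid_libm(const Span *s) {
    return isfinite(s->x0) && isfinite(s->x1) && isfinite(s->w) && s->w != 0.0f;
}

/* Under default flags the two validators agree; used here only for
   well-formed input so the comparison does not depend on build flags. */
static bool validators_agree(const Span *s) {
    return span_is_valid_bits(s) == span_is_valid_libm(s);
}

/* Compute a clamped integer pixel range for a span. Returns false when the
   span must be skipped; converting Inf/NaN to int is undefined behaviour in
   C, so the check has to happen before the cast, not after. */
static bool span_pixel_range(const Span *s, int width, int *start, int *end) {
    if (!span_is_valid_bits(s)) return false;
    float a = s->x0 / s->w, b = s->x1 / s->w;   /* perspective divide */
    /* Finite inputs can still overflow to Inf here; check the results too. */
    if (!finite_by_bits(a) || !finite_by_bits(b)) return false;
    if (a > b) { float t = a; a = b; b = t; }
    /* Clamp in float space first so huge finite values never reach the cast. */
    if (a < 0.0f) a = 0.0f;
    if (b > (float)width) b = (float)width;
    if (a >= b) return false;                    /* empty after clipping */
    *start = (int)a;
    *end = (int)b;
    return true;
}

/* Number of pixels the span covers, or -1 if it was rejected. */
static int span_pixel_count(const Span *s, int width) {
    int a, b;
    return span_pixel_range(s, width, &a, &b) ? b - a : -1;
}

/* Constructed inputs: one well-formed span and three that must be rejected.
   Returns how many were accepted (expected: 1). */
static int demo(void) {
    Span ok       = { 10.0f, 20.0f, 1.0f };
    Span divz     = { 10.0f, 20.0f, 0.0f };        /* divide by zero -> Inf */
    Span huge     = { 3.0e38f, 3.0e38f, 1.0e-10f }; /* overflows to Inf after divide */
    Span nan_span = { NAN, 5.0f, 1.0f };            /* NaN coordinate */
    int accepted = 0;
    accepted += span_pixel_count(&ok, 64) >= 0;
    accepted += span_pixel_count(&divz, 64) >= 0;
    accepted += span_pixel_count(&huge, 64) >= 0;
    accepted += span_pixel_count(&nan_span, 64) >= 0;
    return accepted;
}

int main(void) {
    printf("spans accepted: %d of 4\n", demo());
    return 0;
}
```

The fix on this bug is the build-flag one (-fno-finite-math-only restores isfinite() semantics for SWGL); the bit-level classifier is the complementary choice for code that must validate untrusted geometry regardless of how a downstream build is configured, since it cannot be silently removed by a flag change like the one bug 1700717 introduced.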

With the patch applied I am no longer able to reproduce the issue. Thanks Lee!

Flags: needinfo?(twsmith)
Has Regression Range: --- → yes
Keywords: regression
Regressed by: 1700717

Comment on attachment 9260787 [details]
Bug 1746545 - Use -fno-finite-math-only in SWGL. r?jrmuizel

Not something we need in a dot release.

Attachment #9260787 - Flags: approval-mozilla-release? → approval-mozilla-release-

Comment on attachment 9260787 [details]
Bug 1746545 - Use -fno-finite-math-only in SWGL. r?jrmuizel

sec-approved

Attachment #9260787 - Flags: sec-approval? → sec-approval+
Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 98 Branch

Comment on attachment 9260787 [details]
Bug 1746545 - Use -fno-finite-math-only in SWGL. r?jrmuizel

Approved for 97.0b9 and 91.6esr.

Attachment #9260787 - Flags: approval-mozilla-esr91?
Attachment #9260787 - Flags: approval-mozilla-esr91+
Attachment #9260787 - Flags: approval-mozilla-beta?
Attachment #9260787 - Flags: approval-mozilla-beta+
See Also: → 1746939
See Also: → 1746957
See Also: → 1704176
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main97+r]

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(lsalzman)
Whiteboard: [post-critsmash-triage][adv-main97+r] → [post-critsmash-triage][adv-main97+r][sec-survey]
Flags: needinfo?(lsalzman)
Whiteboard: [post-critsmash-triage][adv-main97+r][sec-survey] → [post-critsmash-triage][adv-main97+r][sec-survey][adv-esr91.6+r]
Group: core-security-release