1748463 - Hit MOZ_CRASH(slice index starts at 4804971105633523029 but ends at 127309511) at gfx/webrender_bindings/src/moz2d_renderer.rs:209

Status: NEW

(Core :: Graphics: WebRender, defect)

Description

Testcase found while fuzzing mozilla-central rev 8bc2581b2c7b (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 8bc2581b2c7b --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --xvfb

Hit MOZ_CRASH(slice index starts at 4804971105633523029 but ends at 127309511) at gfx/webrender_bindings/src/moz2d_renderer.rs:209

    ==2413182==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb1ce8bf3b5 bp 0x7fb19005d6b0 sp 0x7fb19005d6a0 T2413304)
    ==2413182==The signal is caused by a WRITE memory access.
    ==2413182==Hint: address points to the zero page.
        #0 0x7fb1ce8bf3b5 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
        #1 0x7fb1ce8bf3b5 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
        #2 0x7fb1ce8bf337 in mozglue_static::panic_hook::heacae7afaf9bf8bc /mozglue/static/rust/lib.rs:91:9
        #3 0x7fb1ce8befab in core::ops::function::Fn::call::hb79486ceb681b1e3 /rustc/f1edd0429582dd29cccacaf50fd134b05593bd9c/library/core/src/ops/function.rs:70:5
        #4 0x7fb1cf1afbb8 in std::panicking::rust_panic_with_hook::h50680ff4b44510c6 /rustc/f1edd0429582dd29cccacaf50fd134b05593bd9c/library/std/src/panicking.rs:628:17
        #5 0x7fb1cf1af65f in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h9371c0fbb1e8465a /rustc/f1edd0429582dd29cccacaf50fd134b05593bd9c/library/std/src/panicking.rs:521:13
        #6 0x7fb1cf1ac363 in std::sys_common::backtrace::__rust_end_short_backtrace::h9b3efa22a5768c0f /rustc/f1edd0429582dd29cccacaf50fd134b05593bd9c/library/std/src/sys_common/backtrace.rs:139:18
        #7 0x7fb1cf1af5c8 in rust_begin_unwind /rustc/f1edd0429582dd29cccacaf50fd134b05593bd9c/library/std/src/panicking.rs:517:5
        #8 0x7fb1c5626120 in core::panicking::panic_fmt::h23b9203e89cc61cf /rustc/f1edd0429582dd29cccacaf50fd134b05593bd9c/library/core/src/panicking.rs:100:14
        #9 0x7fb1c5626391 in core::slice::index::slice_index_order_fail::h9417f12051fd779f /rustc/f1edd0429582dd29cccacaf50fd134b05593bd9c/library/core/src/slice/index.rs:48:5
        #10 0x7fb1ce2e5cb6 in _$LT$core..ops..range..Range$LT$usize$GT$$u20$as$u20$core..slice..index..SliceIndex$LT$$u5b$T$u5d$$GT$$GT$::index::hbd6cce87e30b3f4f /rustc/f1edd0429582dd29cccacaf50fd134b05593bd9c/library/core/src/slice/index.rs:238:13
        #11 0x7fb1ce2e5cb6 in core::slice::index::_$LT$impl$u20$core..ops..index..Index$LT$I$GT$$u20$for$u20$$u5b$T$u5d$$GT$::index::hb0eab71861daff04 /rustc/f1edd0429582dd29cccacaf50fd134b05593bd9c/library/core/src/slice/index.rs:15:9
        #12 0x7fb1ce2e5cb6 in webrender_bindings::moz2d_renderer::BlobReader::new::haaa065a5962b8ace /gfx/webrender_bindings/src/moz2d_renderer.rs:209:37
        #13 0x7fb1ce2e5cb6 in _$LT$webrender_bindings..moz2d_renderer..Moz2dBlobImageHandler$u20$as$u20$webrender_api..image..BlobImageHandler$GT$::add::hd30e6dec8140ffca /gfx/webrender_bindings/src/moz2d_renderer.rs:647:25
        #14 0x7fb1ce4ecfa5 in webrender::api_resources::ApiResources::update::hd68315c3a28a7d26 /gfx/wr/webrender/src/api_resources.rs:78:21
        #15 0x7fb1ce4ecfa5 in webrender::render_api::RenderApi::send_transaction::h211c8339422d3bcd /gfx/wr/webrender/src/render_api.rs:1244:9
        #16 0x7fb1ce2dcb5b in wr_api_send_transaction /gfx/webrender_bindings/src/bindings.rs:2178:5
        #17 0x7fb1c7292ba0 in mozilla::layers::WebRenderBridgeParent::SetDisplayList(mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float> const&, mozilla::ipc::ByteBuf&&, mozilla::ipc::ByteBuf&&, mozilla::ipc::ByteBuf&&, mozilla::wr::BuiltDisplayListDescriptor const&, nsTArray<mozilla::layers::OpUpdateResource> const&, nsTArray<mozilla::layers::RefCountedShmem> const&, nsTArray<mozilla::ipc::Shmem> const&, mozilla::TimeStamp const&, mozilla::wr::TransactionBuilder&, mozilla::wr::Epoch, bool) /gfx/layers/wr/WebRenderBridgeParent.cpp:1158:9
        #18 0x7fb1c7292ef5 in mozilla::layers::WebRenderBridgeParent::ProcessDisplayListData(mozilla::layers::DisplayListData&, mozilla::wr::Epoch, mozilla::TimeStamp const&, bool, bool) /gfx/layers/wr/WebRenderBridgeParent.cpp:1192:8
        #19 0x7fb1c7293cda in mozilla::layers::WebRenderBridgeParent::RecvSetDisplayList(mozilla::layers::DisplayListData&&, nsTArray<mozilla::layers::OpDestroy>&&, unsigned long const&, mozilla::layers::BaseTransactionId<mozilla::layers::TransactionIdType> const&, bool const&, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, nsTString<char> const&, mozilla::TimeStamp const&, nsTArray<mozilla::layers::CompositionPayload>&&) /gfx/layers/wr/WebRenderBridgeParent.cpp:1248:8
        #20 0x7fb1c6a92ce0 in mozilla::layers::PWebRenderBridgeParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebRenderBridgeParent.cpp:433:28
        #21 0x7fb1c65bb16d in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerParent.cpp:204:32
        #22 0x7fb1c647e56f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:2043:25
        #23 0x7fb1c647aea1 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /ipc/glue/MessageChannel.cpp:1968:9
        #24 0x7fb1c647c325 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1827:3
        #25 0x7fb1c647cf5d in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1855:14
        #26 0x7fb1c59da9c9 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1177:16
        #27 0x7fb1c59e1b6a in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
        #28 0x7fb1c6485604 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:330:5
        #29 0x7fb1c63a3867 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #30 0x7fb1c63a3772 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #31 0x7fb1c63a3772 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #32 0x7fb1c59d65fb in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:391:10
        #33 0x7fb1d9eb8997 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #34 0x7fb1dac2c608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
        #35 0x7fb1da7f4292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash
    ==2413182==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 2

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220104034109-8bc2581b2c7b.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 1d89f3cb5bb3e5a37b0249977838c4a98c162c80 (20210105043131)
End: 8bc2581b2c7bb99a1138ece1f6e7bf80ff7f79d3 (20220104034109)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Comment 3

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/4xtTfiz8cCqwsHSTGqsqKw/index.html

Comment 4

[Dzmitry Malyshau [:kvark]]

Tried to look at this briefly. The index_offset is written at the end of the blob, and it's garbage.
Wasn't able to dig the part that writes the offset.
Perhaps, somebody from Blob land could investigate?

Comment 5

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220104034109-8bc2581b2c7b) but not with tip (mozilla-central 20220218215229-b21fa00b5f33.)
The bug appears to have been fixed in the following build range:

Start: 34ae3dfcb1badd42bb2975bd8b88ca56b221e233 (20220214092817)
End: 23f9ff7daa01b1273edb9c1df04436d895983b58 (20220214095712)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=34ae3dfcb1badd42bb2975bd8b88ca56b221e233&tochange=23f9ff7daa01b1273edb9c1df04436d895983b58
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 6

[Mayank Bansal]

Didnt crash, but the testcase will take 3.5GB+ RAM if you click inside the tab.
https://share.firefox.dev/3QdGBK8

Comment 7

[Tyson Smith [:tsmith]]

The attached test case does reproduce the issue with m-c 20220825-ed1f1140d8bd.