Closed Bug 1751818 Opened 2 years ago Closed 1 year ago

src/obj-build/dist/include/mozilla/rlbox/rlbox_sandbox.hpp:280:26: runtime error: call to function gfxFontEntry::GrGetTable through pointer to incorrect function type

Categories: Core :: Layout: Text and Fonts, defect

Status: RESOLVED FIXED
Target Milestone: 109 Branch
Tracking Status: firefox98 --- wontfix; firefox109 --- fixed

People: Reporter: tsmith, Assigned: shravanrn

Keywords: csectype-undefined

Attachments: 1 file

This was found by enabling the function check in UBSan and running existing tests. This type of issue can create inconsistencies across platforms, architectures and optimization levels.

Found with m-c 20220124-9b23d1bb84b.

To enable this check add the following to your mozconfig:

ac_add_options --enable-undefined-sanitizer="function"

This issue is found by the existing test: layout/forms/test/test_unstyled_control_height.html

INFO - TEST-START | layout/forms/test/test_unstyled_control_height.html
INFO - GECKO(9433) | /builds/worker/workspace/obj-build/dist/include/mozilla/rlbox/rlbox_sandbox.hpp:280:26: runtime error: call to function gfxFontEntry::GrGetTable(rlbox::rlbox_sandbox<rlbox::rlbox_wasm2c_sandbox>&, rlbox::tainted_opaque<void const*, rlbox::rlbox_wasm2c_sandbox>, rlbox::tainted_opaque<unsigned int, rlbox::rlbox_wasm2c_sandbox>, rlbox::tainted_opaque<unsigned int*, rlbox::rlbox_wasm2c_sandbox>) through pointer to incorrect function type 'rlbox::tainted<const void *, rlbox::rlbox_wasm2c_sandbox> (*)(rlbox::rlbox_sandbox<rlbox::rlbox_wasm2c_sandbox> &, rlbox::tainted<const void *, rlbox::rlbox_wasm2c_sandbox>, rlbox::tainted<unsigned int, rlbox::rlbox_wasm2c_sandbox>, rlbox::tainted<unsigned int *, rlbox::rlbox_wasm2c_sandbox>)'
INFO - GECKO(9433) | /builds/worker/checkouts/gecko/gfx/thebes/gfxFontEntry.cpp:656: note: gfxFontEntry::GrGetTable(rlbox::rlbox_sandbox<rlbox::rlbox_wasm2c_sandbox>&, rlbox::tainted_opaque<void const*, rlbox::rlbox_wasm2c_sandbox>, rlbox::tainted_opaque<unsigned int, rlbox::rlbox_wasm2c_sandbox>, rlbox::tainted_opaque<unsigned int*, rlbox::rlbox_wasm2c_sandbox>) defined here
INFO - GECKO(9433) |     #0 0x7fe4caaf9d41 in rlbox::detail::convert_to_sandbox_equivalent_helper<void const*, rlbox::rlbox_wasm2c_sandbox, void>::type rlbox::rlbox_sandbox<rlbox::rlbox_wasm2c_sandbox>::sandbox_callback_interceptor<void const*, void const*, unsigned int, unsigned int*>(rlbox::detail::convert_to_sandbox_equivalent_helper<void const*, rlbox::rlbox_wasm2c_sandbox, void>::type, rlbox::detail::convert_to_sandbox_equivalent_helper<unsigned int, rlbox::rlbox_wasm2c_sandbox, void>::type, rlbox::detail::convert_to_sandbox_equivalent_helper<unsigned int*, rlbox::rlbox_wasm2c_sandbox, void>::type) /builds/worker/workspace/obj-build/dist/include/mozilla/rlbox/rlbox_sandbox.hpp:280:26
INFO - GECKO(9433) |     #1 0x7fe4c7bc8d78 in w2c_graphite2__Face__Table__Table_graphite2__Face_const___graphite2__TtfUtil__Tag__unsigned_int_ /builds/worker/workspace/obj-build/security/rlbox/rlbox.wasm.c:197353:3
INFO - GECKO(9433) |     #2 0x7fe4c7c6ee81 in w2c_gr_make_face_with_ops /builds/worker/workspace/obj-build/security/rlbox/rlbox.wasm.c:227483:12
INFO - GECKO(9433) |     #3 0x7fe4cab26ca5 in auto rlbox::rlbox_wasm2c_sandbox::impl_invoke_with_func_ptr<gr_face* (void const*, gr_face_ops const*, unsigned int), unsigned int (unsigned int, unsigned int, unsigned int), unsigned int, unsigned int, gr_face_options>(unsigned int (*)(unsigned int, unsigned int, unsigned int), unsigned int&&, unsigned int&&, gr_face_options&&) /builds/worker/workspace/obj-build/dist/include/mozilla/rlbox/rlbox_wasm2c_sandbox.hpp:836:13
INFO - GECKO(9433) |     #4 0x7fe4caad5732 in auto rlbox::rlbox_sandbox<rlbox::rlbox_wasm2c_sandbox>::INTERNAL_invoke_with_func_ptr<gr_face* (void const*, gr_face_ops const*, unsigned int), rlbox::tainted<gr_face_ops*, rlbox::rlbox_wasm2c_sandbox>&, rlbox::tainted<gr_face_ops*, rlbox::rlbox_wasm2c_sandbox>&, gr_face_options>(char const*, void*, rlbox::tainted<gr_face_ops*, rlbox::rlbox_wasm2c_sandbox>&, rlbox::tainted<gr_face_ops*, rlbox::rlbox_wasm2c_sandbox>&, gr_face_options&&) /builds/worker/workspace/obj-build/dist/include/mozilla/rlbox/rlbox_sandbox.hpp:790:40
INFO - GECKO(9433) |     #5 0x7fe4caad4e99 in gfxFontEntry::GetGrFace() /builds/worker/checkouts/gecko/gfx/thebes/gfxFontEntry.cpp:728:17
INFO - GECKO(9433) |     #6 0x7fe4caab7ab4 in gfxFontEntry::HasGraphiteSpaceContextuals() /builds/worker/checkouts/gecko/gfx/thebes/gfxFontEntry.cpp:789:17
INFO - GECKO(9433) |     #7 0x7fe4caaca446 in bool gfxFont::SplitAndInitTextRun<char16_t>(mozilla::gfx::DrawTarget*, gfxTextRun*, char16_t const*, unsigned int, unsigned int, mozilla::intl::Script, nsAtom*, mozilla::gfx::ShapedTextFlags) /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:3143:7
INFO - GECKO(9433) |     #8 0x7fe4cabbc592 in void gfxFontGroup::InitScriptRun<char16_t>(mozilla::gfx::DrawTarget*, gfxTextRun*, char16_t const*, unsigned int, unsigned int, mozilla::intl::Script, gfxMissingFontRecorder*) /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:2707:25
INFO - GECKO(9433) |     #9 0x7fe4cab8a92a in void gfxFontGroup::InitTextRun<char16_t>(mozilla::gfx::DrawTarget*, gfxTextRun*, char16_t const*, unsigned int, gfxMissingFontRecorder*) /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:2614:9
INFO - GECKO(9433) |     #10 0x7fe4cab89e23 in gfxFontGroup::MakeTextRun(char16_t const*, unsigned int, gfxTextRunFactory::Parameters const*, mozilla::gfx::ShapedTextFlags, nsTextFrameUtils::Flags, gfxMissingFontRecorder*) /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:2488:3
INFO - GECKO(9433) |     #11 0x7fe4d015b8ae in BuildTextRunsScanner::BuildTextRunForFrames(void*) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:2556:28
INFO - GECKO(9433) |     #12 0x7fe4d0157df6 in BuildTextRunsScanner::FlushFrames(bool, bool) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:1674:17
INFO - GECKO(9433) |     #13 0x7fe4d01634c0 in BuildTextRuns(mozilla::gfx::DrawTarget*, nsTextFrame*, nsIFrame*, nsLineList_iterator const*, nsTextFrame::TextRunType) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:1596:11
INFO - GECKO(9433) |     #14 0x7fe4d01618dc in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, mozilla::gfx::DrawTarget*, nsIFrame*, nsLineList_iterator const*, unsigned int*) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:3015:7
INFO - GECKO(9433) |     #15 0x7fe4d01930f1 in nsTextFrame::AddInlineMinISizeForFlow(gfxContext*, nsIFrame::InlineMinISizeData*, nsTextFrame::TextRunType) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:8560:7
INFO - GECKO(9433) |     #16 0x7fe4d0195456 in nsTextFrame::AddInlineMinISize(gfxContext*, nsIFrame::InlineMinISizeData*) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:8750:10
INFO - GECKO(9433) |     #17 0x7fe4cfee549f in nsBlockFrame::GetMinISize(gfxContext*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:827:16
INFO - GECKO(9433) |     #18 0x7fe4cffb0dc8 in operator() /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1170:36
INFO - GECKO(9433) |     #19 0x7fe4cffb0dc8 in nsHTMLScrollFrame::GetMinISize(gfxContext*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1163:20
INFO - GECKO(9433) |     #20 0x7fe4d0063dca in nsIFrame::ShrinkWidthToFit(gfxContext*, int, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:6650:22
INFO - GECKO(9433) |     #21 0x7fe4cff2eb6e in nsContainerFrame::ComputeAutoSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:916:11
INFO - GECKO(9433) |     #22 0x7fe4cff420ff in nsIFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:6283:7
INFO - GECKO(9433) |     #23 0x7fe4cfea25e9 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::LayoutFrameType) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:2370:19
INFO - GECKO(9433) |     #24 0x7fe4cfe9c91d in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&) /builds/worker/checkouts/gecko/layout/generic/ReflowInput.cpp:356:3
INFO - GECKO(9433) |     #25 0x7fe4d01fdf54 in nsTextControlFrame::ReflowTextControlChild(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, mozilla::ReflowOutput&, int&) /builds/worker/checkouts/gecko/layout/forms/nsTextControlFrame.cpp:766:18
INFO - GECKO(9433) |     #26 0x7fe4d01fd664 in nsTextControlFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/forms/nsTextControlFrame.cpp:724:7
INFO - GECKO(9433) |     #27 0x7fe4d0119876 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:875:13
INFO - GECKO(9433) |     #28 0x7fe4cff05cf1 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4565:15
INFO - GECKO(9433) |     #29 0x7fe4cff04cfd in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4367:5
INFO - GECKO(9433) |     #30 0x7fe4cfefe0be in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4252:9
INFO - GECKO(9433) |     #31 0x7fe4cfef7849 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3229:5
INFO - GECKO(9433) |     #32 0x7fe4cfeee95e in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2763:7
INFO - GECKO(9433) |     #33 0x7fe4cfee83c4 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1394:3
INFO - GECKO(9433) |     #34 0x7fe4cff02852 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
INFO - GECKO(9433) |     #35 0x7fe4cfefa9dc in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3886:11
INFO - GECKO(9433) |     #36 0x7fe4cfef7996 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3226:5
INFO - GECKO(9433) |     #37 0x7fe4cfeee95e in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2763:7
INFO - GECKO(9433) |     #38 0x7fe4cfee83c4 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1394:3
INFO - GECKO(9433) |     #39 0x7fe4cff02852 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
INFO - GECKO(9433) |     #40 0x7fe4cfefa9dc in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3886:11
INFO - GECKO(9433) |     #41 0x7fe4cfef7996 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3226:5
INFO - GECKO(9433) |     #42 0x7fe4cfeee95e in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2763:7
INFO - GECKO(9433) |     #43 0x7fe4cfee83c4 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1394:3
INFO - GECKO(9433) |     #44 0x7fe4cff211ad in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1000:14
INFO - GECKO(9433) |     #45 0x7fe4cff1f987 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:787:7
INFO - GECKO(9433) |     #46 0x7fe4cff211ad in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1000:14
INFO - GECKO(9433) |     #47 0x7fe4cffabe66 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:839:3
INFO - GECKO(9433) |     #48 0x7fe4cffad489 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:974:3
INFO - GECKO(9433) |     #49 0x7fe4cffb2bb4 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1396:3
INFO - GECKO(9433) |     #50 0x7fe4cfed7fab in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1040:14
INFO - GECKO(9433) |     #51 0x7fe4cfed75d9 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:374:7
INFO - GECKO(9433) |     #52 0x7fe4cfd16369 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9636:11
INFO - GECKO(9433) |     #53 0x7fe4cfd28167 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9807:24
INFO - GECKO(9433) |     #54 0x7fe4cfd26675 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4299:11
INFO - GECKO(9433) |     #55 0x7fe4cb1edbbe in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1448:5
INFO - GECKO(9433) |     #56 0x7fe4cb1edbbe in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10746:16
INFO - GECKO(9433) |     #57 0x7fe4cb234bb4 in FlushPendingNotifications /builds/worker/checkouts/gecko/dom/base/Document.cpp:10667:3
INFO - GECKO(9433) |     #58 0x7fe4cb234bb4 in GetPrimaryFrame /builds/worker/checkouts/gecko/dom/base/Element.cpp:254:10
INFO - GECKO(9433) |     #59 0x7fe4cb234bb4 in mozilla::dom::Element::GetBoundingClientRect() /builds/worker/checkouts/gecko/dom/base/Element.cpp:1034:21

After reformatting the error message for readability, what it's complaining about is:

call to function:
gfxFontEntry::GrGetTable(rlbox::rlbox_sandbox<rlbox::rlbox_wasm2c_sandbox>&,
                         rlbox::tainted_opaque<void const*, rlbox::rlbox_wasm2c_sandbox>,
                         rlbox::tainted_opaque<unsigned int, rlbox::rlbox_wasm2c_sandbox>,
                         rlbox::tainted_opaque<unsigned int*, rlbox::rlbox_wasm2c_sandbox>)

through pointer to incorrect function type:
rlbox::tainted<const void *, rlbox::rlbox_wasm2c_sandbox> (*)
                        (rlbox::rlbox_sandbox<rlbox::rlbox_wasm2c_sandbox> &,
                         rlbox::tainted<const void *, rlbox::rlbox_wasm2c_sandbox>,
                         rlbox::tainted<unsigned int, rlbox::rlbox_wasm2c_sandbox>,
                         rlbox::tainted<unsigned int *, rlbox::rlbox_wasm2c_sandbox>)

So we have a tainted<> vs tainted_opaque<> mismatch in the parameters. Shravan, can you have a look at this? Thanks!

Flags: needinfo?(shravanrn)

(Triaging as S3 since it doesn't sound like this is actively causing harm; I'm not sure if there's any way for the tainted<> vs. tainted_opaque<> mismatch to cause trouble/mischief here, but if there is, please bump up to S2 or S1 as you see fit. Thanks!)

Severity: -- → S3

Sorry about the delay. I'll respond to this shortly.

This issue is currently triggered in CI when the 'function' UBSan check is enabled. This issue will need to be addressed before the check can be enabled by default.

If it requires too much effort to fix immediately, please ni? me and let me know. If necessary it will be added to a suppression list. Thank you :)

TLDR: this was an explicit design choice but we should probably move away from it. The fix is simple, but will take me a few days. We can either add an exception in the short term or I can submit a PR fixing the source of the problem.

@tsmith: Let me know how we should proceed.

Capturing some of the design rationale below.

RLBox has a few different types, two of them being tainted_opaque and tainted. The goal of this design involving these two separate types was:

  1. First, it reduces compilation times: the tainted structures do a lot of compile-time checks, and we try to avoid using tainted in headers in favor of tainted_opaque.
  2. This previously allowed us to use C++17 features when Firefox was still on C++11/14 (this was about 2 and a half years ago, so it is not something of concern anymore).

While there are suitable conversion operators between tainted and tainted_opaque, there is one part of the code that assumes these two types have the same layout, and this is in indirect calls as seen above. This was by design and in theory should not cause any issues. However, given that this is causing UBSan warnings, I think the best path is to move away from this and stick to using tainted everywhere. A more minimal fix for the issue would be to remove the use of tainted_opaque in callbacks alone.

Flags: needinfo?(shravanrn) → needinfo?(twsmith)
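To make the layout-compatibility assumption described in comment #5 concrete, here is an added, constructed model (not RLBox's real code and not part of this bug) of the two wrapper types, the callback interceptor that casts the registered function pointer, and an adapter that converts the argument values instead so no pointer cast is needed. Names such as interceptor_before, interceptor_after, get_table_len and sandbox_entry_after are hypothetical stand-ins, and the table sizes are constructed.

```cpp
// Constructed model of the tainted / tainted_opaque split; this is not RLBox's real
// implementation, only the minimum needed to show why the callback path is UB and how an
// adapter removes the function-pointer cast.
#include <cstdint>
#include <type_traits>

namespace model {

using u32 = std::uint32_t;

// tainted_opaque<T>: a plain wrapper with no compile-time checks, cheap to use in headers.
template <typename T>
struct tainted_opaque {
  T data;
};

// tainted<T>: identical layout, but this is where the verification helpers live.
template <typename T>
struct tainted {
  T data;
  // Stand-in for RLBox's verifier methods (constructed for this model).
  T unverified_safe_because(const char* /*reason*/) const { return data; }
  tainted_opaque<T> to_opaque() const { return tainted_opaque<T>{data}; }
  static tainted<T> from_opaque(tainted_opaque<T> o) { return tainted<T>{o.data}; }
};

// The design assumption the old callback path relied on: both wrappers are layout-compatible.
static_assert(sizeof(tainted<u32>) == sizeof(tainted_opaque<u32>), "same size");
static_assert(std::is_standard_layout<tainted<u32>>::value &&
                  std::is_standard_layout<tainted_opaque<u32>>::value,
              "standard layout");

// Callback shape modelled on GrGetTable: (table tag, requested length) -> length available.
using opaque_cb_t = tainted_opaque<u32> (*)(tainted_opaque<u32>, tainted_opaque<u32>);
using tainted_cb_t = tainted<u32> (*)(tainted<u32>, tainted<u32>);

// Constructed host callback, declared with tainted_opaque parameters as the Firefox ones were.
inline tainted_opaque<u32> get_table_len(tainted_opaque<u32> tag, tainted_opaque<u32> want) {
  // Constructed table sizes: only a 'glyf' table exists in this model.
  const u32 avail = (tag.data == 0x676C7966u) ? 1200u : 0u;
  return tainted_opaque<u32>{want.data < avail ? want.data : avail};
}

// Before: the interceptor stores a tainted_cb_t and reinterpret_casts the registered pointer.
// Same layout or not, calling a function through a pointer of a different function type is
// undefined behaviour, and clang's -fsanitize=function reports exactly the "through pointer
// to incorrect function type" message quoted in this bug.
struct interceptor_before {
  tainted_cb_t fn;
  explicit interceptor_before(opaque_cb_t cb) : fn(reinterpret_cast<tainted_cb_t>(cb)) {}
  tainted<u32> call(tainted<u32> a, tainted<u32> b) const { return fn(a, b); }  // UB: type mismatch
};

// After: keep the pointer at its declared type and convert the *arguments* instead.
// No cast is needed, so there is nothing for the function sanitizer to flag.
struct interceptor_after {
  opaque_cb_t fn;
  explicit interceptor_after(opaque_cb_t cb) : fn(cb) {}
  tainted<u32> call(tainted<u32> a, tainted<u32> b) const {
    return tainted<u32>::from_opaque(fn(a.to_opaque(), b.to_opaque()));
  }
};

// Entry point modelled on sandbox_callback_interceptor: raw 32-bit values arrive from the
// wasm2c sandbox, get wrapped as tainted, and the result is unwrapped back to a raw value.
inline u32 sandbox_entry_after(u32 raw_tag, u32 raw_want) {
  interceptor_after ic(&get_table_len);
  tainted<u32> r = ic.call(tainted<u32>{raw_tag}, tainted<u32>{raw_want});
  return r.unverified_safe_because("value goes back to the sandbox, not trusted by the host");
}

}  // namespace model
```

Only interceptor_after is exercised; interceptor_before is kept to show the exact pattern the sanitizer flags.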

(In reply to Shravan Narayan from comment #5)

We can either add an exception in the short term or I can submit a PR fixing the source of the problem.

@tsmith: Let me know how we should proceed.

I am happy to wait for the fix. Thank you!

Flags: needinfo?(twsmith)

(In reply to Shravan Narayan from comment #5)

The fix is simple, but will take me a few days. We can either add an exception in the short term or I can submit a PR fixing the source of the problem.

Hi Shravan, do you have an ETA for the PR (fixing the source of the problem)?

Flags: needinfo?(shravanrn)

Suppressing the first error leads to another, which I assume is related.

/builds/worker/workspace/obj-build/dist/include/mozilla/rlbox/rlbox_sandbox.hpp:280:26: runtime error: call to function gfxGraphiteShaper::GrGetAdvance(rlbox::rlbox_sandbox<rlbox::rlbox_wasm2c_sandbox>&, rlbox::tainted_opaque<void const*, rlbox::rlbox_wasm2c_sandbox>, rlbox::tainted_opaque<unsigned short, rlbox::rlbox_wasm2c_sandbox>) through pointer to incorrect function type 'rlbox::tainted<float, rlbox::rlbox_wasm2c_sandbox> (*)(rlbox::rlbox_sandbox<rlbox::rlbox_wasm2c_sandbox> &, rlbox::tainted<const void *, rlbox::rlbox_wasm2c_sandbox>, rlbox::tainted<unsigned short, rlbox::rlbox_wasm2c_sandbox>)'
/builds/worker/checkouts/gecko/gfx/thebes/gfxGraphiteShaper.cpp:69: note: gfxGraphiteShaper::GrGetAdvance(rlbox::rlbox_sandbox<rlbox::rlbox_wasm2c_sandbox>&, rlbox::tainted_opaque<void const*, rlbox::rlbox_wasm2c_sandbox>, rlbox::tainted_opaque<unsigned short, rlbox::rlbox_wasm2c_sandbox>) defined here
    #0 0x7f60768e3fcb in rlbox::detail::convert_to_sandbox_equivalent_helper<float, rlbox::rlbox_wasm2c_sandbox, void>::type rlbox::rlbox_sandbox<rlbox::rlbox_wasm2c_sandbox>::sandbox_callback_interceptor<float, void const*, unsigned short>(rlbox::detail::convert_to_sandbox_equivalent_helper<void const*, rlbox::rlbox_wasm2c_sandbox, void>::type, rlbox::detail::convert_to_sandbox_equivalent_helper<unsigned short, rlbox::rlbox_wasm2c_sandbox, void>::type) /builds/worker/workspace/obj-build/dist/include/mozilla/rlbox/rlbox_sandbox.hpp:280:26
    #1 0x7f60738c80af in w2c_graphite2__Slot__finalise_graphite2__Segment_const___graphite2__Font_const___graphite2__Position___graphite2__Rect___unsigned_char__float___bool__bool__int_ /builds/worker/workspace/obj-build/security/rlbox/rlbox.wasm.c:220508:3
    #2 0x7f60738aaeb5 in w2c_graphite2__Segment__positionSlots_graphite2__Font_const___graphite2__Slot___graphite2__Slot___bool__bool_ /builds/worker/workspace/obj-build/security/rlbox/rlbox.wasm.c:216649:5
    #3 0x7f60738fc19b in w2c_gr_make_seg /builds/worker/workspace/obj-build/security/rlbox/rlbox.wasm.c:231621:3
    #4 0x7f607698569f in auto rlbox::rlbox_wasm2c_sandbox::impl_invoke_with_func_ptr<gr_segment* (gr_font const*, gr_face const*, unsigned int, gr_feature_val const*, gr_encform, void const*, unsigned long, int), unsigned int (unsigned int, unsigned int, unsigned int, unsigned int, gr_encform, unsigned int, unsigned int, int), unsigned int, unsigned int, int, unsigned int, gr_encform, unsigned int, unsigned int, gr_bidirtl>(unsigned int (*)(unsigned int, unsigned int, unsigned int, unsigned int, gr_encform, unsigned int, unsigned int, int), unsigned int&&, unsigned int&&, int&&, unsigned int&&, gr_encform&&, unsigned int&&, unsigned int&&, gr_bidirtl&&) /builds/worker/workspace/obj-build/dist/include/mozilla/rlbox/rlbox_wasm2c_sandbox.hpp:836:13
    #5 0x7f6076911cd0 in auto rlbox::rlbox_sandbox<rlbox::rlbox_wasm2c_sandbox>::INTERNAL_invoke_with_func_ptr<gr_segment* (gr_font const*, gr_face const*, unsigned int, gr_feature_val const*, gr_encform, void const*, unsigned long, int), rlbox::tainted_opaque<gr_font*, rlbox::rlbox_wasm2c_sandbox>&, rlbox::tainted<gr_face*, rlbox::rlbox_wasm2c_sandbox>&, int, rlbox::tainted<gr_feature_val*, rlbox::rlbox_wasm2c_sandbox>&, gr_encform, rlbox::tainted<char16_t*, rlbox::rlbox_wasm2c_sandbox>&, unsigned long&, gr_bidirtl&>(char const*, void*, rlbox::tainted_opaque<gr_font*, rlbox::rlbox_wasm2c_sandbox>&, rlbox::tainted<gr_face*, rlbox::rlbox_wasm2c_sandbox>&, int&&, rlbox::tainted<gr_feature_val*, rlbox::rlbox_wasm2c_sandbox>&, gr_encform&&, rlbox::tainted<char16_t*, rlbox::rlbox_wasm2c_sandbox>&, unsigned long&, gr_bidirtl&) /builds/worker/workspace/obj-build/dist/include/mozilla/rlbox/rlbox_sandbox.hpp:790:40
    #6 0x7f607690fca4 in gfxGraphiteShaper::ShapeText(mozilla::gfx::DrawTarget*, char16_t const*, unsigned int, unsigned int, mozilla::intl::Script, nsAtom*, bool, gfxFontShaper::RoundingFlags, gfxShapedText*) /builds/worker/checkouts/gecko/gfx/thebes/gfxGraphiteShaper.cpp:242:7
    #7 0x7f607689af53 in gfxFont::ShapeText(mozilla::gfx::DrawTarget*, char16_t const*, unsigned int, unsigned int, mozilla::intl::Script, nsAtom*, bool, gfxFontShaper::RoundingFlags, gfxShapedText*) /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:3010:19
    #8 0x7f607689e7d3 in gfxShapedWord* gfxFont::GetShapedWord<char16_t>(mozilla::gfx::DrawTarget*, char16_t const*, unsigned int, unsigned int, mozilla::intl::Script, nsAtom*, bool, int, mozilla::gfx::ShapedTextFlags, gfxFontShaper::RoundingFlags, gfxTextPerfMetrics*) /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:2879:24
    #9 0x7f607689d519 in bool gfxFont::SplitAndInitTextRun<char16_t>(mozilla::gfx::DrawTarget*, gfxTextRun*, char16_t const*, unsigned int, unsigned int, mozilla::intl::Script, nsAtom*, mozilla::gfx::ShapedTextFlags) /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:3317:27
    #10 0x7f6076998afb in void gfxFontGroup::InitScriptRun<char16_t>(mozilla::gfx::DrawTarget*, gfxTextRun*, char16_t const*, unsigned int, unsigned int, mozilla::intl::Script, gfxMissingFontRecorder*) /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:2744:25
    #11 0x7f607696159a in void gfxFontGroup::InitTextRun<char16_t>(mozilla::gfx::DrawTarget*, gfxTextRun*, char16_t const*, unsigned int, gfxMissingFontRecorder*) /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:2651:9
    #12 0x7f6076960a93 in gfxFontGroup::MakeTextRun(char16_t const*, unsigned int, gfxTextRunFactory::Parameters const*, mozilla::gfx::ShapedTextFlags, nsTextFrameUtils::Flags, gfxMissingFontRecorder*) /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:2525:3
    #13 0x7f607cb4ab79 in BuildTextRunsScanner::BuildTextRunForFrames(void*) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:2637:28
    #14 0x7f607cb46fb0 in BuildTextRunsScanner::FlushFrames(bool, bool) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:1750:17
    #15 0x7f607cb52d61 in BuildTextRuns(mozilla::gfx::DrawTarget*, nsTextFrame*, nsIFrame*, nsLineList_iterator const*, nsTextFrame::TextRunType) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:1672:11
    #16 0x7f607cb513ec in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, mozilla::gfx::DrawTarget*, nsIFrame*, nsLineList_iterator const*, unsigned int*) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:3096:7
    #17 0x7f607cb0c065 in nsTextFrame::ReflowText(nsLineLayout&, int, mozilla::gfx::DrawTarget*, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:9573:7
    #18 0x7f607cb08955 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:873:40
    #19 0x7f607ca913d9 in nsInlineFrame::ReflowInlineFrame(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, nsIFrame*, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsInlineFrame.cpp:671:15
    #20 0x7f607ca906b8 in nsInlineFrame::ReflowFrames(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsInlineFrame.cpp:545:7
    #21 0x7f607ca8f9cd in nsInlineFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsInlineFrame.cpp:359:3
    #22 0x7f607cb08b39 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:870:13
    #23 0x7f607c8f35d1 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4578:15
    #24 0x7f607c8f2530 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4380:5
    #25 0x7f607c8eb6da in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4263:9
    #26 0x7f607c8e5109 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3250:5
    #27 0x7f607c8dc3b0 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2779:7
    #28 0x7f607c8d5d5d in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1410:3
    #29 0x7f607c8f0092 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
    #30 0x7f607c8e80ff in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3897:11
    #31 0x7f607c8e5256 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3247:5
    #32 0x7f607c8dc3b0 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2779:7
    #33 0x7f607c8d5d5d in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1410:3
    #34 0x7f607c8f0092 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
    #35 0x7f607c8e80ff in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3897:11
    #36 0x7f607c8e5256 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3247:5
    #37 0x7f607c8dc3b0 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2779:7
    #38 0x7f607c8d5d5d in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1410:3
    #39 0x7f607c90ec9d in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1005:14
    #40 0x7f607c90d424 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:791:7
    #41 0x7f607c90ec9d in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1005:14
    #42 0x7f607c99aa5e in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:838:3
    #43 0x7f607c99c1f8 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:974:3
    #44 0x7f607c9a15d4 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1395:3
    #45 0x7f607c8c5734 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1045:14
    #46 0x7f607c8c4d69 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:374:7
    #47 0x7f607c6f4ff2 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9621:11
    #48 0x7f607c707947 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9792:24
    #49 0x7f607c705c91 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4361:11
    #50 0x7f607705e1ac in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10878:16
    #51 0x7f6075df5dac in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:739:14
    #52 0x7f6075df8921 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:677:5
    #53 0x7f608004934b in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13846:23
    #54 0x7f60746ae30e in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:614:22
    #55 0x7f60746b0d04 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:518:10
    #56 0x7f6077064d02 in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11659:18
    #57 0x7f607701f030 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11597:9
    #58 0x7f6077042dd4 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8131:3
    #59 0x7f6077106eef in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
    #60 0x7f6077106eef in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
    #61 0x7f6077106eef in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
    #62 0x7f6074320a7f in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140:20
    #63 0x7f607436e572 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:475:16
    #64 0x7f6074333c85 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:788:26
    #65 0x7f6074330e38 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:620:15
    #66 0x7f6074331560 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:398:36
    #67 0x7f6074377271 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:124:37
    #68 0x7f6074377271 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
    #69 0x7f6074354957 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1180:16

Sorry, this fell off my radar for a bit. Please let me know if this is still blocking, and I can prioritize a fix.

Flags: needinfo?(shravanrn)
Assignee: nobody → shravanrn
Status: NEW → ASSIGNED

Patch submitted

Pushed by mh@glandium.org:
https://hg.mozilla.org/integration/autoland/rev/b3a315189fad
Remove use tainted_opaque from callbacks of libGraphite r=glandium
Blocks: 1801932
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 109 Branch