Open Bug 1756669 Opened 3 years ago Updated 8 months ago

Hit MOZ_CRASH(index out of bounds: the len is 4 but the index is 10) at gfx/wr/webrender_api/src/display_list.rs:2214

Categories

(Core :: Graphics: WebRender, defect)


Tracking


Tracking Status
firefox-esr102 --- affected
firefox-esr115 --- affected
firefox99 --- wontfix
firefox101 --- wontfix
firefox102 --- wontfix
firefox103 --- wontfix
firefox114 --- wontfix
firefox115 --- wontfix
firefox116 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 2 open bugs)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(1 file, 1 obsolete file)

Attached file testcase.html (obsolete)

Found while fuzzing m-c 20220221-ca774a5b6b7b (--enable-address-sanitizer --enable-fuzzing)

The attached test case reproduces on Windows.

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(index out of bounds: the len is 4 but the index is 10) at gfx/wr/webrender_api/src/display_list.rs:2214

#0 0x7ff81c4a88b7 in AnnotateMozCrashReason /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:40
#1 0x7ff81c4a88b7 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261
#2 0x7ff81c4a88b7 in RustMozCrash src/mozglue/static/rust/wrappers.cpp:17
#3 0x7ff81a806120 in mozglue_static::panic_hook src/mozglue/static/rust/lib.rs:91
#4 0x7ff81a806061 in core::ops::function::FnMut::call_mut<void (*)(ref$<core::panic::panic_info::PanicInfo>),tuple$<ref$<core::panic::panic_info::PanicInfo> > > /rustc/02072b482a8b5357f7fb5e5637444ae30e423c40\library\core\src\ops\function.rs:70
#5 0x7ff81aa66e97 in std::panicking::rust_panic_with_hook /rustc/02072b482a8b5357f7fb5e5637444ae30e423c40\/library\std\src\panicking.rs:610
#6 0x7ff81aa7a252 in std::panicking::begin_panic_handler::closure$0 /rustc/02072b482a8b5357f7fb5e5637444ae30e423c40\/library\std\src\panicking.rs:502
#7 0x7ff81aa7a1d8 in std::sys_common::backtrace::__rust_end_short_backtrace<std::panicking::begin_panic_handler::closure$0,never$> /rustc/02072b482a8b5357f7fb5e5637444ae30e423c40\/library\std\src\sys_common\backtrace.rs:139
#8 0x7ff81aa7a193 in std::panicking::begin_panic_handler /rustc/02072b482a8b5357f7fb5e5637444ae30e423c40\/library\std\src\panicking.rs:498
#9 0x7ff81ca02a3f in core::panicking::panic_fmt /rustc/02072b482a8b5357f7fb5e5637444ae30e423c40\/library\core\src\panicking.rs:107
#10 0x7ff81ca02a06 in core::panicking::panic_bounds_check /rustc/02072b482a8b5357f7fb5e5637444ae30e423c40\/library\core\src\panicking.rs:75
#11 0x7ff81b039b4a in core::slice::index::impl$2::index /rustc/02072b482a8b5357f7fb5e5637444ae30e423c40\library\core\src\slice\index.rs:184
#12 0x7ff81b039b4a in core::slice::index::impl$0::index /rustc/02072b482a8b5357f7fb5e5637444ae30e423c40\library\core\src\slice\index.rs:15
#13 0x7ff81b039b4a in alloc::vec::impl$16::index /rustc/02072b482a8b5357f7fb5e5637444ae30e423c40\library\alloc\src\vec\mod.rs:2528
#14 0x7ff81b039b4a in webrender_api::display_list::DisplayListBuilder::current_offset src/gfx/wr/webrender_api/src/display_list.rs:2211
#15 0x7ff81b039b4a in webrender_api::display_list::DisplayListBuilder::define_clip_image_mask src/gfx/wr/webrender_api/src/display_list.rs:1961
#16 0x7ff81b039b4a in wr_dp_define_image_mask_clip_with_parent_clip_chain src/gfx/webrender_bindings/src/bindings.rs:2694
#17 0x7ff80e6c40ab in mozilla::wr::DisplayListBuilder::DefineImageMaskClip(struct mozilla::wr::ImageMask const &, class nsTArray<struct mozilla::wr::Point2D<float, struct mozilla::wr::LayoutPixel>> const &, enum mozilla::wr::FillRule) src/gfx/webrender_bindings/WebRenderAPI.cpp:1077
#18 0x7ff815eaee25 in mozilla::CreateWRClipPathAndMasks src/layout/painting/nsDisplayList.cpp:8176
#19 0x7ff815eaee25 in mozilla::nsDisplayMasksAndClipPaths::CreateWebRenderCommands(class mozilla::wr::DisplayListBuilder &, class mozilla::wr::IpcResourceUpdateQueue &, class mozilla::layers::StackingContextHelper const &, class mozilla::layers::RenderRootStateManager *, class mozilla::nsDisplayListBuilder *) src/layout/painting/nsDisplayList.cpp:8189
#20 0x7ff80e2d33bb in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(class mozilla::nsDisplayItem *, class mozilla::wr::DisplayListBuilder &, class mozilla::wr::IpcResourceUpdateQueue &, class mozilla::layers::StackingContextHelper const &, class mozilla::nsDisplayListBuilder *) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1649
#21 0x7ff80e2d04cb in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(class mozilla::nsDisplayList *, class mozilla::nsDisplayItem *, class mozilla::nsDisplayListBuilder *, class mozilla::layers::StackingContextHelper const &, class mozilla::wr::DisplayListBuilder &, class mozilla::wr::IpcResourceUpdateQueue &, bool) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1888
#22 0x7ff815e7ea1c in mozilla::nsDisplayWrapList::CreateWebRenderCommandsNewClipListOption src/layout/painting/nsDisplayList.cpp:4688
#23 0x7ff815e7ea1c in mozilla::nsDisplayWrapList::CreateWebRenderCommands src/layout/painting/nsDisplayList.h:4945
#24 0x7ff815e7ea1c in mozilla::nsDisplayOwnLayer::CreateWebRenderCommands(class mozilla::wr::DisplayListBuilder &, class mozilla::wr::IpcResourceUpdateQueue &, class mozilla::layers::StackingContextHelper const &, class mozilla::layers::RenderRootStateManager *, class mozilla::nsDisplayListBuilder *) src/layout/painting/nsDisplayList.cpp:5317
#25 0x7ff80e2d33bb in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(class mozilla::nsDisplayItem *, class mozilla::wr::DisplayListBuilder &, class mozilla::wr::IpcResourceUpdateQueue &, class mozilla::layers::StackingContextHelper const &, class mozilla::nsDisplayListBuilder *) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1649
#26 0x7ff80e2d04cb in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(class mozilla::nsDisplayList *, class mozilla::nsDisplayItem *, class mozilla::nsDisplayListBuilder *, class mozilla::layers::StackingContextHelper const &, class mozilla::wr::DisplayListBuilder &, class mozilla::wr::IpcResourceUpdateQueue &, bool) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1888
#27 0x7ff80e2cceeb in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(class mozilla::wr::DisplayListBuilder &, class mozilla::wr::IpcResourceUpdateQueue &, class mozilla::nsDisplayList *, class mozilla::nsDisplayListBuilder *, class mozilla::layers::WebRenderScrollData &, struct WrFiltersHolder &&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1570
#28 0x7ff80e2f2b94 in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(class mozilla::nsDisplayList *, class mozilla::nsDisplayListBuilder *, struct WrFiltersHolder &&, class mozilla::layers::WebRenderBackgroundData *, double) src/gfx/layers/wr/WebRenderLayerManager.cpp:362
#29 0x7ff815e447fe in mozilla::nsDisplayList::PaintRoot(class mozilla::nsDisplayListBuilder *, class gfxContext *, unsigned int, class mozilla::Maybe<double>) src/layout/painting/nsDisplayList.cpp:2273
#30 0x7ff8155232a2 in nsLayoutUtils::PaintFrame(class gfxContext *, class nsIFrame *, class nsRegion const &, unsigned int, enum mozilla::nsDisplayListBuilderMode, enum nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3437
#31 0x7ff8153e6aca in mozilla::PresShell::PaintInternal(class nsView *, enum mozilla::PaintInternalFlags) src/layout/base/PresShell.cpp:6351
#32 0x7ff814a3ac88 in nsViewManager::ProcessPendingUpdatesPaint(class nsIWidget *) src/view/nsViewManager.cpp:440
#33 0x7ff814a39dd1 in nsViewManager::ProcessPendingUpdatesForView(class nsView *, bool) src/view/nsViewManager.cpp:375
#34 0x7ff814a3ebd3 in nsViewManager::ProcessPendingUpdates(void) src/view/nsViewManager.cpp:948
#35 0x7ff8153336be in nsRefreshDriver::Tick(struct mozilla::layers::BaseTransactionId<class mozilla::VsyncIdType>, class mozilla::TimeStamp, enum nsRefreshDriver::IsExtraTick) src/layout/base/nsRefreshDriver.cpp:2570
#36 0x7ff8153481d3 in mozilla::RefreshDriverTimer::TickDriver src/layout/base/nsRefreshDriver.cpp:349
#37 0x7ff8153481d3 in mozilla::RefreshDriverTimer::TickRefreshDrivers(struct mozilla::layers::BaseTransactionId<class mozilla::VsyncIdType>, class mozilla::TimeStamp, class nsTArray<class RefPtr<class nsRefreshDriver>> &) src/layout/base/nsRefreshDriver.cpp:326
#38 0x7ff815347dd3 in mozilla::RefreshDriverTimer::Tick(struct mozilla::layers::BaseTransactionId<class mozilla::VsyncIdType>, class mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:342
#39 0x7ff8153478f3 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(struct mozilla::layers::BaseTransactionId<class mozilla::VsyncIdType>, class mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:780
#40 0x7ff815346b83 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(struct mozilla::layers::BaseTransactionId<class mozilla::VsyncIdType>, class mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:703
#41 0x7ff8153457ae in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync(void) src/layout/base/nsRefreshDriver.cpp:620
#42 0x7ff815344f8e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(struct mozilla::VsyncEvent const &) src/layout/base/nsRefreshDriver.cpp:541
#43 0x7ff813f7ecb0 in mozilla::dom::VsyncMainChild::RecvNotify(struct mozilla::VsyncEvent const &, float const &) src/dom/ipc/VsyncMainChild.cpp:68
#44 0x7ff80d208718 in mozilla::dom::PVsyncChild::OnMessageReceived(class IPC::Message const &) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:209
#45 0x7ff80cf32f3d in mozilla::ipc::PBackgroundChild::OnMessageReceived(class IPC::Message const &) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6193
#46 0x7ff80ca9fd02 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(class mozilla::ipc::ActorLifecycleProxy *, class IPC::Message const &) src/ipc/glue/MessageChannel.cpp:1665
#47 0x7ff80ca9d74b in mozilla::ipc::MessageChannel::DispatchMessage(class IPC::Message &&) src/ipc/glue/MessageChannel.cpp:1590
#48 0x7ff80ca9eb98 in mozilla::ipc::MessageChannel::MessageTask::Run(void) src/ipc/glue/MessageChannel.cpp:1486
#49 0x7ff80b61d68d in mozilla::RunnableTask::Run(void) src/xpcom/threads/TaskController.cpp:467
#50 0x7ff80b5d2451 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) src/xpcom/threads/TaskController.cpp:770
#51 0x7ff80b5ce9ac in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) src/xpcom/threads/TaskController.cpp:606
#52 0x7ff80b5cf621 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:390
#53 0x7ff80b6259f1 in mozilla::TaskController::InitializeInternal::<lambda_2>::operator() src/xpcom/threads/TaskController.cpp:127
#54 0x7ff80b6259f1 in mozilla::detail::RunnableFunction<`lambda at src/xpcom/threads/TaskController.cpp:127:7'>::Run src/xpcom/threads/nsThreadUtils.h:531
#55 0x7ff80b5fd643 in nsThread::ProcessNextEvent(bool, bool *) src/xpcom/threads/nsThread.cpp:1173
#56 0x7ff80b60e75c in NS_ProcessNextEvent(class nsIThread *, bool) src/xpcom/threads/nsThreadUtils.cpp:467
#57 0x7ff80caa84ea in mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate *) src/ipc/glue/MessagePump.cpp:107
#58 0x7ff80c9b9055 in MessageLoop::RunInternal src/ipc/chromium/src/base/message_loop.cc:331
#59 0x7ff80c9b9055 in MessageLoop::RunHandler(void) src/ipc/chromium/src/base/message_loop.cc:324
#60 0x7ff80c9b8e25 in MessageLoop::Run(void) src/ipc/chromium/src/base/message_loop.cc:306
#61 0x7ff814b5bc3a in nsBaseAppShell::Run(void) src/widget/nsBaseAppShell.cpp:137
#62 0x7ff814d41e6b in nsAppShell::Run(void) src/widget/windows/nsAppShell.cpp:605
#63 0x7ff8193d4574 in XRE_RunAppShell(void) src/toolkit/xre/nsEmbedFunctions.cpp:878
#64 0x7ff80c9b9055 in MessageLoop::RunInternal src/ipc/chromium/src/base/message_loop.cc:331
#65 0x7ff80c9b9055 in MessageLoop::RunHandler(void) src/ipc/chromium/src/base/message_loop.cc:324
#66 0x7ff80c9b8e25 in MessageLoop::Run(void) src/ipc/chromium/src/base/message_loop.cc:306
#67 0x7ff8193d3a95 in XRE_InitChildProcess(int, char **const, struct XREChildData const *) src/toolkit/xre/nsEmbedFunctions.cpp:715
#68 0x7ff62df5208c in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:58
#69 0x7ff62df5208c in NS_internal_main(int, char **, char **) src/browser/app/nsBrowserApp.cpp:327
#70 0x7ff62df517ad in wmain src/toolkit/xre/nsWindowsWMain.cpp:147
#71 0x7ff62e04e757 in invoke_main d:\agent\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:90
#72 0x7ff62e04e757 in __scrt_common_main_seh d:\agent\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
#73 0x7ff857c37033  (C:\WINDOWS\System32\KERNEL32.DLL+0x180017033)
#74 0x7ff858642650  (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180052650)
Flags: in-testsuite?

Appears to be a safe Rust panic -- can deal with as a stability issue.

Group: gfx-core-security
Crash Signature: [@ webrender_api::display_list::DisplayListBuilder::define_clip_image_mask ]
Severity: S2 → S3
Keywords: bugmon

Unfortunately, bugmon is only supported on Linux at this time.

Keywords: bugmon
Attached file testcase.html
Attachment #9265031 - Attachment is obsolete: true
OS: Windows → Unspecified

This test case also works on Linux, so let's enable bugmon.

Keywords: bugmon
Crash Signature: [@ webrender_api::display_list::DisplayListBuilder::define_clip_image_mask ] → [@ webrender_api::display_list::DisplayListBuilder::define_clip_image_mask ] [@ webrender_api::display_list::DisplayListBuilder::current_offset ]

This test case seems to be another one where an invalid spatial node is being referenced in the display list (referring to an ID that has been removed from the spatial tree). It also has an earlier assertion:

Assertion failure: IsAncestor(aOne, aTwo) || IsAncestor(aTwo, aOne), at /code/work/gecko1/obj-x86_64-pc-linux-gnu/dist/include/nsDisplayList.h:203
Flags: needinfo?(tnikkel)
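As an added illustration (not WebRender's code) of the failure mode described above: a display list refers to spatial nodes by index into a Vec-backed tree, so a stale id (a node already removed from the tree) indexes past the end. The unchecked walk reproduces the panic class from the crash (len 4, index 10), and the checked walk shows the hardened shape that reports the bad id instead of aborting the content process. All types and names here are hypothetical stand-ins.

```rust
/// Index into the spatial tree, as a display list would reference it.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct SpatialId(pub usize);

#[derive(Clone, Copy, Debug, PartialEq)]
pub struct LayoutVector2D { pub x: f32, pub y: f32 }

/// Hypothetical spatial node: an offset relative to its parent.
pub struct SpatialNode { pub parent: Option<SpatialId>, pub offset: LayoutVector2D }

pub struct SpatialTree { pub nodes: Vec<SpatialNode> }

impl SpatialTree {
    /// Walks parent links, summing offsets. The Vec indexing is what panics on a
    /// stale id; Rust bounds-checks it, so the process aborts (MOZ_CRASH via the
    /// panic hook) rather than reading memory out of bounds.
    pub fn current_offset_unchecked(&self, id: SpatialId) -> LayoutVector2D {
        let mut acc = LayoutVector2D { x: 0.0, y: 0.0 };
        let mut cur = Some(id);
        while let Some(SpatialId(i)) = cur {
            let node = &self.nodes[i]; // panics: index out of bounds
            acc.x += node.offset.x;
            acc.y += node.offset.y;
            cur = node.parent;
        }
        acc
    }

    /// Same walk, but a missing node is returned to the caller as an error.
    pub fn current_offset_checked(&self, id: SpatialId) -> Result<LayoutVector2D, SpatialId> {
        let mut acc = LayoutVector2D { x: 0.0, y: 0.0 };
        let mut cur = Some(id);
        for _ in 0..=self.nodes.len() { // depth bound guards against parent cycles
            let SpatialId(i) = match cur { Some(n) => n, None => return Ok(acc) };
            let node = self.nodes.get(i).ok_or(SpatialId(i))?;
            acc.x += node.offset.x;
            acc.y += node.offset.y;
            cur = node.parent;
        }
        Err(id)
    }
}

/// Constructed tree of four nodes, matching the "len is 4" in the crash message.
pub fn sample_tree() -> SpatialTree {
    let n = |parent, x, y| SpatialNode { parent, offset: LayoutVector2D { x, y } };
    SpatialTree { nodes: vec![
        n(None, 0.0, 0.0),
        n(Some(SpatialId(0)), 10.0, 5.0),
        n(Some(SpatialId(1)), 2.0, 2.0),
        n(Some(SpatialId(0)), -3.0, 7.0),
    ] }
}

/// True when the unchecked lookup panics for `id` (the panic is caught here).
pub fn stale_id_panics(id: SpatialId) -> bool {
    std::panic::catch_unwind(|| sample_tree().current_offset_unchecked(id)).is_err()
}
```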

We've got several other bugs with testcases that trigger that assertion; bug 1826032 seems to be collecting the most as See Also's, so I'll link that here. This is a difficult problem with the current ASR model.

Flags: needinfo?(tnikkel)
See Also: → 1826032

Verified bug as reproducible on mozilla-central 20230629214838-c5ac7e957828.
Unable to bisect testcase (failed to find build near ca774a5b6b7b).

Whiteboard: [bugmon:bisected,confirmed]
Blocks: wr-fuzz
