1765838 - Hit MOZ_CRASH(Attempt to update non-existent blob image) at gfx/wr/webrender/src/api_resources.rs:175

Status: RESOLVED WORKSFORME

(Core :: Graphics: WebRender, defect, P3)

Description

[Tyson Smith [:tsmith]]

Found while fuzzing m-c 20220421-302c06a300ee (--enable-address-sanitizer --enable-fuzzing)

A reduced test case is not available at this time.

Hit MOZ_CRASH(Attempt to update non-existent blob image) at gfx/wr/webrender/src/api_resources.rs:175

#0 0x7f62657da860 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7f62657da860 in RustMozCrash /gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7f62657d9e86 in mozglue_static::panic_hook::hd6871e96b4bcbdcb /gecko/mozglue/static/rust/lib.rs:91:9
#3 0x7f62657d93b5 in core::ops::function::Fn::call::hd69037864ae41b9e /builds/worker/fetches/rust/library/core/src/ops/function.rs:70:5
#4 0x7f626881682f in std::panicking::rust_panic_with_hook::hd4b01d10d132fdc5 (/home/worker/builds/m-c-20220421094346-fuzzing-asan-opt/libxul.so+0x1f72082f) (BuildId: df72fb64a81a31ade56c2f0a247a1c636479a9b2)
#5 0x7f6268838b36 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::head537b50d915cd5 std.19cbab4a-cgu.7
#6 0x7f6268838323 in std::sys_common::backtrace::__rust_end_short_backtrace::h3809453eea6ed96e crtstuff.c
#7 0x7f6268816301 in rust_begin_unwind (/home/worker/builds/m-c-20220421094346-fuzzing-asan-opt/libxul.so+0x1f720301) (BuildId: df72fb64a81a31ade56c2f0a247a1c636479a9b2)
#8 0x7f625184ac72 in core::panicking::panic_fmt::heea304e80a792787 (/home/worker/builds/m-c-20220421094346-fuzzing-asan-opt/libxul.so+0x8754c72) (BuildId: df72fb64a81a31ade56c2f0a247a1c636479a9b2)
#9 0x7f6268870a20 in core::panicking::panic_display::h0418174c7b78d9c8 core.a48c58b0-cgu.5
#10 0x7f62688709ca in core::panicking::panic_str::hf444fbebfd604682 core.a48c58b0-cgu.5
#11 0x7f625184b0a5 in core::option::expect_failed::h1d1ddded60d05fd4 (/home/worker/builds/m-c-20220421094346-fuzzing-asan-opt/libxul.so+0x87550a5) (BuildId: df72fb64a81a31ade56c2f0a247a1c636479a9b2)
#12 0x7f626438af61 in core::option::Option$LT$T$GT$::expect::h681bc43de196c958 /builds/worker/fetches/rust/library/core/src/option.rs:715:21
#13 0x7f626438af61 in webrender::api_resources::ApiResources::update_blob_image::hf6c8ce2e30228e23 /gecko/gfx/wr/webrender/src/api_resources.rs:173:21
#14 0x7f62643bb228 in webrender::api_resources::ApiResources::update::h30e050ee777f84b9 /gecko/gfx/wr/webrender/src/api_resources.rs:97:21
#15 0x7f62643bb228 in webrender::render_api::RenderApi::send_transaction::h828532df12a643e6 /gecko/gfx/wr/webrender/src/render_api.rs:1243:9
#16 0x7f62634e5aba in wr_api_send_transaction /gecko/gfx/webrender_bindings/src/bindings.rs:2175:5
#17 0x7f6254cb65e2 in mozilla::layers::WebRenderBridgeParent::SetDisplayList(mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float> const&, mozilla::ipc::ByteBuf&&, mozilla::ipc::ByteBuf&&, mozilla::ipc::ByteBuf&&, mozilla::wr::BuiltDisplayListDescriptor const&, nsTArray<mozilla::layers::OpUpdateResource> const&, nsTArray<mozilla::layers::RefCountedShmem> const&, nsTArray<mozilla::ipc::Shmem> const&, mozilla::TimeStamp const&, mozilla::wr::TransactionBuilder&, mozilla::wr::Epoch, bool) /gecko/gfx/layers/wr/WebRenderBridgeParent.cpp:1153:9
#18 0x7f6254cb7307 in mozilla::layers::WebRenderBridgeParent::ProcessDisplayListData(mozilla::layers::DisplayListData&, mozilla::wr::Epoch, mozilla::TimeStamp const&, bool, bool) /gecko/gfx/layers/wr/WebRenderBridgeParent.cpp:1184:15
#19 0x7f6254cb89d7 in mozilla::layers::WebRenderBridgeParent::RecvSetDisplayList(mozilla::layers::DisplayListData&&, nsTArray<mozilla::layers::OpDestroy>&&, unsigned long const&, mozilla::layers::BaseTransactionId<mozilla::layers::TransactionIdType> const&, bool const&, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, nsTString<char> const&, mozilla::TimeStamp const&, nsTArray<mozilla::layers::CompositionPayload>&&) /gecko/gfx/layers/wr/WebRenderBridgeParent.cpp:1243:18
#20 0x7f62549d14f2 in mozilla::layers::PWebRenderBridgeParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebRenderBridgeParent.cpp:458:28
#21 0x7f6254965c58 in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerParent.cpp:193:32
#22 0x7f6253dd3519 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:1707:25
#23 0x7f6253dd0fc2 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:1632:9
#24 0x7f6253dd25d8 in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1528:14
#25 0x7f62526e8a7e in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1174:16
#26 0x7f62526f1f6c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#27 0x7f6253ddc31b in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:300:20
#28 0x7f6253c55a41 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:380:10
#29 0x7f6253c55a41 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:373:3
#30 0x7f6253c55a41 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:355:3
#31 0x7f62526e064b in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:378:10
#32 0x7f62779d858e in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#33 0x7f6278673608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8
#34 0x7f627823a162 in __clone /build/glibc-sMfBJT/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/g03jFmY2RwaoW31fhYFo8g/index.html

Comment 2

[Tyson Smith [:tsmith]]

This issue seemed to spike for a few days in April and was last seen by fuzzers targeting m-c 20220422-93ecd130a241.