Hit MOZ_CRASH(assertion failed: self.fonts.templates.has_font(&shared_font_key)) at gfx/wr/webrender/src/api_resources.rs:115
Categories
(Core :: Graphics: WebRender, defect, P3)
Tracking
Branch | Tracking | Status
---|---|---
firefox101 | --- | affected
People
(Reporter: tsmith, Unassigned, NeedInfo)
References
(Blocks 2 open bugs)
Details
(Keywords: assertion)
Found while fuzzing m-c 20220422-e54b77f74624 (--enable-debug --enable-fuzzing)
A reduced, reliable test case is not available at this time.
Hit MOZ_CRASH(assertion failed: self.fonts.templates.has_font(&shared_font_key)) at gfx/wr/webrender/src/api_resources.rs:115
#0 0x7ffb1bb09655 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7ffb1bb09655 in RustMozCrash mozglue/static/rust/wrappers.cpp:18:3
#2 0x7ffb1bb094b4 in mozglue_static::panic_hook::he011c928ff5f330d mozglue/static/rust/lib.rs:91:9
#3 0x7ffb1bb0903b in core::ops::function::Fn::call::h0cdf3844f7ee3316 /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/core/src/ops/function.rs:70:5
#4 0x7ffb1c8e0b53 in std::panicking::rust_panic_with_hook::h3b7380e99b825b63 /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/std/src/panicking.rs:702:17
#5 0x7ffb1c8e07c8 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h8e849d0710154ce0 /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/std/src/panicking.rs:586:13
#6 0x7ffb1c8dc753 in std::sys_common::backtrace::__rust_end_short_backtrace::hedcdaddbd4c46cc5 /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/std/src/sys_common/backtrace.rs:138:18
#7 0x7ffb1c8e0518 in rust_begin_unwind /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/std/src/panicking.rs:584:5
#8 0x7ffb122af1c2 in core::panicking::panic_fmt::he1bbc7336d49a357 /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/core/src/panicking.rs:143:14
#9 0x7ffb122af08c in core::panicking::panic::h4241c5ccea17faca /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/core/src/panicking.rs:48:5
#10 0x7ffb1b5f3278 in webrender::api_resources::ApiResources::update::hea8e07816bb42668 gfx/wr/webrender/src/api_resources.rs:115:21
#11 0x7ffb1b5f3278 in webrender::render_api::RenderApi::send_transaction::h3cdf1ef3f1a304af gfx/wr/webrender/src/render_api.rs:1243:9
#12 0x7ffb1b25dd2f in wr_api_send_transaction gfx/webrender_bindings/src/bindings.rs:2175:5
#13 0x7ffb139ee3f4 in mozilla::layers::WebRenderBridgeParent::SetDisplayList(mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float> const&, mozilla::ipc::ByteBuf&&, mozilla::ipc::ByteBuf&&, mozilla::ipc::ByteBuf&&, mozilla::wr::BuiltDisplayListDescriptor const&, nsTArray<mozilla::layers::OpUpdateResource> const&, nsTArray<mozilla::layers::RefCountedShmem> const&, nsTArray<mozilla::ipc::Shmem> const&, mozilla::TimeStamp const&, mozilla::wr::TransactionBuilder&, mozilla::wr::Epoch, bool) gfx/layers/wr/WebRenderBridgeParent.cpp:1153:9
#14 0x7ffb139ee726 in mozilla::layers::WebRenderBridgeParent::ProcessDisplayListData(mozilla::layers::DisplayListData&, mozilla::wr::Epoch, mozilla::TimeStamp const&, bool, bool) gfx/layers/wr/WebRenderBridgeParent.cpp:1184:15
#15 0x7ffb139ef8b2 in mozilla::layers::WebRenderBridgeParent::RecvSetDisplayList(mozilla::layers::DisplayListData&&, nsTArray<mozilla::layers::OpDestroy>&&, unsigned long const&, mozilla::layers::BaseTransactionId<mozilla::layers::TransactionIdType> const&, bool const&, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, nsTString<char> const&, mozilla::TimeStamp const&, nsTArray<mozilla::layers::CompositionPayload>&&) gfx/layers/wr/WebRenderBridgeParent.cpp:1243:18
#16 0x7ffb1383e5a2 in mozilla::layers::PWebRenderBridgeParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebRenderBridgeParent.cpp:458:28
#17 0x7ffb13808eb2 in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerParent.cpp:193:32
#18 0x7ffb1321e721 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) ipc/glue/MessageChannel.cpp:1707:25
#19 0x7ffb1321b9a6 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message&&) ipc/glue/MessageChannel.cpp:1632:9
#20 0x7ffb1321c4a9 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) ipc/glue/MessageChannel.cpp:1493:3
#21 0x7ffb1321cff4 in mozilla::ipc::MessageChannel::MessageTask::Run() ipc/glue/MessageChannel.cpp:1528:14
#22 0x7ffb1267d227 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1174:16
#23 0x7ffb1268354d in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:465:10
#24 0x7ffb13225385 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:300:20
#25 0x7ffb13142ce7 in MessageLoop::RunInternal() ipc/chromium/src/base/message_loop.cc:380:10
#26 0x7ffb13142bf2 in RunHandler ipc/chromium/src/base/message_loop.cc:373:3
#27 0x7ffb13142bf2 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:355:3
#28 0x7ffb12678716 in nsThread::ThreadFunc(void*) xpcom/threads/nsThread.cpp:378:10
#29 0x7ffb281df2e7 in _pt_root nsprpub/pr/src/pthreads/ptthread.c:201:5
#30 0x7ffb28f59608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8
#31 0x7ffb28b20162 in __clone /build/glibc-sMfBJT/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Comment 1 • 2 years ago (Reporter)
A Pernosco session is available here: https://pernos.co/debug/lH6c7kJpa1JNfrC0Qy_yNA/index.html
Comment 2 • 2 years ago (Jeff Muizelaar [:jrmuizel])
It looks like this should be crashing in ipc::FatalError, but it has an #ifdef FUZZING from bug 1450231 that prevents the crash from happening. This seems to cause the SetDisplayList to fail to be received, which puts us in an inconsistent state.

It might make sense to ignore FatalErrors when doing IPC fuzzing, but I don't think it makes sense for regular DOM fuzzing.
Comment 3 • 2 years ago
The deserialization error is caused by us hitting:
https://searchfox.org/mozilla-central/rev/44527269dd96db7a3da81aafff33c84a031864c7/ipc/chromium/src/chrome/common/ipc_message_utils.h#626
I think this should probably be fatal to the child instead of killing the parent.
Comment 4 • 2 years ago
We get too many handles because mSmallShmems.Length() == 201, and this seems to be caused by adding a lot of blob images and perhaps some weird interaction in ShmSegmentsWriter::Write.
Comment 5 • 2 years ago (Reporter, Tyson Smith [:tsmith])

> (In reply to Jeff Muizelaar [:jrmuizel] from comment #2)
> It might make sense to ignore FatalErrors when doing IPC fuzzing but I don't think it makes sense for regular DOM fuzzing.

Decoder will know more about this.
Updated • 2 years ago

Comment 6 • 2 years ago

> (In reply to Tyson Smith [:tsmith] from comment #5)
> > (In reply to Jeff Muizelaar [:jrmuizel] from comment #2)
> > It might make sense to ignore FatalErrors when doing IPC fuzzing but I don't think it makes sense for regular DOM fuzzing.
> Decoder will know more about this.

We should use #ifdef FUZZING_SNAPSHOT here instead of the regular FUZZING ifdef. Then it will only be disabled in builds we use for IPC fuzzing.
Updated • 1 year ago (Reporter)