1768578 - heap-buffer-overflow in [@ load]

Status: VERIFIED FIXED

(Core :: Graphics: WebRender, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20220509-70f5ae719af1 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay -p prefs.js ./firefox/firefox testcase.html

==24328==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d000486c7f at pc 0x7fbc41ab6fca bp 0x7fbc12613d50 sp 0x7fbc12613d48
READ of size 2 at 0x61d000486c7f thread T30 (Renderer)
    #0 0x7fbc41ab6fc9 in load<unsigned char> /gecko/gfx/wr/swgl/src/vector_type.h:503:5
    #1 0x7fbc41ab6fc9 in unaligned_load<unsigned char __attribute__((ext_vector_type(2))), unsigned char> /gecko/gfx/wr/swgl/src/vector_type.h:532:10
    #2 0x7fbc41ab6fc9 in unsigned short vector[4] glsl::textureLinearUnpackedR8<glsl::sampler2D_impl*>(glsl::sampler2D_impl*, glsl::ivec2) /gecko/gfx/wr/swgl/src/texture.h:554:13
    #3 0x7fbc41ec6aba in textureLinearUnpacked<glsl::sampler2D_impl *> /gecko/gfx/wr/swgl/src/swgl_ext.h:145:10
    #4 0x7fbc41ec6aba in blendTextureLinearFallback<false, glsl::sampler2D_impl *, NoColor, unsigned char> /gecko/gfx/wr/swgl/src/swgl_ext.h:178:25
    #5 0x7fbc41ec6aba in blendTextureLinearDispatch<false, glsl::sampler2D_impl *, NoColor, unsigned char> /gecko/gfx/wr/swgl/src/swgl_ext.h:451:11
    #6 0x7fbc41ec6aba in int blendTextureLinear<false, glsl::sampler2D_impl*, NoColor, unsigned char>(glsl::sampler2D_impl*, glsl::vec2, int, glsl::vec4_scalar const&, NoColor, unsigned char*, LinearFilter) /gecko/gfx/wr/swgl/src/swgl_ext.h:466:3
    #7 0x7fbc41ebb6ad in cs_clip_box_shadow_TEXTURE_2D_frag::swgl_drawSpanR8() /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/swgl-6552a371abcb3a5c/out/cs_clip_box_shadow_TEXTURE_2D.h:762:6
    #8 0x7fbc41eacbda in cs_clip_box_shadow_TEXTURE_2D_frag::draw_span_R8(glsl::FragmentShaderImpl*) /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/swgl-6552a371abcb3a5c/out/cs_clip_box_shadow_TEXTURE_2D.h:831:28
    #9 0x7fbc41fcd093 in draw_span /gecko/gfx/wr/swgl/src/program.h:178:12
    #10 0x7fbc41fcd093 in void draw_quad_spans<unsigned char>(int, glsl::vec2_scalar*, unsigned int, glsl::vec3*, Texture&, Texture&, ClipRect const&) /gecko/gfx/wr/swgl/src/rasterize.h:1028:42
    #11 0x7fbc41a9ac68 in draw_quad(int, Texture&, Texture&) /gecko/gfx/wr/swgl/src/rasterize.h:1618:5
    #12 0x7fbc41a96a52 in void draw_elements<unsigned short>(int, int, unsigned long, VertexArray&, Texture&, Texture&) /gecko/gfx/wr/swgl/src/rasterize.h:1645:5
    #13 0x7fbc41a966f9 in DrawElementsInstanced /gecko/gfx/wr/swgl/src/gl.cc:2744:7
    #14 0x7fbc41384701 in webrender::device::gl::Device::draw_indexed_triangles_instanced_u16::h42212c7ec2e3db72 /gecko/gfx/wr/webrender/src/device/gl.rs:3633:9
    #15 0x7fbc41384701 in webrender::renderer::Renderer::draw_instanced_batch::h1db2bf55624de946 /gecko/gfx/wr/webrender/src/renderer/mod.rs:2511:17
    #16 0x7fbc41384701 in webrender::renderer::Renderer::draw_clip_batch_list::h5d85ee13219da81e /gecko/gfx/wr/webrender/src/renderer/mod.rs:3935:13
    #17 0x7fbc41397e4d in webrender::renderer::Renderer::draw_alpha_target::h9ccd69028b7a15b0 /gecko/gfx/wr/webrender/src/renderer/mod.rs:4130:13
    #18 0x7fbc41397e4d in webrender::renderer::Renderer::draw_frame::h84acc984322e107e /gecko/gfx/wr/webrender/src/renderer/mod.rs:4905:17
    #19 0x7fbc4132cf33 in webrender::renderer::Renderer::render_impl::had18dff80f58dd00 /gecko/gfx/wr/webrender/src/renderer/mod.rs:2015:17
    #20 0x7fbc4132841e in webrender::renderer::Renderer::render::hfcbfece57088587f /gecko/gfx/wr/webrender/src/renderer/mod.rs:1737:30
    #21 0x7fbc4071276f in wr_renderer_render /gecko/gfx/webrender_bindings/src/bindings.rs:616:11
    #22 0x7fbc32277c1e in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /gecko/gfx/webrender_bindings/RendererOGL.cpp:185:8
    #23 0x7fbc3227606a in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /gecko/gfx/webrender_bindings/RenderThread.cpp:537:31
    #24 0x7fbc322751c9 in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /gecko/gfx/webrender_bindings/RenderThread.cpp:387:3
    #25 0x7fbc322901b6 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool>, 0UL, 1UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
    #26 0x7fbc322901b6 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
    #27 0x7fbc322901b6 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
    #28 0x7fbc2f86aade in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1174:16
    #29 0x7fbc2f87441c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #30 0x7fbc30f73651 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:330:5
    #31 0x7fbc30de9841 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:380:10
    #32 0x7fbc30de9841 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:373:3
    #33 0x7fbc30de9841 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:355:3
    #34 0x7fbc2f8626ab in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:378:10
    #35 0x7fbc54bd857e in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #36 0x7fbc55877608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8
    #37 0x7fbc5543e162 in __clone /build/glibc-sMfBJT/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x61d000486c7f is located 1 bytes to the left of 2068-byte region [0x61d000486c80,0x61d000487494)
allocated by thread T30 (Renderer) here:
    #0 0x564c475b87d6 in __interceptor_realloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:85:3
    #1 0x7fbc41a9c872 in Texture::allocate(bool, int, int) /gecko/gfx/wr/swgl/src/gl.cc:509:32
    #2 0x7fbc41a825d7 in set_tex_storage(Texture&, unsigned int, int, int, void*, int, int, int) /gecko/gfx/wr/swgl/src/gl.cc:1716:10
    #3 0x7fbc41a820be in TexStorage2D /gecko/gfx/wr/swgl/src/gl.cc:1732:3
    #4 0x7fbc41a83349 in TexImage2D /gecko/gfx/wr/swgl/src/gl.cc:1822:3
    #5 0x7fbc41a6401a in _$LT$swgl..swgl_fns..Context$u20$as$u20$gleam..gl..Gl$GT$::tex_image_2d::hd2143d53dc386835 /gecko/gfx/wr/swgl/src/swgl_fns.rs:997:13
    #6 0x7fbc40efe897 in webrender::device::gl::Device::create_texture::hd1c2e346282d7926 /gecko/gfx/wr/webrender/src/device/gl.rs:2529:13
    #7 0x7fbc4134acc1 in webrender::renderer::Renderer::update_texture_cache::_$u7b$$u7b$closure$u7d$$u7d$::h18679fcfc1740cf6 /gecko/gfx/wr/webrender/src/renderer/mod.rs:2379:29
    #8 0x7fbc4134acc1 in core::option::Option$LT$T$GT$::unwrap_or_else::he0535446ceb1660e /builds/worker/fetches/rust/library/core/src/option.rs:802:21
    #9 0x7fbc4134acc1 in webrender::renderer::Renderer::update_texture_cache::h321af9a1eba3ffc9 /gecko/gfx/wr/webrender/src/renderer/mod.rs:2378:43
    #10 0x7fbc4132c40c in webrender::renderer::Renderer::render_impl::had18dff80f58dd00 /gecko/gfx/wr/webrender/src/renderer/mod.rs:1975:13
    #11 0x7fbc4132841e in webrender::renderer::Renderer::render::hfcbfece57088587f /gecko/gfx/wr/webrender/src/renderer/mod.rs:1737:30
    #12 0x7fbc4071276f in wr_renderer_render /gecko/gfx/webrender_bindings/src/bindings.rs:616:11
    #13 0x7fbc32277c1e in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /gecko/gfx/webrender_bindings/RendererOGL.cpp:185:8
    #14 0x7fbc3227606a in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /gecko/gfx/webrender_bindings/RenderThread.cpp:537:31
    #15 0x7fbc322751c9 in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /gecko/gfx/webrender_bindings/RenderThread.cpp:387:3
    #16 0x7fbc322901b6 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool>, 0UL, 1UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
    #17 0x7fbc322901b6 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
    #18 0x7fbc322901b6 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
    #19 0x7fbc2f86aade in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1174:16
    #20 0x7fbc2f87441c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #21 0x7fbc30f73651 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:330:5
    #22 0x7fbc30de9841 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:380:10
    #23 0x7fbc30de9841 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:373:3
    #24 0x7fbc30de9841 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:355:3
    #25 0x7fbc2f8626ab in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:378:10
    #26 0x7fbc54bd857e in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #27 0x7fbc55877608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8

Thread T30 (Renderer) created by T0 here:
    #0 0x564c475a1a6c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
    #1 0x7fbc54bc862c in _PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7fbc54bb99ce in PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7fbc2f865955 in nsThread::Init(nsTSubstring<char> const&) /gecko/xpcom/threads/nsThread.cpp:604:18
    #4 0x7fbc2f8720ff in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /gecko/xpcom/threads/nsThreadManager.cpp:534:12
    #5 0x7fbc2f87ded1 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /gecko/xpcom/threads/nsThreadUtils.cpp:161:57
    #6 0x7fbc3227154f in NS_NewNamedThread<9UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74:10
    #7 0x7fbc3227154f in mozilla::wr::RenderThread::Start(unsigned int) /gecko/gfx/webrender_bindings/RenderThread.cpp:94:17
    #8 0x7fbc31fd4ad7 in gfxPlatform::InitLayersIPC() /gecko/gfx/thebes/gfxPlatform.cpp:1295:7
    #9 0x7fbc31fd0d5b in gfxPlatform::Init() /gecko/gfx/thebes/gfxPlatform.cpp:955:3
    #10 0x7fbc31fd46c6 in GetPlatform /gecko/gfx/thebes/gfxPlatform.cpp:465:5
    #11 0x7fbc31fd46c6 in gfxPlatform::InitializeCMS() /gecko/gfx/thebes/gfxPlatform.cpp:2088:9
    #12 0x7fbc37c90e04 in EnsureCMSInitialized /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:975:7
    #13 0x7fbc37c90e04 in gfxPlatform::GetCMSMode() /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:523:5
    #14 0x7fbc37c9066d in nsXPLookAndFeel::GetColorValue(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins, unsigned int&) /gecko/widget/nsXPLookAndFeel.cpp:879:9
    #15 0x7fbc37c947ce in mozilla::LookAndFeel::GetColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /gecko/widget/nsXPLookAndFeel.cpp:1279:47
    #16 0x7fbc37bff40c in Color /builds/worker/workspace/obj-build/dist/include/mozilla/LookAndFeel.h:444:12
    #17 0x7fbc37bff40c in ThemedAccentColor /gecko/widget/ThemeColors.cpp:88:37
    #18 0x7fbc37bff40c in mozilla::widget::ThemeColors::RecomputeAccentColors() /gecko/widget/ThemeColors.cpp:197:20
    #19 0x7fbc37bff055 in mozilla::widget::Theme::LookAndFeelChanged() /gecko/widget/Theme.cpp:179:3
    #20 0x7fbc37c8ea46 in nsXPLookAndFeel::GetInstance() /gecko/widget/nsXPLookAndFeel.cpp:361:3
    #21 0x7fbc37c9516d in mozilla::LookAndFeel::GetThemeInfo(nsTSubstring<char>&) /gecko/widget/nsXPLookAndFeel.cpp:1392:3
    #22 0x7fbc2f6c38fa in nsSystemInfo::Init() /gecko/xpcom/base/nsSystemInfo.cpp:1047:5
    #23 0x7fbc2f7d2fe4 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:11960:7
    #24 0x7fbc2f816c80 in CreateInstance /gecko/xpcom/components/nsComponentManager.cpp:185:46
    #25 0x7fbc2f816c80 in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::detail::BaseMonitorAutoLock<mozilla::Monitor> >&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /gecko/xpcom/components/nsComponentManager.cpp:1290:17
    #26 0x7fbc2f817728 in nsComponentManagerImpl::GetService(mozilla::xpcom::ModuleID, nsID const&, void**) /gecko/xpcom/components/nsComponentManager.cpp:1380:10
    #27 0x7fbc2f7ecead in mozilla::xpcom::GetServiceHelper::operator()(nsID const&, void**) const /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:12287:50
    #28 0x7fbc2f67afb1 in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) /gecko/xpcom/base/nsCOMPtr.cpp:109:7
    #29 0x7fbc3128027f in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:999:5
    #30 0x7fbc3128027f in GetServiceImpl /gecko/js/xpconnect/src/JSServices.cpp:83:32
    #31 0x7fbc3128027f in GetService /gecko/js/xpconnect/src/JSServices.cpp:130:8
    #32 0x7fbc3128027f in xpc::Services_Resolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) /gecko/js/xpconnect/src/JSServices.cpp:153:25
    #33 0x7fbc3d13c9d7 in CallResolveOp /gecko/js/src/vm/NativeObject-inl.h:640:8
    #34 0x7fbc3d13c9d7 in NativeLookupOwnPropertyInline<js::CanGC, js::LookupResolveMode::CheckResolve> /gecko/js/src/vm/NativeObject-inl.h:760:14
    #35 0x7fbc3d13c9d7 in NativeGetPropertyInline<js::CanGC> /gecko/js/src/vm/NativeObject.cpp:2124:10
    #36 0x7fbc3d13c9d7 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/NativeObject.cpp:2172:10
    #37 0x7fbc3ce57d19 in GetProperty /gecko/js/src/vm/ObjectOperations-inl.h:120:10
    #38 0x7fbc3ce57d19 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/ObjectOperations-inl.h:127:10
    #39 0x7fbc3e82834b in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/Interpreter.cpp:4668:10
    #40 0x7fbc3e800c24 in GetPropertyOperation /gecko/js/src/vm/Interpreter.cpp:203:10
    #41 0x7fbc3e800c24 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:2984:12
    #42 0x7fbc3e7f2fc1 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:389:13
    #43 0x7fbc3e82128f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:539:13
    #44 0x7fbc3e822e1a in InternalCall /gecko/js/src/vm/Interpreter.cpp:574:10
    #45 0x7fbc3e822e1a in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:605:8
    #46 0x7fbc3cf5c41c in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:53:10
    #47 0x7fbc312c5e25 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:981:17
    #48 0x7fbc2f8badb2 in PrepareAndDispatch /gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
    #49 0x7fbc2f8b9b0a in SharedStub xptcstubs_x86_64_linux.cpp
    #50 0x7fbc2f80d1dd in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /gecko/xpcom/components/nsCategoryManager.cpp:687:19
    #51 0x7fbc3cb235a9 in nsXREDirProvider::DoStartup() /gecko/toolkit/xre/nsXREDirProvider.cpp:936:11
    #52 0x7fbc3cb00920 in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:5483:18
    #53 0x7fbc3cb031d5 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5925:8
    #54 0x7fbc3cb03f13 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5992:21
    #55 0x564c475f66cd in do_main /gecko/browser/app/nsBrowserApp.cpp:225:22
    #56 0x564c475f66cd in main /gecko/browser/app/nsBrowserApp.cpp:397:16
    #57 0x7fbc553430b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16

Comment 1

[Tyson Smith [:tsmith]]

Attachment: prefs.js

Comment 2

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/xoP9-QEjTBHmNkqKhYDgRg/index.html

Comment 3

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220510035031-f1e87b2a9a25.
The bug appears to have been introduced in the following build range:

Start: 7f0c7c21dbfaddd8b0afa6d372368d98b373e69a (20220219214049)
End: 2b42abbdb0df38f31dfa1178fe3b5f773f8e4812 (20220220185923)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7f0c7c21dbfaddd8b0afa6d372368d98b373e69a&tochange=2b42abbdb0df38f31dfa1178fe3b5f773f8e4812

Comment 4

[Daniel Veditz [:dveditz]]

Calling it sec-moderate for now because it looks like it has under-indexed a texture and will read back into it's own stuff, but where does it get the -1 ? It's possible this is worse than it initially looks.

Comment 5

[BugBot [:suhaib / :marco/ :calixte]]

Setting regressed_by field after analyzing regression range found by bugmon.

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1749380

Comment 7

[BugBot [:suhaib / :marco/ :calixte]]

:gw, since you are the author of the regressor, bug 1749380, could you take a look?
For more information, please visit auto_nag documentation.

Comment 8

[Lee Salzman [:lsalzman]]

(In reply to Daniel Veditz [:dveditz] from comment #4)

Calling it sec-moderate for now because it looks like it has under-indexed a texture and will read back into it's own stuff, but where does it get the -1 ? It's possible this is worse than it initially looks.

It's just an Nx1 texture, and it's clamping the bounds for linear filtering expecting it to have at least a width of 2, which ends up at -1. So it will only potentially underread the texture buffer by -1. So I would agree this is not very serious. I have a fix regardless.

Comment 9

[Lee Salzman [:lsalzman]]

Attachment: Bug 1768578 - Use nearest filter on short rows. r?jrmuizel

Comment 10

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Use nearest filter on short rows. r=gfx-reviewers,nical
https://hg.mozilla.org/integration/autoland/rev/3f80499560560a17fa7da44ae9e55dc949568838
https://hg.mozilla.org/mozilla-central/rev/3f8049956056

Comment 11

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220613215309-b79cd8279108.

Comment 12

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:lsalzman, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox102 to wontfix.

For more information, please visit auto_nag documentation.

Comment 13

[Lee Salzman [:lsalzman]]

Comment on attachment 9280843 [details]
Bug 1768578 - Use nearest filter on short rows. r?jrmuizel

Beta/Release Uplift Approval Request

• User impact if declined: Potential memory underreads when using Software WebRender.
• Is this code covered by automated tests?: Unknown
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky):
• String changes made/needed:
• Is Android affected?: Yes

ESR Uplift Approval Request

• If this is not a sec:{high,crit} bug, please state case for ESR consideration:
• User impact if declined:
• Fix Landed on Version: 103
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky):

Comment 14

[Pascal Chevrel:pascalc]

Comment on attachment 9280843 [details]
Bug 1768578 - Use nearest filter on short rows. r?jrmuizel

Approved for 102 beta 8, thanks.

Comment 15

[Pascal Chevrel:pascalc]

https://hg.mozilla.org/releases/mozilla-beta/rev/84411a92fefd