1780567 - Hit MOZ_CRASH(assertion failed: target.is_active) at gfx/wr/webrender/src/resource_cache.rs:1744

Status: VERIFIED FIXED

(Core :: Graphics: WebRender, defect)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev 78a43d5ba28e (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 78a43d5ba28e --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(assertion failed: target.is_active) at gfx/wr/webrender/src/resource_cache.rs:1744

    ==805879==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd0bfe87685 bp 0x7fd0206c8810 sp 0x7fd0206c8800 T806026)
    ==805879==The signal is caused by a WRITE memory access.
    ==805879==Hint: address points to the zero page.
        #0 0x7fd0bfe87685 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
        #1 0x7fd0bfe87685 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
        #2 0x7fd0bfe87608 in mozglue_static::panic_hook::hc73c6ec992377969 /mozglue/static/rust/lib.rs:91:9
        #3 0x7fd0bfe8708b in core::ops::function::Fn::call::h3d3ab1c02c30d6c6 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/core/src/ops/function.rs:77:5
        #4 0x7fd0c0e4bd95 in std::panicking::rust_panic_with_hook::hc82286af2030e925 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/panicking.rs:702:17
        #5 0x7fd0c0e4bb58 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h1c15057c2f09081f /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/panicking.rs:586:13
        #6 0x7fd0c0e48d53 in std::sys_common::backtrace::__rust_end_short_backtrace::h65de906a5330f8da /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/sys_common/backtrace.rs:138:18
        #7 0x7fd0c0e4b8c8 in rust_begin_unwind /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/panicking.rs:584:5
        #8 0x7fd0b65abc12 in core::panicking::panic_fmt::h741cfbfc95bc6112 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/core/src/panicking.rs:142:14
        #9 0x7fd0b65abadc in core::panicking::panic::hab046c3856b52f65 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/core/src/panicking.rs:48:5
        #10 0x7fd0bfa3d63f in webrender::resource_cache::ResourceCache::return_render_target_to_pool::h40ce928acf561603 /gfx/wr/webrender/src/resource_cache.rs:1744:9
        #11 0x7fd0bfa3d63f in webrender::render_task_graph::RenderTaskGraphBuilder::end_frame::h46b0e42d15e66e78 /gfx/wr/webrender/src/render_task_graph.rs:577:17
        #12 0x7fd0bf9a1d11 in webrender::frame_builder::FrameBuilder::build::hc1b04a8c566a7527 /gfx/wr/webrender/src/frame_builder.rs:537:28
        #13 0x7fd0bfa19ca6 in webrender::render_backend::Document::build_frame::hfb280504c8d5ab17 /gfx/wr/webrender/src/render_backend.rs:514:25
        #14 0x7fd0bfa2a227 in webrender::render_backend::RenderBackend::update_document::h255be2f7e78d5f05 /gfx/wr/webrender/src/render_backend.rs:1412:41
        #15 0x7fd0bfa1ed36 in webrender::render_backend::RenderBackend::prepare_transactions::h116aa515e71970c0 /gfx/wr/webrender/src/render_backend.rs:1256:28
        #16 0x7fd0bfa1ed36 in webrender::render_backend::RenderBackend::process_api_msg::h6230c01eec39d553 /gfx/wr/webrender/src/render_backend.rs:1109:17
        #17 0x7fd0bf7ff9e9 in webrender::render_backend::RenderBackend::run::h6d42cdcd98969c9a /gfx/wr/webrender/src/render_backend.rs:772:21
        #18 0x7fd0bf7ff9e9 in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::h6662880f3e499298 /gfx/wr/webrender/src/renderer/mod.rs:1337:13
        #19 0x7fd0bf7ff9e9 in std::sys_common::backtrace::__rust_begin_short_backtrace::h599885b87044bd19 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/sys_common/backtrace.rs:122:18
        #20 0x7fd0bf81e6ee in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h19f74eee8f4d5e78 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/thread/mod.rs:501:17
        #21 0x7fd0bf81e6ee in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h5857132ef498b775 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/core/src/panic/unwind_safe.rs:271:9
        #22 0x7fd0bf81e6ee in std::panicking::try::do_call::h5aeeff843183c1b5 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/panicking.rs:492:40
        #23 0x7fd0bf81e6ee in std::panicking::try::h1059d2546469108d /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/panicking.rs:456:19
        #24 0x7fd0bf81e6ee in std::panic::catch_unwind::hac4896ac7ba38d42 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/panic.rs:137:14
        #25 0x7fd0bf81e6ee in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::h5e2e06b09e352443 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/thread/mod.rs:500:30
        #26 0x7fd0bf81e6ee in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h31d21793266a9386 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/core/src/ops/function.rs:248:5
        #27 0x7fd0c0e55cc2 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::hcbca3baf872b7fe4 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/alloc/src/boxed.rs:1872:9
        #28 0x7fd0c0e55cc2 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h18790338ce1743e2 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/alloc/src/boxed.rs:1872:9
        #29 0x7fd0c0e55cc2 in std::sys::unix::thread::Thread::new::thread_start::hb1067183bad48893 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/sys/unix/thread.rs:108:17
        #30 0x7fd0cd5ed608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
        #31 0x7fd0cd1b4132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash
    ==805879==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 2

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220721154747-e4ec56a9e42a.
The bug appears to have been introduced in the following build range:

Start: 11fdacebbf141b963debb50ce0095945b43f0f8c (20220720215619)
End: 78a43d5ba28e7c42c8380465a793dfa1eb6bf9f2 (20220721000434)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=11fdacebbf141b963debb50ce0095945b43f0f8c&tochange=78a43d5ba28e7c42c8380465a793dfa1eb6bf9f2

Comment 3

[Mayank Bansal]

https://crash-stats.mozilla.org/report/index/3ae7705a-f1d7-4cc0-a038-40bdb0220721

Comment 4

[Mayank Bansal]

Slightly better STR:

1. Set DPI to 1. Load the testcase
2. Use the zoom button in hamburger menu to set zoom to 133%
3. Pinch-zoom to maximum possible
4. Click on the "reset zoom" button in the URL bar
   Crash

Comment 5

[Glenn Watson [:gw]]

Attachment: Bug 1780567 - Fix shared target allocation for tasks with Existing mode

Comment 6

[Pulsebot]

Pushed by gwatson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f17e315eda26
Fix shared target allocation for tasks with Existing mode r=gfx-reviewers,jgilbert

Comment 7

[Cristian Tuns]

https://hg.mozilla.org/mozilla-central/rev/f17e315eda26

Comment 8

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220722085933-be11d2aa123a.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.