1804998 - src/gl.cc:558:16: runtime error: applying non-zero offset 2196480 to null pointer

Status: RESOLVED FIXED

(Core :: Graphics: WebRender, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing 20221208-5b38548871de (--enable-address-sanitizer --enable-undefined-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing --cpu x86 -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

This test case requires a 32-bit Linux builds to trigger the issue. Pernosco does not support 32 bit builds.
This can take up to 45 seconds to trigger.

To debug with GDB and Grizzly try using:

$ python -m grizzly.replay ./firefox/firefox testcase.html --timeout 0 --post-launch-delay 300 --repeat 10

I am marking this as s-s because the offset 2196480 is large and I'm not sure how controllable it is.

src/gl.cc:558:16: runtime error: applying non-zero offset 2196480 to null pointer
    #0 0xecc1b7c5 in Texture::sample_ptr(int, int) const /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc
    #1 0xed13ece9 in void draw_quad_spans<unsigned int>(int, glsl::vec2_scalar*, unsigned int, glsl::vec3*, Texture&, Texture&, ClipRect const&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:902:42
    #2 0xecc35db5 in draw_quad(int, Texture&, Texture&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1621:5
    #3 0xecc31b8e in void draw_elements<unsigned short>(int, int, unsigned int, VertexArray&, Texture&, Texture&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1651:5
    #4 0xecc3179c in DrawElementsInstanced /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:2744:7
    #5 0xecbf3c86 in _$LT$swgl..swgl_fns..Context$u20$as$u20$gleam..gl..Gl$GT$::draw_elements_instanced::h92d3b763ec7559ad /builds/worker/checkouts/gecko/gfx/wr/swgl/src/swgl_fns.rs:1551:13
    #6 0xeca5a835 in webrender::device::gl::Device::draw_indexed_triangles_instanced_u16::hcd959812b67ba58b /builds/worker/checkouts/gecko/gfx/wr/webrender/src/device/gl.rs:3704:9
    #7 0xeca5a835 in webrender::renderer::Renderer::draw_instanced_batch::h86b28998388b666a /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1981:17
    #8 0xeca5d502 in webrender::renderer::Renderer::draw_alpha_batch_container::ha3d9b05e9fcdbd4c /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2515:21
    #9 0xeca70728 in webrender::renderer::Renderer::draw_color_target::hed6a8fdd79830b9e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:3344:13
    #10 0xeca70728 in webrender::renderer::Renderer::draw_frame::h4a4479113987f888 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:4481:17
    #11 0xeca48f06 in webrender::renderer::Renderer::render_impl::h2e12df6d81901921 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1477:17
    #12 0xeca46d5c in webrender::renderer::Renderer::render::h940415b376764ba5 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1199:30
    #13 0xec73c7fc in wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:614:11
    #14 0xdb36bd52 in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>> const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char>> const&, bool*, mozilla::wr::RendererStats*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:186:19
    #15 0xdb368abd in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>> const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char>> const&, bool*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:581:31
    #16 0xdb3674ec in mozilla::wr::RenderThread::HandleFrameOneDocInner(mozilla::wr::WrWindowId, bool, bool) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:440:3
    #17 0xdb36693e in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool, bool) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:392:3
    #18 0xdb39115c in decltype(*fp.*fp0(Get<0u>(fp1).PassAsParameter(), Get<1u>(fp1).PassAsParameter(), Get<2u>(fp1).PassAsParameter())) mozilla::detail::RunnableMethodArguments<mozilla::wr::WrWindowId, bool, bool>::applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool>, StoreCopyPassByConstLRef<bool>, 0u, 1u, 2u>(mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool, bool), mozilla::Tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool>, StoreCopyPassByConstLRef<bool>>&, std::integer_sequence<unsigned int, 0u, 1u, 2u>) /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
    #19 0xdb390cb2 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12
    #20 0xdb390cb2 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1215:13
    #21 0xd7bdf3a8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16
    #22 0xd7bee66a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:474:10
    #23 0xd994e7bc in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330:5
    #24 0xd9758f07 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #25 0xd9758f07 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #26 0xd9758f07 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #27 0xd7bd412c in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:383:10
    #28 0xf76a212f in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #29 0x5672d989 in __asan::AsanThread::ThreadStart(unsigned long long) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_thread.cpp:277:25
    #30 0x56708c9e in asan_thread_start(void*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:199:13
    #31 0xf7978b90  (/lib/i386-linux-gnu/libc.so.6+0x86b90) (BuildId: 0494f075afbcfa9004eaaedccbea53807b7bf669)
    #32 0xf7a1564b  (/lib/i386-linux-gnu/libc.so.6+0x12364b) (BuildId: 0494f075afbcfa9004eaaedccbea53807b7bf669)

Comment 1

[Lee Salzman [:lsalzman]]

This is not a sec bug since the pointer is never accessed at all. All such accesses are still guarded by the check of the initial nullptr itself. It's harmless other than the ubsan warning.

Comment 2

[Lee Salzman [:lsalzman]]

Attachment: Bug 1804998 - Silence ubsan warning. r?aosmond

Comment 3

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Silence ubsan warning. r=aosmond
https://hg.mozilla.org/integration/autoland/rev/0133538f7bc5f38ec1ce09b447aa4dc192b17f9f
https://hg.mozilla.org/mozilla-central/rev/0133538f7bc5

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:lsalzman, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox109 to wontfix.

For more information, please visit auto_nag documentation.