1813601 - Hit MOZ_CRASH(assertion failed: mem::size_of::<T>() <= slice.len()) at gfx/webrender_bindings/src/moz2d_renderer.rs:91

Status: RESOLVED WORKSFORME

(Core :: Graphics: WebRender, defect)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev 49ac19f1e046 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 49ac19f1e046 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(assertion failed: mem::size_of::<T>() <= slice.len()) at gfx/webrender_bindings/src/moz2d_renderer.rs:91

    ==594327==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4140bce525 bp 0x7f411c108380 sp 0x7f411c108370 T594423)
    ==594327==The signal is caused by a WRITE memory access.
    ==594327==Hint: address points to the zero page.
        #0 0x7f4140bce525 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
        #1 0x7f4140bce525 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
        #2 0x7f4140bce49f in mozglue_static::panic_hook::h8aaeca453eaddea4 /mozglue/static/rust/lib.rs:91:9
        #3 0x7f4140bcdecb in core::ops::function::Fn::call::h8c839fef988e6243 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/ops/function.rs:161:5
        #4 0x7f4141bcd7fc in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::ha7dbb2d260f78172 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/alloc/src/boxed.rs:2032:9
        #5 0x7f4141bcd7fc in std::panicking::rust_panic_with_hook::hdb4da1ae79c845a5 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:692:13
        #6 0x7f4141bcd531 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h02b5b35b126d5cf2 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:577:13
        #7 0x7f4141bca95b in std::sys_common::backtrace::__rust_end_short_backtrace::h6c6853376cf416d1 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/sys_common/backtrace.rs:137:18
        #8 0x7f4141bcd281 in rust_begin_unwind /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:575:5
        #9 0x7f4141c296a2 in core::panicking::panic_fmt::hfd9e949092070b66 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/panicking.rs:64:14
        #10 0x7f4141c2977c in core::panicking::panic::h341545107301821d /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/panicking.rs:111:5
        #11 0x7f41404c33a7 in webrender_bindings::moz2d_renderer::Moz2dBlobImageHandler::prepare_request::process_fonts::h174e094fd59514cc /gfx/webrender_bindings/src/moz2d_renderer.rs
        #12 0x7f41404c33a7 in webrender_bindings::moz2d_renderer::Moz2dBlobImageHandler::prepare_request::h2fa35a32a2c53d36 /gfx/webrender_bindings/src/moz2d_renderer.rs:862:17
        #13 0x7f41404c33a7 in _$LT$webrender_bindings..moz2d_renderer..Moz2dBlobImageHandler$u20$as$u20$webrender_api..image..BlobImageHandler$GT$::prepare_resources::h255d815a157c61fa /gfx/webrender_bindings/src/moz2d_renderer.rs:735:13
        #14 0x7f414083d96b in webrender::api_resources::ApiResources::create_blob_scene_builder_requests::h4e83d355a67cd90f /gfx/wr/webrender/src/api_resources.rs:279:9
        #15 0x7f414083d96b in webrender::api_resources::ApiResources::update::h43c7e2146bb095f7 /gfx/wr/webrender/src/api_resources.rs:145:38
        #16 0x7f414083d96b in webrender::render_api::RenderApi::send_transaction::h69ff5d20310f72e1 /gfx/wr/webrender/src/render_api.rs:1249:9
        #17 0x7f41404b3d32 in wr_api_send_transaction /gfx/webrender_bindings/src/bindings.rs:2178:5
        #18 0x7f4138539317 in mozilla::layers::WebRenderBridgeParent::SetDisplayList(mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float> const&, mozilla::ipc::ByteBuf&&, mozilla::ipc::ByteBuf&&, mozilla::ipc::ByteBuf&&, mozilla::wr::BuiltDisplayListDescriptor const&, nsTArray<mozilla::layers::OpUpdateResource> const&, nsTArray<mozilla::layers::RefCountedShmem> const&, nsTArray<mozilla::ipc::Shmem> const&, mozilla::TimeStamp const&, mozilla::wr::TransactionBuilder&, mozilla::wr::Epoch, bool) /gfx/layers/wr/WebRenderBridgeParent.cpp:1132:9
        #19 0x7f413853963d in mozilla::layers::WebRenderBridgeParent::ProcessDisplayListData(mozilla::layers::DisplayListData&, mozilla::wr::Epoch, mozilla::TimeStamp const&, bool, bool) /gfx/layers/wr/WebRenderBridgeParent.cpp:1163:15
        #20 0x7f413853a673 in mozilla::layers::WebRenderBridgeParent::RecvSetDisplayList(mozilla::layers::DisplayListData&&, nsTArray<mozilla::layers::OpDestroy>&&, unsigned long const&, mozilla::layers::BaseTransactionId<mozilla::layers::TransactionIdType> const&, bool const&, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, nsTSubstring<char> const&, mozilla::TimeStamp const&, nsTArray<mozilla::layers::CompositionPayload>&&) /gfx/layers/wr/WebRenderBridgeParent.cpp:1222:18
        #21 0x7f4138384dcf in mozilla::layers::PWebRenderBridgeParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebRenderBridgeParent.cpp:461:52
        #22 0x7f413834feba in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerParent.cpp:194:32
        #23 0x7f4137d3b72a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1800:25
        #24 0x7f4137d383a7 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1725:9
        #25 0x7f4137d38ed5 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1525:3
        #26 0x7f4137d3a20f in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1623:14
        #27 0x7f4137138538 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1191:16
        #28 0x7f413713e79d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:477:10
        #29 0x7f4137d42922 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
        #30 0x7f4137c63258 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #31 0x7f4137c63161 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #32 0x7f4137c63161 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #33 0x7f4137133a37 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:383:10
        #34 0x7f414bc71c86 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #35 0x7f414c512b42 in start_thread nptl/pthread_create.c:442:8
        #36 0x7f414c5a49ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash
    ==594327==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20230130214413-8eb2c58dc415.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 4bff0b888cd9a91b7cb4dc3d35951160e39aa0ae (20220201093942)
End: 49ac19f1e04696769d37ba1b347a5b5e73d1bec7 (20230130035123)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:gw, could you have a look please?

For more information, please visit auto_nag documentation.

Comment 4

[Glenn Watson [:gw]]

Nical, do you know what could cause this?

Comment 5

[Bugmon [:jkratzer for issues]]

Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 6

[Jason Kratzer [:jkratzer]]

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Comment 7

[Bugmon [:jkratzer for issues]]

Testcase crashes using the initial build (mozilla-central 20230130035123-49ac19f1e046) but not with tip (mozilla-central 20230623092529-750c24176cc2.)

The bug appears to have been fixed in the following build range:

Start: af07ced273d9f48af0409c2addff9adbc230374f (20230617205658)
End: e0262ee6a9a7a642c11266a1e9cfa4bc3fbd4b3b (20230617153859)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=af07ced273d9f48af0409c2addff9adbc230374f&tochange=e0262ee6a9a7a642c11266a1e9cfa4bc3fbd4b3b

jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 8

[Jason Kratzer [:jkratzer]]

I don't see anything in this range that immediately stands out as being responsible for the fix. :gw, do you see anything?

Comment 9

[Glenn Watson [:gw]]

Nothing obvious to me there either.

Comment 10

[Jason Kratzer [:jkratzer]]

I verified the bisection range locally. I suppose we can just close as WFM and reopen if we see this again.

Comment 11

[Jeff Muizelaar [:jrmuizel]]

It was probably bug 1838762 that caused this change.

Comment 12

[Jeff Muizelaar [:jrmuizel]]

It's unclear why it would've though