Open
Bug 1818808
Opened 3 years ago
Updated 3 years ago
High CPU and memory consumption while printing canvas
Categories
(Core :: Print Preview, defect)
Tracking
NEW
| | Tracking | Status |
|---|---|---|
| firefox112 | --- | affected |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 2 open bugs)
Details
(Keywords: testcase)
Attachments
(1 file)
373 bytes, text/html
Found while fuzzing m-c 20230224-4fba5295dc19 (--enable-address-sanitizer --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ ASAN_OPTIONS=hard_rss_limit_mb=6144 python -m grizzly.replay ./firefox/firefox testcase.html
NOTE: Set a reasonable memory limit via ASAN_OPTIONS=hard_rss_limit_mb=# to avoid system OOMs.
When the test case is opened, high CPU usage and memory consumption are triggered, leading to an OOM.
This might not be a bug but it may highlight an area that could benefit from optimization. The test case may be magnifying an issue that would otherwise go unnoticed in many cases. Addressing this will help make the browser more fuzzing-friendly.
The heap profile was collected when the memory limit was reached.
HEAP PROFILE at RSS 6190Mb
Live Heap Allocations: 268065679 bytes in 75518 chunks; quarantined: 249732665 bytes in 20263 chunks; 324896 other chunks; total chunks: 420677; showing top 90% (at most 20 unique contexts)
245486224 byte(s) (91%) in 1 allocation(s)
#0 0x557f6ccb4db8 in calloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3
#1 0x7fc2d5346c67 in sk_calloc_canfail /builds/worker/checkouts/gecko/gfx/skia/skia/include/private/SkMalloc.h:74:12
#2 0x7fc2d5346c67 in SkMallocPixelRef::MakeAllocate(SkImageInfo const&, unsigned long) /builds/worker/checkouts/gecko/gfx/skia/skia/src/core/SkMallocPixelRef.cpp:59:18
#3 0x7fc2d50c0541 in SkSurface::MakeRaster(SkImageInfo const&, unsigned long, SkSurfaceProps const*) /builds/worker/checkouts/gecko/gfx/skia/skia/src/image/SkSurface_Raster.cpp:201:28
#4 0x7fc2cb00a7de in mozilla::gfx::DrawTargetSkia::Init(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat) /builds/worker/checkouts/gecko/gfx/2d/DrawTargetSkia.cpp:1745:25
#5 0x7fc2cb00a290 in mozilla::gfx::DrawTargetSkia::CreateSimilarDrawTarget(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat) const /builds/worker/checkouts/gecko/gfx/2d/DrawTargetSkia.cpp:1583:16
#6 0x7fc2d24de10d in nsLayoutUtils::SurfaceFromElement(mozilla::dom::HTMLCanvasElement*, unsigned int, RefPtr<mozilla::gfx::DrawTarget>&) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:7337:16
#7 0x7fc2d24debd1 in nsLayoutUtils::SurfaceFromElement(mozilla::dom::Element*, mozilla::Maybe<int> const&, mozilla::Maybe<int> const&, unsigned int, RefPtr<mozilla::gfx::DrawTarget>&) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:7423:12
#8 0x7fc2ce45a504 in nsLayoutUtils::SurfaceFromElement(mozilla::dom::Element*, unsigned int, RefPtr<mozilla::gfx::DrawTarget>&) /builds/worker/workspace/obj-build/dist/include/nsLayoutUtils.h:2223:12
#9 0x7fc2ce479140 in mozilla::dom::CanvasRenderingContext2D::DrawImage(mozilla::dom::HTMLImageElementOrSVGImageElementOrHTMLCanvasElementOrHTMLVideoElementOrOffscreenCanvasOrImageBitmap const&, double, double, double, double, double, double, double, double, unsigned char, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:5023:15
#10 0x7fc2cf18accf in mozilla::dom::HTMLCanvasElement::CopyInnerTo(mozilla::dom::HTMLCanvasElement*) /builds/worker/checkouts/gecko/dom/html/HTMLCanvasElement.cpp:675:20
#11 0x7fc2cf18a7ae in mozilla::dom::HTMLCanvasElement::Clone(mozilla::dom::NodeInfo*, nsINode**) const /builds/worker/checkouts/gecko/dom/html/HTMLCanvasElement.cpp:512:1
#12 0x7fc2cc5c9314 in nsINode::CloneAndAdopt(nsINode*, bool, bool, nsNodeInfoManager*, JS::Handle<JSObject*>, nsINode*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:3240:26
#13 0x7fc2cc5c9f59 in nsINode::CloneAndAdopt(nsINode*, bool, bool, nsNodeInfoManager*, JS::Handle<JSObject*>, nsINode*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:3421:11
#14 0x7fc2cc5c9f59 in nsINode::CloneAndAdopt(nsINode*, bool, bool, nsNodeInfoManager*, JS::Handle<JSObject*>, nsINode*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:3421:11
#15 0x7fc2cc5c858c in Clone /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:3533:10
#16 0x7fc2cc5c858c in nsINode::CloneNode(bool, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:3118:10
#17 0x7fc2cc255495 in mozilla::dom::Document::CreateStaticClone(nsIDocShell*, nsIContentViewer*, nsIPrintSettings*, bool*) /builds/worker/checkouts/gecko/dom/base/Document.cpp:13234:34
#18 0x7fc2cbfff6ef in nsGlobalWindowOuter::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:5275:42
#19 0x7fc2cbf9b30f in nsGlobalWindowInner::PrintPreview(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:3940:3
#20 0x7fc2cda42085 in mozilla::dom::Window_Binding::printPreview(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:3784:59
#21 0x7fc2ce294c6c in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3318:13
#22 0x7fc22ff77ece (<unknown module>)
#23 0x7fc22ff5054b (<unknown module>)
#24 0x7fc22ff464ed (<unknown module>)
#25 0x7fc2d86edd64 in EnterJit /builds/worker/checkouts/gecko/js/src/jit/Jit.cpp:104:5
#26 0x7fc2d86edd64 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/jit/Jit.cpp:205:10
#27 0x7fc2d714c7dc in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:421:32
#28 0x7fc2d7179820 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13
#29 0x7fc2d717b4df in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10
#30 0x7fc2d717b4df in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
#31 0x7fc2d72849cd in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#32 0x7fc2cde62982 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
#33 0x7fc2ceda7d45 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
Updated•3 years ago
Severity: -- → S3
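The heap profile in the description has a regular layout, so the dominant allocation context and the first frame outside the allocator and Skia can be pulled out mechanically when triaging many fuzzer reports. The Python below is an added example, not part of the original report or of Grizzly; the function names and the skip-list heuristic are assumptions, and the sample input is abridged from the profile above.

```python
import re

# Sample input: abridged from the heap profile in this report
# (frames #5-#21 and #23 onward are omitted).
SAMPLE = """\
HEAP PROFILE at RSS 6190Mb
Live Heap Allocations: 268065679 bytes in 75518 chunks; quarantined: 249732665 bytes in 20263 chunks; 324896 other chunks; total chunks: 420677; showing top 90% (at most 20 unique contexts)
245486224 byte(s) (91%) in 1 allocation(s)
#0 0x557f6ccb4db8 in calloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3
#1 0x7fc2d5346c67 in sk_calloc_canfail /builds/worker/checkouts/gecko/gfx/skia/skia/include/private/SkMalloc.h:74:12
#2 0x7fc2d5346c67 in SkMallocPixelRef::MakeAllocate(SkImageInfo const&, unsigned long) /builds/worker/checkouts/gecko/gfx/skia/skia/src/core/SkMallocPixelRef.cpp:59:18
#3 0x7fc2d50c0541 in SkSurface::MakeRaster(SkImageInfo const&, unsigned long, SkSurfaceProps const*) /builds/worker/checkouts/gecko/gfx/skia/skia/src/image/SkSurface_Raster.cpp:201:28
#4 0x7fc2cb00a7de in mozilla::gfx::DrawTargetSkia::Init(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat) /builds/worker/checkouts/gecko/gfx/2d/DrawTargetSkia.cpp:1745:25
#22 0x7fc22ff77ece (<unknown module>)
"""

RSS = re.compile(r"HEAP PROFILE at RSS (\d+)Mb")
CONTEXT = re.compile(r"(\d+) byte\(s\) \((\d+)%\) in (\d+) allocation\(s\)")
# A frame is either "in <function> <path>:<line>[:<col>]" or "(<unknown module>)".
FRAME = re.compile(r"#(\d+) 0x[0-9a-f]+ (?:in (.+) (/\S+?):(\d+)(?::\d+)?|\(.+\))$")

def parse_heap_profile(text):
    """Return (rss_mb, contexts); each context holds its size and stack frames."""
    rss_mb, contexts = None, []
    for line in text.splitlines():
        line = line.strip()
        if m := RSS.match(line):
            rss_mb = int(m.group(1))
        elif m := CONTEXT.match(line):
            contexts.append({"bytes": int(m.group(1)), "percent": int(m.group(2)),
                             "allocations": int(m.group(3)), "frames": []})
        elif (m := FRAME.match(line)) and contexts:
            # Unsymbolized frames (for example JIT code) keep func/path/line as None.
            contexts[-1]["frames"].append(
                {"index": int(m.group(1)), "func": m.group(2), "path": m.group(3),
                 "line": int(m.group(4)) if m.group(4) else None})
    return rss_mb, contexts

def first_frame_outside(frames, skip=("/llvm-project/", "/gfx/skia/")):
    """First symbolized frame whose source path is not under a skipped directory.
    The default skip list is an assumption made for this example."""
    for f in frames:
        if f["path"] and not any(s in f["path"] for s in skip):
            return f
    return None

def short_name(func):
    """Drop the argument list: 'A::B(C const&)' -> 'A::B'."""
    return func.split("(", 1)[0]

if __name__ == "__main__":
    rss, ctxs = parse_heap_profile(SAMPLE)
    top = max(ctxs, key=lambda c: c["bytes"])
    hit = first_frame_outside(top["frames"])
    print(f"RSS {rss} MB; top context {top['bytes']} bytes ({top['percent']}%) "
          f"via {short_name(hit['func'])} at line {hit['line']}")
```
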