Open Bug 1821487 Opened 2 years ago Updated 7 months ago

Hit MOZ_CRASH(capacity overflow) at library/alloc/src/raw_vec.rs:518

Categories

(Core :: Graphics: WebRender, defect)

x86
Linux
defect

Tracking

()

Tracking Status
firefox112 --- affected

People

(Reporter: tsmith, Assigned: gw)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing mozilla-central (m-c) build 20230210-54d29db98836, configured with --enable-debug --enable-fuzzing.

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --cpu x86 --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

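The attached test case requires a 32-bit build to reproduce the issue. Per the trace below (frames #10–#15), the panic is raised while allocating a zero-filled `u8` buffer in `FontContext::rasterize_glyph` (font.rs:948). Rust's `Vec` reports `capacity overflow` when the requested size exceeds `isize::MAX` bytes, a limit of roughly 2 GiB on 32-bit targets, so the process crashes at the size check before any buffer is allocated.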

Hit MOZ_CRASH(capacity overflow) at library/alloc/src/raw_vec.rs:518

#0 0xee97df50 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0xee97df50 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0xee97de9d in mozglue_static::panic_hook::h21d8c8e5de89e669 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:91:9
#3 0xee97d898 in core::ops::function::Fn::call::h899c3066024126f7 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/ops/function.rs:161:5
#4 0xef9444b5 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::hc691b8c93e379e82 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/alloc/src/boxed.rs:2032:9
#5 0xef9444b5 in std::panicking::rust_panic_with_hook::h34ebac2e9f407c10 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:692:13
#6 0xef9441d1 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h4cd2543434785ef3 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:577:13
#7 0xef9417c9 in std::sys_common::backtrace::__rust_end_short_backtrace::h5d19e13e25d473f9 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/sys_common/backtrace.rs:137:18
#8 0xef943ee1 in rust_begin_unwind /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:575:5
#9 0xef9a0f94 in core::panicking::panic_fmt::h08f64394ea862721 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/panicking.rs:64:14
#10 0xef99419e in alloc::raw_vec::capacity_overflow::h26b7c7cc413d5f28 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/alloc/src/raw_vec.rs:518:5
#11 0xee67d26d in alloc::raw_vec::RawVec$LT$T$C$A$GT$::allocate_in::ha695671e2b56b32f /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/alloc/src/raw_vec.rs:178:27
#12 0xee67d26d in alloc::raw_vec::RawVec$LT$T$C$A$GT$::with_capacity_zeroed_in::hbb559f958dbd5e42 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/alloc/src/raw_vec.rs:139:9
#13 0xee67d26d in _$LT$u8$u20$as$u20$alloc..vec..spec_from_elem..SpecFromElem$GT$::from_elem::h080fe29118b17fa0 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/alloc/src/vec/spec_from_elem.rs:52:31
#14 0xee67d26d in alloc::vec::from_elem::hac12dc8b0dcb9d10 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/alloc/src/vec/mod.rs:2557:5
#15 0xee67d26d in wr_glyph_rasterizer::platform::unix::font::FontContext::rasterize_glyph::hce5eaedfad2ee357 /builds/worker/checkouts/gecko/gfx/wr/wr_glyph_rasterizer/src/platform/unix/font.rs:948:32
#16 0xee666760 in wr_glyph_rasterizer::rasterizer::GlyphRasterizer::flush_glyph_requests::_$u7b$$u7b$closure$u7d$$u7d$::h0e5ac9294006afea /builds/worker/checkouts/gecko/gfx/wr/wr_glyph_rasterizer/src/rasterizer.rs:136:25
#17 0xee6543be in wr_glyph_rasterizer::rasterizer::GlyphRasterizer::flush_glyph_requests::_$u7b$$u7b$closure$u7d$$u7d$::h3dde0e56ad364631 /builds/worker/checkouts/gecko/gfx/wr/wr_glyph_rasterizer/src/rasterizer.rs:202:35
#18 0xee6543be in rayon_core::thread_pool::ThreadPool::install::_$u7b$$u7b$closure$u7d$$u7d$::h309ab5c2663e136a /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/thread_pool/mod.rs:110:40
#19 0xee661d14 in rayon_core::registry::Registry::in_worker_cold::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h81d93a95483787ef /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:506:21
#20 0xee661d14 in rayon_core::job::JobResult$LT$T$GT$::call::_$u7b$$u7b$closure$u7d$$u7d$::hc8cb4cb2c43087aa /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/job.rs:212:41
#21 0xee661d14 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hb41de1da27b45e14 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/panic/unwind_safe.rs:271:9
#22 0xee661d14 in std::panicking::try::do_call::hcc58800f0c9c49e1 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:483:40
#23 0xee661d14 in std::panicking::try::h80b9843d2f39c084 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:447:19
#24 0xee661d14 in std::panic::catch_unwind::h1e7f6d2cc5f7d45e /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panic.rs:137:14
#25 0xee661d14 in rayon_core::unwind::halt_unwinding::h9c30e50d18eb1a89 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/unwind.rs:17:5
#26 0xee661d14 in rayon_core::job::JobResult$LT$T$GT$::call::h1c46b8063a104707 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/job.rs:212:15
#27 0xee661d14 in _$LT$rayon_core..job..StackJob$LT$L$C$F$C$R$GT$$u20$as$u20$rayon_core..job..Job$GT$::execute::h46ebdaff25d6c8b1 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/job.rs:114:32
#28 0xef834282 in rayon_core::job::JobRef::execute::h5556c6b54673505f /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/job.rs:58:9
#29 0xef834282 in rayon_core::registry::WorkerThread::execute::h672e0ebb9a0a2cb9 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:804:9
#30 0xef834282 in rayon_core::registry::WorkerThread::wait_until_cold::h8c3cc285b3d995a3 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:781:17
#31 0xef8311bf in rayon_core::registry::WorkerThread::wait_until::hfc78fb1c89d64c5e /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:755:13
#32 0xef8311bf in rayon_core::registry::main_loop::h35409a8035b80a4d /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:889:5
#33 0xef8311bf in rayon_core::registry::ThreadBuilder::run::h3c69bf4ef5825c89 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:53:18
#34 0xef826ae4 in _$LT$rayon_core..registry..DefaultSpawn$u20$as$u20$rayon_core..registry..ThreadSpawn$GT$::spawn::_$u7b$$u7b$closure$u7d$$u7d$::h31cbbce17e214426 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:98:20
#35 0xef826ae4 in std::sys_common::backtrace::__rust_begin_short_backtrace::hb83736b90b78fb00 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/sys_common/backtrace.rs:121:18
#36 0xef82907e in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h786282b86a026677 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/thread/mod.rs:550:17
#37 0xef82907e in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h3eb7df62d9b43122 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/panic/unwind_safe.rs:271:9
#38 0xef82907e in std::panicking::try::do_call::hfe99acf2985c1aba /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:483:40
#39 0xef82907e in std::panicking::try::ha1ab55ce783c5287 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:447:19
#40 0xef82907e in std::panic::catch_unwind::h3b4e0f932f71b44e /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panic.rs:137:14
#41 0xef82907e in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::h7cebd610248e6b94 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/thread/mod.rs:549:30
#42 0xef82907e in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::he14cb9277f46cf4a /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/ops/function.rs:507:5
#43 0xef94e75a in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::hb51297c8b22393da /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/alloc/src/boxed.rs:2000:9
#44 0xef94e75a in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h460468ab81b917b7 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/alloc/src/boxed.rs:2000:9
#45 0xef94e75a in std::sys::unix::thread::Thread::new::thread_start::h0dfb0102421346a5 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/sys/unix/thread.rs:108:17
#46 0xf7a29b90  (/lib/i386-linux-gnu/libc.so.6+0x86b90) (BuildId: 0494f075afbcfa9004eaaedccbea53807b7bf669)
#47 0xf7ac664b  (/lib/i386-linux-gnu/libc.so.6+0x12364b) (BuildId: 0494f075afbcfa9004eaaedccbea53807b7bf669)
Flags: in-testsuite?
Blocks: gfx-triage
OS: Unspecified → Linux
Hardware: Unspecified → x86
Assignee: nobody → gwatson
No longer blocks: gfx-triage

The severity field is not set for this bug.
:gw, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(gwatson)
Severity: -- → S3
Flags: needinfo?(gwatson)
Blocks: wr-fuzz