Closed Bug 1870072 Opened 1 year ago Closed 1 year ago

SEGV in firefox nightly

Categories

(Core :: Graphics, defect)

defect

Tracking


RESOLVED WORKSFORME

People

(Reporter: wh0tlif3, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(2 files)

=================================================================
==2786985==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f80ffb04fc0 bp 0x52d000f8c400 sp 0x7f80e28c9cb8 T41)
==2786985==The signal is caused by a READ memory access.
==2786985==Hint: this fault was caused by a dereference of a high value address (see register values below). Disassemble the provided pc to learn which register was used.
#0 0x7f80ffb04fc0 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x704fc0) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#1 0x7f80ffb07fe8 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x707fe8) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#2 0x7f80ffaf60dd (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x6f60dd) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#3 0x7f80ffaf49e7 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x6f49e7) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#4 0x7f80ffaf4a74 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x6f4a74) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#5 0x7f80ff685bbb (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x285bbb) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#6 0x7f80ff775a22 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x375a22) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#7 0x7f80ff54f91a (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x14f91a) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#8 0x7f80ff5615fa (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x1615fa) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#9 0x7f80ff53468e (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x13468e) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#10 0x7f80ff5380c8 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x1380c8) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#11 0x7f80ff53e898 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x13e898) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#12 0x7f81205d5515 in gleam::ffi_gl::Gl::TexSubImage2D::h0c89f5bbc5aabae6 /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/gleam-c6799b5af5d1def7/out/gl_bindings.rs:4731:290
#13 0x7f81205d5515 in _$LT$gleam..gl..GlFns$u20$as$u20$gleam..gl..Gl$GT$::tex_sub_image_2d_pbo::h217deae995f9f547 /builds/worker/checkouts/gecko/third_party/rust/gleam/src/gl_fns.rs:754:26
#14 0x7f811f4d24a0 in webrender::device::gl::TextureUploader::update_impl::hdca0155cc0f9907a /builds/worker/checkouts/gecko/gfx/wr/webrender/src/device/gl.rs:4771:17
#15 0x7f811f4cfc7f in webrender::device::gl::PixelBuffer::flush_chunks::h0a41029631fca77f /builds/worker/checkouts/gecko/gfx/wr/webrender/src/device/gl.rs:4186:13
#16 0x7f811f4cfc7f in webrender::device::gl::TextureUploader::flush_buffer::ha42969cc6078a38d /builds/worker/checkouts/gecko/gfx/wr/webrender/src/device/gl.rs:4724:9
#17 0x7f811f4d1321 in webrender::device::gl::TextureUploader::flush::ha88c64d50bd26162 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/device/gl.rs:4733:13
#18 0x7f811f8650b0 in webrender::renderer::vertex::VertexDataTextures::update::hdd3958e34fbdfa51 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/vertex.rs:997:9
#19 0x7f811f8650b0 in webrender::renderer::Renderer::bind_frame_data::h67b13dd67273d1d5 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:4385:9
#20 0x7f811f8650b0 in webrender::renderer::Renderer::draw_frame::h524142bfcf953e77 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:4477:9
#21 0x7f811f7f2dda in webrender::renderer::Renderer::render_impl::hdcc20b4f3a8de3b3 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1518:17
#22 0x7f811f7ecb8a in webrender::renderer::Renderer::render::h09109bcea7811396 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1235:30
#23 0x7f811e98a56e in wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:619:11
#24 0x7f810c4429b4 in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>> const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char>> const&, bool*, mozilla::wr::RendererStats*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:190:19
#25 0x7f810c44074b in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>> const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char>> const&, bool*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:781:31
#26 0x7f810c43ef4c in mozilla::wr::RenderThread::HandleFrameOneDocInner(mozilla::wr::WrWindowId, bool, bool, mozilla::Maybe<mozilla::wr::FramePublishId>) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:624:3
#27 0x7f810c43d6a3 in HandleFrameOneDoc /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:573:3
#28 0x7f810c43d6a3 in WrNotifierEvent_HandleNewFrameReady /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:534:3
#29 0x7f810c43d6a3 in mozilla::wr::RenderThread::HandleWrNotifierEvents(mozilla::wr::WrWindowId) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:496:9
#30 0x7f810c45ea47 in operator()<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> &> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
#31 0x7f810c45ea47 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#32 0x7f810c45ea47 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#33 0x7f810c45ea47 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> > &, 0UL> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#34 0x7f810c45ea47 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> > &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#35 0x7f810c45ea47 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::)(mozilla::wr::WrWindowId)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#36 0x7f810c45ea47 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::)(mozilla::wr::WrWindowId), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
#37 0x7f8108e12f6d in nsThread::ProcessNextEvent(bool, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193:16
#38 0x7f8108e2082a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#39 0x7f810aaa4ba9 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330:5
#40 0x7f810a8cb57a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#41 0x7f810a8cb57a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#42 0x7f810a8cb57a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#43 0x7f8108e097c0 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:370:10
#44 0x7f81310eb11f in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#45 0x55953af8010a in asan_thread_start(void*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:225:31
#46 0x7f8130e94ac2 in start_thread nptl/pthread_create.c:442:8

Flags: sec-bounty?
Attached file test_0084.html
Group: firefox-core-security → gfx-core-security
Component: Security → Graphics
Product: Firefox → Core

ping?

Is there anyone to handle this bug?

(In reply to wh0tlif3 from comment #3)

Is there anyone to handle this bug?

We're starting to head into the end-of-year holiday season so bug responses may be getting slower as people go on vacation.

Ashley, you've been dealing with graphics driver issues, do you know what the next steps are here or who might look at this? I'm not sure how graphics triage works. Thanks.

Flags: needinfo?(ahale)

Can you include the graphics section from about:support so we know what driver and version we're dealing with here? This looks like yet another Mesa bug.

Flags: needinfo?(wh0tlif3)

WebGL 2 Driver Renderer Intel -- Mesa Intel(R) Graphics (RPL-S)
WebGL 2 Driver Version 4.6 (Core Profile) Mesa 23.0.4-0ubuntu1~22.04.1

Flags: needinfo?(wh0tlif3)

I can't reproduce now; I may have updated my system.

Re: triage - this bug being in this component without a severity assigned is enough for it to show up in triage duty, and the main thing we ask for is about:support to determine the GPU driver and such.

Re: Mesa - this appears to be a crash in swrast_dri.so, which implies that it is software rendering. However, the cited WebGL 2 Driver Renderer indicates it is hardware rendering on Intel on a Raptor Lake-S CPU (which is a desktop model, not a laptop model). My guess is that the driver was updated to support this GPU after the crash was found in swrast_dri.so, and it would be reproducible by setting the env variable LIBGL_ALWAYS_SOFTWARE=1 if the swrast_dri.so bug still exists.

Flags: needinfo?(ahale)

I can't repro a SIGSEGV on Ubuntu 23.04 in VMware with LIBGL_ALWAYS_SOFTWARE=1, so the swrast_dri.so bug may have been fixed.

More specifics on which part of the (rather large) PoC HTML are relevant would help, if you can repro with that env variable set.

I can see the crash itself occurs in glTexSubImage2D with a PBO bound, judging by the backtrace, and in particular it is uploading to one of the vertex data texture atlases (i.e. it is probably gpu_cache data). It's possible there is a thread race (I think we have some degree of threading enabled for Mesa on Intel, but I don't recall for certain). If the bug is reproducible, though, it would be helpful to know how much the HTML can be pared down to point to the specific problem, as there are a lot of reasons WebRender will upload a texture, and it is async, so it's not clear which page elements contributed to that texture upload.

Flags: needinfo?(wh0tlif3)

Also would be nice to know what version of Firefox you were testing back when you could reproduce it. Presumably a "nightly" since it's an ASAN build, but how old were the sources?

From comment 0:

==2786985==Hint: this fault was caused by a dereference of a high value address (see register values below).

In future bug reports, please include the full ASAN output, including those register values. There should be a "==========" line at the end that matches the top one.

Update: I see the full log is in an attachment -- Thanks! It ends without a "Summary:" section at the end, so it looks like ASAN itself is having some problems recording this crash (I'm not saying ASAN problems are the cause of this crash; probably two distinct problems).
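As an added example (not from this bug, its attachments, or Mozilla's own tooling), a small Python parser that applies the check Daniel asks for: it reads an ASAN SEGV report in the shape of comment 0, flags a log that lacks the closing "====" rule and SUMMARY line, and reports which object frame #0 lives in, which is how the swrast_dri.so crash above was attributed to the Mesa driver. The function names and the constructed sample (the first lines of comment 0, deliberately truncated) are my own assumptions.

```python
import os
import re

# Header and frame shapes as ASAN prints them (compare the report in comment 0).
HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on (?:unknown )?address(?: \(pc (0x[0-9a-f]+))?")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+(?:in\s+(.+)\s+(\S+)$|\((\S+?)\+0x[0-9a-f]+\))")

def parse_asan_report(text):
    """Return pid, fault kind, pc, parsed frames and whether the report is complete."""
    lines = text.splitlines()
    info = {"pid": None, "kind": None, "pc": None, "frames": [], "complete": False}
    for line in lines:
        m = HEADER_RE.match(line)
        if m:
            info["pid"], info["kind"], info["pc"] = int(m.group(1)), m.group(2), m.group(3)
            continue
        m = FRAME_RE.match(line)
        if m:
            module = m.group(4)  # unsymbolized frame: "(path+0xoffset)"
            if module is None:   # symbolized frame: keep the source file of "file:line:col"
                module = m.group(3).split(":")[0]
            info["frames"].append({"n": int(m.group(1)), "symbol": m.group(2), "module": module})
    # ASAN closes a report with a second "====" rule and a SUMMARY line; a log that stops
    # before them (as the attached log here does) was cut off or ASAN died mid-report.
    rules = sum(1 for l in lines if re.fullmatch(r"=+", l.strip()))
    has_summary = any(l.startswith("SUMMARY: AddressSanitizer:") for l in lines)
    info["complete"] = rules >= 2 and has_summary
    return info

def faulting_module(info):
    """Basename of the object or source file holding frame #0, e.g. 'swrast_dri.so'."""
    top = next((f for f in info["frames"] if f["n"] == 0), None)
    return os.path.basename(top["module"]) if top and top["module"] else None

def is_mesa_dri_crash(info):
    """True when frame #0 is inside a Mesa DRI driver rather than in Firefox's own code."""
    mod = faulting_module(info)
    return bool(mod) and mod.endswith("_dri.so")

# Constructed sample: the first lines of the comment 0 report, deliberately without the
# closing rule and SUMMARY line, so it parses as an incomplete report.
SAMPLE_REPORT = """\
=================================================================
==2786985==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f80ffb04fc0 bp 0x52d000f8c400 sp 0x7f80e28c9cb8 T41)
    #0 0x7f80ffb04fc0  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x704fc0) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
    #12 0x7f81205d5515 in gleam::ffi_gl::Gl::TexSubImage2D::h0c89f5bbc5aabae6 /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/gleam-c6799b5af5d1def7/out/gl_bindings.rs:4731:290
"""
```

Running `parse_asan_report` over a full attachment instead of the sample gives the same three answers a triager wants first: what signal, whether the log is trustworthy, and whether the top frame is in a driver or in Gecko.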

(In reply to Daniel Veditz [:dveditz] from comment #10)

Also would be nice to know what version of Firefox you were testing back when you could reproduce it. Presumably a "nightly" since it's an ASAN build, but how old were the sources?

Sorry, I removed it.

Flags: needinfo?(wh0tlif3)

I have not been able to reproduce the issue using new or old builds and I've tested on multiple machines.

This looks like a domato test case which we do run internally and we are not seeing reports of this issue (machine configs could differ).

Let's see if bugmon can repro.

Keywords: bugmon

Unable to reproduce bug 1870072 using build mozilla-central 20231214095424-3af75f3310fc. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

We believe this was a driver bug that has been fixed, and users should update their OS/drivers.

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME
Group: gfx-core-security
Flags: sec-bounty? → sec-bounty-
