Open Bug 1870418 Opened 11 months ago Updated 8 months ago

Hit MOZ_CRASH(attempt to add with overflow) at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962\library\core\src\iter\traits\accum.rs:149

Categories

(Core :: Graphics: WebRender, defect, P3)

x86
Unspecified
defect

Tracking

Tracking Status
firefox122 --- affected

People

(Reporter: tsmith, Assigned: bradwerth)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20231020-9c4a85b9e8b5 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing --cpu x86 -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(attempt to add with overflow) at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962\library\core\src\iter\traits\accum.rs:149

25|0|xul.dll|RustMozCrash(char const*, int, char const*)|hg:hg.mozilla.org/mozilla-central:mozglue/static/rust/wrappers.cpp:efffe49c7c1c0f6b54d9f752224880e07e588f36|17|0x20
25|1|xul.dll|mozglue_static::panic_hook(core::panic::panic_info::PanicInfo*)|hg:hg.mozilla.org/mozilla-central:mozglue/static/rust/lib.rs:efffe49c7c1c0f6b54d9f752224880e07e588f36|96|0x135
25|2|xul.dll|core::ops::function::Fn::call<void (*)(ref$<core::panic::panic_info::PanicInfo>),tuple$<ref$<core::panic::panic_info::PanicInfo> > >(void (**)(core::panic::panic_info::PanicInfo*), core::panic::panic_info::PanicInfo*)|/rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/core/src/ops/function.rs|79|0xa
25|3|xul.dll|std::panicking::rust_panic_with_hook()|git:github.com/rust-lang/rust:library/std/src/panicking.rs:79e9716c980570bfd1f666e3b16ac583f0168962|735|0x249
25|4|xul.dll|std::panicking::begin_panic_handler::closure$0()|git:github.com/rust-lang/rust:library/std/src/panicking.rs:79e9716c980570bfd1f666e3b16ac583f0168962|601|0x90
25|5|xul.dll|std::sys_common::backtrace::__rust_end_short_backtrace<std::panicking::begin_panic_handler::closure_env$0,never$>()|git:github.com/rust-lang/rust:library/std/src/sys_common/backtrace.rs:79e9716c980570bfd1f666e3b16ac583f0168962|170|0x4
25|6|xul.dll|std::panicking::begin_panic_handler()|git:github.com/rust-lang/rust:library/std/src/panicking.rs:79e9716c980570bfd1f666e3b16ac583f0168962|597|0x53
25|7|xul.dll|core::panicking::panic_fmt()|git:github.com/rust-lang/rust:library/core/src/panicking.rs:79e9716c980570bfd1f666e3b16ac583f0168962|72|0x30
25|8|xul.dll|core::panicking::panic()|git:github.com/rust-lang/rust:library/core/src/panicking.rs:79e9716c980570bfd1f666e3b16ac583f0168962|127|0x46
25|9|xul.dll|webrender::resource_cache::ResourceCache::end_frame(webrender::profiler::TransactionProfile*)|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/resource_cache.rs:efffe49c7c1c0f6b54d9f752224880e07e588f36|1606|0xc18
25|10|xul.dll|webrender::frame_builder::FrameBuilder::build(webrender::scene::BuiltScene*, webrender::resource_cache::ResourceCache*, webrender::gpu_cache::GpuCache*, webrender::render_task_graph::RenderTaskGraphBuilder*, webrender::internal_types::FrameStamp, euclid::point::Point2D<i32,webrender_api::units::DevicePixel>, webrender::scene::SceneProperties*, webrender::render_backend::DataStores*, webrender::render_backend::ScratchBuffer*, webrender_api::DebugFlags, std::collections::hash::map::HashMap<webrender::picture::SliceId,alloc::boxed::Box<webrender::picture::TileCacheInstance,alloc::alloc::Global>,core::hash::BuildHasherDefault<fxhash::FxHasher> >*, webrender::spatial_tree::SpatialTree*, bool, webrender::profiler::TransactionProfile*)|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/frame_builder.rs:efffe49c7c1c0f6b54d9f752224880e07e588f36|679|0x4346
25|11|xul.dll|webrender::render_backend::Document::build_frame(webrender::resource_cache::ResourceCache*, webrender::gpu_cache::GpuCache*, webrender_api::DebugFlags, std::collections::hash::map::HashMap<webrender::picture::SliceId,alloc::boxed::Box<webrender::picture::TileCacheInstance,alloc::alloc::Global>,core::hash::BuildHasherDefault<fxhash::FxHasher> >*, enum2$<core::option::Option<webrender::renderer::FullFrameStats> >, webrender_api::RenderReasons)|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/render_backend.rs:efffe49c7c1c0f6b54d9f752224880e07e588f36|515|0x112
25|12|xul.dll|webrender::render_backend::RenderBackend::update_document(webrender_api::DocumentId, alloc::vec::Vec<enum2$<webrender::render_api::ResourceUpdate>,alloc::alloc::Global>, alloc::vec::Vec<enum2$<webrender::render_api::FrameMsg>,alloc::alloc::Global>, alloc::vec::Vec<webrender_api::NotificationRequest,alloc::alloc::Global>, bool, webrender_api::RenderReasons, enum2$<core::option::Option<u64> >, bool, unsigned int*, bool, enum2$<core::option::Option<u64> >)|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/render_backend.rs:efffe49c7c1c0f6b54d9f752224880e07e588f36|1429|0x1f82
25|13|xul.dll|webrender::render_backend::RenderBackend::process_api_msg(enum2$<webrender::render_api::ApiMsg>, unsigned int*)|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/render_backend.rs:efffe49c7c1c0f6b54d9f752224880e07e588f36|1126|0x1b02
25|14|xul.dll|std::sys_common::backtrace::__rust_begin_short_backtrace<webrender::renderer::init::create_webrender_instance::closure_env$5,tuple$<> >(webrender::renderer::init::create_webrender_instance::closure_env$5)|/rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/sys_common/backtrace.rs|154|0xad4
25|15|xul.dll|core::ops::function::FnOnce::call_once<std::thread::impl$0::spawn_unchecked_::closure_env$1<webrender::renderer::init::create_webrender_instance::closure_env$5,tuple$<> >,tuple$<> >(std::thread::impl$0::spawn_unchecked_::closure_env$1<webrender::renderer::init::create_webrender_instance::closure_env$5,tuple$<> >*)|/rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/core/src/ops/function.rs|250|0x78
25|16|xul.dll|std::sys::windows::thread::impl$0::new::thread_start()|git:github.com/rust-lang/rust:library/std/src/sys/windows/thread.rs:79e9716c980570bfd1f666e3b16ac583f0168962|57|0x65
25|17|kernel32.dll||||
25|18|mozglue.dll|patched_BaseThreadInitThunk(int, void*, void*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:efffe49c7c1c0f6b54d9f752224880e07e588f36|561|0x56
25|19|ntdll.dll||||
25|20|ntdll.dll||||
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20231215214115-8fd04cb03fbd.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 59c15c902a18e4ba5998f9dc6235c226cf58bc9a (20221217093017)
End: 9c4a85b9e8b51e92f7d696029ff923fb41423122 (20231020212448)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisected,confirmed]

This is an odd one. I'm unable to reproduce the crash on macOS Nightly, and I can't get the grizzly framework commands to run on my setup either, possibly because of the --cpu x86 argument. Setting that aside for now...

Looking at the crash stack, the implementation of ResourceCache::end_frame does not have any obvious accumulation. But it does call self.gc_render_targets which does unchecked repeat subtractions from a usize. That looks bad. I'll build a patch to correct that and see if it resolves things.

Assignee: nobody → bwerth
Severity: -- → S3
Priority: -- → P3