1873866 - UndefinedBehaviorSanitizer: mozilla/Range.h:32:33: runtime error: applying non-zero offset 261120 to null pointer with HostWebGLContext::InvalidateFramebuffer

Status: RESOLVED FIXED

(Core :: Graphics: CanvasWebGL, defect)

Description

[Christian Holler (:decoder)]

In experimental IPC fuzzing, we found the following crash on mozilla-central revision 20240108-fa142c3f71b8 (fuzzing-asan-nyx-opt build):

/builds/worker/workspace/obj-build/dist/include/mozilla/Range.h:32:33: runtime error: applying non-zero offset 261120 to null pointer
    #0 0x7fffe0625d88 in mozilla::Range<unsigned int const>::Range(unsigned int const*, unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/Range.h:32:33
    #1 0x7fffe0625d88 in mozilla::RawBuffer<unsigned int const>::Data() const /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WebGLTypes.h:881:40
    #2 0x7fffe0625d88 in mozilla::Range<unsigned int const const> mozilla::MakeRange<unsigned int const>(mozilla::RawBuffer<unsigned int const> const&) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WebGLTypes.h:1141:15
    #3 0x7fffe0625d88 in mozilla::HostWebGLContext::InvalidateFramebuffer(unsigned int, mozilla::RawBuffer<unsigned int const> const&) const /dom/canvas/HostWebGLContext.h:503:55
    #4 0x7fffe07ea345 in auto bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 66ul, void (mozilla::HostWebGLContext::*)(unsigned int, mozilla::RawBuffer<unsigned int const> const&) const, &mozilla::HostWebGLContext::InvalidateFramebuffer(unsigned int, mozilla::RawBuffer<unsigned int const> const&) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&)::'lambda'(auto&...)::operator()<unsigned int, mozilla::RawBuffer<unsigned int const>>(auto&...) const /dom/canvas/WebGLCommandQueue.h:253:13
    #5 0x7fffe0792944 in mozilla::HostWebGLContext std::__invoke_impl<bool, bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 66ul, void (mozilla::HostWebGLContext::*)(unsigned int, mozilla::RawBuffer<unsigned int const> const&) const, &mozilla::HostWebGLContext::InvalidateFramebuffer(unsigned int, mozilla::RawBuffer<unsigned int const> const&) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&)::'lambda'(auto&...), unsigned int&, mozilla::RawBuffer<unsigned int const>&>(std::__invoke_other, bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 66ul, void (mozilla::HostWebGLContext::*)(unsigned int, mozilla::RawBuffer<unsigned int const> const&) const, &mozilla::HostWebGLContext::InvalidateFramebuffer(unsigned int, mozilla::RawBuffer<unsigned int const> const&) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&)::'lambda'(auto&...)&&, unsigned int&, mozilla::RawBuffer<unsigned int const>&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
    #6 0x7fffe0792944 in std::__invoke_result<mozilla::HostWebGLContext, unsigned int&, mozilla::RawBuffer<unsigned int const>&>::type std::__invoke<bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 66ul, void (mozilla::HostWebGLContext::*)(unsigned int, mozilla::RawBuffer<unsigned int const> const&) const, &mozilla::HostWebGLContext::InvalidateFramebuffer(unsigned int, mozilla::RawBuffer<unsigned int const> const&) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&)::'lambda'(auto&...), unsigned int&, mozilla::RawBuffer<unsigned int const>&>(mozilla::HostWebGLContext&&, unsigned int&, mozilla::RawBuffer<unsigned int const>&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
    #7 0x7fffe0792944 in decltype(auto) std::__apply_impl<bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 66ul, void (mozilla::HostWebGLContext::*)(unsigned int, mozilla::RawBuffer<unsigned int const> const&) const, &mozilla::HostWebGLContext::InvalidateFramebuffer(unsigned int, mozilla::RawBuffer<unsigned int const> const&) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&)::'lambda'(auto&...), std::tuple<unsigned int, mozilla::RawBuffer<unsigned int const>>&, 0ul, 1ul>(mozilla::HostWebGLContext&&, std::tuple<unsigned int, mozilla::RawBuffer<unsigned int const>>&, std::integer_sequence<unsigned long, 0ul, 1ul>) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
    #8 0x7fffe0792944 in decltype(auto) std::apply<bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 66ul, void (mozilla::HostWebGLContext::*)(unsigned int, mozilla::RawBuffer<unsigned int const> const&) const, &mozilla::HostWebGLContext::InvalidateFramebuffer(unsigned int, mozilla::RawBuffer<unsigned int const> const&) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&)::'lambda'(auto&...), std::tuple<unsigned int, mozilla::RawBuffer<unsigned int const>>&>(mozilla::HostWebGLContext&&, std::tuple<unsigned int, mozilla::RawBuffer<unsigned int const>>&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
    #9 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 66ul, void (mozilla::HostWebGLContext::*)(unsigned int, mozilla::RawBuffer<unsigned int const> const&) const, &mozilla::HostWebGLContext::InvalidateFramebuffer(unsigned int, mozilla::RawBuffer<unsigned int const> const&) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:244:14
    #10 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 65ul, void (mozilla::HostWebGLContext::*)(int, int, int, int, int, int, int, int, unsigned int, unsigned int) const, &mozilla::HostWebGLContext::BlitFramebuffer(int, int, int, int, int, int, int, int, unsigned int, unsigned int) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #11 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 64ul, void (mozilla::HostWebGLContext::*)(unsigned int, unsigned long, mozilla::RawBuffer<unsigned char> const&, bool) const, &mozilla::HostWebGLContext::BufferSubData(unsigned int, unsigned long, mozilla::RawBuffer<unsigned char> const&, bool) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #12 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 63ul, void (mozilla::HostWebGLContext::*)(unsigned int, mozilla::RawBuffer<unsigned char> const&, unsigned int) const, &mozilla::HostWebGLContext::BufferData(unsigned int, mozilla::RawBuffer<unsigned char> const&, unsigned int) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #13 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 62ul, void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned long, unsigned long, unsigned long) const, &mozilla::HostWebGLContext::CopyBufferSubData(unsigned int, unsigned int, unsigned long, unsigned long, unsigned long) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #14 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 61ul, void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned long, unsigned long, unsigned long) const, &mozilla::HostWebGLContext::BindBufferRange(unsigned int, unsigned int, unsigned long, unsigned long, unsigned long) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #15 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 60ul, void (mozilla::HostWebGLContext::*)(unsigned int, unsigned long) const, &mozilla::HostWebGLContext::BindBuffer(unsigned int, unsigned long) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #16 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 59ul, void (mozilla::HostWebGLContext::*)(int, int, int, int) const, &mozilla::HostWebGLContext::Viewport(int, int, int, int) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #17 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 58ul, void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned int, unsigned int) const, &mozilla::HostWebGLContext::StencilOpSeparate(unsigned int, unsigned int, unsigned int, unsigned int) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #18 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 57ul, void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int) const, &mozilla::HostWebGLContext::StencilMaskSeparate(unsigned int, unsigned int) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #19 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 56ul, void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, int, unsigned int) const, &mozilla::HostWebGLContext::StencilFuncSeparate(unsigned int, unsigned int, int, unsigned int) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #20 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 55ul, void (mozilla::HostWebGLContext::*)(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) const, &mozilla::HostWebGLContext::ShaderSource(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #21 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 54ul, void (mozilla::HostWebGLContext::*)(int, int, int, int) const, &mozilla::HostWebGLContext::Scissor(int, int, int, int) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #22 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 53ul, void (mozilla::HostWebGLContext::*)(float, bool) const, &mozilla::HostWebGLContext::SampleCoverage(float, bool) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #23 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 52ul, void (mozilla::HostWebGLContext::*)(unsigned long, mozilla::layers::TextureType, bool, mozilla::webgl::SwapChainOptions const&) const, &mozilla::HostWebGLContext::Present(unsigned long, mozilla::layers::TextureType, bool, mozilla::webgl::SwapChainOptions const&) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #24 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 51ul, void (mozilla::HostWebGLContext::*)(mozilla::webgl::ProvokingVertex) const, &mozilla::HostWebGLContext::ProvokingVertex(mozilla::webgl::ProvokingVertex) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #25 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 50ul, void (mozilla::HostWebGLContext::*)(float, float) const, &mozilla::HostWebGLContext::PolygonOffset(float, float) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #26 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 49ul, void (mozilla::HostWebGLContext::*)(unsigned long) const, &mozilla::HostWebGLContext::LinkProgram(unsigned long) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #27 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 48ul, void (mozilla::HostWebGLContext::*)(float) const, &mozilla::HostWebGLContext::LineWidth(float) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #28 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 47ul, void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int) const, &mozilla::HostWebGLContext::Hint(unsigned int, unsigned int) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #29 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 46ul, void (mozilla::HostWebGLContext::*)(unsigned int) const, &mozilla::HostWebGLContext::FrontFace(unsigned int) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #30 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 45ul, void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned int, unsigned long, int, int, int) const, &mozilla::HostWebGLContext::FramebufferAttach(unsigned int, unsigned int, unsigned int, unsigned long, int, int, int) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #31 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 44ul, void (mozilla::HostWebGLContext::*)() const, &mozilla::HostWebGLContext::Flush() const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #32 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 43ul, void (mozilla::HostWebGLContext::*)(unsigned long, unsigned long) const, &mozilla::HostWebGLContext::DetachShader(unsigned long, unsigned long) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #33 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 42ul, void (mozilla::HostWebGLContext::*)(float, float) const, &mozilla::HostWebGLContext::DepthRange(float, float) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #34 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 41ul, void (mozilla::HostWebGLContext::*)(bool) const, &mozilla::HostWebGLContext::DepthMask(bool) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #35 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 40ul, void (mozilla::HostWebGLContext::*)(unsigned int) const, &mozilla::HostWebGLContext::DepthFunc(unsigned int) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #36 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 39ul, void (mozilla::HostWebGLContext::*)(unsigned int) const, &mozilla::HostWebGLContext::CullFace(unsigned int) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #37 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 38ul, void (mozilla::HostWebGLContext::*)(unsigned long) const, &mozilla::HostWebGLContext::CompileShader(unsigned long) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #38 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 37ul, void (mozilla::HostWebGLContext::*)(mozilla::Maybe<unsigned int>, unsigned char) const, &mozilla::HostWebGLContext::ColorMask(mozilla::Maybe<unsigned int>, unsigned char) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #39 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 36ul, void (mozilla::HostWebGLContext::*)(int) const, &mozilla::HostWebGLContext::ClearStencil(int) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #40 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 35ul, void (mozilla::HostWebGLContext::*)(float) const, &mozilla::HostWebGLContext::ClearDepth(float) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #41 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 34ul, void (mozilla::HostWebGLContext::*)(float, float, float, float) const, &mozilla::HostWebGLContext::ClearColor(float, float, float, float) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #42 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 33ul, void (mozilla::HostWebGLContext::*)(unsigned int) const, &mozilla::HostWebGLContext::Clear(unsigned int) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #43 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 32ul, void (mozilla::HostWebGLContext::*)(mozilla::Maybe<unsigned int>, unsigned int, unsigned int, unsigned int, unsigned int) const, &mozilla::HostWebGLContext::BlendFuncSeparate(mozilla::Maybe<unsigned int>, unsigned int, unsigned int, unsigned int, unsigned int) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #44 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 31ul, void (mozilla::HostWebGLContext::*)(mozilla::Maybe<unsigned int>, unsigned int, unsigned int) const, &mozilla::HostWebGLContext::BlendEquationSeparate(mozilla::Maybe<unsigned int>, unsigned int, unsigned int) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #45 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 30ul, void (mozilla::HostWebGLContext::*)(float, float, float, float) const, &mozilla::HostWebGLContext::BlendColor(float, float, float, float) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #46 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 29ul, void (mozilla::HostWebGLContext::*)(unsigned int, unsigned long) const, &mozilla::HostWebGLContext::BindFramebuffer(unsigned int, unsigned long) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #47 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 28ul, void (mozilla::HostWebGLContext::*)(unsigned long, unsigned int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) const, &mozilla::HostWebGLContext::BindAttribLocation(unsigned long, unsigned int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #48 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 27ul, void (mozilla::HostWebGLContext::*)(unsigned long, unsigned long) const, &mozilla::HostWebGLContext::AttachShader(unsigned long, unsigned long) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #49 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 26ul, void (mozilla::HostWebGLContext::*)(), &mozilla::HostWebGLContext::DidRefresh()>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #50 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 25ul, void (mozilla::HostWebGLContext::*)(mozilla::WebGLExtensionID), &mozilla::HostWebGLContext::RequestExtension(mozilla::WebGLExtensionID)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #51 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 24ul, void (mozilla::HostWebGLContext::*)(mozilla::avec2<unsigned int> const&), &mozilla::HostWebGLContext::Resize(mozilla::avec2<unsigned int> const&)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #52 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 23ul, void (mozilla::HostWebGLContext::*)(unsigned int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) const, &mozilla::HostWebGLContext::GenerateError(unsigned int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #53 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 22ul, void (mozilla::HostWebGLContext::*)(unsigned int, mozilla::Maybe<unsigned int>, bool) const, &mozilla::HostWebGLContext::SetEnabled(unsigned int, mozilla::Maybe<unsigned int>, bool) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #54 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 21ul, void (mozilla::HostWebGLContext::*)(unsigned long), &mozilla::HostWebGLContext::DeleteVertexArray(unsigned long)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #55 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 20ul, void (mozilla::HostWebGLContext::*)(unsigned long), &mozilla::HostWebGLContext::DeleteTransformFeedback(unsigned long)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #56 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 19ul, void (mozilla::HostWebGLContext::*)(unsigned long), &mozilla::HostWebGLContext::DeleteTexture(unsigned long)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #57 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 18ul, void (mozilla::HostWebGLContext::*)(unsigned long), &mozilla::HostWebGLContext::DeleteSync(unsigned long)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #58 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 17ul, void (mozilla::HostWebGLContext::*)(unsigned long), &mozilla::HostWebGLContext::DeleteShader(unsigned long)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #59 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 16ul, void (mozilla::HostWebGLContext::*)(unsigned long), &mozilla::HostWebGLContext::DeleteSampler(unsigned long)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #60 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 15ul, void (mozilla::HostWebGLContext::*)(unsigned long), &mozilla::HostWebGLContext::DeleteRenderbuffer(unsigned long)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #61 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 14ul, void (mozilla::HostWebGLContext::*)(unsigned long), &mozilla::HostWebGLContext::DeleteQuery(unsigned long)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #62 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 13ul, void (mozilla::HostWebGLContext::*)(unsigned long), &mozilla::HostWebGLContext::DeleteProgram(unsigned long)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #63 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 12ul, void (mozilla::HostWebGLContext::*)(unsigned long), &mozilla::HostWebGLContext::DeleteFramebuffer(unsigned long)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #64 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 11ul, void (mozilla::HostWebGLContext::*)(unsigned long), &mozilla::HostWebGLContext::DeleteBuffer(unsigned long)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #65 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 10ul, void (mozilla::HostWebGLContext::*)(unsigned long), &mozilla::HostWebGLContext::CreateVertexArray(unsigned long)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #66 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 9ul, void (mozilla::HostWebGLContext::*)(unsigned long), &mozilla::HostWebGLContext::CreateTransformFeedback(unsigned long)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #67 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 8ul, void (mozilla::HostWebGLContext::*)(unsigned long), &mozilla::HostWebGLContext::CreateTexture(unsigned long)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #68 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 7ul, void (mozilla::HostWebGLContext::*)(unsigned long), &mozilla::HostWebGLContext::CreateSync(unsigned long)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #69 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 6ul, void (mozilla::HostWebGLContext::*)(unsigned long, unsigned int), &mozilla::HostWebGLContext::CreateShader(unsigned long, unsigned int)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #70 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 5ul, void (mozilla::HostWebGLContext::*)(unsigned long), &mozilla::HostWebGLContext::CreateSampler(unsigned long)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #71 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 4ul, void (mozilla::HostWebGLContext::*)(unsigned long), &mozilla::HostWebGLContext::CreateRenderbuffer(unsigned long)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #72 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 3ul, void (mozilla::HostWebGLContext::*)(unsigned long), &mozilla::HostWebGLContext::CreateQuery(unsigned long)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #73 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 2ul, void (mozilla::HostWebGLContext::*)(unsigned long), &mozilla::HostWebGLContext::CreateProgram(unsigned long)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #74 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 1ul, void (mozilla::HostWebGLContext::*)(unsigned long), &mozilla::HostWebGLContext::CreateFramebuffer(unsigned long)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #75 0x7fffe0792944 in bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 0ul, void (mozilla::HostWebGLContext::*)(unsigned long), &mozilla::HostWebGLContext::CreateBuffer(unsigned long)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&) /dom/canvas/WebGLCommandQueue.h:258:12
    #76 0x7fffe0792944 in mozilla::dom::WebGLParent::RecvDispatchCommands(mozilla::ipc::BigBuffer&&, unsigned long) /dom/canvas/WebGLParent.cpp:64:21
    #77 0x7fffe09054f4 in mozilla::dom::PWebGLParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGLParent.cpp:236:79
    #78 0x7fffdc2dc6d5 in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:279:32
    [...]

I was not able to reproduce this outside of fuzzing so far, but my guess is this is due to this running through WebGLParent::RecvDispatchCommands. We are either truncating an existing command buffer or swapping it out entirely for another Shmem that already exists. In its current state, the fuzzer neither understands the special semantics of passing a Shmem nor can it create or alter contents of a Shmem. This will change likely in Q1 with some more specialized fuzzing.

From the stack, it looks like this is creating an invalid range through HostWebGLContext::InvalidateFramebuffer and I've seen other crashes where the offset was much larger (we should assume the offset is arbitrary, in which case this could lead to OOB issues even if a nullptr is the base). I've also seen similar crashes with HostWebGLContext::BufferSubData and some others. There is likely an argument validation missing.

Comment 1

[Christian Holler (:decoder)]

Attachment: Detailed Crash Information

Comment 2

[Christian Holler (:decoder)]

Attachment: Testcase

Comment 3

[Christian Holler (:decoder)]

Actually I was able to reproduce this locally. It is likely that the fuzzer is using a BigBuffer not backed by shmem.

Comment 4

[Erich Gubler [:ErichDonGubler] (he/him)]

Triaging as S2, since having an arbitrary offset into invalid base address in memory seems a nontrivial security problem. NI'ing :jgilbert to confirm.

Comment 5

[Christian Holler (:decoder)]

I manually created a pernosco session for this because Nyx isn't supported yet in bugmon:

https://pernos.co/debug/tWX_M6_9JuJoEjKOiJLt2w/index.html

Comment 6

[Christian Holler (:decoder)]

Attachment: Bug 1873866 - Add CheckedRawBuffer to protect IPC methods. r?#gfx-reviewers

Comment 7

[Christian Holler (:decoder)]

Fuzzing with my patch seems to confirm that this issue + all the different other issues I've been seeing in the last fuzzing run are gone.

Comment 8

[Kelsey Gilbert [:jgilbert]]

I'm looking into an alternative approach rather than duplicating the serialization code.

Comment 9

[Bob Hood [:bhood]]

Soft freeze for Fx123 is a little over two weeks away. Do you think we'll be able to land a fix prior to that?

Comment 10

[Kelsey Gilbert [:jgilbert]]

Attachment: Bug 1873866 - RawBuffer now forbids null/size-only.

Comment 11

[Kelsey Gilbert [:jgilbert]]

This isn't csec-nullptr because it's content-controlled offset.

Comment 12

[Kelsey Gilbert [:jgilbert]]

Would it be a good idea to try a fuzzing run with my patch before landing?

Comment 13

[Kelsey Gilbert [:jgilbert]]

Comment on attachment 9377059 [details]
Bug 1873866 - RawBuffer now forbids null/size-only.

Security Approval Request

• How easily could an exploit be constructed based on the patch?: Kinda difficult. The fix is kinda oblique to the issue.
• Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
• Which older supported branches are affected by this flaw?: all
• If not all supported branches, which bug introduced the flaw?: None
• Do you have backports for the affected branches?: No
• If not, how different, hard to create, and risky will they be?: They should be easy or trivial.
• How likely is this patch to cause regressions; how much testing does it need?: Unlikely to get past CI, but it would be good to double-check that this satisfies the fuzzers, since this originated from them!
• Is Android affected?: Yes

Comment 14

[Christian Holler (:decoder)]

I've been fuzzing this for a few hours no without any issues. Will continue today but we shouldn't block landing on that.

Comment 15

[Tom Ritter [:tjr]]

Comment on attachment 9377059 [details]
Bug 1873866 - RawBuffer now forbids null/size-only.

Approved to land and request uplift

Comment 16

[Kelsey Gilbert [:jgilbert]]

Attachment: Bug 1873866 - RawBuffer now forbids null/size-only.

Original Revision: https://phabricator.services.mozilla.com/D199939

Comment 17

[Phabricator Automation]

Uplift Approval Request

• Code covered by automated testing: yes
• Steps to reproduce for manual QE testing: Run fuzzers
• User impact if declined: sec-high found by fuzzing
• Explanation of risk level: CI coverage should be good, but there's always risk of incompleteness.
• String changes made/needed: none
• Is Android affected?: yes
• Needs manual QE test: no
• Fix verified in Nightly: no
• Risk associated with taking this patch: Low

Comment 18

[Kelsey Gilbert [:jgilbert]]

[Tracking Requested - why for this release]: sec-high found by fuzzers

Comment 19

[Phabricator Automation]

Uplift Approval Request

• Risk associated with taking this patch: Low
• Needs manual QE test: no
• Fix verified in Nightly: no
• Is Android affected?: yes
• String changes made/needed: none
• Explanation of risk level: CI coverage should be good, but there's always risk of incompleteness.
• User impact if declined: sec-high found by fuzzing
• Steps to reproduce for manual QE testing: Testcase in bug
• Code covered by automated testing: yes

Comment 20

[Kelsey Gilbert [:jgilbert]]

Attachment: Bug 1873866 - RawBuffer now forbids null/size-only.

Original Revision: https://phabricator.services.mozilla.com/D199939

Comment 21

[Phabricator Automation]

Uplift Approval Request

• Is Android affected?: yes
• Needs manual QE test: no
• Fix verified in Nightly: no
• String changes made/needed: none
• Risk associated with taking this patch: Low
• Steps to reproduce for manual QE testing: testcase in bug
• User impact if declined: sec-high found by fuzzers
• Code covered by automated testing: yes
• Explanation of risk level: CI is solid, but unknown unknowns are possible

Comment 22

[Pulsebot]

Pushed by jgilbert@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e6afeb411481
RawBuffer now forbids null/size-only. r=gfx-reviewers,ahale

Comment 23

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/e6afeb411481

Comment 24

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-beta/rev/fdc4382bbff9

Comment 25

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-esr115/rev/2c8561c8e416

Comment 26

[Pascal Chevrel:pascalc]

https://hg.mozilla.org/releases/mozilla-esr115/rev/36aa98281db4
Backed out 1 changesets (bug 1873866) for causing build failures on esr115 a=backout

Kelsey, could you have a look please? Beta is OK. Thanks.

Comment 27

[Kelsey Gilbert [:jgilbert]]

Attachment: Bug 1873866 - [esr115] RawBuffer now forbids null/size-only.

Comment 28

[Kelsey Gilbert [:jgilbert]]

Attachment: Bug 1873866 - [esr115] RawBuffer now forbids null/size-only.

Original Revision: https://phabricator.services.mozilla.com/D200841

Comment 29

[Phabricator Automation]

Uplift Approval Request

• String changes made/needed: none
• Code covered by automated testing: yes
• Fix verified in Nightly: no
• Is Android affected?: yes
• User impact if declined: sec-high from fuzzing
• Steps to reproduce for manual QE testing: Run the webgl cts
• Risk associated with taking this patch: low
• Needs manual QE test: no
• Explanation of risk level: CI should be reassuring to us here

Comment 30

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-esr115/rev/7ac5892b5f09