1877600 - Assertion failure: mSegment->Size() - (2 * pageSize) >= mSize (illegal size in shared memory segment), at /builds/worker/checkouts/gecko/ipc/glue/Shmem.cpp:241

Status: NEW

(Core :: Graphics: WebGPU, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20240123-83483e973267 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing --cpu x86 -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Note: This has only been reported by fuzzers on Windows running 32-bit builds.

Assertion failure: mSegment->Size() - (2 * pageSize) >= mSize (illegal size in shared memory segment), at /builds/worker/checkouts/gecko/ipc/glue/Shmem.cpp:241

33|0|xul.dll|mozilla::ipc::Shmem::Shmem(mozilla::ipc::SharedMemory*, int)|hg:hg.mozilla.org/mozilla-central:ipc/glue/Shmem.cpp:49f49182fc503c7ebfff0af484b8f21c9a6ac29f|240|0x231
33|1|xul.dll|mozilla::ipc::IToplevelProtocol::CreateSharedMemory(unsigned int, bool, int*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/ProtocolUtils.cpp:49f49182fc503c7ebfff0af484b8f21c9a6ac29f|730|0x79
33|2|xul.dll|mozilla::ipc::IProtocol::AllocShmem(unsigned int, mozilla::ipc::Shmem*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/ProtocolUtils.cpp:49f49182fc503c7ebfff0af484b8f21c9a6ac29f|454|0x35
33|3|xul.dll|mozilla::webgpu::WebGPUParent::GetFrontBufferSnapshot(mozilla::ipc::IProtocol*, mozilla::layers::RemoteTextureOwnerId const&, mozilla::Maybe<mozilla::ipc::Shmem>&, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>&)|hg:hg.mozilla.org/mozilla-central:dom/webgpu/ipc/WebGPUParent.cpp:49f49182fc503c7ebfff0af484b8f21c9a6ac29f|1124|0x171
33|4|xul.dll|mozilla::gfx::CanvasManagerParent::RecvGetSnapshot(unsigned int const&, int const&, mozilla::Maybe<mozilla::layers::RemoteTextureOwnerId> const&, mozilla::webgl::FrontBufferSnapshotIpc*)|hg:hg.mozilla.org/mozilla-central:gfx/ipc/CanvasManagerParent.cpp:49f49182fc503c7ebfff0af484b8f21c9a6ac29f|220|0x217
33|5|xul.dll|mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&, mozilla::UniquePtr<IPC::Message,mozilla::DefaultDelete<IPC::Message> >&)|s3:gecko-generated-sources:f0f92794d59ce211f13900af1347d7644d03d6aefb2c3506c31d5cf7d17cdaf4d0ed23d4efbb1ac569448c252819bfd6ac27d880567c4125b46fe97a40f86e97/ipc/ipdl/PCanvasManagerParent.cpp:|565|0x2bb
33|6|xul.dll|mozilla::ipc::MessageChannel::DispatchSyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&, mozilla::UniquePtr<IPC::Message,mozilla::DefaultDelete<IPC::Message> >&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:49f49182fc503c7ebfff0af484b8f21c9a6ac29f|1780|0xef
33|7|xul.dll|mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message,mozilla::DefaultDelete<IPC::Message> >)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:49f49182fc503c7ebfff0af484b8f21c9a6ac29f|1730|0x20b
33|8|xul.dll|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:49f49182fc503c7ebfff0af484b8f21c9a6ac29f|1525|0x155
33|9|xul.dll|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:49f49182fc503c7ebfff0af484b8f21c9a6ac29f|1623|0xba
33|10|xul.dll|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:49f49182fc503c7ebfff0af484b8f21c9a6ac29f|1193|0x9be
33|11|xul.dll|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:49f49182fc503c7ebfff0af484b8f21c9a6ac29f|480|0x41
33|12|xul.dll|mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:49f49182fc503c7ebfff0af484b8f21c9a6ac29f|300|0xe0
33|13|xul.dll|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:49f49182fc503c7ebfff0af484b8f21c9a6ac29f|370|0x82
33|14|xul.dll|MessageLoop::RunHandler()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:49f49182fc503c7ebfff0af484b8f21c9a6ac29f|363|0x72
33|15|xul.dll|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:49f49182fc503c7ebfff0af484b8f21c9a6ac29f|345|0x55
33|16|xul.dll|nsThread::ThreadFunc(void*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:49f49182fc503c7ebfff0af484b8f21c9a6ac29f|370|0x18f
33|17|nss3.dll|_PR_NativeRunThread(void*)|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/threads/combined/pruthr.c:49f49182fc503c7ebfff0af484b8f21c9a6ac29f|399|0xe3
33|18|nss3.dll|pr_root(void*)|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/md/windows/w95thred.c:49f49182fc503c7ebfff0af484b8f21c9a6ac29f|139|0x15
33|19|ucrtbase.dll||||
33|20|kernel32.dll||||
33|21|mozglue.dll|patched_BaseThreadInitThunk(int, void*, void*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:49f49182fc503c7ebfff0af484b8f21c9a6ac29f|561|0x56
33|22|ntdll.dll||||
33|23|ntdll.dll||||

Comment 1

[Bugmon [:jkratzer for issues]]

Unable to reproduce bug 1877600 using build mozilla-central 20240123223102-83483e973267. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 2

[Sotaro Ikeda [:sotaro]]

The assert seemed to relaxed to "mSegment->Size() >= mSize," by Bug 1873295.
https://searchfox.org/mozilla-central/rev/47db1be98f8069b387ce07dcbea22d09f1854515/ipc/glue/Shmem.cpp#162