1879985 - Assertion failure: aSize < std::numeric_limits<uint32_t>::max() (Tried to create Shmem with size larger than 4GB), at /builds/worker/checkouts/gecko/ipc/glue/Shmem.cpp:29

Status: NEW

(Core :: Graphics: WebRender, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20240206-1995789cfffa (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: aSize < std::numeric_limits<uint32_t>::max() (Tried to create Shmem with size larger than 4GB), at /builds/worker/checkouts/gecko/ipc/glue/Shmem.cpp:29

#0 0x7fd0de9ffae7 in ShmemCreated /builds/worker/checkouts/gecko/ipc/glue/Shmem.cpp:28:5
#1 0x7fd0de9ffae7 in mozilla::detail::UniqueSelector<mozilla::ipc::ShmemCreated>::SingleObject mozilla::MakeUnique<mozilla::ipc::ShmemCreated, int&, int&, unsigned long&>(int&, int&, unsigned long&) /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:606:27
#2 0x7fd0de9ff866 in mozilla::ipc::Shmem::MkCreatedMessage(int) /builds/worker/checkouts/gecko/ipc/glue/Shmem.cpp:191:14
#3 0x7fd0de9eaca0 in mozilla::ipc::IToplevelProtocol::CreateSharedMemory(unsigned long, bool, int*) /builds/worker/checkouts/gecko/ipc/glue/ProtocolUtils.cpp:721:41
#4 0x7fd0de9eb92c in CreateSharedMemory /builds/worker/checkouts/gecko/ipc/glue/ProtocolUtils.cpp:358:21
#5 0x7fd0de9eb92c in mozilla::ipc::IProtocol::AllocShmem(unsigned long, mozilla::ipc::Shmem*) /builds/worker/checkouts/gecko/ipc/glue/ProtocolUtils.cpp:443:31
#6 0x7fd0df2645de in mozilla::wr::ShmSegmentsWriter::AllocLargeChunk(unsigned long) /builds/worker/checkouts/gecko/gfx/layers/wr/IpcResourceUpdateQueue.cpp:130:23
#7 0x7fd0df2642a6 in mozilla::wr::ShmSegmentsWriter::Write(mozilla::Range<unsigned char>) /builds/worker/checkouts/gecko/gfx/layers/wr/IpcResourceUpdateQueue.cpp:55:18
#8 0x7fd0df265ebc in mozilla::wr::IpcResourceUpdateQueue::AddBlobImage(mozilla::wr::BlobImageKey, mozilla::wr::ImageDescriptor const&, mozilla::Range<unsigned char>, mozilla::gfx::IntRectTyped<mozilla::ImagePixel>) /builds/worker/checkouts/gecko/gfx/layers/wr/IpcResourceUpdateQueue.cpp:331:24
#9 0x7fd0df2b1700 in mozilla::layers::WebRenderCommandBuilder::GenerateFallbackData(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*, mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float>&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2632:23
#10 0x7fd0df2ab4d3 in mozilla::layers::WebRenderCommandBuilder::PushItemAsImage(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2897:48
#11 0x7fd0df2a9b62 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2130:7
#12 0x7fd0e3a92142 in CreateWebRenderCommandsNewClipListOption /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:4591:30
#13 0x7fd0e3a92142 in CreateWebRenderCommands /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:4944:12
#14 0x7fd0e3a92142 in mozilla::nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:5217:22
#15 0x7fd0df2ab3a6 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1864:41
#16 0x7fd0df2a9b62 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2130:7
#17 0x7fd0df2a80e6 in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1785:5
#18 0x7fd0df2bdce8 in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderLayerManager.cpp:364:30
#19 0x7fd0e3a80af7 in mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2274:18
#20 0x7fd0e36e47b1 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3432:9
#21 0x7fd0e364d9af in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6481:5
#22 0x7fd0e31d1782 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:408:18
#23 0x7fd0e31d120e in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:343:22
#24 0x7fd0e31d286d in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:916:5
#25 0x7fd0e3602555 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2819:11
#26 0x7fd0e360b971 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:13
#27 0x7fd0e360b971 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:345:7
#28 0x7fd0e360b870 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:361:5
#29 0x7fd0e360b70d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:951:5
#30 0x7fd0e360a9ac in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:861:5
#31 0x7fd0e3609c19 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#32 0x7fd0e2927a5b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#33 0x7fd0e2c17a1d in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:237:78
#34 0x7fd0e2aff730 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8273:32
#35 0x7fd0de9d2c6f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1813:25
#36 0x7fd0de9cf9c2 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1732:9
#37 0x7fd0de9d0642 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#38 0x7fd0de9d178f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#39 0x7fd0ddcdbcb7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
#40 0x7fd0ddcd1426 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
#41 0x7fd0ddccfc07 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
#42 0x7fd0ddcd0085 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
#43 0x7fd0ddcdfcc9 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:235:37
#44 0x7fd0ddcdfcc9 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#45 0x7fd0ddcf4fc2 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#46 0x7fd0ddcfc10d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#47 0x7fd0de9d8b83 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#48 0x7fd0de8f2e71 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#49 0x7fd0de8f2e71 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#50 0x7fd0e323c1d8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#51 0x7fd0e32f9818 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#52 0x7fd0e511788b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
#53 0x7fd0de9d9ab6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#54 0x7fd0de8f2e71 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#55 0x7fd0de8f2e71 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#56 0x7fd0e51170f2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
#57 0x55b25588f3b6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#58 0x55b25588f3b6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#59 0x7fd0f2629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#60 0x7fd0f2629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#61 0x55b2558650e8 in _start (/home/user/workspace/browsers/m-c-20240211213657-fuzzing-debug/firefox-bin+0x590e8) (BuildId: ee876ea058ef8318ad7efeb7b4af40cedc32cad4)

Comment 1

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20240213052011-995a3050d70c.
The bug appears to have been introduced in the following build range:

Start: 59d6c667ab6651a0b219d1936cae9c8a8dab22ee (20230316075359)
End: 188dde9143643fa510a7e336c2f8d6555ca783ca (20230316115635)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=59d6c667ab6651a0b219d1936cae9c8a8dab22ee&tochange=188dde9143643fa510a7e336c2f8d6555ca783ca

Comment 2

[Timothy Nikkel (:tnikkel)]

(In reply to Bugmon [:jkratzer for issues] from comment #1)

Verified bug as reproducible on mozilla-central 20240213052011-995a3050d70c.
The bug appears to have been introduced in the following build range:

Start: 59d6c667ab6651a0b219d1936cae9c8a8dab22ee (20230316075359)
End: 188dde9143643fa510a7e336c2f8d6555ca783ca (20230316115635)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=59d6c667ab6651a0b219d1936cae9c8a8dab22ee&tochange=188dde9143643fa510a7e336c2f8d6555ca783ca

Guessing that its

188dde9143643fa510a7e336c2f8d6555ca783ca Tiaan Louw — Bug 1813481 - Allow 'none' keyword in color components r=emilio,supply-chain-reviewers,devtools-reviewers

because the testcase uses none in color. But I suspect that is not material to the actual bug.

Comment 3

[Timothy Nikkel (:tnikkel)]

Tiaan, feel free to resolve the needinfo, I suspect that your patch isn't causing the issue, just that before your patch the css didn't parse so the issue didn't happen.

Comment 4

[Timothy Nikkel (:tnikkel)]

I suspect a testcase that doesn't use none in colors can be created.

Comment 5

[Tiaan Louw [:tlouw]]

After a quick look:

• As you mention changing the colors to not have "none" has the same crash.
• The whole testcase can stay the same, except when you change the 2095262627.5198538 value at the end to something smaller, the crashes stop.
• Unsure how that number is even taken into account, because this is the result of parsing a linear gradient, and nothing in there suggests that the gradient will use more memory according to that value.

linear-gradient: Linear {
    direction: Vertical(Bottom),
    color_interpolation_method: ColorInterpolationMethod { space: Srgb, hue: Shorter },
    items: [
        ComplexColorStop { color: Absolute(Absolute { color: AbsoluteColor { components: ColorComponents(1.0, 0.0, 0.0), alpha: 1.0, color_space: Srgb, flags: ColorFlags(16) }, authored: Some("red") }), position: Length(Absolute(Pt(214.0))) },
        InterpolationHint(Length(FontRelative(Ex(-24.0)))),
        SimpleColorStop(Absolute(Absolute { color: AbsoluteColor { components: ColorComponents(0.0, 0.5019608, 0.0), alpha: 1.0, color_space: Srgb, flags: ColorFlags(16) }, authored: Some("green") })),
        InterpolationHint(Length(ViewportPercentage(Vmax(-70.0)))),
        SimpleColorStop(Absolute(Absolute { color: AbsoluteColor { components: ColorComponents(0.0, 0.0, 1.0), alpha: 1.0, color_space: Srgb, flags: ColorFlags(16) }, authored: Some("blue") })),
        ComplexColorStop { color: Absolute(Absolute { color: AbsoluteColor { components: ColorComponents(0.0, 0.39215687, 0.0), alpha: 1.0, color_space: Srgb, flags: ColorFlags(16) }, authored: Some("darkgreen") }), position: Percentage(Percentage(0.48)) },
        ComplexColorStop { color: Absolute(Absolute { color: AbsoluteColor { components: ColorComponents(1.0, 0.64705884, 0.0), alpha: 1.0, color_space: Srgb, flags: ColorFlags(16) }, authored: Some("orange") }), position: Percentage(Percentage(0.61)) }
    ],
    flags: GradientFlags(3),
    compat_mode: Modern
}

Clearing the NI, but if you need me to check something around the parsing, etc. please let me know.

Comment 6

[Bugmon [:jkratzer for issues]]

Testcase crashes using the initial build (mozilla-central 20240206095115-1995789cfffa) but not with tip (mozilla-central 20241227212105-16d572654502.)

Unable to bisect testcase (Testcase reproduces on start build!):

Start: 9660032084db64efbe9cbbf4c47a38d0a6c36c9f (20231230094435)
End: 1995789cfffa08b612d3571d2e8596837f772a49 (20240206095115)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False, searchfox=False, afl=False)

Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.