Open
Bug 1882418
Opened 2 years ago
Updated 1 year ago
Hit MOZ_CRASH(index out of bounds: the len is 4 but the index is 4) at gfx/wr/webrender_api/src/display_list.rs:2238
Categories
(Core :: Graphics: WebRender, defect)
Core
Graphics: WebRender
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | wontfix |
| firefox123 | --- | wontfix |
| firefox124 | --- | wontfix |
| firefox125 | --- | fix-optional |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 2 open bugs)
Details
(5 keywords, Whiteboard: [bugmon:bisected,confirmed])
Crash Data
Attachments
(2 files)
Found while fuzzing m-c 20240227-74094dc4022c (--enable-address-sanitizer --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Hit MOZ_CRASH(index out of bounds: the len is 4 but the index is 4) at gfx/wr/webrender_api/src/display_list.rs:2238
#0 0x7f7f13c2d287 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:301:3
#1 0x7f7f13c2d287 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7f7f13c2b1d2 in mozglue_static::panic_hook::h4acda0fafd6b2bb6 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:96:9
#3 0x7f7f13c2b1d2 in core::ops::function::Fn::call::hba8866c48a14622a /builds/worker/fetches/rust/library/core/src/ops/function.rs:79:5
#4 0x7f7f17b2defd in std::panicking::rust_panic_with_hook::h0a971cc57198493c std.2dbd840835d58f4-cgu.01
#5 0x7f7f17b72db9 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hcf1926875cd38ef4 std.2dbd840835d58f4-cgu.12
#6 0x7f7f17b729a5 in std::sys_common::backtrace::__rust_end_short_backtrace::h5a6257cfe1770c3c std.2dbd840835d58f4-cgu.12
#7 0x7f7f17b2dacf in rust_begin_unwind std.2dbd840835d58f4-cgu.01
#8 0x7f7f17bb3874 in core::panicking::panic_fmt::h96e14d5bfffd3602 core.77b43fb9d2cad1e6-cgu.05
#9 0x7f7f17bb3ab1 in core::panicking::panic_bounds_check::hed657bc6ec6e772d core.77b43fb9d2cad1e6-cgu.05
#10 0x7f7f1305f1f9 in _$LT$usize$u20$as$u20$core..slice..index..SliceIndex$LT$$u5b$T$u5d$$GT$$GT$::index::h20e9bc36f31e0b1f /builds/worker/fetches/rust/library/core/src/slice/index.rs:255:10
#11 0x7f7f1305f1f9 in core::slice::index::_$LT$impl$u20$core..ops..index..Index$LT$I$GT$$u20$for$u20$$u5b$T$u5d$$GT$::index::h06b55d7182cd3668 /builds/worker/fetches/rust/library/core/src/slice/index.rs:18:9
#12 0x7f7f1305f1f9 in _$LT$alloc..vec..Vec$LT$T$C$A$GT$$u20$as$u20$core..ops..index..Index$LT$I$GT$$GT$::index::h5988281014c58bdf /builds/worker/fetches/rust/library/alloc/src/vec/mod.rs:2770:9
#13 0x7f7f1305f1f9 in webrender_api::display_list::DisplayListBuilder::current_offset::hbd3e5ec59344380e /builds/worker/checkouts/gecko/gfx/wr/webrender_api/src/display_list.rs:2238:47
#14 0x7f7f1305f1f9 in webrender_api::display_list::DisplayListBuilder::define_clip_rect::hfc1d1c58d369a590 /builds/worker/checkouts/gecko/gfx/wr/webrender_api/src/display_list.rs:1997:30
#15 0x7f7f11bdb33c in wr_dp_define_rect_clip /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:2741:19
#16 0x7f7eff43b391 in mozilla::layers::ClipManager::DefineClipChain(mozilla::DisplayItemClipChain const*, int) /builds/worker/checkouts/gecko/gfx/layers/wr/ClipManager.cpp:430:19
#17 0x7f7eff43ebf6 in mozilla::layers::ClipManager::SwitchItem(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayItem*) /builds/worker/checkouts/gecko/gfx/layers/wr/ClipManager.cpp:264:24
#18 0x7f7eff4eb055 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2109:43
#19 0x7f7f08cdcb6d in CreateWebRenderCommandsNewClipListOption /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:4604:30
#20 0x7f7f08cdcb6d in CreateWebRenderCommands /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:4944:12
#21 0x7f7f08cdcb6d in mozilla::nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:5230:22
#22 0x7f7eff4ef3a7 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1864:41
#23 0x7f7eff4ebb74 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2130:7
#24 0x7f7eff4e81f7 in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1785:5
#25 0x7f7eff5155a5 in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderLayerManager.cpp:364:30
#26 0x7f7f08ca7a9a in mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2287:18
#27 0x7f7f083b01d6 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3315:9
#28 0x7f7f0827363a in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6481:5
#29 0x7f7f077991e3 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:408:18
#30 0x7f7f077984bb in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:343:22
#31 0x7f7f0779b997 in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:916:5
#32 0x7f7f081c6792 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2819:11
#33 0x7f7f081dc8d6 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:13
#34 0x7f7f081dc8d6 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:345:7
#35 0x7f7f081dc5ae in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:361:5
#36 0x7f7f081dc201 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:951:5
#37 0x7f7f081db0b4 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:861:5
#38 0x7f7f081d9bf4 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:758:5
#39 0x7f7f081d91f2 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#40 0x7f7f081d8da5 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:549:9
#41 0x7f7f0651138b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#42 0x7f7f06b29fad in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:237:78
#43 0x7f7f068d753a in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8276:32
#44 0x7f7efe0bf0d5 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1813:25
#45 0x7f7efe0baadb in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1732:9
#46 0x7f7efe0bbe89 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#47 0x7f7efe0bd403 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#48 0x7f7efc3d0cba in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
#49 0x7f7efc3b6b3b in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
#50 0x7f7efc3b3718 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
#51 0x7f7efc3b3e19 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
#52 0x7f7efc3d8de4 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:235:37
#53 0x7f7efc3d8de4 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#54 0x7f7efc400d2f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#55 0x7f7efc40ea6a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#56 0x7f7efe0c86d3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#57 0x7f7efdee76ba in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#58 0x7f7efdee76ba in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#59 0x7f7efdee76ba in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#60 0x7f7f078d2fe9 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#61 0x7f7f07ade302 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#62 0x7f7f0c8e1e6e in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
#63 0x7f7efdee76ba in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#64 0x7f7efdee76ba in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#65 0x7f7efdee76ba in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#66 0x7f7f0c8e1413 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34
#67 0x55b673a3d53c in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#68 0x55b673a3d53c in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#69 0x7f7f24c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#70 0x7f7f24c29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#71 0x55b673961848 in _start (/home/user/workspace/browsers/m-c-20240226091922-fuzzing-asan-opt/firefox+0xdc848) (BuildId: bc4f3631415369d8d5cdfad99356ae185919c6be)
Flags: in-testsuite?
|
||
Comment 1•2 years ago
|
||
Got a crash from the testcase: https://crash-stats.mozilla.org/report/index/28f338e7-dd25-4b74-bf91-dfc5c0240228
Crash Signature: [@ webrender_api::display_list::DisplayListBuilder::current_offset ]
Keywords: crash
|
|
||
Comment 2•2 years ago
|
||
Bisection points to :
Bug 1835066 - [css-nesting] Enable on nightly. r=dholbert
Differential Revision: https://phabricator.services.mozilla.com/D179271
But this is probably just so that the testcase works.
|
||
Comment 3•2 years ago
|
||
(In reply to Mayank Bansal from comment #2)
But this is probably just so that the testcase works.
Thanks -- yeah, the testcase uses CSS nesting syntax, but it's unrelated to the actual features that are crashing here. We should get a second testcase with the css nesting "flattened"/removed, and then we can mozregression-bisect with that one to get a more "real" regression range.
I'm about to head to bed, so I won't attempt that at the moment, but if anyone else is up for doing that, I think that's the best next-step here.
|
||
Comment 4•2 years ago
|
||
Verified bug as reproducible on mozilla-central 20240228043028-06645f775e47.
The bug appears to have been introduced in the following build range:
Start: b8f06acca6bf62e32647496ed613012fa4c27e9e (20230604092146)
End: 00802389f336283602445d4f08e53b8bd09b43eb (20230604115344)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b8f06acca6bf62e32647496ed613012fa4c27e9e&tochange=00802389f336283602445d4f08e53b8bd09b43eb
Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
|
||
Comment 5•2 years ago
|
||
|
|
||
Comment 6•2 years ago
|
||
|
||
Comment 7•2 years ago
|
||
status-firefox123:
--- → wontfix
status-firefox124:
--- → wontfix
status-firefox-esr115:
--- → wontfix
|
|
||
Updated•2 years ago
|
Attachment #9388055 -
Attachment description: bug1882418.html with css nesting → bug1882418.html (testcase without using css nesting)
|
||
Comment 8•2 years ago
|
||
(In reply to Tyson Smith [:tsmith] from comment #0)
Created attachment 9387960 [details]
bp-43d5b8d7-3dc6-4e53-9110-96c430240302 [@ <usize as core::slice::index::SliceIndex<[T]>>::index ]
(In reply to Timothy Nikkel (:tnikkel) from comment #5)
bp-6a99b666-1790-4802-a2e7-d17d80240302 [@ <usize as core::slice::index::SliceIndex<[T]>>::index ]
Crash Signature: [@ webrender_api::display_list::DisplayListBuilder::current_offset ] → [@ webrender_api::display_list::DisplayListBuilder::current_offset ]
[@ <usize as core::slice::index::SliceIndex<[T]>>::index ]
|
||
Comment 9•2 years ago
|
||
I think S3 is appropriate here but please do bump it up to S2 if I underestimated the severity.
Severity: -- → S3
|
|
||
Comment 10•1 year ago
|
||
Crash from latest nightly on the testcase: https://crash-stats.mozilla.org/report/index/364b8067-28a0-4945-92f0-1c0290240525#tab-bugzilla
Crash Signature: [@ webrender_api::display_list::DisplayListBuilder::current_offset ]
[@ <usize as core::slice::index::SliceIndex<[T]>>::index ] → [@ webrender_api::display_list::DisplayListBuilder::current_offset ]
[@ <usize as core::slice::index::SliceIndex<[T]>>::index ]
[@ core::option::expect_failed | webrender::scene_building::SceneBuilder::get_space ]
You need to log in
before you can comment on or make changes to this bug.
Description
•