Open Bug 1891142 Opened 9 months ago Updated 7 months ago

Hit MOZ_CRASH(called `Option::unwrap()` on a `None` value) at /third_party/rust/euclid/src/point.rs:429

Categories

(Core :: Graphics: WebRender, defect)

x86_64
Linux
defect

Tracking


Tracking Status
firefox-esr115 --- unaffected
firefox125 --- wontfix
firefox126 --- wontfix
firefox127 --- wontfix
firefox128 --- fix-optional

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: bugmon, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(3 files)

Testcase found while fuzzing mozilla-central rev 008989a6a743 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 008989a6a743 --debug --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Hit MOZ_CRASH(called `Option::unwrap()` on a `None` value) at /third_party/rust/euclid/src/point.rs:429

    ==30593==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7beeba96d2f5 bp 0x7bed947f0430 sp 0x7bed947f0420 T30746)
    ==30593==The signal is caused by a WRITE memory access.
    ==30593==Hint: address points to the zero page.
        #0 0x7beeba96d2f5 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:317:3
        #1 0x7beeba96d2f5 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
        #2 0x7beeba96c7ad in mozglue_static::panic_hook::h43f486fae4fa321d /mozglue/static/rust/lib.rs:98:9
        #3 0x7beeba96c7ad in core::ops::function::Fn::call::h5492db3e4b89e7be /rustc/7cf61ebde7b22796c69757901dd346d0fe70bd97/library/core/src/ops/function.rs:79:5
        #4 0x7beebba5a5a5 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::hce488f674cf5618d /rustc/7cf61ebde7b22796c69757901dd346d0fe70bd97/library/alloc/src/boxed.rs:2029:9
        #5 0x7beebba5a5a5 in std::panicking::rust_panic_with_hook::hed79743dc8b4b969 /rustc/7cf61ebde7b22796c69757901dd346d0fe70bd97/library/std/src/panicking.rs:785:13
        #6 0x7beebba5a2b8 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::ha437b5d58f431abf /rustc/7cf61ebde7b22796c69757901dd346d0fe70bd97/library/std/src/panicking.rs:651:13
        #7 0x7beebba577e5 in std::sys_common::backtrace::__rust_end_short_backtrace::hd98e82d5b39ec859 /rustc/7cf61ebde7b22796c69757901dd346d0fe70bd97/library/std/src/sys_common/backtrace.rs:171:18
        #8 0x7beebba5a043 in rust_begin_unwind /rustc/7cf61ebde7b22796c69757901dd346d0fe70bd97/library/std/src/panicking.rs:647:5
        #9 0x7beebbaa6254 in core::panicking::panic_fmt::hc69c4d258fe11477 /rustc/7cf61ebde7b22796c69757901dd346d0fe70bd97/library/core/src/panicking.rs:72:14
        #10 0x7beebbaa6312 in core::panicking::panic::h90e84101c01877ef /rustc/7cf61ebde7b22796c69757901dd346d0fe70bd97/library/core/src/panicking.rs:144:5
        #11 0x7beebbaa5f95 in core::option::unwrap_failed::hac39b9b7507453f8 /rustc/7cf61ebde7b22796c69757901dd346d0fe70bd97/library/core/src/option.rs:1978:5
        #12 0x7beeba47dfc7 in core::option::Option$LT$T$GT$::unwrap::h86bea7659156c363 /rustc/7cf61ebde7b22796c69757901dd346d0fe70bd97/library/core/src/option.rs:931:21
        #13 0x7beeba47dfc7 in euclid::point::Point2D$LT$T$C$U$GT$::cast::h64c792b710e1ebd6 /third_party/rust/euclid/src/point.rs:429:25
        #14 0x7beeba47dfc7 in euclid::box2d::Box2D$LT$T$C$U$GT$::cast::hd6d279b2069d2ffd /third_party/rust/euclid/src/box2d.rs:533:29
        #15 0x7beeba47dfc7 in euclid::box2d::Box2D$LT$T$C$U$GT$::to_i32::h37a660cd33258277 /third_party/rust/euclid/src/box2d.rs:589:9
        #16 0x7beeba47dfc7 in webrender::quad::push_quad::h0599bdfa030eb0a0 /gfx/wr/webrender/src/quad.rs:288:27
        #17 0x7beeba47dfc7 in webrender::prepare::prepare_interned_prim_for_render::h06cc34fca07b8a73 /gfx/wr/webrender/src/prepare.rs:618:17
        #18 0x7beeba473951 in webrender::prepare::prepare_prim_for_render::ha6d51b307aa447d6 /gfx/wr/webrender/src/prepare.rs:261:5
        #19 0x7beeba473951 in webrender::prepare::prepare_primitives::hd333c94431e532f1 /gfx/wr/webrender/src/prepare.rs:81:17
        #20 0x7beeba4378a6 in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::ha20cf3f412846520 /gfx/wr/webrender/src/frame_builder.rs:462:17
        #21 0x7beeba4378a6 in webrender::frame_builder::FrameBuilder::build::hed115b99c5f4b2bd /gfx/wr/webrender/src/frame_builder.rs:566:9
        #22 0x7beeba497c3e in webrender::render_backend::Document::build_frame::h79e7d1630ec9c354 /gfx/wr/webrender/src/render_backend.rs:521:25
        #23 0x7beeba4ae4ce in webrender::render_backend::RenderBackend::update_document::hece3adb68acfbd7a /gfx/wr/webrender/src/render_backend.rs:1437:41
        #24 0x7beeba4a4ecd in webrender::render_backend::RenderBackend::prepare_transactions::h157ff1d3e4b46e90 /gfx/wr/webrender/src/render_backend.rs:1281:28
        #25 0x7beeba4a4ecd in webrender::render_backend::RenderBackend::process_api_msg::h2eb726a3f94f1dbd /gfx/wr/webrender/src/render_backend.rs:1134:17
        #26 0x7beeba22645a in webrender::render_backend::RenderBackend::run::he40a7629c49eb33e /gfx/wr/webrender/src/render_backend.rs:785:21
        #27 0x7beeba22645a in webrender::renderer::init::create_webrender_instance::_$u7b$$u7b$closure$u7d$$u7d$::he36b63f043a44a0a /gfx/wr/webrender/src/renderer/init.rs:685:9
        #28 0x7beeba22645a in std::sys_common::backtrace::__rust_begin_short_backtrace::h8729f89afcc6fba6 /rustc/7cf61ebde7b22796c69757901dd346d0fe70bd97/library/std/src/sys_common/backtrace.rs:155:18
        #29 0x7beeba22f042 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hcda94e577ecfa11f /rustc/7cf61ebde7b22796c69757901dd346d0fe70bd97/library/std/src/thread/mod.rs:529:17
        #30 0x7beeba22f042 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hf9a3b77926323e14 /rustc/7cf61ebde7b22796c69757901dd346d0fe70bd97/library/core/src/panic/unwind_safe.rs:272:9
        #31 0x7beeba22f042 in std::panicking::try::do_call::heaab66065498d6d2 /rustc/7cf61ebde7b22796c69757901dd346d0fe70bd97/library/std/src/panicking.rs:554:40
        #32 0x7beeba22f042 in std::panicking::try::h01d69cf4184fd94b /rustc/7cf61ebde7b22796c69757901dd346d0fe70bd97/library/std/src/panicking.rs:518:19
        #33 0x7beeba22f042 in std::panic::catch_unwind::h6c5e5482222d7199 /rustc/7cf61ebde7b22796c69757901dd346d0fe70bd97/library/std/src/panic.rs:142:14
        #34 0x7beeba22f042 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::h489ca24a3efcb052 /rustc/7cf61ebde7b22796c69757901dd346d0fe70bd97/library/std/src/thread/mod.rs:528:30
        #35 0x7beeba22f042 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h141dae0a9403a698 /rustc/7cf61ebde7b22796c69757901dd346d0fe70bd97/library/core/src/ops/function.rs:250:5
        #36 0x7beebba63c44 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h32ae492e80523c39 /rustc/7cf61ebde7b22796c69757901dd346d0fe70bd97/library/alloc/src/boxed.rs:2015:9
        #37 0x7beebba63c44 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::hd05b2dc112b7a972 /rustc/7cf61ebde7b22796c69757901dd346d0fe70bd97/library/alloc/src/boxed.rs:2015:9
        #38 0x7beebba63c44 in std::sys::pal::unix::thread::Thread::new::thread_start::h40e6fd3f8ce15a14 /rustc/7cf61ebde7b22796c69757901dd346d0fe70bd97/library/std/src/sys/pal/unix/thread.rs:108:17
        #39 0x7beec54c1ac2 in start_thread nptl/pthread_create.c:442:8
        #40 0x7beec555384f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:317:3 in MOZ_Crash
    ==30593==ABORTING
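To make frames #12 to #16 of the trace concrete: the sketch below is an added illustration and not code from this bug, from euclid or from WebRender. `Point2D`, `Box2D`, `checked_f32_to_i32` and the sample rects are simplified stand-ins (assumptions) for euclid's `Point2D::cast`, `Box2D::to_i32` and the `NumCast` conversion they go through; the real crate is not used. It shows the input classes for which the float-to-i32 cast yields `None`, which is the value the `unwrap()` in frame #12 trips over, and the checked alternative a caller can use instead.

```rust
// Added illustration of the failing path in the trace above. It is not euclid
// or WebRender code: Point2D/Box2D and checked_f32_to_i32 are simplified
// stand-ins (assumptions) for euclid's Point2D::cast, Box2D::to_i32 and the
// num_traits NumCast conversion they rely on.

/// Stand-in for `NumCast::from::<i32>(f32)`: None for NaN, +/-inf or any value
/// whose truncated integer part does not fit in i32. (Assumed to match num_traits.)
fn checked_f32_to_i32(v: f32) -> Option<i32> {
    const I32_MIN: f32 = -2_147_483_648.0; // exactly representable as f32
    const I32_MAX_PLUS_ONE: f32 = 2_147_483_648.0; // first value that does not fit
    if !v.is_finite() {
        return None;
    }
    let t = v.trunc(); // integer conversion truncates toward zero
    if t < I32_MIN || t >= I32_MAX_PLUS_ONE {
        return None;
    }
    // A bare `v as i32` would never fail here: since Rust 1.45 it saturates and
    // maps NaN to 0, silently hiding the bad coordinate. The Option is the
    // point at which a caller can still reject the input instead of crashing.
    Some(t as i32)
}

#[derive(Debug, Clone, Copy, PartialEq)]
struct Point2D<T> { x: T, y: T }

#[derive(Debug, Clone, Copy, PartialEq)]
struct Box2D<T> { min: Point2D<T>, max: Point2D<T> }

impl Point2D<f32> {
    /// Checked conversion: what euclid's `try_cast` does per component.
    fn try_cast_i32(self) -> Option<Point2D<i32>> {
        Some(Point2D { x: checked_f32_to_i32(self.x)?, y: checked_f32_to_i32(self.y)? })
    }
    /// Unchecked conversion: euclid's `cast` is `try_cast().unwrap()`, i.e. the
    /// `Option::unwrap()` on `None` in frames #12/#13 of the trace.
    fn cast_i32(self) -> Point2D<i32> {
        self.try_cast_i32().unwrap()
    }
}

impl Box2D<f32> {
    /// Checked form a caller such as push_quad could use before it needs an i32 rect.
    fn try_to_i32(self) -> Option<Box2D<i32>> {
        Some(Box2D { min: self.min.try_cast_i32()?, max: self.max.try_cast_i32()? })
    }
    /// Panicking form corresponding to `Box2D::to_i32` (frame #15).
    fn to_i32(self) -> Box2D<i32> {
        Box2D { min: self.min.cast_i32(), max: self.max.cast_i32() }
    }
}

/// Constructed sample rects: one sane layout rect and three that cannot be cast.
fn sample_rects() -> Vec<Box2D<f32>> {
    let p = |x: f32, y: f32| Point2D { x, y };
    vec![
        Box2D { min: p(0.5, 1.5), max: p(10.9, 20.1) },         // ordinary device rect
        Box2D { min: p(f32::NAN, 0.0), max: p(1.0, 1.0) },      // NaN coordinate
        Box2D { min: p(0.0, 0.0), max: p(f32::INFINITY, 1.0) }, // infinite extent
        Box2D { min: p(0.0, 0.0), max: p(3.0e9, 1.0) },         // finite but > i32::MAX
    ]
}

/// Indices of rects whose checked conversion fails; each would panic in to_i32().
fn cast_failures(rects: &[Box2D<f32>]) -> Vec<usize> {
    rects.iter().enumerate().filter(|(_, r)| r.try_to_i32().is_none()).map(|(i, _)| i).collect()
}

fn main() {
    for (i, r) in sample_rects().iter().enumerate() {
        match r.try_to_i32() {
            Some(b) => println!("rect {i}: ok -> {b:?}"),
            None => println!("rect {i}: not representable as i32; to_i32() would panic: {r:?}"),
        }
    }
    // Reproduce the crash mechanism itself, caught so the program keeps running.
    let bad = sample_rects()[1];
    let result = std::panic::catch_unwind(move || bad.to_i32());
    println!("to_i32 on NaN rect panicked: {}", result.is_err());
}
```

In the fuzzing build from the trace the panic hook forwards to `MOZ_CRASH`, so the `unwrap` is a process abort rather than a recoverable panic; the checked `try_to_i32` path is where a rect with a NaN, infinite or oversized coordinate can be dropped or clamped before the cast is attempted.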
Attached file Testcase

Verified bug as reproducible on mozilla-central 20240411213648-036ac9a41b52.
The bug appears to have been introduced in the following build range:

Start: 00d7f0e95970baefacab200daf3486ddd862cb0f (20240314140430)
End: 60a6ed6de4aee86649aea9d7b89a3ccbea947ca8 (20240314154001)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=00d7f0e95970baefacab200daf3486ddd862cb0f&tochange=60a6ed6de4aee86649aea9d7b89a3ccbea947ca8

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

:nical, the regression range has some of your bugs.

Flags: needinfo?(nical.bugzilla)
Blocks: wr-fuzz

Bug 1883873 looks like it could cause these issues.

See Also: → 1891000

This bug has been marked as a regression. Setting status flag for Nightly to affected.

Flags: needinfo?(nical.bugzilla)

:nical, since you are the author of the regressor, bug 1883873, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(nical.bugzilla)
Flags: needinfo?(nical.bugzilla)

The severity field is not set for this bug.
:gw, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(gwatson)
Severity: -- → S3
Flags: needinfo?(gwatson)

There was a bug spike in reports as of m-c 20240522-3eacabfd2f53.

gw: Can you please increase the priority?

Flags: needinfo?(gwatson)
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][fuzzblocker]
Severity: S3 → S2
Flags: needinfo?(gwatson)
Attached file testcase_2.html

This is now our top fuzzblocker. It is hit by many DOM fuzzers thousands of times a day. Please address this issue as soon as possible as it is blocking more than just WR fuzzing.

Flags: needinfo?(gwatson)

This appears to be fixed by the patch in https://phabricator.services.mozilla.com/D211686, in local testing, for me. I pushed that yesterday but there doesn't seem to have been a merge yet.

Flags: needinfo?(gwatson)
Attached file testcase_3.html

This test case triggers the assertion with the patch applied.

Depends on: 1898569
Severity: S2 → S3

This is still happening but at a much lower rate since the fix for bug 1898569 landed. Removing [fuzzblocker].

Whiteboard: [bugmon:bisected,confirmed][fuzzblocker] → [bugmon:bisected,confirmed]