Closed Bug 1898569 Opened 8 months ago Closed 8 months ago

Hit MOZ_CRASH(attempt to subtract with overflow) at gfx/wr/webrender/src/quad.rs:244

Categories: Core :: Graphics: WebRender, defect
Platform: x86_64 Linux
Status: VERIFIED FIXED
Target Milestone: 128 Branch

Tracking Status:
firefox-esr115 --- unaffected
firefox126 --- unaffected
firefox127 --- unaffected
firefox128 --- verified

People: Reporter: jkratzer, Assigned: gw
References: Blocks 2 open bugs, Regression
Details: Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed]
Attachments: 3 files

Testcase found while fuzzing mozilla-central rev 5f3215269002 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 5f3215269002 --debug --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Hit MOZ_CRASH(attempt to subtract with overflow) at gfx/wr/webrender/src/quad.rs:244

    ==199495==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7b82e359c425 bp 0x7b8240ba27c0 sp 0x7b8240ba27b0 T199672)
    ==199495==The signal is caused by a WRITE memory access.
    ==199495==Hint: address points to the zero page.
        #0 0x7b82e359c425 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:317:3
        #1 0x7b82e359c425 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
        #2 0x7b82e359b8dd in mozglue_static::panic_hook::h736f2f45dfec90ba /mozglue/static/rust/lib.rs:98:9
        #3 0x7b82e359b8dd in core::ops::function::Fn::call::h472ef71f9b236fd3 /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/core/src/ops/function.rs:79:5
        #4 0x7b82e46bfdf5 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::h4dd5cc3b5605ae1a /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/alloc/src/boxed.rs:2029:9
        #5 0x7b82e46bfdf5 in std::panicking::rust_panic_with_hook::hb164d19c0c1e71d4 /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/std/src/panicking.rs:785:13
        #6 0x7b82e46bfb08 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h0369088c533c20e9 /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/std/src/panicking.rs:651:13
        #7 0x7b82e46bd035 in std::sys_common::backtrace::__rust_end_short_backtrace::hc11d910daf35ac2e /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/std/src/sys_common/backtrace.rs:171:18
        #8 0x7b82e46bf893 in rust_begin_unwind /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/std/src/panicking.rs:647:5
        #9 0x7b82e470baa4 in core::panicking::panic_fmt::ha6effc2775a0749c /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/core/src/panicking.rs:72:14
        #10 0x7b82e470bb62 in core::panicking::panic::h44790a89027c670f /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/core/src/panicking.rs:144:5
        #11 0x7b82e3095d93 in webrender::quad::push_quad::ha6b2fe9670e5d449 /gfx/wr/webrender/src/quad.rs:244:22
        #12 0x7b82e306f4ff in webrender::prepare::prepare_interned_prim_for_render::hdad637c5bfd85683 /gfx/wr/webrender/src/prepare.rs
        #13 0x7b82e306d62b in webrender::prepare::prepare_prim_for_render::h4b2c5a9b0980b275 /gfx/wr/webrender/src/prepare.rs:291:5
        #14 0x7b82e306d62b in webrender::prepare::prepare_primitives::hd664bd02a28756bb /gfx/wr/webrender/src/prepare.rs:81:17
        #15 0x7b82e302e167 in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::h5a4c946787dd2f87 /gfx/wr/webrender/src/frame_builder.rs:463:17
        #16 0x7b82e302e167 in webrender::frame_builder::FrameBuilder::build::h92ddb4834083bb6f /gfx/wr/webrender/src/frame_builder.rs:567:9
        #17 0x7b82e309881e in webrender::render_backend::Document::build_frame::hbc38331e3605a823 /gfx/wr/webrender/src/render_backend.rs:523:25
        #18 0x7b82e30afbbe in webrender::render_backend::RenderBackend::update_document::h13b3789547d728be /gfx/wr/webrender/src/render_backend.rs:1439:41
        #19 0x7b82e30a629d in webrender::render_backend::RenderBackend::prepare_transactions::hc68fa1350bb6fb00 /gfx/wr/webrender/src/render_backend.rs:1283:28
        #20 0x7b82e30a629d in webrender::render_backend::RenderBackend::process_api_msg::ha251ca8b7c9e2287 /gfx/wr/webrender/src/render_backend.rs:1136:17
        #21 0x7b82e2e0b1fa in webrender::render_backend::RenderBackend::run::ha42f61fd1429adb9 /gfx/wr/webrender/src/render_backend.rs:787:21
        #22 0x7b82e2e0b1fa in webrender::renderer::init::create_webrender_instance::_$u7b$$u7b$closure$u7d$$u7d$::h0dfc155a0ea364df /gfx/wr/webrender/src/renderer/init.rs:685:9
        #23 0x7b82e2e0b1fa in std::sys_common::backtrace::__rust_begin_short_backtrace::h24fe89d11ab494f6 /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/std/src/sys_common/backtrace.rs:155:18
        #24 0x7b82e2e15532 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h5971f99ce8f5f3c7 /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/std/src/thread/mod.rs:529:17
        #25 0x7b82e2e15532 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h4a0c1e1f0af44bcd /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/core/src/panic/unwind_safe.rs:272:9
        #26 0x7b82e2e15532 in std::panicking::try::do_call::hff7f6c092ce463bd /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/std/src/panicking.rs:554:40
        #27 0x7b82e2e15532 in std::panicking::try::h5fed9eb8d196654a /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/std/src/panicking.rs:518:19
        #28 0x7b82e2e15532 in std::panic::catch_unwind::habd62b5c7581b50c /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/std/src/panic.rs:142:14
        #29 0x7b82e2e15532 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::hfdfc69e7d4041daa /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/std/src/thread/mod.rs:528:30
        #30 0x7b82e2e15532 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h0998d80d0631d927 /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/core/src/ops/function.rs:250:5
        #31 0x7b82e46c9494 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h6b630278c760b971 /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/alloc/src/boxed.rs:2015:9
        #32 0x7b82e46c9494 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h70462b441b6c0e1f /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/alloc/src/boxed.rs:2015:9
        #33 0x7b82e46c9494 in std::sys::pal::unix::thread::Thread::new::thread_start::h3631815ad38387d6 /rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04/library/std/src/sys/pal/unix/thread.rs:108:17
        #34 0x7b82ee15cac2 in start_thread nptl/pthread_create.c:442:8
        #35 0x7b82ee1ee84f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:317:3 in MOZ_Crash
    ==199495==ABORTING
Attached file Testcase
Attachment #9403575 - Attachment mime type: text/plain → text/html

Verified bug as reproducible on mozilla-central 20240523205926-a9f0952d79a4.
The bug appears to have been introduced in the following build range:

Start: 80ae2c7908e4cc558336a6f6a78097d9c2c9317d (20240522041258)
End: 3eacabfd2f53de306d070d5407b9123cdb54403f (20240522060416)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=80ae2c7908e4cc558336a6f6a78097d9c2c9317d&tochange=3eacabfd2f53de306d070d5407b9123cdb54403f

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Regressed by: 1891903

Set release status flags based on info from the regressing bug 1891903

:gw, since you are the author of the regressor, bug 1891903, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

:gw, can you comment on the bug?

Severity: -- → S3
Assignee: nobody → gwatson
Status: NEW → ASSIGNED
Flags: needinfo?(gwatson)
Pushed by gwatson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f738a52c7ed5 Fix overflow bug found by fuzzer in quad.rs r=gfx-reviewers,aosmond
Status: ASSIGNED → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → 128 Branch

Verified bug as fixed on rev mozilla-central 20240528214532-aec1be189f68.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Blocks: 1891142