Closed Bug 1931885 Opened 1 year ago Closed 1 year ago

Assertion failure: buf (mozilla::StyleOffsetPath serialization failed), at /builds/worker/workspace/obj-build/dist/include/mozilla/layers/LayersMessageUtils.h:1182

Categories

(Core :: Graphics: WebRender, defect)

Product:
Core
Component:
Graphics: WebRender
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1861999

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(1 file)

Testcase
369 bytes, text/plain
Details

Testcase found while fuzzing mozilla-central rev 67b3e32e08bb (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 67b3e32e08bb --asan --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: buf (mozilla::StyleOffsetPath serialization failed), at /builds/worker/workspace/obj-build/dist/include/mozilla/layers/LayersMessageUtils.h:1182

    =================================================================
    ==40729==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7a3f465f0b66 bp 0x7ffee75c4360 sp 0x7ffee75c4280 T0)
    ==40729==The signal is caused by a WRITE memory access.
    ==40729==Hint: address points to the zero page.
        #0 0x7a3f465f0b66 in IPC::ParamTraits<mozilla::StyleGenericOffsetPath<mozilla::StyleGenericOffsetPathFunction<mozilla::StyleGenericBasicShape<mozilla::StyleAngle, mozilla::StyleGenericPosition<mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion>, mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion, mozilla::StyleGenericInsetRect<mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion>>, mozilla::StyleGenericRayFunction<mozilla::StyleAngle, mozilla::StyleGenericPosition<mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion>>, mozilla::StyleComputedUrl>>>::Write(IPC::MessageWriter*, mozilla::StyleGenericOffsetPath<mozilla::StyleGenericOffsetPathFunction<mozilla::StyleGenericBasicShape<mozilla::StyleAngle, mozilla::StyleGenericPosition<mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion>, mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion, mozilla::StyleGenericInsetRect<mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion>>, mozilla::StyleGenericRayFunction<mozilla::StyleAngle, mozilla::StyleGenericPosition<mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion>>, mozilla::StyleComputedUrl>> const&) /builds/worker/workspace/obj-build/dist/include/mozilla/layers/LayersMessageUtils.h:1182:1
        #1 0x7a3f46566838 in WriteParam<const mozilla::layers::Animatable &> /ipc/chromium/src/chrome/common/ipc_message_utils.h:449:3
        #2 0x7a3f46566838 in IPC::ParamTraits<mozilla::layers::Animation>::Write(IPC::MessageWriter*, mozilla::layers::Animation const&) /builds/worker/workspace/obj-build/ipc/ipdl/LayersMessages.cpp:2167:5
        #3 0x7a3f465f995a in WriteParam<const mozilla::layers::Animation &> /ipc/chromium/src/chrome/common/ipc_message_utils.h:449:3
        #4 0x7a3f465f995a in void IPC::WriteSequenceParam<mozilla::layers::Animation const&>(IPC::MessageWriter*, std::remove_reference<mozilla::layers::Animation const&>::type*, unsigned long) /ipc/chromium/src/chrome/common/ipc_message_utils.h:601:7
        #5 0x7a3f46569d1e in Write /builds/worker/workspace/obj-build/dist/include/ipc/IPCMessageUtilsSpecializations.h:165:5
        #6 0x7a3f46569d1e in WriteParam<const nsTArray<mozilla::layers::Animation> &> /ipc/chromium/src/chrome/common/ipc_message_utils.h:449:3
        #7 0x7a3f46569d1e in IPC::ParamTraits<mozilla::layers::CompositorAnimations>::Write(IPC::MessageWriter*, mozilla::layers::CompositorAnimations const&) /builds/worker/workspace/obj-build/ipc/ipdl/LayersMessages.cpp:2429:5
        #8 0x7a3f4651064a in WriteParam<const mozilla::layers::WebRenderParentCommand &> /ipc/chromium/src/chrome/common/ipc_message_utils.h:449:3
        #9 0x7a3f4651064a in void IPC::WriteSequenceParam<mozilla::layers::WebRenderParentCommand const&>(IPC::MessageWriter*, std::remove_reference<mozilla::layers::WebRenderParentCommand const&>::type*, unsigned long) /ipc/chromium/src/chrome/common/ipc_message_utils.h:601:7
        #10 0x7a3f4647b31e in mozilla::ipc::IPDLParamTraits<mozilla::layers::DisplayListData>::Write(IPC::MessageWriter*, mozilla::ipc::IProtocol*, mozilla::layers::DisplayListData&&) /gfx/layers/wr/RenderRootTypes.cpp:18:3
        #11 0x7a3f460f8e29 in Write<mozilla::layers::DisplayListData> /ipc/chromium/src/chrome/common/ipc_message_utils.h:697:5
        #12 0x7a3f460f8e29 in WriteParam<mozilla::layers::DisplayListData> /ipc/chromium/src/chrome/common/ipc_message_utils.h:449:3
        #13 0x7a3f460f8e29 in mozilla::layers::PWebRenderBridgeChild::SendSetDisplayList(mozilla::layers::DisplayListData&&, mozilla::Span<mozilla::layers::OpDestroy const, 18446744073709551615ul>, unsigned long const&, mozilla::layers::BaseTransactionId<mozilla::layers::TransactionIdType> const&, bool const&, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, nsTSubstring<char> const&, mozilla::TimeStamp const&, mozilla::Span<mozilla::layers::CompositionPayload const, 18446744073709551615ul>) /builds/worker/workspace/obj-build/ipc/ipdl/PWebRenderBridgeChild.cpp:303:5
        #14 0x7a3f46481a18 in mozilla::layers::WebRenderBridgeChild::EndTransaction(mozilla::layers::DisplayListData&&, mozilla::layers::BaseTransactionId<mozilla::layers::TransactionIdType>, bool, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, nsTString<char> const&) /gfx/layers/wr/WebRenderBridgeChild.cpp:126:20
        #15 0x7a3f4653db54 in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) /gfx/layers/wr/WebRenderLayerManager.cpp:461:28
        #16 0x7a3f4f0d9912 in mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /layout/painting/nsDisplayList.cpp:2296:18
        #17 0x7a3f4e9c4338 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /layout/base/nsLayoutUtils.cpp:3217:9
        #18 0x7a3f4e8bff50 in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /layout/base/PresShell.cpp:6580:5
        #19 0x7a3f4e07d403 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /view/nsViewManager.cpp:406:18
        #20 0x7a3f4e07c85b in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /view/nsViewManager.cpp:341:22
        #21 0x7a3f4e07f2f7 in nsViewManager::ProcessPendingUpdates() /view/nsViewManager.cpp:888:5
        #22 0x7a3f4e833c8d in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /layout/base/nsRefreshDriver.cpp:2875:11
        #23 0x7a3f4e846d87 in TickDriver /layout/base/nsRefreshDriver.cpp:368:13
        #24 0x7a3f4e846d87 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /layout/base/nsRefreshDriver.cpp:346:7
        #25 0x7a3f4e846a9a in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:362:5
        #26 0x7a3f4e846711 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:948:5
        #27 0x7a3f4e845777 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:858:5
        #28 0x7a3f4e844308 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:759:5
        #29 0x7a3f4e843918 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /layout/base/nsRefreshDriver.cpp:593:14
        #30 0x7a3f4e843555 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:550:9
        #31 0x7a3f4d22464b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /dom/ipc/VsyncMainChild.cpp:66:15
        #32 0x7a3f4d6d0f74 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:235:78
        #33 0x7a3f4524f617 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5249:32
        #34 0x7a3f4519d335 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1726:25
        #35 0x7a3f4519956f in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1653:9
        #36 0x7a3f4519a491 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1444:3
        #37 0x7a3f4519b9e3 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1544:14
        #38 0x7a3f43ba81ba in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:618:16
        #39 0x7a3f43b9448e in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:945:26
        #40 0x7a3f43b91ca8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:768:15
        #41 0x7a3f43b922c6 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:554:36
        #42 0x7a3f43baf4b4 in operator() /xpcom/threads/TaskController.cpp:271:37
        #43 0x7a3f43baf4b4 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /xpcom/threads/nsThreadUtils.h:548:5
        #44 0x7a3f43bcf89f in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1155:16
        #45 0x7a3f43bda568 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #46 0x7a3f451a52d3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #47 0x7a3f4508a114 in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #48 0x7a3f4508a114 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #49 0x7a3f4508a114 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #50 0x7a3f4e1638b9 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #51 0x7a3f4e30563a in nsAppShell::Run() /widget/gtk/nsAppShell.cpp:469:33
        #52 0x7a3f4ff99f3d in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:651:20
        #53 0x7a3f4508a114 in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #54 0x7a3f4508a114 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #55 0x7a3f4508a114 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #56 0x7a3f4ff983ec in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:586:34
        #57 0x614956b019f9 in main /browser/app/nsBrowserApp.cpp:397:22
        #58 0x7a3f6555c1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #59 0x7a3f6555c28a in __libc_start_main csu/../csu/libc-start.c:360:3
        #60 0x614956a29858 in _start (/home/jkratzer/builds/m-c-20241118092854-fuzzing-asan-opt/firefox+0xd5858) (BuildId: a10636a778ce25a16c7255c68255849c0072d6f4)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/layers/LayersMessageUtils.h:1182:1 in IPC::ParamTraits<mozilla::StyleGenericOffsetPath<mozilla::StyleGenericOffsetPathFunction<mozilla::StyleGenericBasicShape<mozilla::StyleAngle, mozilla::StyleGenericPosition<mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion>, mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion, mozilla::StyleGenericInsetRect<mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion>>, mozilla::StyleGenericRayFunction<mozilla::StyleAngle, mozilla::StyleGenericPosition<mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion>>, mozilla::StyleComputedUrl>>>::Write(IPC::MessageWriter*, mozilla::StyleGenericOffsetPath<mozilla::StyleGenericOffsetPathFunction<mozilla::StyleGenericBasicShape<mozilla::StyleAngle, mozilla::StyleGenericPosition<mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion>, mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion, mozilla::StyleGenericInsetRect<mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion>>, mozilla::StyleGenericRayFunction<mozilla::StyleAngle, mozilla::StyleGenericPosition<mozilla::StyleLengthPercentageUnion, mozilla::StyleLengthPercentageUnion>>, mozilla::StyleComputedUrl>> const&)
    ==40729==ABORTING
Attached file Testcase

Got a crash from the testcase with the latest Nightly: https://crash-stats.mozilla.org/report/index/d612dea2-a4b6-4cac-acc4-8c47a0241118#tab-bugzilla

Keywords: crash
Crash Signature: [@ IPC::ParamTraits<mozilla::StyleGenericOffsetPath<T> >::Write | IPC::ParamTraits<mozilla::layers::Animatable>::Write | IPC::ParamTraits<mozilla::layers::Animation>::Write | IPC::WriteSequenceParam | IPC::ParamTraits<nsTArray<T> >::Write | IPC::ParamTrai…

Verified bug as reproducible on mozilla-central 20241118092854-67b3e32e08bb.
The bug appears to have been introduced in the following build range:

Start: 270bbf1afd7e8d5a9d9ea473ee2031891a47e589 (20241004095321)
End: 4dc792519bbcef7254a49bbe6592363c696ba83c (20241004075427)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=270bbf1afd7e8d5a9d9ea473ee2031891a47e589&tochange=4dc792519bbcef7254a49bbe6592363c696ba83c

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Regressed by: 1922351

Set release status flags based on info from the regressing bug 1922351

:emilio, since you are the author of the regressor, bug 1922351, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

status-firefox132: --- → unaffected
status-firefox133: --- → affected
status-firefox134: --- → affected
status-firefox-esr128: --- → unaffected
Flags: needinfo?(emilio)

Before that patch the assertion was debug-only, but was there as well, right? Jason do you know how the bisection happens? I suspect this should crash on a debug build before my patch.

Flags: needinfo?(emilio)

Yeah this is effectively the same issue as bug 1861999.

Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1861999
Resolution: --- → DUPLICATE

(In reply to Emilio Cobos Álvarez (:emilio) from comment #5)

Before that patch the assertion was debug-only, but was there as well, right? Jason do you know how the bisection happens? I suspect this should crash on a debug build before my patch.

It also "semi-crashes" on older nightly builds.
Semi-crash means that the windows flashes white, but the "oops your tab crashed" message is not displayed.

I see, that means it fails when deserializing (in the GPU process), rather than when serializing (in the content process).

See Also: → 1929723

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

(In reply to Emilio Cobos Álvarez (:emilio) from comment #5)

Before that patch the assertion was debug-only, but was there as well, right? Jason do you know how the bisection happens? I suspect this should crash on a debug build before my patch.

Bugmon will first try to determine the build flags based on comment 0. If that crashes, that's the build configuration it'll continue to use. The only way to bypass this behavior, assuming you think it'll crash on a debug build after your patch is applied, is to set the origRev=... in the whiteboard.

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: