Closed Bug 1941838 Opened 1 year ago Closed 1 year ago

Hit MOZ_CRASH(Bad Prim render task size: 0x400) at gfx/wr/webrender/src/render_task.rs:1071

Categories: Core :: Graphics: WebRender, defect
Platform: x86_64 Linux
Status: VERIFIED FIXED
Target Milestone: 136 Branch

Tracking Status:
firefox-esr115 --- unaffected
firefox-esr128 --- wontfix
firefox134 --- wontfix
firefox135 --- wontfix
firefox136 --- fixed
firefox137 --- verified

People: Reporter: jkratzer, Assigned: ahale
References: Blocks 1 open bug
Keywords: regression, testcase, topcrash
Whiteboard: [bugmon:bisected,confirmed]
Attachments: 3 files

Testcase found while fuzzing mozilla-central rev 5904a2d552f2 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 5904a2d552f2 --debug --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Hit MOZ_CRASH(Bad Prim render task size: 0x400) at gfx/wr/webrender/src/render_task.rs:1071

    ==503401==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7c005b878205 bp 0x7bffffdf5980 sp 0x7bffffdf5970 T503673)
    ==503401==The signal is caused by a WRITE memory access.
    ==503401==Hint: address points to the zero page.
        #0 0x7c005b878205 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:337:3
        #1 0x7c005b878205 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
        #2 0x7c005b877d44 in mozglue_static::panic_hook::h3f0dd62cb0821297 /mozglue/static/rust/lib.rs:102:9
        #3 0x7c005b8777fb in core::ops::function::Fn::call::h482068ce256e5ae6 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:79:5
        #4 0x7c005cc2fd97 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::h80408f032954f187 /rustc/9fc6b43126469e3858e2fe86cafb4f0fd5068869/library/alloc/src/boxed.rs:1986:9
        #5 0x7c005cc2fd97 in std::panicking::rust_panic_with_hook::he21644cc2707f2c4 /rustc/9fc6b43126469e3858e2fe86cafb4f0fd5068869/library/std/src/panicking.rs:809:13
        #6 0x7c005cc2fb59 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h42f7c414fed3cad9 /rustc/9fc6b43126469e3858e2fe86cafb4f0fd5068869/library/std/src/panicking.rs:674:13
        #7 0x7c005cc2ed98 in std::sys::backtrace::__rust_end_short_backtrace::ha26cf5766b4e8c65 /rustc/9fc6b43126469e3858e2fe86cafb4f0fd5068869/library/std/src/sys/backtrace.rs:170:18
        #8 0x7c005cc2f7eb in rust_begin_unwind /rustc/9fc6b43126469e3858e2fe86cafb4f0fd5068869/library/std/src/panicking.rs:665:5
        #9 0x7c005cc57c6f in core::panicking::panic_fmt::h74866b78e934b1c0 /rustc/9fc6b43126469e3858e2fe86cafb4f0fd5068869/library/core/src/panicking.rs:76:14
        #10 0x7c005b2da96d in webrender::render_task::RenderTask::new_dynamic::hcc999392329ff329 /gfx/wr/webrender/src/render_task.rs:1071:9
        #11 0x7c005b2da96d in webrender::quad::add_render_task_with_mask::hc7c720d0892d8bf1 /gfx/wr/webrender/src/quad.rs:810:41
        #12 0x7c005b2d97aa in webrender::quad::prepare_quad::habf2283965c2e203 /gfx/wr/webrender/src/quad.rs:481:39
        #13 0x7c005b2b38b6 in webrender::prepare::prepare_interned_prim_for_render::h6e1310f2a53c90c9 /gfx/wr/webrender/src/prepare.rs
        #14 0x7c005b2b1f6b in webrender::prepare::prepare_prim_for_render::h6549fda1166f51c9 /gfx/wr/webrender/src/prepare.rs:320:5
        #15 0x7c005b2b1f6b in webrender::prepare::prepare_primitives::h6a51f8b1cedad0b8 /gfx/wr/webrender/src/prepare.rs:140:17
        #16 0x7c005b2b1f6b in webrender::prepare::prepare_picture::hfc55f2ee9ccba3ec /gfx/wr/webrender/src/prepare.rs:79:5
        #17 0x7c005b26cf00 in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::h06e9135a2449562e /gfx/wr/webrender/src/frame_builder.rs:586:13
        #18 0x7c005b26cf00 in webrender::frame_builder::FrameBuilder::build::hc979481c64b7851f /gfx/wr/webrender/src/frame_builder.rs:683:9
        #19 0x7c005b2dd965 in webrender::render_backend::Document::build_frame::h16b1fadb0b89405f /gfx/wr/webrender/src/render_backend.rs:530:25
        #20 0x7c005b2ee8a8 in webrender::render_backend::RenderBackend::update_document::h465c222745c5786f /gfx/wr/webrender/src/render_backend.rs:1466:41
        #21 0x7c005b2e6a2f in webrender::render_backend::RenderBackend::prepare_transactions::he370e0ec4081fa69 /gfx/wr/webrender/src/render_backend.rs:1306:28
        #22 0x7c005b2e6a2f in webrender::render_backend::RenderBackend::process_api_msg::h713381f655848d60 /gfx/wr/webrender/src/render_backend.rs:1153:17
        #23 0x7c005afd23dd in webrender::render_backend::RenderBackend::run::h2f554219d80c30e6 /gfx/wr/webrender/src/render_backend.rs:802:21
        #24 0x7c005afd23dd in webrender::renderer::init::create_webrender_instance::_$u7b$$u7b$closure$u7d$$u7d$::h4dbd387fb2204439 /gfx/wr/webrender/src/renderer/init.rs:728:9
        #25 0x7c005afd23dd in std::sys::backtrace::__rust_begin_short_backtrace::hbe95363ae852035e /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys/backtrace.rs:154:18
        #26 0x7c005afe182b in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h9951443f0e87b35c /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:561:17
        #27 0x7c005afe182b in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h7cba11f743b09b11 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/panic/unwind_safe.rs:272:9
        #28 0x7c005afe182b in std::panicking::try::do_call::he5a8c49ad7cb272a /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:557:40
        #29 0x7c005afe182b in std::panicking::try::h3602657222c41dde /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:520:19
        #30 0x7c005afe182b in std::panic::catch_unwind::hd6ab9741542c7379 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:358:14
        #31 0x7c005afe182b in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::hf195083274b821f1 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:559:30
        #32 0x7c005afe182b in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::hc11c6e1582d93998 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:250:5
        #33 0x7c005cc3348a in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h9578f6ea1d4e1c4b /rustc/9fc6b43126469e3858e2fe86cafb4f0fd5068869/library/alloc/src/boxed.rs:1972:9
        #34 0x7c005cc3348a in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::hf4a2f438d8019348 /rustc/9fc6b43126469e3858e2fe86cafb4f0fd5068869/library/alloc/src/boxed.rs:1972:9
        #35 0x7c005cc3348a in std::sys::pal::unix::thread::Thread::new::thread_start::h14f1eb868ff90fc9 /rustc/9fc6b43126469e3858e2fe86cafb4f0fd5068869/library/std/src/sys/pal/unix/thread.rs:105:17
        #36 0x7c00667cfa93 in start_thread nptl/pthread_create.c:447:8
        #37 0x7c006685cc3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
    
    ==503401==Register values:
    rax = 0x0000631ba454ba20  rbx = 0x00007bffffdf5ba0  rcx = 0x0000000000000000  rdx = 0x00007c0066937563  
    rdi = 0x00007c0066938700  rsi = 0x0000000000000000  rbp = 0x00007bffffdf5980  rsp = 0x00007bffffdf5970  
     r8 = 0x0000000000000000   r9 = 0x0000000000000003  r10 = 0x0000000000000000  r11 = 0x0000000000000293  
    r12 = 0x240a693be4ce9ff4  r13 = 0x5fe7ff1f7b1fdffd  r14 = 0x000000000000042f  r15 = 0x00007bffffdf5ba0  
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:337:3 in MOZ_Crash
    ==503401==ABORTING
Attached file Testcase

Verified bug as reproducible on mozilla-central 20250115215720-f7524feb52aa.
The bug appears to have been introduced in the following build range:

Start: 046da0f065e90bcf67ec9fd58aa8f84c1a8f80be (20240528001238)
End: 182c1293f1aec6a620d9fa9e2ab34b2d0541eb00 (20240527222057)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=046da0f065e90bcf67ec9fd58aa8f84c1a8f80be&tochange=182c1293f1aec6a620d9fa9e2ab34b2d0541eb00

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Crash Signature: [@ webrender::render_task::RenderTask::new_dynamic ]

I know this code and was the last person to touch it, so I'll take this one.

Assignee: nobody → ahale
See Also: → 1924241

Based on comment #2, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:ahale, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Flags: needinfo?(ahale)
Pushed by ahale@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ba2f20565277 more robust render task size clamping to resolve a rare panic r=gw,gfx-reviewers

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 5 desktop browser crashes on Mac on release

For more information, please visit BugBot documentation.

Keywords: topcrash
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 136 Branch

Bug marked as FIXED but still reproduces on mozilla-central 20250129170612-a950ed4804c0. If you believe this to be incorrect, please remove the bugmon keyword to prevent further analysis.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---

I'm still investigating this; the repro case still crashes, though I think other cases in the wild are likely resolved.

Flags: needinfo?(ahale)
Flags: needinfo?(ahale)

The actual cause of the panic in the repro case is completely different than what I was addressing with the get_surface_rects changes.

Glenn, https://searchfox.org/mozilla-central/source/gfx/wr/webrender/src/quad.rs#481 seems to be hit here with clipped_surface_rect being from 8636513,0 to 8636514,1024, which is appreciably close to the limits of precision of f32. Do you have thoughts on what to do about that logic?

Flags: needinfo?(ahale) → needinfo?(gwatson)
Regressions: 1945041
Pushed by ahale@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/04e40870ce3e Fix a panic in prepare_quad when f32 rounding produces zero-size tasks r=gfx-reviewers,nical

Backed out for causing mochitest failures in 1941838.html.

Flags: needinfo?(ahale)
Duplicate of this bug: 1798807
Flags: needinfo?(gwatson)
Pushed by ahale@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/519a60897139 Fix a panic in prepare_quad when f32 rounding produces zero-size tasks r=gfx-reviewers,nical
Regressions: 1945696
Status: REOPENED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED

Verified bug as fixed on rev mozilla-central 20250204044601-e073391a5799.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

:ahale the first patch landed during Fx136 nightly but the second patch landed during Fx137 nightly.
Does https://hg.mozilla.org/mozilla-central/rev/519a60897139 need a beta uplift request?

(In reply to Donal Meehan [:dmeehan] from comment #21)

:ahale the first patch landed during Fx136 nightly but the second patch landed during Fx137 nightly.
Does https://hg.mozilla.org/mozilla-central/rev/519a60897139 need a beta uplift request?

Uplift would make sense, as I think some user-reported bugs have cited the error it fixes.

Note that the crashtest that patch adds seems to cause more asserts in Layout code than expected, but that doesn't reflect poorly on the fix itself, and is the only reason it was backed out before beta.

Flags: needinfo?(ahale) → needinfo?(dmeehan)

Could you add an uplift request when you have a moment?

Flags: needinfo?(dmeehan) → needinfo?(ahale)

Comment on attachment 9463031 [details]
Bug 1941838 - Fix a panic in prepare_quad when f32 rounding produces zero-size tasks r?gw,#gfx-reviewers

Beta/Release Uplift Approval Request

  • User impact if declined/Reason for urgency: This fixes a rare GPU process panic on a crashtest page generated by fuzzing that uses an extremely large page element. It is very possible that this never occurs in the wild, but there may be pages that hit this case, and the fix is low-risk.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Logic is very simple; this only adds a check to avoid creating a zero-size render task in certain circumstances, to avoid a GPU process panic. It does nothing in any other situation.
  • String changes made/needed:
  • Is Android affected?: Yes
Flags: needinfo?(ahale)
Attachment #9463031 - Flags: approval-mozilla-beta?
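The f32 precision problem raised in the comment about clipped_surface_rect (x from 8636513 to 8636514) and the zero-size check described in the uplift request above, as an added Rust example. This is not WebRender's code: RectF32, task_size, f32_ulp, new_dynamic_task and try_new_dynamic_task are simplified stand-ins I constructed to model the path, and the input rectangles are constructed too. It shows that at magnitudes above 2^23 the spacing between adjacent f32 values is 1.0, so a sub-pixel-wide rect near x = 8636513 rounds to zero width, and that refusing to build a task for an empty size (returning None) replaces the panic with a skipped primitive.

```rust
// Added example, not WebRender's code: why f32 rounding near 8.6e6 produces a
// zero-size render task, and the defensive check that avoids panicking on it.

/// Simplified stand-in for a device-space rect stored in f32 (assumption).
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct RectF32 {
    pub min_x: f32,
    pub min_y: f32,
    pub max_x: f32,
    pub max_y: f32,
}

impl RectF32 {
    /// Build from f64 coordinates, narrowing to f32 as values do on the way
    /// into the renderer; this narrowing is where precision is lost.
    pub fn from_f64(min_x: f64, min_y: f64, max_x: f64, max_y: f64) -> Self {
        RectF32 {
            min_x: min_x as f32,
            min_y: min_y as f32,
            max_x: max_x as f32,
            max_y: max_y as f32,
        }
    }

    /// Integer task size: round the rect outwards (floor of min, ceil of max)
    /// and take the difference, as a task allocator would.
    pub fn task_size(&self) -> (i32, i32) {
        let w = self.max_x.ceil() - self.min_x.floor();
        let h = self.max_y.ceil() - self.min_y.floor();
        (w as i32, h as i32)
    }
}

/// Distance from `x` to the next representable f32 above it (unit in the last
/// place). Valid for positive, finite `x` below f32::MAX.
pub fn f32_ulp(x: f32) -> f32 {
    f32::from_bits(x.to_bits() + 1) - x
}

/// Models the failing path: a task constructor that panics on an empty size.
pub fn new_dynamic_task(size: (i32, i32)) -> (i32, i32) {
    assert!(
        size.0 > 0 && size.1 > 0,
        "Bad Prim render task size: {}x{}",
        size.0,
        size.1
    );
    size
}

/// Defensive version: report an empty size to the caller instead of panicking,
/// so the primitive can simply be skipped for this frame.
pub fn try_new_dynamic_task(size: (i32, i32)) -> Option<(i32, i32)> {
    if size.0 <= 0 || size.1 <= 0 {
        None
    } else {
        Some(size)
    }
}

/// Constructed input: a rect 0.3 px wide at x ~ 8636513 (the magnitude from
/// the bug), 1024 px tall. Both x edges snap to 8636513.0 in f32.
pub fn far_rect() -> RectF32 {
    RectF32::from_f64(8636513.1, 0.0, 8636513.4, 1024.0)
}

/// Constructed input: the same 0.3 px wide rect near the origin, where f32
/// still has sub-pixel resolution and the task ends up 1 px wide.
pub fn near_rect() -> RectF32 {
    RectF32::from_f64(13.1, 0.0, 13.4, 1024.0)
}

fn main() {
    for (label, r) in [("near", near_rect()), ("far", far_rect())].iter() {
        let size = r.task_size();
        println!(
            "{}: ulp at min_x = {}, rounded-out size = {:?}, task = {:?}",
            label,
            f32_ulp(r.min_x),
            size,
            try_new_dynamic_task(size)
        );
    }
}
```

The near rect yields a 1x1024 task; the far rect yields 0x1024, which new_dynamic_task would turn into the panic seen in the crash, while try_new_dynamic_task returns None and lets the caller skip the task. The same collapse happens for any rect whose true width is below one ULP at its coordinate, so the check has to be applied to the rounded size rather than to the f64 geometry.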

Comment on attachment 9463031 [details]
Bug 1941838 - Fix a panic in prepare_quad when f32 rounding produces zero-size tasks r?gw,#gfx-reviewers

Approved for 136.0b5

Attachment #9463031 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Severity: -- → S3
No longer regressions: 1945696
Blocks: 1798807
No longer duplicate of this bug: 1798807
