stack overflow in [@ PredictorAdd1_AVX2]
Categories
(Core :: Graphics: ImageLib, defect)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox-esr128 | --- | unaffected |
| firefox-esr140 | --- | unaffected |
| firefox141 | --- | unaffected |
| firefox142 | + | fixed |
| firefox143 | --- | fixed |
People
(Reporter: tsmith, Assigned: tnikkel)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression)
Crash Data
Found with m-c 20250729-d7eb324b222d
This was found by visiting a live website with a 32-bit build.
STR:
- Launch browser and visit: http://m.forebet.com/ with a 32-bit build
17|0|libxul.so|PredictorAdd1_AVX2|hg:hg.mozilla.org/mozilla-central:media/libwebp/src/dsp/lossless_avx2.c:d7eb324b222d504f43ff0edbc431daac6df35581|87|0xa8
17|1|libxul.so|PredictorAdd1_AVX2|hg:hg.mozilla.org/mozilla-central:media/libwebp/src/dsp/lossless_avx2.c:d7eb324b222d504f43ff0edbc431daac6df35581|87|0xad
17|2|libxul.so|PredictorAdd1_AVX2|hg:hg.mozilla.org/mozilla-central:media/libwebp/src/dsp/lossless_avx2.c:d7eb324b222d504f43ff0edbc431daac6df35581|87|0xad
17|3|libxul.so|PredictorAdd1_AVX2|hg:hg.mozilla.org/mozilla-central:media/libwebp/src/dsp/lossless_avx2.c:d7eb324b222d504f43ff0edbc431daac6df35581|87|0xad
17|4|libxul.so|PredictorAdd1_AVX2|hg:hg.mozilla.org/mozilla-central:media/libwebp/src/dsp/lossless_avx2.c:d7eb324b222d504f43ff0edbc431daac6df35581|87|0xad
17|5|libxul.so|PredictorAdd1_AVX2|hg:hg.mozilla.org/mozilla-central:media/libwebp/src/dsp/lossless_avx2.c:d7eb324b222d504f43ff0edbc431daac6df35581|87|0xad
17|6|libxul.so|PredictorAdd1_AVX2|hg:hg.mozilla.org/mozilla-central:media/libwebp/src/dsp/lossless_avx2.c:d7eb324b222d504f43ff0edbc431daac6df35581|87|0xad
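For triage, the frame lines above can be parsed and their repetition collapsed. This is an added example, not part of the bug report or of Mozilla's crash tooling; the column meanings (thread, frame index, module, function, source, line, offset) and the `vcs:repo:path:revision` layout of the source field are assumptions inferred from the lines on this page, and the names `parse_frame` and `collapse_runs` are hypothetical.

```python
from collections import namedtuple
from itertools import groupby

Frame = namedtuple("Frame", "thread index module function repo path revision line offset")
Run = namedtuple("Run", "function path line count offsets")

# The seven frame lines from the report above, rebuilt from their common parts.
SRC = ("hg:hg.mozilla.org/mozilla-central:media/libwebp/src/dsp/lossless_avx2.c:"
       "d7eb324b222d504f43ff0edbc431daac6df35581")
SAMPLE = "\n".join(f"17|{i}|libxul.so|PredictorAdd1_AVX2|{SRC}|87|{off}"
                   for i, off in enumerate(["0xa8"] + ["0xad"] * 6))

def parse_frame(line):
    """Parse one frame line; field meanings are inferred from this page (assumption)."""
    fields = line.strip().split("|")
    if len(fields) != 7:
        raise ValueError(f"expected 7 '|'-separated fields, got {len(fields)}")
    thread, index, module, function, source, lineno, offset = fields
    repo = path = revision = None
    if source.count(":") >= 3:                      # vcs:repo:path:revision
        _vcs, repo, rest = source.split(":", 2)
        path, revision = rest.rsplit(":", 1)
    return Frame(int(thread), int(index), module, function, repo, path, revision,
                 int(lineno) if lineno else None, int(offset, 16))

def parse_frames(text):
    """Parse every non-empty line of a frame listing."""
    return [parse_frame(l) for l in text.splitlines() if l.strip()]

def collapse_runs(frames):
    """Merge consecutive frames that share function, file and line into one Run."""
    runs = []
    key = lambda f: (f.function, f.path, f.line)
    for (fn, path, line), grp in groupby(frames, key=key):
        grp = list(grp)
        offsets = sorted({f.offset for f in grp})   # distinct offsets within the run
        runs.append(Run(fn, path, line, len(grp), offsets))
    return runs

if __name__ == "__main__":
    for r in collapse_runs(parse_frames(SAMPLE)):
        print(f"{r.function} ({r.path}:{r.line}) x{r.count} "
              f"offsets={[hex(o) for o in r.offsets]}")
```

On this report's frames the listing collapses to a single run of seven identical function/line entries, which makes the repetition visible without reading each line.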
Comment 1 (Assignee) • 4 months ago
This is probably a regression by bug 1976596 since that function was newly added in that bug.
Unfortunately I am not able to reproduce. (My linux machine seems unable to run 32 bit Firefox nightlies, complaining about not finding libgkt.so. A 32 bit build on Windows has not reproduced for me yet.) The problem might be an ad, so it could depend on what ads you get served which could depend on the region. We do have one crash with this signature on crash stats and it was on Windows (32 bit build), no url so we can't tell if it's the same website.
I will report this upstream to libwebp. It would be nice if we had a specific webp file that triggered it though.
Is it 100% reproducible or only some of the time? Can you maybe take some steps to get a reproducible testcase? Maybe load the url in a month old nightly (so it doesn't crash) and then save as web page complete and check if that saved copy crashes in the current nightly? Or figure out which image is causing it some other way.
Comment 2 • 4 months ago
Set release status flags based on info from the regressing bug 1976596
Comment 3 (Reporter) • 4 months ago
(In reply to Timothy Nikkel (:tnikkel) from comment #1)
> (My linux machine seems unable to run 32 bit Firefox nightlies, complaining about not finding libgkt.so. A 32 bit build on Windows has not reproduced for me yet.)

You can run 32 bit binaries on 64 bit OSes but you will need to install the 32 bit libs. On Ubuntu sudo dpkg --add-architecture i386 then apt installing the required libs is what I did. Ping me if you want a list of all the libs I installed.

> The problem might be an ad, so it could depend on what ads you get served which could depend on the region. We do have one crash with this signature on crash stats and it was on Windows (32 bit build), no url so we can't tell if it's the same website.

I am also unable to reproduce the issue. Another report (different url) has come in via site-scout but it is also not reproducible. So the ad theory seems plausible. I will continue to monitor the bucket and try to reproduce the issue as results come in.
Comment 4 (Assignee) • 4 months ago
Thanks. I reported the issue upstream. Their theory is that it is an initialization race, so if that is the case it sounds like there wouldn't be a specific webp file causing this, just an issue that would be randomly run into when encountering any webp file. So probably don't expend more effort towards getting a reproducible testcase at this point.
I will likely follow their suggested fix of disabling avx2 now until a full fix is available.
Updated (Assignee) • 4 months ago
Comment 5 • 3 months ago
The bug is linked to a topcrash signature, which matches the following criteria:
- Top 20 desktop browser crashes on beta
- Top 10 content process crashes on beta
:tnikkel, could you consider increasing the severity of this top-crash bug?
For more information, please visit BugBot documentation.
Comment 6 (Assignee) • 3 months ago
Oops, the disable avx2 patch didn't actually disable avx2. I'll put a patch in bug 1981149 to do that properly.
Updated • 3 months ago
Comment 7 • 3 months ago
The bug is marked as tracked for firefox142 (beta). We have limited time to fix this, the soft freeze is in 8 days. However, the bug still isn't assigned and has low severity.
:bhood, could you please find an assignee and increase the severity for this tracked bug? Given that it is a regression and we know the cause, we could also simply backout the regressor. If you disagree with the tracking decision, please talk with the release managers.
For more information, please visit BugBot documentation.
Comment 8 (Assignee) • 3 months ago
Fix already landed in bug 1981149 and uplift request is waiting.
Updated (Assignee) • 3 months ago
Updated • 3 months ago
Comment 9 • 3 months ago
Marked as fixed by 1981149 in nightly and 142.0b9
Comment 10 • 3 months ago
Based on the topcrash criteria, the crash signatures linked to this bug are not in the topcrash signatures anymore.
For more information, please visit BugBot documentation.