Open Bug 2006682 Opened 3 months ago Updated 1 month ago

Assertion failure: filter (missing input), at /gfx/2d/FilterNodeSoftware.cpp:866

Categories

(Core :: Graphics, defect, P3)

Product:
Core
Component:
Graphics
Platform:
x86_64
Linux
Type:
defect

Tracking

()

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Testcase
4.41 KB, application/zip
Details

Testcase found while fuzzing mozilla-central rev 66a2bb093b81 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework pipx --upgrade
$ python -m pipx ensurepath
$ fuzzfetch --build 66a2bb093b81 --debug --fuzzing  -n firefox
$ grizzly-replay-bugzilla ./firefox/firefox <bugid>

Assertion failure: filter (missing input), at /gfx/2d/FilterNodeSoftware.cpp:866

    ==3865963==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7a6f69e8d634 bp 0x7a6ed8e94df0 sp 0x7a6ed8e94c20 T3866076)
    ==3865963==The signal is caused by a WRITE memory access.
    ==3865963==Hint: address points to the zero page.
        #0 0x7a6f69e8d634 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:237:3
        #1 0x7a6f69e8d634 in mozilla::gfx::FilterNodeSoftware::GetInputRectInRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gfx/2d/FilterNodeSoftware.cpp:866:3
        #2 0x7a6f69e8ec6f in mozilla::gfx::FilterNodeTransformSoftware::SourceRectForOutputRect(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gfx/2d/FilterNodeSoftware.cpp:1140:10
        #3 0x7a6f69e8f465 in mozilla::gfx::FilterNodeTransformSoftware::GetOutputRectInRect(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gfx/2d/FilterNodeSoftware.cpp:1220:21
        #4 0x7a6f69e8d4d9 in mozilla::gfx::FilterNodeSoftware::GetInputRectInRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gfx/2d/FilterNodeSoftware.cpp:870:18
        #5 0x7a6f69e8d4d9 in mozilla::gfx::FilterNodeSoftware::GetInputRectInRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gfx/2d/FilterNodeSoftware.cpp:870:18
        #6 0x7a6f69e8d4d9 in mozilla::gfx::FilterNodeSoftware::GetInputRectInRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gfx/2d/FilterNodeSoftware.cpp:870:18
        #7 0x7a6f69e8c749 in mozilla::gfx::FilterNodeSoftware::RequestInputRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gfx/2d/FilterNodeSoftware.cpp:707:33
        #8 0x7a6f69eab33d in mozilla::gfx::FilterNodeLightingSoftware<mozilla::gfx::(anonymous namespace)::PointLightSoftware, mozilla::gfx::(anonymous namespace)::DiffuseLightingSoftware>::RequestFromInputsForRect(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gfx/2d/FilterNodeSoftware.cpp:3525:3
        #9 0x7a6f69e8c766 in mozilla::gfx::FilterNodeSoftware::RequestInputRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gfx/2d/FilterNodeSoftware.cpp:707:13
        #10 0x7a6f69e9c7c5 in mozilla::gfx::FilterNodeCropSoftware::RequestFromInputsForRect(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gfx/2d/FilterNodeSoftware.cpp:3131:3
        #11 0x7a6f69e8c766 in mozilla::gfx::FilterNodeSoftware::RequestInputRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gfx/2d/FilterNodeSoftware.cpp:707:13
        #12 0x7a6f69e9a379 in mozilla::gfx::FilterNodeDisplacementMapSoftware::RequestFromInputsForRect(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gfx/2d/FilterNodeSoftware.cpp:2685:3
        #13 0x7a6f69e8c766 in mozilla::gfx::FilterNodeSoftware::RequestInputRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gfx/2d/FilterNodeSoftware.cpp:707:13
        #14 0x7a6f69e9c7c5 in mozilla::gfx::FilterNodeCropSoftware::RequestFromInputsForRect(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gfx/2d/FilterNodeSoftware.cpp:3131:3
        #15 0x7a6f69e8c766 in mozilla::gfx::FilterNodeSoftware::RequestInputRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gfx/2d/FilterNodeSoftware.cpp:707:13
        #16 0x7a6f69e8c766 in mozilla::gfx::FilterNodeSoftware::RequestInputRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gfx/2d/FilterNodeSoftware.cpp:707:13
        #17 0x7a6f69e8c766 in mozilla::gfx::FilterNodeSoftware::RequestInputRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gfx/2d/FilterNodeSoftware.cpp:707:13
        #18 0x7a6f69e8b9d4 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gfx/2d/FilterNodeSoftware.cpp:623:5
        #19 0x7a6f69e6c061 in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /gfx/2d/FilterNodeSoftware.cpp:571:14
        #20 0x7a6f69e41f06 in mozilla::gfx::RecordedDrawFilter::PlayEvent(mozilla::gfx::Translator*) const /gfx/2d/RecordedEventImpl.h:3404:7
        #21 0x7a6f69e44b88 in operator() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/std_function.h:622:14
        #22 0x7a6f69e44b88 in bool mozilla::gfx::RecordedEvent::DoWithEvent<mozilla::gfx::MemReader>(mozilla::gfx::MemReader&, mozilla::gfx::RecordedEvent::EventType, std::function<bool (mozilla::gfx::RecordedEvent*)> const&) /gfx/2d/RecordedEventImpl.h:4723:5
        #23 0x7a6f6a12f2ac in mozilla::layers::CanvasTranslator::TranslateRecording() /gfx/layers/ipc/CanvasTranslator.cpp:776:20
        #24 0x7a6f6a1308d2 in mozilla::layers::CanvasTranslator::SetDataSurfaceBuffer(unsigned int, mozilla::ipc::shared_memory::Handle<(mozilla::ipc::shared_memory::Type)0>&&) /gfx/layers/ipc/CanvasTranslator.cpp:433:10
        #25 0x7a6f6a131eb1 in mozilla::layers::CanvasTranslator::HandleCanvasTranslatorEvents() /gfx/layers/ipc/CanvasTranslator.cpp:893:29
        #26 0x7a6f6a179d25 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:18
        #27 0x7a6f6a179d25 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1082:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:60:14
        #28 0x7a6f6a179d25 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1082:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:95:14
        #29 0x7a6f6a179d25 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1082:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/tuple:1740:14
        #30 0x7a6f6a179d25 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1082:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/tuple:1751:14
        #31 0x7a6f6a179d25 in apply<mozilla::layers::CanvasTranslator, void (mozilla::layers::CanvasTranslator::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1081:12
        #32 0x7a6f6a179d25 in mozilla::detail::RunnableMethodImpl<mozilla::layers::CanvasTranslator*, void (mozilla::layers::CanvasTranslator::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1132:13
        #33 0x7a6f68cdde42 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1158:16
        #34 0x7a6f68ce456f in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:461:10
        #35 0x7a6f698df5e0 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:299:20
        #36 0x7a6f698380a1 in RunHandler /ipc/chromium/src/base/message_loop.cc:361:3
        #37 0x7a6f698380a1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:343:3
        #38 0x7a6f68cd9a7e in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:373:10
        #39 0x7a6f7dfb83ac in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:191:3
        #40 0x7a6f7e86caa3 in start_thread ./nptl/pthread_create.c:447:8
        #41 0x7a6f7e8f9c6b in clone3 ./misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78:0
    
    ==3865963==Register values:
    rax = 0x0000000000000000  rbx = 0x0000000000000000  rcx = 0x0000000000000362  rdx = 0x00007a6f7e9d4563
    rdi = 0x00007a6f7e9d5700  rsi = 0x0000000000000000  rbp = 0x00007a6ed8e94df0  rsp = 0x00007a6ed8e94c20
     r8 = 0x0000000000000000   r9 = 0x0000000000000003  r10 = 0x0000000000000002  r11 = 0x0000000000000293
    r12 = 0x0000000000000003  r13 = 0x00007a6f652e861f  r14 = 0x00007a6ed8e94e70  r15 = 0x00007a6e60331c98
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV (/home/jkratzer/builds/m-c-20251217091959-fuzzing-debug/libxul.so+0x56e8634) (BuildId: ed2c1d55f3a46852d2a91eb5e7515cc003580278)
    ==3865963==ABORTING
Attached file Testcase

Verified bug as reproducible on mozilla-central 20251217214341-26b8f5c9bc78.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 8075adecfc1f3e78222e4a228df49decbca67632 (20241219212153)
End: 66a2bb093b81686973b18f82f747f20ca020c487 (20251217091959)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False, searchfox=False, afl=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Can't reproduce this on my macOS setup. We'll discuss in triage and find someone who can reproduce. For now, setting as S3 since this is a debug build assert which has a sane fallback in release builds.

Blocks: gfx-triage
Severity: -- → S3
Priority: -- → P3

Per triage discussion, Lee will take a look.

Flags: needinfo?(lsalzman)

This is essentially a type of OOM. It is trying to create a surface with size 360 x 42401. In some (accelerated) debug paths the assert is hit when creating this surface input fails, but even when it doesn't in release (or in unaccelerated canvas), this still creates critical errors when it ultimately fails to create such a surface.

I don't think this poses an imminent problem that needs to be fixed in te absence of problems in the wild, but if it does in the future, we might want to do a larger investigation of having some sensible fallbacks for these excessively large surface cases that returns some kind of renderable result.

Severity: S3 → S4
Flags: needinfo?(lsalzman)
No longer blocks: gfx-triage

Testcase crashes using the initial build (mozilla-central 20251217091959-66a2bb093b81) but not with tip (mozilla-central 20260131091743-1be4ab5933df.)

The bug appears to have been fixed in the following build range:

Start: 20b1a1e6c530f3506d5378bf5f4da504b6f03661 (20260130092147)
End: d6f0f1a9b6dea1ba2e43506a14a4eac5315b2fb6 (20260130061039)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=20b1a1e6c530f3506d5378bf5f4da504b6f03661&tochange=d6f0f1a9b6dea1ba2e43506a14a4eac5315b2fb6

jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(jkratzer)
Keywords: bugmon

Lee was this fixed by bug 1911583?

Flags: needinfo?(jkratzer) → needinfo?(lsalzman)

The downstream symptom is not fixed but the upstream OOM scenario that caused us to get there is "fixed". You can always create a large enough surface that the test case would fail again.

Flags: needinfo?(lsalzman)

Understood. I'll leave bugmon disabled. Please NI me if you need anything else.

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: