Closed Bug 2028539 Opened 4 days ago Closed 1 day ago

Assertion failure: shmemView.size() == 1 + destView->size(), at /builds/worker/checkouts/gecko/dom/canvas/ClientWebGLContext.cpp:3680

Categories

(Core :: Graphics: CanvasWebGL, defect, P1)

Product:
Core
Component:
Graphics: CanvasWebGL
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
151 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox-esr140 --- unaffected
firefox149 --- unaffected
firefox150 --- unaffected
firefox151 --- fixed

People

(Reporter: tsmith, Assigned: jrmuizel)

References

(Blocks 2 open bugs, Regression)

Details

(4 keywords, Whiteboard: [fuzzblocker][bugmon:bisected,confirmed])

Attachments

(2 files)

testcase.html
266 bytes, text/html
Details
Bug 2028539. Serialize Shmem size as uint64_t to fix truncation for >4GB shared memory.
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Found while fuzzing m-c 20260328-35981cd93dfb (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: shmemView.size() == 1 + destView->size(), at /builds/worker/checkouts/gecko/dom/canvas/ClientWebGLContext.cpp:3680

#0 0x7bffd757d44d in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:235:3
#1 0x7bffd757d44d in operator() /builds/worker/checkouts/gecko/dom/canvas/ClientWebGLContext.cpp:3680:5
#2 0x7bffd757d44d in CallProcessor<(lambda at /builds/worker/checkouts/gecko/dom/canvas/ClientWebGLContext.cpp:3629:34)> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TypedArray.h:594:12
#3 0x7bffd757d44d in ProcessFixedData<true, (lambda at /builds/worker/checkouts/gecko/dom/canvas/ClientWebGLContext.cpp:3629:34)> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TypedArray.h:700:12
#4 0x7bffd757d44d in mozilla::ClientWebGLContext::GetBufferSubData(unsigned int, long, mozilla::dom::ArrayBufferView_base<&JS_GetArrayBufferViewType(JSObject*)> const&, unsigned int, unsigned int) /builds/worker/checkouts/gecko/dom/canvas/ClientWebGLContext.cpp:3629:11
#5 0x7bffd6924113 in mozilla::dom::WebGL2RenderingContext_Binding::getBufferSubData(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./WebGL2RenderingContextBinding.cpp:1443:24
#6 0x7bffd72f86fd in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3378:13
#7 0x7bffdffe6f6d in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:490:13
#8 0x7bffdffe6f6d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:586:12
#9 0x7bffdf20e900 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1701:10
#10 0x276d07c9a913  ([anon:js-executable-memory]+0x2913)
Flags: in-testsuite?

This is reported frequently by browser fuzzers, please prioritize it appropriately.

Whiteboard: [fuzzblocker]

It will have to take its number behind all the security reports. :/

Placing into Triage for the team to evaluate.

Blocks: gfx-triage
Severity: -- → S3
Priority: -- → P1

Verified bug as reproducible on mozilla-central 20260401160113-a5514d76e0e7.
The bug appears to have been introduced in the following build range:

Start: 645a679897b5fd39787aeee1d1840564fccb63c1 (20260327161114)
End: 440de3bdb579cfd0038dff9bcd6fb368ad01fe99 (20260327204121)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=645a679897b5fd39787aeee1d1840564fccb63c1&tochange=440de3bdb579cfd0038dff9bcd6fb368ad01fe99

Keywords: regression
Whiteboard: [fuzzblocker] → [fuzzblocker][bugmon:bisected,confirmed]

:jrmuizel, since you are the author of the regressor, bug 1838218, could you take a look?

For more information, please visit BugBot documentation.

Flags: needinfo?(jmuizelaar)

This is happening because of the truncation here:
https://searchfox.org/firefox-main/rev/98bf4b92d3f5d7a9855281df4bf333210bcfbbc4/ipc/glue/Shmem.cpp#174

Flags: needinfo?(jmuizelaar)

The Shmem IPC serialization was casting mSize to uint32_t, truncating
sizes above 4GB.

Bug 1838218 exposed this problem by letting WebGL use large typed arrays.

Use a uint64_t but check if it fits in size_t so that things don't
silently break in mixed 32/64 IPC environments.

Assignee: nobody → jmuizelaar
Status: NEW → ASSIGNED
Pushed by jmuizelaar@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/e264f2c0b498 https://hg.mozilla.org/integration/autoland/rev/bc0e752d6d07 Serialize Shmem size as uint64_t to fix truncation for >4GB shared memory. r=nika

https://hg.mozilla.org/mozilla-central/rev/bc0e752d6d07

Status: ASSIGNED → RESOLVED
Closed: 1 day ago
status-firefox151: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 151 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: