Closed Bug 1553552 Opened 6 years ago Closed 3 years ago

Hit MOZ_CRASH(attempt to multiply with overflow) at gfx/wr/webrender/src/resource_cache.rs:1221

Categories

(Core :: Graphics: WebRender, defect, P3)

RESOLVED WORKSFORME
Tracking Status
firefox-esr68 --- disabled
firefox-esr78 --- disabled
firefox69 --- wontfix
firefox78 --- wontfix
firefox79 --- wontfix
firefox80 --- fix-optional
firefox81 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 3 open bugs)

Details

(Keywords: assertion, crash, testcase)

Attachments

(2 files)

Attached file testcase.html (deleted)

Testcase found while fuzzing mozilla-central rev 5f95b3f2ea44.

Hit MOZ_CRASH(attempt to multiply with overflow) at gfx/wr/webrender/src/resource_cache.rs:1221

OS|Linux|0.0.0 Linux 4.18.0-17-generic #18~18.04.1-Ubuntu SMP Fri Mar 15 15:27:12 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV|0x0|54
54|0|libxul.so|GeckoCrash|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:5f95b3f2ea44723ba6a8c41a4b27c88032df709f|5084|0xf
54|1|libxul.so|gkrust_shared::panic_hook|hg:hg.mozilla.org/mozilla-central:toolkit/library/rust/shared/lib.rs:5f95b3f2ea44723ba6a8c41a4b27c88032df709f|243|0x9
54|2|libxul.so|core::ops::function::Fn::call|git:github.com/rust-lang/rust:src/libcore/ops/function.rs:91856ed52c58aa5ba66a015354d1cc69e9779bdf|69|0x9
54|3|libxul.so|rust_panic_with_hook|git:github.com/rust-lang/rust:src/libstd/panicking.rs:91856ed52c58aa5ba66a015354d1cc69e9779bdf|482|0x6
54|4|libxul.so|continue_panic_fmt|git:github.com/rust-lang/rust:src/libstd/panicking.rs:91856ed52c58aa5ba66a015354d1cc69e9779bdf|385|0x18
54|5|libxul.so|rust_begin_unwind|||0x6
54|6|libxul.so|panic_fmt|git:github.com/rust-lang/rust:src/libcore/panicking.rs:91856ed52c58aa5ba66a015354d1cc69e9779bdf|85|0x6
54|7|libxul.so|panic|git:github.com/rust-lang/rust:src/libcore/panicking.rs:91856ed52c58aa5ba66a015354d1cc69e9779bdf|49|0x4d
54|8|libxul.so|webrender::resource_cache::ResourceCache::create_blob_scene_builder_requests|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/resource_cache.rs:5f95b3f2ea44723ba6a8c41a4b27c88032df709f|1221|0xd
54|9|libxul.so|core::ops::function::impls::<impl core::ops::function::FnOnce<A> for &mut F>::call_once|git:github.com/rust-lang/rust:src/libcore/ops/function.rs:91856ed52c58aa5ba66a015354d1cc69e9779bdf|279|0xd66
54|10|libxul.so|<alloc::vec::Vec<T> as alloc::vec::SpecExtend<T, I>>::from_iter|git:github.com/rust-lang/rust:src/liballoc/vec.rs:91856ed52c58aa5ba66a015354d1cc69e9779bdf|1809|0x15e
54|11|libxul.so|webrender::render_backend::RenderBackend::process_api_msg|git:github.com/rust-lang/rust:src/liballoc/vec.rs:91856ed52c58aa5ba66a015354d1cc69e9779bdf|1721|0x8
54|12|libxul.so|webrender::render_backend::RenderBackend::run|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/render_backend.rs:5f95b3f2ea44723ba6a8c41a4b27c88032df709f|946|0x99
54|13|libxul.so|std::sys_common::backtrace::__rust_begin_short_backtrace|git:github.com/rust-lang/rust:src/libstd/sys_common/backtrace.rs:91856ed52c58aa5ba66a015354d1cc69e9779bdf|135|0x583
54|14|libxul.so|std::panicking::try::do_call|git:github.com/rust-lang/rust:src/libstd/thread/mod.rs:91856ed52c58aa5ba66a015354d1cc69e9779bdf|469|0x16
54|15|libxul.so|__rust_maybe_catch_panic|||0x9
54|16|libxul.so|<F as alloc::boxed::FnBox<A>>::call_box|git:github.com/rust-lang/rust:src/liballoc/boxed.rs:91856ed52c58aa5ba66a015354d1cc69e9779bdf|749|0x91
54|17|libxul.so|thread_start|git:github.com/rust-lang/rust:src/libstd/sys/unix/thread.rs:91856ed52c58aa5ba66a015354d1cc69e9779bdf|81|0x84
54|18|libpthread-2.27.so||||0x76db
54|19|libc-2.27.so||||0x12188f
Flags: in-testsuite?
Blocks: wr-fuzz
Priority: -- → P3
Attached file aboutsupport (deleted)

Got a white window when I opened the testcase and large memory increase. Firefox tried to render the page thrice, after which it gave up.
Post that, this was my about:support

Crash Signature: [@ OOM | large | mozalloc_abort | mozalloc_handle_oom | gkrust_shared::oom_hook::hook | std::alloc::rust_oom | core::iter::adapters::{{impl}}::next<T> ]
Crash Signature: [@ OOM | large | mozalloc_abort | mozalloc_handle_oom | gkrust_shared::oom_hook::hook | std::alloc::rust_oom | core::iter::adapters::{{impl}}::next<T> ] → [@ OOM | large | mozalloc_abort | mozalloc_handle_oom | gkrust_shared::oom_hook::hook | std::alloc::rust_oom | core::iter::adapters::{{impl}}::next<T> ] [@ OOM | large | mozalloc_abort | mozalloc_handle_oom | gkrust_shared::oom_hook::hook | std::alloc::r…

The signature seems to have changed.

Crash Signature: std::alloc::rust_oom | alloc::vec::Vec<T>::push<T> ] → std::alloc::rust_oom | alloc::vec::Vec<T>::push<T> ] [@ OOM | large | mozalloc_abort | webrender_api::resources::ApiResources::update ]

Gnome XWayland, Debian Testing, Intel HD Graphics 630 (KBL GT2), MOZ_X11_EGL=1
My desktop shortly freezes, then Nightly crashes without report.

Blocks: wr-stability
Keywords: crash
OS: Unspecified → All
Hardware: Unspecified → All

The issue is no longer reproducible using the attached test case and was last reported by fuzzer targeting m-c 20190717-b6d154b23098.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME