Found while fuzzing m-c 20210430-b417d526e5fc (--enable-debug)

This test case only seems to repro with debug builds from TC. It does not reproduce with any other builds I have tested with. I've also tried with a fuzzing debug build with no-opt to get a rr trace and that also did not work.

==27674==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x77275f047010 (pc 0x7f27fd9bef09 bp 0x7f27cff510f0 sp 0x7f27cff50bc0 T27718)
==27674==The signal is caused by a READ memory access.
    #0 0x7f27fd9bef09 in is_flat /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:58:34
    #1 0x7f27fd9bef09 in draw_perspective_spans<unsigned int> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1186:21
    #2 0x7f27fd9bef09 in draw_perspective_clipped(int, glsl::vec4_scalar*, glsl::vec3*, Texture&, Texture&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1401:5
    #3 0x7f27fd8c82ae in draw_perspective /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h
    #4 0x7f27fd8c82ae in draw_quad(int, Texture&, Texture&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1518:5
    #5 0x7f27fd8c6002 in draw_elements<unsigned short> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1614:5
    #6 0x7f27fd8c6002 in DrawElementsInstanced /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:2699:7
    #7 0x7f27fd4a9825 in _$LT$gleam..gl..ErrorReactingGl$LT$F$GT$$u20$as$u20$gleam..gl..Gl$GT$::draw_elements_instanced::h15875eccd4085214 /builds/worker/checkouts/gecko/third_party/rust/gleam/src/gl.rs:98:26
    #8 0x7f27fd5b262b in webrender::device::gl::Device::draw_indexed_triangles_instanced_u16::h03e5c73c0ee69070 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/device/gl.rs:3537:9
    #9 0x7f27fd6b9dee in webrender::renderer::Renderer::draw_instanced_batch::hece871d481d1692a /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2564:17
    #10 0x7f27fd6bcf2f in webrender::renderer::Renderer::draw_alpha_batch_container::hf664ccb3f3585bee /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:3048:17
    #11 0x7f27fd6cc252 in webrender::renderer::Renderer::draw_picture_cache_target::h1b391c944375d927 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2871:9
    #12 0x7f27fd6cc252 in webrender::renderer::Renderer::draw_frame::hb00d6f709d7a640d /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:4698:21
    #13 0x7f27fd6aebb9 in webrender::renderer::Renderer::render_impl::hf0eaaa1ba1fb3c73 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2162:17
    #14 0x7f27fd6acf95 in webrender::renderer::Renderer::render::h35bafb0dd4cf9b06 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1898:30
    #15 0x7f27fd3d1e97 in wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:636:11
    #16 0x7f27f6f9395e in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:186:8
    #17 0x7f27f6f928a3 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:485:31
    #18 0x7f27f6f921ec in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:340:3
    #19 0x7f27f6f9c4fe in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
    #20 0x7f27f6f9c4fe in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
    #21 0x7f27f6f9c4fe in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
    #22 0x7f27f5f7552c in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:468:11
    #23 0x7f27f5f760a5 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:477:5
    #24 0x7f27f5f7634a in MessageLoop::DoWork() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:552:13
    #25 0x7f27f5f76d50 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
    #26 0x7f27f5f75187 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #27 0x7f27f5f750a2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #28 0x7f27f5f750a2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #29 0x7f27f5f83057 in base::Thread::ThreadMain() /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:191:16
    #30 0x7f27f5f7e5b9 in ThreadFunc(void*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #31 0x7f280ac8d608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #32 0x7f280a856292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bugmon Analysis:
Unable to reproduce bug using the following builds:

mozilla-central 20210503214210-c97286566c45
mozilla-central 20210430214504-b417d526e5fc
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Let's try again since I changed the test case.

Bugmon Analysis:
Unable to reproduce bug using the following builds:

mozilla-central 20210504033521-17594d43a3dc
mozilla-central 20210430214504-b417d526e5fc
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

doesn't seem to be in debug-only code, so more likely a race or uninitialized memory that the compiler setting doesn't differently in different builds. Just because it's not detected in an opt build doesn't mean it's not a potential problem there. Could be worse than "moderate", but can't say for sure right now.

I was able to reproduce under Valgrind (m-c 20210520-45c659bd4922). Not sure if the provides much more info though.

Thread 42 Renderer:
Invalid read of size 4
  at 0xFE6B6AB: void draw_perspective_spans<unsigned int>(int, glsl::vec4_scalar*, glsl::vec3*, Texture&, Texture&, ClipRect const&) (rasterize.h:58)
  by 0xFC0AF62: draw_quad(int, Texture&, Texture&) (rasterize.h:0)
  by 0xFC09B38: DrawElementsInstanced (rasterize.h:1604)
  by 0xF9C5EF1: webrender::renderer::Renderer::draw_instanced_batch (gl.rs:3523)
  by 0xF9C1A10: webrender::renderer::Renderer::draw_alpha_batch_container (mod.rs:2814)
  by 0xF9B4629: webrender::renderer::Renderer::draw_frame (mod.rs:2637)
  by 0xF999A97: webrender::renderer::Renderer::render_impl (mod.rs:1926)
  by 0xF9EB50D: wr_renderer_render (mod.rs:1662)
  by 0xB5F2E39: mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) (checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:186)
  by 0xB5F2463: mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) (checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:485)
  by 0xB5F206F: mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) (checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:340)
  by 0xB5F897E: mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() (dist/include/nsThreadUtils.h:1150)
Address 0xfffff8003b436040 is not stack'd, malloc'd or (recently) free'd

This was last seen by fuzzer running m-c 20220121-00753e705770. I think is a duplicate of bug 1746545.

Let's try bugmon once more now that I've corrected the build flags in the description.

Bugmon Analysis
Unable to reproduce bug 1709193 using build mozilla-central 20210430214504-b417d526e5fc. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.