Hit MOZ_CRASH(Content-process DrawTargetRecording can't create requested similar drawtarget) at /gfx/2d/DrawTargetRecording.cpp:554
Categories: Core :: Graphics, defect
People: Reporter: jkratzer, Assigned: tnikkel
References: Blocks 2 open bugs
Details: Keywords: bugmon, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments: 2 files
Testcase found while fuzzing mozilla-central rev 2eda0885cbad (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 2eda0885cbad --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Hit MOZ_CRASH(Content-process DrawTargetRecording can't create requested similar drawtarget) at /gfx/2d/DrawTargetRecording.cpp:554
==4128648==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f54fa6f4444 bp 0x7fff39a85370 sp 0x7fff39a852e0 T4128648)
==4128648==The signal is caused by a WRITE memory access.
==4128648==Hint: address points to the zero page.
#0 0x7f54fa6f4444 in mozilla::gfx::DrawTargetRecording::CreateSimilarDrawTarget(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat) const /gfx/2d/DrawTargetRecording.cpp:552:5
#1 0x7f54fe60f2dc in mozilla::nsImageRenderer::Draw(nsPresContext*, gfxContext&, nsRect const&, nsRect const&, nsRect const&, nsPoint const&, nsSize const&, mozilla::gfx::IntRectTyped<mozilla::CSSPixel> const&, float) /layout/painting/nsImageRenderer.cpp:464:55
#2 0x7f54fe610dbe in mozilla::nsImageRenderer::DrawLayer(nsPresContext*, gfxContext&, nsRect const&, nsRect const&, nsPoint const&, nsRect const&, nsSize const&, float) /layout/painting/nsImageRenderer.cpp:749:10
#3 0x7f54fe5b66b4 in nsCSSRendering::PaintStyleImageLayerWithSC(nsCSSRendering::PaintBGParams const&, gfxContext&, mozilla::ComputedStyle*, nsStyleBorder const&) /layout/painting/nsCSSRendering.cpp:2573:38
#4 0x7f54fe4c107a in mozilla::PaintMaskSurface(mozilla::SVGIntegrationUtils::PaintFramesParams const&, mozilla::gfx::DrawTarget*, float, mozilla::ComputedStyle*, nsTArray<mozilla::SVGMaskFrame*> const&, nsPoint const&) /layout/svg/SVGIntegrationUtils.cpp:551:35
#5 0x7f54fe4c18f0 in CreateAndPaintMaskSurface /layout/svg/SVGIntegrationUtils.cpp:622:25
#6 0x7f54fe4c18f0 in void mozilla::PaintMaskAndClipPathInternal<std::function<void ()> >(mozilla::SVGIntegrationUtils::PaintFramesParams const&, std::function<void ()> const&) /layout/svg/SVGIntegrationUtils.cpp:873:37
#7 0x7f54fe5f4cba in mozilla::nsDisplayMasksAndClipPaths::PaintWithContentsPaintCallback(mozilla::nsDisplayListBuilder*, gfxContext*, std::function<void ()> const&) /layout/painting/nsDisplayList.cpp:7985:3
#8 0x7f54fe5f4e2c in mozilla::nsDisplayMasksAndClipPaths::Paint(mozilla::nsDisplayListBuilder*, gfxContext*) /layout/painting/nsDisplayList.cpp:7997:3
#9 0x7f54fe5ab5d3 in mozilla::nsDisplayList::Paint(mozilla::nsDisplayListBuilder*, gfxContext*, int) /layout/painting/nsDisplayList.cpp:2182:11
#10 0x7f54fe5d412e in mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /layout/painting/nsDisplayList.cpp:2247:5
#11 0x7f54fe237b2e in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /layout/base/nsLayoutUtils.cpp:3436:9
#12 0x7f54fe5dc2b6 in mozilla::GenerateAndPushTextMask(nsIFrame*, gfxContext*, nsRect const&, mozilla::nsDisplayListBuilder*) /layout/painting/nsDisplayList.cpp:319:3
#13 0x7f54fe5de06a in mozilla::nsDisplayBackgroundColor::Paint(mozilla::nsDisplayListBuilder*, gfxContext*) /layout/painting/nsDisplayList.cpp:3947:10
#14 0x7f54fa9fa71b in mozilla::layers::PaintItemByDrawTarget(mozilla::nsDisplayItem*, mozilla::gfx::DrawTarget*, mozilla::gfx::PointTyped<mozilla::LayoutDevicePixel, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::nsDisplayListBuilder*, mozilla::gfx::SizeTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::Maybe<mozilla::gfx::DeviceColor>&) /gfx/layers/wr/WebRenderCommandBuilder.cpp:2155:38
#15 0x7f54fa9f93e5 in mozilla::layers::WebRenderCommandBuilder::GenerateFallbackData(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*, mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float>&) /gfx/layers/wr/WebRenderCommandBuilder.cpp:2418:7
#16 0x7f54fa9f2ea3 in mozilla::layers::WebRenderCommandBuilder::PushItemAsImage(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /gfx/layers/wr/WebRenderCommandBuilder.cpp:2705:48
#17 0x7f54fa9f1548 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /gfx/layers/wr/WebRenderCommandBuilder.cpp:1934:7
#18 0x7f54fe5f5990 in CreateWebRenderCommandsNewClipListOption /layout/painting/nsDisplayList.cpp:4654:30
#19 0x7f54fe5f5990 in mozilla::nsDisplayMasksAndClipPaths::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /layout/painting/nsDisplayList.cpp:8187:3
#20 0x7f54fa9f2d77 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /gfx/layers/wr/WebRenderCommandBuilder.cpp:1695:41
#21 0x7f54fa9f1548 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /gfx/layers/wr/WebRenderCommandBuilder.cpp:1934:7
#22 0x7f54fe5f5990 in CreateWebRenderCommandsNewClipListOption /layout/painting/nsDisplayList.cpp:4654:30
#23 0x7f54fe5f5990 in mozilla::nsDisplayMasksAndClipPaths::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /layout/painting/nsDisplayList.cpp:8187:3
#24 0x7f54fa9f2d77 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /gfx/layers/wr/WebRenderCommandBuilder.cpp:1695:41
#25 0x7f54fa9f1548 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /gfx/layers/wr/WebRenderCommandBuilder.cpp:1934:7
#26 0x7f54fe5e5836 in CreateWebRenderCommandsNewClipListOption /layout/painting/nsDisplayList.cpp:4654:30
#27 0x7f54fe5e5836 in CreateWebRenderCommands /layout/painting/nsDisplayList.h:4923:12
#28 0x7f54fe5e5836 in mozilla::nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /layout/painting/nsDisplayList.cpp:5280:22
#29 0x7f54fa9f2d77 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /gfx/layers/wr/WebRenderCommandBuilder.cpp:1695:41
#30 0x7f54fa9f1548 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /gfx/layers/wr/WebRenderCommandBuilder.cpp:1934:7
#31 0x7f54fa9f004a in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) /gfx/layers/wr/WebRenderCommandBuilder.cpp:1616:5
#32 0x7f54faa044a4 in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) /gfx/layers/wr/WebRenderLayerManager.cpp:362:30
#33 0x7f54fe5d4420 in mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /layout/painting/nsDisplayList.cpp:2287:18
#34 0x7f54fe237b2e in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /layout/base/nsLayoutUtils.cpp:3436:9
#35 0x7f54fe1a9f44 in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /layout/base/PresShell.cpp:6360:5
#36 0x7f54fde0be8b in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /view/nsViewManager.cpp:440:18
#37 0x7f54fde0b9ab in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /view/nsViewManager.cpp:375:22
#38 0x7f54fde0cf3c in nsViewManager::ProcessPendingUpdates() /view/nsViewManager.cpp:948:5
#39 0x7f54fe166b9e in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /layout/base/nsRefreshDriver.cpp:2570:11
#40 0x7f54fe16e0e0 in TickDriver /layout/base/nsRefreshDriver.cpp:348:13
#41 0x7f54fe16e0e0 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /layout/base/nsRefreshDriver.cpp:326:7
#42 0x7f54fe16dfe3 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:342:5
#43 0x7f54fe16deb0 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:780:5
#44 0x7f54fe16d6da in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:703:16
#45 0x7f54fe16cf33 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /layout/base/nsRefreshDriver.cpp:620:7
#46 0x7f54fe16cb09 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:541:9
#47 0x7f54fd8df53a in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /dom/ipc/VsyncMainChild.cpp:68:15
#48 0x7f54fa16ec35 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:209:54
#49 0x7f54f9f0599c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6193:32
#50 0x7f54f9b7c511 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1665:25
#51 0x7f54f9b79952 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /ipc/glue/MessageChannel.cpp:1590:9
#52 0x7f54f9b7a49d in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1458:3
#53 0x7f54f9b7af7d in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1486:14
#54 0x7f54f90de73e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:467:16
#55 0x7f54f90b7726 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:770:26
#56 0x7f54f90b63e8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:606:15
#57 0x7f54f90b6663 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:390:36
#58 0x7f54f90e1be6 in operator() /xpcom/threads/TaskController.cpp:124:37
#59 0x7f54f90e1be6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#60 0x7f54f90cc6b3 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1173:16
#61 0x7f54f90d3bca in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
#62 0x7f54f9b818b6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#63 0x7f54f9a9e957 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
#64 0x7f54f9a9e862 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
#65 0x7f54f9a9e862 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
#66 0x7f54fde6e948 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
#67 0x7f54ffee3803 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:878:20
#68 0x7f54f9b827aa in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
#69 0x7f54f9a9e957 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
#70 0x7f54f9a9e862 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
#71 0x7f54f9a9e862 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
#72 0x7f54ffee2e3c in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:715:34
#73 0x55588926bd37 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#74 0x55588926bd37 in main /browser/app/nsBrowserApp.cpp:327:18
#75 0x7f550e0040b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#76 0x5558892474bc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x154bc)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /gfx/2d/DrawTargetRecording.cpp:552:5 in mozilla::gfx::DrawTargetRecording::CreateSimilarDrawTarget(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat) const
==4128648==ABORTING
Comment 1•3 years ago (Reporter)

Comment 2•3 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220224093648-2eda0885cbad.
Unable to bisect testcase (Testcase reproduces on start build!):
Start: 7be47f00f8cfb94c2fbf68c094ddf7071a24bc44 (20210225041611)
End: 2eda0885cbada5c74f3b6c8d40b68ecb0f1826c1 (20220224093648)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)
Comment 3•3 years ago

Updated•3 years ago
Comment 4•2 years ago
A Pernosco session is available here: https://pernos.co/debug/RYe1006dJQzt7IhzjAiu6g/index.html
Comment 5•2 years ago (Assignee)
DrawTargetSkia::CanCreateSimilarDrawTarget fails because the surface size is 1136 x 303296, and the max surface size for that draw target is 32k.
I would have expected that bug 1815272 made this not happen?
Comment 6•2 years ago
(In reply to Timothy Nikkel (:tnikkel) from comment #5)
> I would have expected that bug 1815272 made this not happen?
I can still repro with gfx.webrender.debug.restrict-blob-size=true
and fuzzers are still frequently reporting it.
Would you like a new Pernosco session with the pref set?
Comment 7•2 years ago (Assignee)
No, it should be fine, it's easy to reproduce.
I think I know why gfx.webrender.debug.restrict-blob-size doesn't fix this, that pref is mostly webrender side, whereas this bug happens early on the content side.
Updated•2 years ago

Updated•2 years ago
Comment 8•1 year ago
Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 9•1 year ago (Reporter)
A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.
Comment hidden (obsolete)
Comment hidden (obsolete)
Updated•1 year ago
Comment 12•1 year ago
We should probably fix this by not using CreateSimilarDrawTarget. Instead we should try to use a more PushLayer style.
e.g. we can probably use PushLayerWithBlend to handle the blend modes and maybe something like PushLayerForLuminanceMask or something like that.
Updated•1 year ago
Comment 14•1 year ago
Chrome does something like this:
- beginLayer (content layer, srcOver mode)
- draw content
- beginLayer (mask layer, dstIn mode + luminance-to-alpha filter)
- draw mask
- endLayer: dstIn(luma(mask layer), content layer)
- endLayer: srcOver(content layer, backdrop)
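The layer sequence sketched in comment 14, together with the size check that comment 5 says DrawTargetSkia::CanCreateSimilarDrawTarget performs, worked through as an added example. This is a small software compositor written for this page; it is not Firefox, Skia or Chrome code. It assumes straight-alpha float pixels, Rec. 709 luma for the luminance-to-alpha step, and a 32k maximum surface dimension standing in for the backend limit; `MakeLayer`, `EndMaskLayerDstIn`, `EndContentLayerSrcOver` and `RenderMaskedContent` are names invented here. The point it shows is that an oversized layer request (the 1136 x 303296 surface from comment 5) is refused up front and the paint is skipped, rather than reaching a MOZ_CRASH.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdio>
#include <optional>
#include <vector>

// Straight (non-premultiplied) RGBA with channels in [0, 1].
struct Rgba {
  float r, g, b, a;
};

// Stand-in for the per-backend maximum surface dimension (comment 5 says
// 32k for the Skia draw target). The exact value is an assumption here.
constexpr int kMaxSurfaceDim = 32 * 1024;

struct Surface {
  int w = 0;
  int h = 0;
  std::vector<Rgba> px;
  Rgba& at(int x, int y) { return px[static_cast<std::size_t>(y) * w + x]; }
  const Rgba& at(int x, int y) const {
    return px[static_cast<std::size_t>(y) * w + x];
  }
};

// Layer allocation that refuses oversized requests instead of aborting.
// A fresh layer starts fully transparent.
std::optional<Surface> MakeLayer(int w, int h) {
  if (w <= 0 || h <= 0 || w > kMaxSurfaceDim || h > kMaxSurfaceDim) {
    return std::nullopt;
  }
  Surface s;
  s.w = w;
  s.h = h;
  s.px.assign(static_cast<std::size_t>(w) * h, Rgba{0.f, 0.f, 0.f, 0.f});
  return s;
}

// Rec. 709 luma, which is what a luminance-to-alpha filter reads off a pixel.
float Luma(const Rgba& c) {
  return 0.2126f * c.r + 0.7152f * c.g + 0.0722f * c.b;
}

// endLayer for the mask layer: dstIn(luma(mask), content). In straight alpha,
// dstIn keeps the destination colour and scales its alpha by the source
// alpha, here the mask pixel's luminance times its own alpha.
void EndMaskLayerDstIn(Surface& content, const Surface& mask) {
  for (int y = 0; y < content.h; ++y) {
    for (int x = 0; x < content.w; ++x) {
      const Rgba& m = mask.at(x, y);
      content.at(x, y).a *= Luma(m) * m.a;
    }
  }
}

// endLayer for the content layer: srcOver(content, backdrop), straight alpha.
void EndContentLayerSrcOver(Surface& backdrop, const Surface& src) {
  for (int y = 0; y < backdrop.h; ++y) {
    for (int x = 0; x < backdrop.w; ++x) {
      const Rgba& s = src.at(x, y);
      Rgba& d = backdrop.at(x, y);
      const float oa = s.a + d.a * (1.f - s.a);
      if (oa <= 0.f) {
        d = Rgba{0.f, 0.f, 0.f, 0.f};
        continue;
      }
      d.r = (s.r * s.a + d.r * d.a * (1.f - s.a)) / oa;
      d.g = (s.g * s.a + d.g * d.a * (1.f - s.a)) / oa;
      d.b = (s.b * s.a + d.b * d.a * (1.f - s.a)) / oa;
      d.a = oa;
    }
  }
}

// The sequence from comment 14 over an opaque white backdrop: red content,
// then a mask whose left half is white (keeps), middle column is 50% grey
// (half keeps) and right part is black (drops). Returns nullopt when any
// layer cannot be allocated, which is the graceful path for 1136x303296.
std::optional<Surface> RenderMaskedContent(int w, int h) {
  std::optional<Surface> backdrop = MakeLayer(w, h);
  std::optional<Surface> content = MakeLayer(w, h);  // beginLayer (srcOver)
  std::optional<Surface> mask = MakeLayer(w, h);     // beginLayer (dstIn+luma)
  if (!backdrop || !content || !mask) return std::nullopt;

  for (int y = 0; y < h; ++y) {
    for (int x = 0; x < w; ++x) {
      backdrop->at(x, y) = Rgba{1.f, 1.f, 1.f, 1.f};  // page background
      content->at(x, y) = Rgba{1.f, 0.f, 0.f, 1.f};   // draw content
      const float v = x < w / 2 ? 1.f : (x == w / 2 ? 0.5f : 0.f);
      mask->at(x, y) = Rgba{v, v, v, 1.f};            // draw mask
    }
  }
  EndMaskLayerDstIn(*content, *mask);           // endLayer (mask)
  EndContentLayerSrcOver(*backdrop, *content);  // endLayer (content)
  return backdrop;
}

int main() {
  if (!RenderMaskedContent(1136, 303296)) {
    std::puts("1136x303296: layer too large, paint skipped instead of crashing");
  }
  std::optional<Surface> out = RenderMaskedContent(4, 2);
  for (int x = 0; x < out->w; ++x) {
    const Rgba& p = out->at(x, 0);
    std::printf("x=%d rgba=(%.2f %.2f %.2f %.2f)\n", x, p.r, p.g, p.b, p.a);
  }
  return 0;
}
```

The two endLayer steps are the only places compositing happens, so a real implementation can bound the layers it allocates (or fall back to drawing unmasked) at the beginLayer calls without needing a separate similar draw target for the mask.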
Comment hidden (obsolete)
Updated•1 year ago (Assignee)
Comment 16•1 year ago

Updated•1 year ago
Comment 17•1 year ago
(from matrix:)
Kelsey (jgilbert):
jkratzer: for https://bugzilla.mozilla.org/show_bug.cgi?id=1757003 , would it help fuzzing to fix the crash (e.g. into a js oom error), which we can do faster than a full fix of the functionality?
1757003 - Hit MOZ_CRASH(Content-process DrawTargetRecording can't create requested similar drawtarget) at /gfx/2d/DrawTargetRecording.cpp:554
NEW (tnikkel) in Core - Graphics. Last updated 2023-06-26.
jkratzer:
Yeah. If it's non-fatal that would definitely be useful to us.
Kelsey (jgilbert):
ok! I take it from the lack of fuzzblocker tag that this is a less severe problem though? Like maybe S3 and P2?
(I don't know if your team uses P levels, so ignore if not!)
jkratzer:
Hrmm. It doesn't have the fuzzblocker tag but it probably should. It's actually #9 on our list of most frequent crashers.
We've hit it ~400 times in the past week