Open
Bug 1805333
Opened 2 years ago
Updated 1 year ago
Hit MOZ_CRASH(assertion failed: mem::size_of::<T>() <= slice.len()) at gfx/webrender_bindings/src/moz2d_renderer.rs:91
Categories
(Core :: Graphics: WebRender, defect)
Core
Graphics: WebRender
Tracking
()
NEW
People
(Reporter: tsmith, Unassigned, NeedInfo)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed])
Crash Data
Attachments
(1 file)
|
(deleted),
text/html
|
Details |
Found while fuzzing m-c 20221212-d9b14b6b3a52 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Hit MOZ_CRASH(assertion failed: mem::size_of::<T>() <= slice.len()) at gfx/webrender_bindings/src/moz2d_renderer.rs:91
#0 0x7f37a4b21f25 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7f37a4b21f25 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7f37a4b21ea2 in mozglue_static::panic_hook::hd18ed6809dbf28d1 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:91:9
#3 0x7f37a4b2196b in core::ops::function::Fn::call::h07766207557d1e22 /rustc/897e37553bba8b42751c67658967889d11ecd120/library/core/src/ops/function.rs:77:5
#4 0x7f37a5bb956c in std::panicking::rust_panic_with_hook::h7b190ce1a948faac /rustc/897e37553bba8b42751c67658967889d11ecd120/library/std/src/panicking.rs:702:17
#5 0x7f37a5bb9380 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hbafbfdc3e1b97f68 /rustc/897e37553bba8b42751c67658967889d11ecd120/library/std/src/panicking.rs:586:13
#6 0x7f37a5bb652b in std::sys_common::backtrace::__rust_end_short_backtrace::hda93e5fef243b4c0 /rustc/897e37553bba8b42751c67658967889d11ecd120/library/std/src/sys_common/backtrace.rs:138:18
#7 0x7f37a5bb90e1 in rust_begin_unwind /rustc/897e37553bba8b42751c67658967889d11ecd120/library/std/src/panicking.rs:584:5
#8 0x7f37a5c0eca2 in core::panicking::panic_fmt::h8d17ca1073d9a733 /rustc/897e37553bba8b42751c67658967889d11ecd120/library/core/src/panicking.rs:142:14
#9 0x7f37a5c0eaec in core::panicking::panic::hf0565452d0d0936c /rustc/897e37553bba8b42751c67658967889d11ecd120/library/core/src/panicking.rs:48:5
#10 0x7f37a442f1b6 in webrender_bindings::moz2d_renderer::BlobReader::read_entry::h141b06455a565a95 /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/moz2d_renderer.rs
#11 0x7f37a4431832 in webrender_bindings::moz2d_renderer::CachedReader::next_entry_with_bounds::hfce5914fbb8af957 /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/moz2d_renderer.rs:365:23
#12 0x7f37a4431832 in webrender_bindings::moz2d_renderer::merge_blob_images::h27aeafd03f8b4ed0 /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/moz2d_renderer.rs:443:23
#13 0x7f37a4431832 in _$LT$webrender_bindings..moz2d_renderer..Moz2dBlobImageHandler$u20$as$u20$webrender_api..image..BlobImageHandler$GT$::update::hd5f382c1227dcab1 /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/moz2d_renderer.rs:685:41
#14 0x7f37a47af545 in webrender::api_resources::ApiResources::update_blob_image::he667e46cf3acf953 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/api_resources.rs:170:13
#15 0x7f37a47bc170 in webrender::api_resources::ApiResources::update::h484c56ac47cc82a2 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/api_resources.rs:80:21
#16 0x7f37a47bc170 in webrender::render_api::RenderApi::send_transaction::h833b8d53c7424c87 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/render_api.rs:1249:9
#17 0x7f37a4425ac1 in wr_api_send_transaction /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:2173:5
#18 0x7f379c5c9e27 in mozilla::layers::WebRenderBridgeParent::SetDisplayList(mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float> const&, mozilla::ipc::ByteBuf&&, mozilla::ipc::ByteBuf&&, mozilla::ipc::ByteBuf&&, mozilla::wr::BuiltDisplayListDescriptor const&, nsTArray<mozilla::layers::OpUpdateResource> const&, nsTArray<mozilla::layers::RefCountedShmem> const&, nsTArray<mozilla::ipc::Shmem> const&, mozilla::TimeStamp const&, mozilla::wr::TransactionBuilder&, mozilla::wr::Epoch, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderBridgeParent.cpp:1133:9
#19 0x7f379c5ca14d in mozilla::layers::WebRenderBridgeParent::ProcessDisplayListData(mozilla::layers::DisplayListData&, mozilla::wr::Epoch, mozilla::TimeStamp const&, bool, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderBridgeParent.cpp:1164:15
#20 0x7f379c5cb183 in mozilla::layers::WebRenderBridgeParent::RecvSetDisplayList(mozilla::layers::DisplayListData&&, nsTArray<mozilla::layers::OpDestroy>&&, unsigned long const&, mozilla::layers::BaseTransactionId<mozilla::layers::TransactionIdType> const&, bool const&, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, nsTSubstring<char> const&, mozilla::TimeStamp const&, nsTArray<mozilla::layers::CompositionPayload>&&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderBridgeParent.cpp:1223:18
#21 0x7f379c4165ff in mozilla::layers::PWebRenderBridgeParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebRenderBridgeParent.cpp:461:52
#22 0x7f379c3dda7a in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerParent.cpp:194:32
#23 0x7f379bdce95a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1756:25
#24 0x7f379bdcb5b7 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1681:9
#25 0x7f379bdcc105 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1481:3
#26 0x7f379bdcd43f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1579:14
#27 0x7f379b1dc727 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16
#28 0x7f379b1e2ddd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:474:10
#29 0x7f379bdd5463 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330:5
#30 0x7f379bcf91c8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#31 0x7f379bcf90d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#32 0x7f379bcf90d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#33 0x7f379b1d7ad7 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:383:10
#34 0x7f37ae31ec86 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#35 0x7f37aebc7b42 in start_thread nptl/pthread_create.c:442:8
#36 0x7f37aec599ff misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Flags: in-testsuite?
|
Reporter | |
Updated•2 years ago
|
Crash Signature: [@ webrender_bindings::moz2d_renderer::BlobReader::read_entry ]
|
||
Comment 1•2 years ago
|
||
Verified bug as reproducible on mozilla-central 20221213165020-300b0ac8eb7b.
Unable to bisect testcase (Testcase reproduces on start build!):
Start: b3695b7e81433b4c4951addc7d2ef3b6a52d67db (20211215044124)
End: d9b14b6b3a524e622cff771d8074baa88895f8f1 (20221212215229)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)
Whiteboard: [bugmon:bisected,confirmed]
|
||
Comment 2•2 years ago
|
||
(In reply to Tyson Smith [:tsmith] from comment #0)
Created attachment 9307946 [details]
testcase.htmlHit MOZ_CRASH(assertion failed: mem::size_of::<T>() <= slice.len()) at gfx/webrender_bindings/src/moz2d_renderer.rs:91
When I test testcase.html locally, slice.len() was 0 and mem::size_of::<T>() was 8. And both BufReader::pos and BufReader::buf.len() was 32.
|
|
||
Comment 3•2 years ago
|
||
:jrmuizel, :nical, can you comment to the bug?
Flags: needinfo?(nical.bugzilla)
Flags: needinfo?(jmuizelaar)
|
|
||
Updated•2 years ago
|
Severity: -- → S3
|
||
Updated•1 year ago
|
|
|
Reporter | |
Updated•1 year ago
|
|
|
||
Comment 4•1 year ago
|
||
Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
|
||
Comment 5•1 year ago
|
||
A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.
Keywords: bugmon
You need to log in
before you can comment on or make changes to this bug.
Description
•