Bug 1743190 Comment 0 Edit History


Found while fuzzing m-c 20211123-ba4d4963c38b (--enable-address-sanitizer --enable-fuzzing)

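To help catch this issue, `ASAN_OPTIONS=soft_rss_limit_mb=10000` was used. See Bug 1715316 for details about fuzzing-triggered OOMs. Note for triage: the SEGV in the trace below is raised inside `MOZ_Crash`, called from `mozalloc_handle_oom` via `moz_xmalloc`. It is therefore a deliberate abort on a failed allocation rather than an invalid access in the gfx code itself. The allocation that failed is a `std::string` growth under `operator<<` (gfx `Logging.h`) called from `RecordedFillGlyphs`. With an RSS limit in place, this frame is only where the limit was hit and is not necessarily what consumed the memory.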

```
==437624==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x5598a64199bf bp 0x7fa5ef7808f0 sp 0x7fa5ef7808d0 T48)
==437624==The signal is caused by a WRITE memory access.
==437624==Hint: address points to the zero page.
    #0 0x5598a64199bf in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:256:3
    #1 0x5598a64199bf in mozalloc_abort src/memory/mozalloc/mozalloc_abort.cpp:35:3
    #2 0x5598a64191ad in mozalloc_handle_oom(unsigned long) src/memory/mozalloc/mozalloc_oom.cpp:51:3
    #3 0x5598a64190cb in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54:5
    #4 0x5598a648b89b in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #5 0x5598a648b89b in allocate /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/ext/new_allocator.h:111:27
    #6 0x5598a648b89b in allocate /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/alloc_traits.h:436:20
    #7 0x5598a648b89b in _M_create /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/basic_string.tcc:153:14
    #8 0x5598a648b89b in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::reserve(unsigned long) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/basic_string.tcc:293:24
    #9 0x7fa636ef6336 in std::__cxx11::basic_stringbuf<char, std::char_traits<char>, std::allocator<char> >::overflow(int) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x139336)
    #10 0x7fa636efeb59 in std::basic_streambuf<char, std::char_traits<char> >::xsputn(char const*, long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x141b59)
    #11 0x7fa636ef0823 in std::basic_ostream<char, std::char_traits<char> >& std::__ostream_insert<char, std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*, long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x133823)
    #12 0x7fa636ef0bdb in std::basic_ostream<char, std::char_traits<char> >& std::operator<<<std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x133bdb)
    #13 0x7fa61a95a4d7 in operator<< src/gfx/2d/Logging.h:296:16
    #14 0x7fa61a95a4d7 in RecordedFillGlyphs<MemReader> src/gfx/2d/RecordedEventImpl.h:2423:21
    #15 0x7fa61a95a4d7 in DoWithEvent<MemReader> src/gfx/2d/RecordedEventImpl.h:4061:5
    #16 0x7fa61a95a4d7 in mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long) src/gfx/2d/InlineTranslator.cpp:72:20
    #17 0x7fa61b22b514 in Moz2DRenderCallback src/gfx/webrender_bindings/Moz2DImageRenderer.cpp:427:20
    #18 0x7fa61b22b514 in wr_moz2d_render_cb src/gfx/webrender_bindings/Moz2DImageRenderer.cpp:471:10
    #19 0x7fa627b3cef0 in webrender_bindings::moz2d_renderer::rasterize_blob::_$u7b$$u7b$closure$u7d$$u7d$::h3121e484a1b67f3d src/gfx/webrender_bindings/src/moz2d_renderer.rs:608:16
    #20 0x7fa627b3cef0 in webrender_bindings::moz2d_renderer::autoreleasepool::h94fc726760f09370 src/gfx/webrender_bindings/src/moz2d_renderer.rs:590:9
    #21 0x7fa627b3cef0 in webrender_bindings::moz2d_renderer::rasterize_blob::h7ac12f4789a022e5 src/gfx/webrender_bindings/src/moz2d_renderer.rs:606:18
    #22 0x7fa627ae74ec in core::ops::function::Fn::call::h1d4fdb0a52fa4f92 /builds/worker/fetches/rust/library/core/src/ops/function.rs:70:5
    #23 0x7fa627ae74ec in core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnMut$LT$A$GT$$u20$for$u20$$RF$F$GT$::call_mut::h2daa2bac6a5ab398 /builds/worker/fetches/rust/library/core/src/ops/function.rs:247:13
    #24 0x7fa627ae74ec in core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnOnce$LT$A$GT$$u20$for$u20$$RF$mut$u20$F$GT$::call_once::hc26ac72e9f193759 /builds/worker/fetches/rust/library/core/src/ops/function.rs:280:13
    #25 0x7fa627ae74ec in core::option::Option$LT$T$GT$::map::h4bdf95ca64ca0e4f /builds/worker/fetches/rust/library/core/src/option.rs:836:29
    #26 0x7fa627ae74ec in _$LT$core..iter..adapters..map..Map$LT$I$C$F$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::next::hc641fd93fafa78ac /builds/worker/fetches/rust/library/core/src/iter/adapters/map.rs:103:9
    #27 0x7fa627ae74ec in rayon::iter::plumbing::Folder::consume_iter::h89674144a63c178b src/third_party/rust/rayon/src/iter/plumbing/mod.rs:178:21
    #28 0x7fa627ae74ec in _$LT$rayon..iter..map..MapFolder$LT$C$C$F$GT$$u20$as$u20$rayon..iter..plumbing..Folder$LT$T$GT$$GT$::consume_iter::h5ce7eee21e60f4cb src/third_party/rust/rayon/src/iter/map.rs:248:21
    #29 0x7fa627ae74ec in rayon::iter::plumbing::Producer::fold_with::hd549d60b27ae1f60 src/third_party/rust/rayon/src/iter/plumbing/mod.rs:110:9
    #30 0x7fa627ae74ec in rayon::iter::plumbing::bridge_producer_consumer::helper::hbdff87fa1f93f71e src/third_party/rust/rayon/src/iter/plumbing/mod.rs:438:13
    #31 0x7fa627a5f455 in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::h0bdff91ebad9d71a src/third_party/rust/rayon/src/iter/plumbing/mod.rs:418:21
    #32 0x7fa627a5f455 in rayon_core::join::join_context::call_a::_$u7b$$u7b$closure$u7d$$u7d$::h0a90fed1d90eb9f6 src/third_party/rust/rayon-core/src/join/mod.rs:124:17
    #33 0x7fa627a5f455 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h11bb5129af55f89e /builds/worker/fetches/rust/library/core/src/panic/unwind_safe.rs:271:9
    #34 0x7fa627a5f455 in std::panicking::try::do_call::h6080a873f99cc4e5 /builds/worker/fetches/rust/library/std/src/panicking.rs:403:40
    #35 0x7fa627a5f455 in std::panicking::try::h40c2f1c016c4dfb3 /builds/worker/fetches/rust/library/std/src/panicking.rs:367:19
    #36 0x7fa627a5f455 in std::panic::catch_unwind::h40c9990754be49bf /builds/worker/fetches/rust/library/std/src/panic.rs:129:14
    #37 0x7fa627a5f455 in rayon_core::unwind::halt_unwinding::h7471fbc0ba16f85d src/third_party/rust/rayon-core/src/unwind.rs:17:5
    #38 0x7fa627a5f455 in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::h770f75d7ee3fa002 src/third_party/rust/rayon-core/src/join/mod.rs:141:24
    #39 0x7fa627a604e2 in rayon_core::registry::in_worker::h4e106ab7d121351a src/third_party/rust/rayon-core/src/registry.rs:875:13
    #40 0x7fa627ae78f7 in rayon_core::join::join_context::hd698d4c3e8d29183 src/third_party/rust/rayon-core/src/join/mod.rs:132:5
    #41 0x7fa627ae78f7 in rayon::iter::plumbing::bridge_producer_consumer::helper::hbdff87fa1f93f71e src/third_party/rust/rayon/src/iter/plumbing/mod.rs:416:47
    #42 0x7fa627a5f998 in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::hc3fb560020e50bd4 src/third_party/rust/rayon/src/iter/plumbing/mod.rs:427:21
    #43 0x7fa627a5f998 in rayon_core::join::join_context::call_b::_$u7b$$u7b$closure$u7d$$u7d$::hf9baeb8f142826d5 src/third_party/rust/rayon-core/src/join/mod.rs:129:25
    #44 0x7fa627a5f998 in rayon_core::job::StackJob$LT$L$C$F$C$R$GT$::run_inline::h903d51559bafd42e src/third_party/rust/rayon-core/src/job.rs:97:9
    #45 0x7fa627a5f998 in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::h770f75d7ee3fa002 src/third_party/rust/rayon-core/src/join/mod.rs:158:36
    #46 0x7fa627a604e2 in rayon_core::registry::in_worker::h4e106ab7d121351a src/third_party/rust/rayon-core/src/registry.rs:875:13
    #47 0x7fa627ae78f7 in rayon_core::join::join_context::hd698d4c3e8d29183 src/third_party/rust/rayon-core/src/join/mod.rs:132:5
    #48 0x7fa627ae78f7 in rayon::iter::plumbing::bridge_producer_consumer::helper::hbdff87fa1f93f71e src/third_party/rust/rayon/src/iter/plumbing/mod.rs:416:47
    #49 0x7fa627a5f998 in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::hc3fb560020e50bd4 src/third_party/rust/rayon/src/iter/plumbing/mod.rs:427:21
    #50 0x7fa627a5f998 in rayon_core::join::join_context::call_b::_$u7b$$u7b$closure$u7d$$u7d$::hf9baeb8f142826d5 src/third_party/rust/rayon-core/src/join/mod.rs:129:25
    #51 0x7fa627a5f998 in rayon_core::job::StackJob$LT$L$C$F$C$R$GT$::run_inline::h903d51559bafd42e src/third_party/rust/rayon-core/src/job.rs:97:9
    #52 0x7fa627a5f998 in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::h770f75d7ee3fa002 src/third_party/rust/rayon-core/src/join/mod.rs:158:36
    #53 0x7fa627a604e2 in rayon_core::registry::in_worker::h4e106ab7d121351a src/third_party/rust/rayon-core/src/registry.rs:875:13
    #54 0x7fa627ae78f7 in rayon_core::join::join_context::hd698d4c3e8d29183 src/third_party/rust/rayon-core/src/join/mod.rs:132:5
    #55 0x7fa627ae78f7 in rayon::iter::plumbing::bridge_producer_consumer::helper::hbdff87fa1f93f71e src/third_party/rust/rayon/src/iter/plumbing/mod.rs:416:47
    #56 0x7fa627a5f455 in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::h0bdff91ebad9d71a src/third_party/rust/rayon/src/iter/plumbing/mod.rs:418:21
    #57 0x7fa627a5f455 in rayon_core::join::join_context::call_a::_$u7b$$u7b$closure$u7d$$u7d$::h0a90fed1d90eb9f6 src/third_party/rust/rayon-core/src/join/mod.rs:124:17
    #58 0x7fa627a5f455 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h11bb5129af55f89e /builds/worker/fetches/rust/library/core/src/panic/unwind_safe.rs:271:9
    #59 0x7fa627a5f455 in std::panicking::try::do_call::h6080a873f99cc4e5 /builds/worker/fetches/rust/library/std/src/panicking.rs:403:40
    #60 0x7fa627a5f455 in std::panicking::try::h40c2f1c016c4dfb3 /builds/worker/fetches/rust/library/std/src/panicking.rs:367:19
    #61 0x7fa627a5f455 in std::panic::catch_unwind::h40c9990754be49bf /builds/worker/fetches/rust/library/std/src/panic.rs:129:14
    #62 0x7fa627a5f455 in rayon_core::unwind::halt_unwinding::h7471fbc0ba16f85d src/third_party/rust/rayon-core/src/unwind.rs:17:5
    #63 0x7fa627a5f455 in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::h770f75d7ee3fa002 src/third_party/rust/rayon-core/src/join/mod.rs:141:24
    #64 0x7fa627a604e2 in rayon_core::registry::in_worker::h4e106ab7d121351a src/third_party/rust/rayon-core/src/registry.rs:875:13
    #65 0x7fa627ae78f7 in rayon_core::join::join_context::hd698d4c3e8d29183 src/third_party/rust/rayon-core/src/join/mod.rs:132:5
    #66 0x7fa627ae78f7 in rayon::iter::plumbing::bridge_producer_consumer::helper::hbdff87fa1f93f71e src/third_party/rust/rayon/src/iter/plumbing/mod.rs:416:47
    #67 0x7fa627aee54f in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::hc3fb560020e50bd4 src/third_party/rust/rayon/src/iter/plumbing/mod.rs:427:21
    #68 0x7fa627aee54f in rayon_core::join::join_context::call_b::_$u7b$$u7b$closure$u7d$$u7d$::hf9baeb8f142826d5 src/third_party/rust/rayon-core/src/join/mod.rs:129:25
    #69 0x7fa627aee54f in _$LT$rayon_core..job..StackJob$LT$L$C$F$C$R$GT$$u20$as$u20$rayon_core..job..Job$GT$::execute::call::_$u7b$$u7b$closure$u7d$$u7d$::hd593021b281171fa src/third_party/rust/rayon-core/src/job.rs:113:21
    #70 0x7fa627aee54f in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h1642f5dafb808850 /builds/worker/fetches/rust/library/core/src/panic/unwind_safe.rs:271:9
    #71 0x7fa627aee54f in std::panicking::try::do_call::h30eabcaae97f70d2 /builds/worker/fetches/rust/library/std/src/panicking.rs:403:40
    #72 0x7fa627aee54f in std::panicking::try::h0423b5c741d490f1 /builds/worker/fetches/rust/library/std/src/panicking.rs:367:19
    #73 0x7fa627aee54f in std::panic::catch_unwind::hcf5b7b41760afdd9 /builds/worker/fetches/rust/library/std/src/panic.rs:129:14
    #74 0x7fa627aee54f in rayon_core::unwind::halt_unwinding::h4697030baefde3a1 src/third_party/rust/rayon-core/src/unwind.rs:17:5
    #75 0x7fa627aee54f in _$LT$rayon_core..job..StackJob$LT$L$C$F$C$R$GT$$u20$as$u20$rayon_core..job..Job$GT$::execute::hf99af5423fc4a2df src/third_party/rust/rayon-core/src/job.rs:119:38
    #76 0x7fa61745032e in rayon_core::job::JobRef::execute::h74045f552c619ac1 src/third_party/rust/rayon-core/src/job.rs:59:9
    #77 0x7fa61745032e in rayon_core::registry::WorkerThread::execute::h37d6b3c282c8162e src/third_party/rust/rayon-core/src/registry.rs:749:9
    #78 0x7fa61745032e in rayon_core::registry::WorkerThread::wait_until_cold::h31d960cf9200795d src/third_party/rust/rayon-core/src/registry.rs:726:17
    #79 0x7fa62aaf651b in rayon_core::registry::WorkerThread::wait_until::h8e765de677ad8089 src/third_party/rust/rayon-core/src/registry.rs:700:13
    #80 0x7fa62aaf651b in rayon_core::registry::main_loop::h580ef685ddecc0c8 src/third_party/rust/rayon-core/src/registry.rs:833:5
    #81 0x7fa62aaf651b in rayon_core::registry::ThreadBuilder::run::haaeba247cf6e02cc src/third_party/rust/rayon-core/src/registry.rs:55:18
    #82 0x7fa62aaed26f in _$LT$rayon_core..registry..DefaultSpawn$u20$as$u20$rayon_core..registry..ThreadSpawn$GT$::spawn::_$u7b$$u7b$closure$u7d$$u7d$::h6761b6ccbae559d1 src/third_party/rust/rayon-core/src/registry.rs:100:20
    #83 0x7fa62aaed26f in std::sys_common::backtrace::__rust_begin_short_backtrace::h4f97be4da9afa348 /builds/worker/fetches/rust/library/std/src/sys_common/backtrace.rs:125:18
    #84 0x7fa62aaf01c6 in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hed0d8f0c9e387cb6 /builds/worker/fetches/rust/library/std/src/thread/mod.rs:481:17
    #85 0x7fa62aaf01c6 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h89167dd2882d4624 /builds/worker/fetches/rust/library/core/src/panic/unwind_safe.rs:271:9
    #86 0x7fa62aaf01c6 in std::panicking::try::do_call::h1adeb507d8438ee2 /builds/worker/fetches/rust/library/std/src/panicking.rs:403:40
    #87 0x7fa62aaf01c6 in std::panicking::try::h90eaa657a7cba4f9 /builds/worker/fetches/rust/library/std/src/panicking.rs:367:19
    #88 0x7fa62aaf01c6 in std::panic::catch_unwind::h27c6bbf3f633e963 /builds/worker/fetches/rust/library/std/src/panic.rs:129:14
    #89 0x7fa62aaf01c6 in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::h90d1049625be4dd0 /builds/worker/fetches/rust/library/std/src/thread/mod.rs:480:30
    #90 0x7fa62aaf01c6 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h99fd14033cc91353 /builds/worker/fetches/rust/library/core/src/ops/function.rs:227:5
    #91 0x7fa62ac58942 in std::sys::unix::thread::Thread::new::thread_start::h3b1213720f18b702 std.ac3adaa7-cgu.2
    #92 0x7fa636fa8608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #93 0x7fa636b70292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:256:3 in MOZ_Crash
Thread T48 (WRWorkerLP#2) created by T0 (GeckoMain) here:
    #0 0x5598a63c8a8c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:207:3
    #1 0x7fa62ac587c4 in std::sys::unix::thread::Thread::new::h6fcfdf86716b7232 (/home/user/workspace/browsers/m-c-20211123215113-fuzzing-asan-opt/libxul.so+0x184b47c4)
    #2 0x7fa627afeb82 in rayon_core::registry::Registry::new::hd9460046afb5a48d src/third_party/rust/rayon-core/src/registry.rs:256:29
    #3 0x7fa627afeb82 in rayon_core::thread_pool::ThreadPool::build::h1e0f8cfb23d49845 src/third_party/rust/rayon-core/src/thread_pool/mod.rs:70:24
    #4 0x7fa627afeb82 in rayon_core::ThreadPoolBuilder$LT$S$GT$::build::h4319e46c3efafd4c src/third_party/rust/rayon-core/src/lib.rs:226:9
    #5 0x7fa627afeb82 in wr_thread_pool_new src/gfx/webrender_bindings/src/bindings.rs:1093:18
    #6 0x7fa61b249f9e in WebRenderThreadPool src/gfx/webrender_bindings/RenderThread.cpp:1078:17
    #7 0x7fa61b249f9e in mozilla::wr::RenderThread::RenderThread(RefPtr<nsIThread>) src/gfx/webrender_bindings/RenderThread.cpp:73:7
    #8 0x7fa61b24ab46 in mozilla::wr::RenderThread::Start() src/gfx/webrender_bindings/RenderThread.cpp:114:23
    #9 0x7fa61afebe3e in InitLayersIPC src/gfx/thebes/gfxPlatform.cpp:1291:7
    #10 0x7fa61afebe3e in gfxPlatform::Init() src/gfx/thebes/gfxPlatform.cpp:957:3
    #11 0x7fa61afeeeb0 in GetPlatform src/gfx/thebes/gfxPlatform.cpp:466:5
    #12 0x7fa61afeeeb0 in gfxPlatform::InitializeCMS() src/gfx/thebes/gfxPlatform.cpp:2084:9
    #13 0x7fa6200e05f9 in GetCMSMode /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:521:5
    #14 0x7fa6200e05f9 in nsXPLookAndFeel::GetColorValue(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins, unsigned int&) src/widget/nsXPLookAndFeel.cpp:866:9
    #15 0x7fa6200e420e in mozilla::LookAndFeel::GetColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) src/widget/nsXPLookAndFeel.cpp:1211:47
    #16 0x7fa620057668 in Color /builds/worker/workspace/obj-build/dist/include/mozilla/LookAndFeel.h:449:12
    #17 0x7fa620057668 in ThemedAccentColor src/widget/ThemeColors.cpp:89:37
    #18 0x7fa620057668 in mozilla::widget::ThemeColors::RecomputeAccentColors() src/widget/ThemeColors.cpp:170:20
    #19 0x7fa62009a50a in nsNativeBasicTheme::LookAndFeelChanged() src/widget/nsNativeBasicTheme.cpp:123:3
    #20 0x7fa6200deae2 in nsXPLookAndFeel::GetInstance() src/widget/nsXPLookAndFeel.cpp:358:3
    #21 0x7fa6200e4c0d in mozilla::LookAndFeel::GetThemeInfo(nsTSubstring<char>&) src/widget/nsXPLookAndFeel.cpp:1328:3
    #22 0x7fa617f53947 in nsSystemInfo::Init() src/xpcom/base/nsSystemInfo.cpp:1041:5
    #23 0x7fa61805a4f4 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:9166:7
    #24 0x7fa6180a99e7 in CreateInstance src/xpcom/components/nsComponentManager.cpp:177:46
    #25 0x7fa6180a99e7 in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::MonitorAutoLock>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) src/xpcom/components/nsComponentManager.cpp:1276:17
    #26 0x7fa6180aa498 in nsComponentManagerImpl::GetService(mozilla::xpcom::ModuleID, nsID const&, void**) src/xpcom/components/nsComponentManager.cpp:1366:10
    #27 0x7fa61807e7bd in mozilla::xpcom::GetServiceHelper::operator()(nsID const&, void**) const /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:12273:50
    #28 0x7fa617f10981 in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) src/xpcom/base/nsCOMPtr.cpp:109:7
    #29 0x7fa61a47ab8c in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:999:5
    #30 0x7fa61a47ab8c in GetServiceImpl src/js/xpconnect/src/JSServices.cpp:84:32
    #31 0x7fa61a47ab8c in GetService src/js/xpconnect/src/JSServices.cpp:131:8
    #32 0x7fa61a47ab8c in xpc::Services_Resolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) src/js/xpconnect/src/JSServices.cpp:154:25
    #33 0x7fa625339177 in CallResolveOp src/js/src/vm/NativeObject-inl.h:634:8
    #34 0x7fa625339177 in NativeLookupOwnPropertyInline<js::CanGC, js::LookupResolveMode::CheckResolve> src/js/src/vm/NativeObject-inl.h:751:14
    #35 0x7fa625339177 in NativeGetPropertyInline<js::CanGC> src/js/src/vm/NativeObject.cpp:2099:10
    #36 0x7fa625339177 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) src/js/src/vm/NativeObject.cpp:2147:10
    #37 0x7fa624e30359 in GetProperty src/js/src/vm/ObjectOperations-inl.h:115:10
    #38 0x7fa624e30359 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) src/js/src/vm/ObjectOperations-inl.h:122:10
    #39 0x7fa624e2f9b4 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:4548:10
    #40 0x7fa624e007bd in GetPropertyOperation src/js/src/vm/Interpreter.cpp:204:10
    #41 0x7fa624e007bd in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:2907:12
    #42 0x7fa624df8011 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:357:13
    #43 0x7fa624e26ddc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:507:13
    #44 0x7fa624e28f2b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:552:8
    #45 0x7fa62509af3c in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/vm/CallAndConstruct.cpp:53:10
    #46 0x7fa61a4c1908 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:973:17
    #47 0x7fa61814ee02 in PrepareAndDispatch src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
    #48 0x7fa61814db8a in SharedStub xptcstubs_x86_64_linux.cpp
    #49 0x7fa61809fdd2 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) src/xpcom/components/nsCategoryManager.cpp:687:19
    #50 0x7fa624b5f5c9 in nsXREDirProvider::DoStartup() src/toolkit/xre/nsXREDirProvider.cpp:976:11
    #51 0x7fa624b3a833 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:5044:18
    #52 0x7fa624b3db39 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5494:8
    #53 0x7fa624b3e873 in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5553:21
    #54 0x5598a64136d9 in do_main src/browser/app/nsBrowserApp.cpp:225:22
    #55 0x5598a64136d9 in main src/browser/app/nsBrowserApp.cpp:395:16
    #56 0x7fa636a750b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
```
Found while fuzzing m-c 20211123-ba4d4963c38b (--enable-address-sanitizer --enable-fuzzing)

To help catch this issue, `ASAN_OPTIONS=hard_rss_limit_mb=10000` was used. See Bug 1715316 for details about fuzzing-triggered OOMs.

```
==437624==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x5598a64199bf bp 0x7fa5ef7808f0 sp 0x7fa5ef7808d0 T48)
==437624==The signal is caused by a WRITE memory access.
==437624==Hint: address points to the zero page.
    #0 0x5598a64199bf in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:256:3
    #1 0x5598a64199bf in mozalloc_abort src/memory/mozalloc/mozalloc_abort.cpp:35:3
    #2 0x5598a64191ad in mozalloc_handle_oom(unsigned long) src/memory/mozalloc/mozalloc_oom.cpp:51:3
    #3 0x5598a64190cb in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54:5
    #4 0x5598a648b89b in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #5 0x5598a648b89b in allocate /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/ext/new_allocator.h:111:27
    #6 0x5598a648b89b in allocate /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/alloc_traits.h:436:20
    #7 0x5598a648b89b in _M_create /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/basic_string.tcc:153:14
    #8 0x5598a648b89b in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::reserve(unsigned long) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/basic_string.tcc:293:24
    #9 0x7fa636ef6336 in std::__cxx11::basic_stringbuf<char, std::char_traits<char>, std::allocator<char> >::overflow(int) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x139336)
    #10 0x7fa636efeb59 in std::basic_streambuf<char, std::char_traits<char> >::xsputn(char const*, long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x141b59)
    #11 0x7fa636ef0823 in std::basic_ostream<char, std::char_traits<char> >& std::__ostream_insert<char, std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*, long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x133823)
    #12 0x7fa636ef0bdb in std::basic_ostream<char, std::char_traits<char> >& std::operator<<<std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x133bdb)
    #13 0x7fa61a95a4d7 in operator<< src/gfx/2d/Logging.h:296:16
    #14 0x7fa61a95a4d7 in RecordedFillGlyphs<MemReader> src/gfx/2d/RecordedEventImpl.h:2423:21
    #15 0x7fa61a95a4d7 in DoWithEvent<MemReader> src/gfx/2d/RecordedEventImpl.h:4061:5
    #16 0x7fa61a95a4d7 in mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long) src/gfx/2d/InlineTranslator.cpp:72:20
    #17 0x7fa61b22b514 in Moz2DRenderCallback src/gfx/webrender_bindings/Moz2DImageRenderer.cpp:427:20
    #18 0x7fa61b22b514 in wr_moz2d_render_cb src/gfx/webrender_bindings/Moz2DImageRenderer.cpp:471:10
    #19 0x7fa627b3cef0 in webrender_bindings::moz2d_renderer::rasterize_blob::_$u7b$$u7b$closure$u7d$$u7d$::h3121e484a1b67f3d src/gfx/webrender_bindings/src/moz2d_renderer.rs:608:16
    #20 0x7fa627b3cef0 in webrender_bindings::moz2d_renderer::autoreleasepool::h94fc726760f09370 src/gfx/webrender_bindings/src/moz2d_renderer.rs:590:9
    #21 0x7fa627b3cef0 in webrender_bindings::moz2d_renderer::rasterize_blob::h7ac12f4789a022e5 src/gfx/webrender_bindings/src/moz2d_renderer.rs:606:18
    #22 0x7fa627ae74ec in core::ops::function::Fn::call::h1d4fdb0a52fa4f92 /builds/worker/fetches/rust/library/core/src/ops/function.rs:70:5
    #23 0x7fa627ae74ec in core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnMut$LT$A$GT$$u20$for$u20$$RF$F$GT$::call_mut::h2daa2bac6a5ab398 /builds/worker/fetches/rust/library/core/src/ops/function.rs:247:13
    #24 0x7fa627ae74ec in core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnOnce$LT$A$GT$$u20$for$u20$$RF$mut$u20$F$GT$::call_once::hc26ac72e9f193759 /builds/worker/fetches/rust/library/core/src/ops/function.rs:280:13
    #25 0x7fa627ae74ec in core::option::Option$LT$T$GT$::map::h4bdf95ca64ca0e4f /builds/worker/fetches/rust/library/core/src/option.rs:836:29
    #26 0x7fa627ae74ec in _$LT$core..iter..adapters..map..Map$LT$I$C$F$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::next::hc641fd93fafa78ac /builds/worker/fetches/rust/library/core/src/iter/adapters/map.rs:103:9
    #27 0x7fa627ae74ec in rayon::iter::plumbing::Folder::consume_iter::h89674144a63c178b src/third_party/rust/rayon/src/iter/plumbing/mod.rs:178:21
    #28 0x7fa627ae74ec in _$LT$rayon..iter..map..MapFolder$LT$C$C$F$GT$$u20$as$u20$rayon..iter..plumbing..Folder$LT$T$GT$$GT$::consume_iter::h5ce7eee21e60f4cb src/third_party/rust/rayon/src/iter/map.rs:248:21
    #29 0x7fa627ae74ec in rayon::iter::plumbing::Producer::fold_with::hd549d60b27ae1f60 src/third_party/rust/rayon/src/iter/plumbing/mod.rs:110:9
    #30 0x7fa627ae74ec in rayon::iter::plumbing::bridge_producer_consumer::helper::hbdff87fa1f93f71e src/third_party/rust/rayon/src/iter/plumbing/mod.rs:438:13
    #31 0x7fa627a5f455 in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::h0bdff91ebad9d71a src/third_party/rust/rayon/src/iter/plumbing/mod.rs:418:21
    #32 0x7fa627a5f455 in rayon_core::join::join_context::call_a::_$u7b$$u7b$closure$u7d$$u7d$::h0a90fed1d90eb9f6 src/third_party/rust/rayon-core/src/join/mod.rs:124:17
    #33 0x7fa627a5f455 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h11bb5129af55f89e /builds/worker/fetches/rust/library/core/src/panic/unwind_safe.rs:271:9
    #34 0x7fa627a5f455 in std::panicking::try::do_call::h6080a873f99cc4e5 /builds/worker/fetches/rust/library/std/src/panicking.rs:403:40
    #35 0x7fa627a5f455 in std::panicking::try::h40c2f1c016c4dfb3 /builds/worker/fetches/rust/library/std/src/panicking.rs:367:19
    #36 0x7fa627a5f455 in std::panic::catch_unwind::h40c9990754be49bf /builds/worker/fetches/rust/library/std/src/panic.rs:129:14
    #37 0x7fa627a5f455 in rayon_core::unwind::halt_unwinding::h7471fbc0ba16f85d src/third_party/rust/rayon-core/src/unwind.rs:17:5
    #38 0x7fa627a5f455 in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::h770f75d7ee3fa002 src/third_party/rust/rayon-core/src/join/mod.rs:141:24
    #39 0x7fa627a604e2 in rayon_core::registry::in_worker::h4e106ab7d121351a src/third_party/rust/rayon-core/src/registry.rs:875:13
    #40 0x7fa627ae78f7 in rayon_core::join::join_context::hd698d4c3e8d29183 src/third_party/rust/rayon-core/src/join/mod.rs:132:5
    #41 0x7fa627ae78f7 in rayon::iter::plumbing::bridge_producer_consumer::helper::hbdff87fa1f93f71e src/third_party/rust/rayon/src/iter/plumbing/mod.rs:416:47
    #42 0x7fa627a5f998 in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::hc3fb560020e50bd4 src/third_party/rust/rayon/src/iter/plumbing/mod.rs:427:21
    #43 0x7fa627a5f998 in rayon_core::join::join_context::call_b::_$u7b$$u7b$closure$u7d$$u7d$::hf9baeb8f142826d5 src/third_party/rust/rayon-core/src/join/mod.rs:129:25
    #44 0x7fa627a5f998 in rayon_core::job::StackJob$LT$L$C$F$C$R$GT$::run_inline::h903d51559bafd42e src/third_party/rust/rayon-core/src/job.rs:97:9
    #45 0x7fa627a5f998 in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::h770f75d7ee3fa002 src/third_party/rust/rayon-core/src/join/mod.rs:158:36
    #46 0x7fa627a604e2 in rayon_core::registry::in_worker::h4e106ab7d121351a src/third_party/rust/rayon-core/src/registry.rs:875:13
    #47 0x7fa627ae78f7 in rayon_core::join::join_context::hd698d4c3e8d29183 src/third_party/rust/rayon-core/src/join/mod.rs:132:5
    #48 0x7fa627ae78f7 in rayon::iter::plumbing::bridge_producer_consumer::helper::hbdff87fa1f93f71e src/third_party/rust/rayon/src/iter/plumbing/mod.rs:416:47
    #49 0x7fa627a5f998 in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::hc3fb560020e50bd4 src/third_party/rust/rayon/src/iter/plumbing/mod.rs:427:21
    #50 0x7fa627a5f998 in rayon_core::join::join_context::call_b::_$u7b$$u7b$closure$u7d$$u7d$::hf9baeb8f142826d5 src/third_party/rust/rayon-core/src/join/mod.rs:129:25
    #51 0x7fa627a5f998 in rayon_core::job::StackJob$LT$L$C$F$C$R$GT$::run_inline::h903d51559bafd42e src/third_party/rust/rayon-core/src/job.rs:97:9
    #52 0x7fa627a5f998 in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::h770f75d7ee3fa002 src/third_party/rust/rayon-core/src/join/mod.rs:158:36
    #53 0x7fa627a604e2 in rayon_core::registry::in_worker::h4e106ab7d121351a src/third_party/rust/rayon-core/src/registry.rs:875:13
    #54 0x7fa627ae78f7 in rayon_core::join::join_context::hd698d4c3e8d29183 src/third_party/rust/rayon-core/src/join/mod.rs:132:5
    #55 0x7fa627ae78f7 in rayon::iter::plumbing::bridge_producer_consumer::helper::hbdff87fa1f93f71e src/third_party/rust/rayon/src/iter/plumbing/mod.rs:416:47
    #56 0x7fa627a5f455 in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::h0bdff91ebad9d71a src/third_party/rust/rayon/src/iter/plumbing/mod.rs:418:21
    #57 0x7fa627a5f455 in rayon_core::join::join_context::call_a::_$u7b$$u7b$closure$u7d$$u7d$::h0a90fed1d90eb9f6 src/third_party/rust/rayon-core/src/join/mod.rs:124:17
    #58 0x7fa627a5f455 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h11bb5129af55f89e /builds/worker/fetches/rust/library/core/src/panic/unwind_safe.rs:271:9
    #59 0x7fa627a5f455 in std::panicking::try::do_call::h6080a873f99cc4e5 /builds/worker/fetches/rust/library/std/src/panicking.rs:403:40
    #60 0x7fa627a5f455 in std::panicking::try::h40c2f1c016c4dfb3 /builds/worker/fetches/rust/library/std/src/panicking.rs:367:19
    #61 0x7fa627a5f455 in std::panic::catch_unwind::h40c9990754be49bf /builds/worker/fetches/rust/library/std/src/panic.rs:129:14
    #62 0x7fa627a5f455 in rayon_core::unwind::halt_unwinding::h7471fbc0ba16f85d src/third_party/rust/rayon-core/src/unwind.rs:17:5
    #63 0x7fa627a5f455 in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::h770f75d7ee3fa002 src/third_party/rust/rayon-core/src/join/mod.rs:141:24
    #64 0x7fa627a604e2 in rayon_core::registry::in_worker::h4e106ab7d121351a src/third_party/rust/rayon-core/src/registry.rs:875:13
    #65 0x7fa627ae78f7 in rayon_core::join::join_context::hd698d4c3e8d29183 src/third_party/rust/rayon-core/src/join/mod.rs:132:5
    #66 0x7fa627ae78f7 in rayon::iter::plumbing::bridge_producer_consumer::helper::hbdff87fa1f93f71e src/third_party/rust/rayon/src/iter/plumbing/mod.rs:416:47
    #67 0x7fa627aee54f in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::hc3fb560020e50bd4 src/third_party/rust/rayon/src/iter/plumbing/mod.rs:427:21
    #68 0x7fa627aee54f in rayon_core::join::join_context::call_b::_$u7b$$u7b$closure$u7d$$u7d$::hf9baeb8f142826d5 src/third_party/rust/rayon-core/src/join/mod.rs:129:25
    #69 0x7fa627aee54f in _$LT$rayon_core..job..StackJob$LT$L$C$F$C$R$GT$$u20$as$u20$rayon_core..job..Job$GT$::execute::call::_$u7b$$u7b$closure$u7d$$u7d$::hd593021b281171fa src/third_party/rust/rayon-core/src/job.rs:113:21
    #70 0x7fa627aee54f in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h1642f5dafb808850 /builds/worker/fetches/rust/library/core/src/panic/unwind_safe.rs:271:9
    #71 0x7fa627aee54f in std::panicking::try::do_call::h30eabcaae97f70d2 /builds/worker/fetches/rust/library/std/src/panicking.rs:403:40
    #72 0x7fa627aee54f in std::panicking::try::h0423b5c741d490f1 /builds/worker/fetches/rust/library/std/src/panicking.rs:367:19
    #73 0x7fa627aee54f in std::panic::catch_unwind::hcf5b7b41760afdd9 /builds/worker/fetches/rust/library/std/src/panic.rs:129:14
    #74 0x7fa627aee54f in rayon_core::unwind::halt_unwinding::h4697030baefde3a1 src/third_party/rust/rayon-core/src/unwind.rs:17:5
    #75 0x7fa627aee54f in _$LT$rayon_core..job..StackJob$LT$L$C$F$C$R$GT$$u20$as$u20$rayon_core..job..Job$GT$::execute::hf99af5423fc4a2df src/third_party/rust/rayon-core/src/job.rs:119:38
    #76 0x7fa61745032e in rayon_core::job::JobRef::execute::h74045f552c619ac1 src/third_party/rust/rayon-core/src/job.rs:59:9
    #77 0x7fa61745032e in rayon_core::registry::WorkerThread::execute::h37d6b3c282c8162e src/third_party/rust/rayon-core/src/registry.rs:749:9
    #78 0x7fa61745032e in rayon_core::registry::WorkerThread::wait_until_cold::h31d960cf9200795d src/third_party/rust/rayon-core/src/registry.rs:726:17
    #79 0x7fa62aaf651b in rayon_core::registry::WorkerThread::wait_until::h8e765de677ad8089 src/third_party/rust/rayon-core/src/registry.rs:700:13
    #80 0x7fa62aaf651b in rayon_core::registry::main_loop::h580ef685ddecc0c8 src/third_party/rust/rayon-core/src/registry.rs:833:5
    #81 0x7fa62aaf651b in rayon_core::registry::ThreadBuilder::run::haaeba247cf6e02cc src/third_party/rust/rayon-core/src/registry.rs:55:18
    #82 0x7fa62aaed26f in _$LT$rayon_core..registry..DefaultSpawn$u20$as$u20$rayon_core..registry..ThreadSpawn$GT$::spawn::_$u7b$$u7b$closure$u7d$$u7d$::h6761b6ccbae559d1 src/third_party/rust/rayon-core/src/registry.rs:100:20
    #83 0x7fa62aaed26f in std::sys_common::backtrace::__rust_begin_short_backtrace::h4f97be4da9afa348 /builds/worker/fetches/rust/library/std/src/sys_common/backtrace.rs:125:18
    #84 0x7fa62aaf01c6 in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hed0d8f0c9e387cb6 /builds/worker/fetches/rust/library/std/src/thread/mod.rs:481:17
    #85 0x7fa62aaf01c6 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h89167dd2882d4624 /builds/worker/fetches/rust/library/core/src/panic/unwind_safe.rs:271:9
    #86 0x7fa62aaf01c6 in std::panicking::try::do_call::h1adeb507d8438ee2 /builds/worker/fetches/rust/library/std/src/panicking.rs:403:40
    #87 0x7fa62aaf01c6 in std::panicking::try::h90eaa657a7cba4f9 /builds/worker/fetches/rust/library/std/src/panicking.rs:367:19
    #88 0x7fa62aaf01c6 in std::panic::catch_unwind::h27c6bbf3f633e963 /builds/worker/fetches/rust/library/std/src/panic.rs:129:14
    #89 0x7fa62aaf01c6 in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::h90d1049625be4dd0 /builds/worker/fetches/rust/library/std/src/thread/mod.rs:480:30
    #90 0x7fa62aaf01c6 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h99fd14033cc91353 /builds/worker/fetches/rust/library/core/src/ops/function.rs:227:5
    #91 0x7fa62ac58942 in std::sys::unix::thread::Thread::new::thread_start::h3b1213720f18b702 std.ac3adaa7-cgu.2
    #92 0x7fa636fa8608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #93 0x7fa636b70292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:256:3 in MOZ_Crash
Thread T48 (WRWorkerLP#2) created by T0 (GeckoMain) here:
    #0 0x5598a63c8a8c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:207:3
    #1 0x7fa62ac587c4 in std::sys::unix::thread::Thread::new::h6fcfdf86716b7232 (/home/user/workspace/browsers/m-c-20211123215113-fuzzing-asan-opt/libxul.so+0x184b47c4)
    #2 0x7fa627afeb82 in rayon_core::registry::Registry::new::hd9460046afb5a48d src/third_party/rust/rayon-core/src/registry.rs:256:29
    #3 0x7fa627afeb82 in rayon_core::thread_pool::ThreadPool::build::h1e0f8cfb23d49845 src/third_party/rust/rayon-core/src/thread_pool/mod.rs:70:24
    #4 0x7fa627afeb82 in rayon_core::ThreadPoolBuilder$LT$S$GT$::build::h4319e46c3efafd4c src/third_party/rust/rayon-core/src/lib.rs:226:9
    #5 0x7fa627afeb82 in wr_thread_pool_new src/gfx/webrender_bindings/src/bindings.rs:1093:18
    #6 0x7fa61b249f9e in WebRenderThreadPool src/gfx/webrender_bindings/RenderThread.cpp:1078:17
    #7 0x7fa61b249f9e in mozilla::wr::RenderThread::RenderThread(RefPtr<nsIThread>) src/gfx/webrender_bindings/RenderThread.cpp:73:7
    #8 0x7fa61b24ab46 in mozilla::wr::RenderThread::Start() src/gfx/webrender_bindings/RenderThread.cpp:114:23
    #9 0x7fa61afebe3e in InitLayersIPC src/gfx/thebes/gfxPlatform.cpp:1291:7
    #10 0x7fa61afebe3e in gfxPlatform::Init() src/gfx/thebes/gfxPlatform.cpp:957:3
    #11 0x7fa61afeeeb0 in GetPlatform src/gfx/thebes/gfxPlatform.cpp:466:5
    #12 0x7fa61afeeeb0 in gfxPlatform::InitializeCMS() src/gfx/thebes/gfxPlatform.cpp:2084:9
    #13 0x7fa6200e05f9 in GetCMSMode /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:521:5
    #14 0x7fa6200e05f9 in nsXPLookAndFeel::GetColorValue(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins, unsigned int&) src/widget/nsXPLookAndFeel.cpp:866:9
    #15 0x7fa6200e420e in mozilla::LookAndFeel::GetColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) src/widget/nsXPLookAndFeel.cpp:1211:47
    #16 0x7fa620057668 in Color /builds/worker/workspace/obj-build/dist/include/mozilla/LookAndFeel.h:449:12
    #17 0x7fa620057668 in ThemedAccentColor src/widget/ThemeColors.cpp:89:37
    #18 0x7fa620057668 in mozilla::widget::ThemeColors::RecomputeAccentColors() src/widget/ThemeColors.cpp:170:20
    #19 0x7fa62009a50a in nsNativeBasicTheme::LookAndFeelChanged() src/widget/nsNativeBasicTheme.cpp:123:3
    #20 0x7fa6200deae2 in nsXPLookAndFeel::GetInstance() src/widget/nsXPLookAndFeel.cpp:358:3
    #21 0x7fa6200e4c0d in mozilla::LookAndFeel::GetThemeInfo(nsTSubstring<char>&) src/widget/nsXPLookAndFeel.cpp:1328:3
    #22 0x7fa617f53947 in nsSystemInfo::Init() src/xpcom/base/nsSystemInfo.cpp:1041:5
    #23 0x7fa61805a4f4 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:9166:7
    #24 0x7fa6180a99e7 in CreateInstance src/xpcom/components/nsComponentManager.cpp:177:46
    #25 0x7fa6180a99e7 in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::MonitorAutoLock>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) src/xpcom/components/nsComponentManager.cpp:1276:17
    #26 0x7fa6180aa498 in nsComponentManagerImpl::GetService(mozilla::xpcom::ModuleID, nsID const&, void**) src/xpcom/components/nsComponentManager.cpp:1366:10
    #27 0x7fa61807e7bd in mozilla::xpcom::GetServiceHelper::operator()(nsID const&, void**) const /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:12273:50
    #28 0x7fa617f10981 in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) src/xpcom/base/nsCOMPtr.cpp:109:7
    #29 0x7fa61a47ab8c in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:999:5
    #30 0x7fa61a47ab8c in GetServiceImpl src/js/xpconnect/src/JSServices.cpp:84:32
    #31 0x7fa61a47ab8c in GetService src/js/xpconnect/src/JSServices.cpp:131:8
    #32 0x7fa61a47ab8c in xpc::Services_Resolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) src/js/xpconnect/src/JSServices.cpp:154:25
    #33 0x7fa625339177 in CallResolveOp src/js/src/vm/NativeObject-inl.h:634:8
    #34 0x7fa625339177 in NativeLookupOwnPropertyInline<js::CanGC, js::LookupResolveMode::CheckResolve> src/js/src/vm/NativeObject-inl.h:751:14
    #35 0x7fa625339177 in NativeGetPropertyInline<js::CanGC> src/js/src/vm/NativeObject.cpp:2099:10
    #36 0x7fa625339177 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) src/js/src/vm/NativeObject.cpp:2147:10
    #37 0x7fa624e30359 in GetProperty src/js/src/vm/ObjectOperations-inl.h:115:10
    #38 0x7fa624e30359 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) src/js/src/vm/ObjectOperations-inl.h:122:10
    #39 0x7fa624e2f9b4 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:4548:10
    #40 0x7fa624e007bd in GetPropertyOperation src/js/src/vm/Interpreter.cpp:204:10
    #41 0x7fa624e007bd in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:2907:12
    #42 0x7fa624df8011 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:357:13
    #43 0x7fa624e26ddc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:507:13
    #44 0x7fa624e28f2b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:552:8
    #45 0x7fa62509af3c in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/vm/CallAndConstruct.cpp:53:10
    #46 0x7fa61a4c1908 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:973:17
    #47 0x7fa61814ee02 in PrepareAndDispatch src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
    #48 0x7fa61814db8a in SharedStub xptcstubs_x86_64_linux.cpp
    #49 0x7fa61809fdd2 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) src/xpcom/components/nsCategoryManager.cpp:687:19
    #50 0x7fa624b5f5c9 in nsXREDirProvider::DoStartup() src/toolkit/xre/nsXREDirProvider.cpp:976:11
    #51 0x7fa624b3a833 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:5044:18
    #52 0x7fa624b3db39 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5494:8
    #53 0x7fa624b3e873 in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5553:21
    #54 0x5598a64136d9 in do_main src/browser/app/nsBrowserApp.cpp:225:22
    #55 0x5598a64136d9 in main src/browser/app/nsBrowserApp.cpp:395:16
    #56 0x7fa636a750b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
```
