Testcase found while fuzzing mozilla-central rev f93461c8f7ba (built with: --enable-address-sanitizer --enable-fuzzing).

Since this bug is relatively easy to hit, I'm going to mark it as a [fuzzblocker](https://firefox-source-docs.mozilla.org/tools/fuzzing/index.html#fuzz-blockers). Please prioritize it accordingly.

Reading the log below: the "Hit MOZ_CRASH" line and the ASan SEGV report the same location (WebGLFormats.cpp:685), so the WRITE to address 0x1 looks like the intentional MOZ_CRASH abort rather than a separate memory-safety fault. The open question for triage is how an unhandled `packing` value reaches `BytesPerPixel` through `ReadPixelsPbo` on the `WebGLParent::RecvDispatchCommands` IPC path.

Testcase can be reproduced using the following commands:
```
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build f93461c8f7ba --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
```
```
Hit MOZ_CRASH(Bad `packing`.) at /dom/canvas/WebGLFormats.cpp:685
=================================================================
==235686==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f8c90a530e7 bp 0x7f8c6e2addf0 sp 0x7f8c6e2adb60 T44)
==235686==The signal is caused by a WRITE memory access.
==235686==Hint: address points to the zero page.
    #0 0x7f8c90a530e7 in mozilla::webgl::BytesPerPixel(mozilla::webgl::PackingInfo const&) /dom/canvas/WebGLFormats.cpp:685:3
    #1 0x7f8c90a52b9b in mozilla::WebGLContext::ReadPixelsPbo(mozilla::webgl::ReadPixelsDesc const&, unsigned long) /dom/canvas/WebGLContextGL.cpp:937:9
    #2 0x7f8c90afaba4 in ReadPixelsPbo /dom/canvas/HostWebGLContext.h:653:15
    #3 0x7f8c90afaba4 in auto bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 87ul, void (mozilla::HostWebGLContext::*)(mozilla::webgl::ReadPixelsDesc const&, unsigned long) const, &(mozilla::HostWebGLContext::ReadPixelsPbo(mozilla::webgl::ReadPixelsDesc const&, unsigned long) const)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&)::'lambda'(auto&...)::operator()<mozilla::webgl::ReadPixelsDesc, unsigned long>(auto&...)
const /dom/canvas/WebGLCommandQueue.h:246:13 #4 0x7f8c90a9c16c in __invoke_impl<bool, (lambda at /dom/canvas/WebGLCommandQueue.h:238:11), mozilla::webgl::ReadPixelsDesc &, unsigned long &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/invoke.h:60:14 #5 0x7f8c90a9c16c in __invoke<(lambda at /dom/canvas/WebGLCommandQueue.h:238:11), mozilla::webgl::ReadPixelsDesc &, unsigned long &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/invoke.h:95:14 #6 0x7f8c90a9c16c in __apply_impl<(lambda at /dom/canvas/WebGLCommandQueue.h:238:11), std::tuple<mozilla::webgl::ReadPixelsDesc, unsigned long> &, 0UL, 1UL> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/tuple:1662:14 #7 0x7f8c90a9c16c in apply<(lambda at /dom/canvas/WebGLCommandQueue.h:238:11), std::tuple<mozilla::webgl::ReadPixelsDesc, unsigned long> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/tuple:1671:14 #8 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:237:14 #9 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #10 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #11 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #12 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #13 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #14 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #15 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #16 0x7f8c90a9c16c in 
DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #17 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #18 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #19 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #20 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #21 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #22 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #23 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #24 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #25 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #26 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #27 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #28 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #29 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #30 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #31 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #32 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #33 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #34 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #35 0x7f8c90a9c16c in 
DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #36 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #37 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #38 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #39 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #40 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #41 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #42 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #43 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #44 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #45 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #46 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #47 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #48 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #49 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #50 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #51 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #52 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #53 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #54 0x7f8c90a9c16c in 
DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #55 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #56 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #57 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #58 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #59 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #60 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #61 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #62 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #63 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #64 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #65 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #66 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #67 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #68 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #69 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #70 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #71 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #72 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #73 0x7f8c90a9c16c in 
DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #74 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #75 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #76 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #77 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #78 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #79 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #80 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #81 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #82 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #83 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #84 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #85 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #86 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #87 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #88 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #89 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #90 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #91 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #92 0x7f8c90a9c16c in 
DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #93 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #94 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #95 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #96 0x7f8c90a9c16c in mozilla::dom::WebGLParent::RecvDispatchCommands(mozilla::ipc::Shmem&&, unsigned long) /dom/canvas/WebGLParent.cpp:68:21 #97 0x7f8c90be3085 in mozilla::dom::PWebGLParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGLParent.cpp:243:79 #98 0x7f8c8df84b0c in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:214:32 #99 0x7f8c8ccdf9b9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1749:25 #100 0x7f8c8ccdca27 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /ipc/glue/MessageChannel.cpp:1674:9 #101 0x7f8c8ccdd674 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1474:3 #102 0x7f8c8ccde902 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1572:14 #103 0x7f8c8b56a5fe in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16 #104 0x7f8c8b574254 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10 #105 0x7f8c8cce8a7b in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20 #106 0x7f8c8cb67551 in RunInternal /ipc/chromium/src/base/message_loop.cc:380:10 #107 0x7f8c8cb67551 in RunHandler 
/ipc/chromium/src/base/message_loop.cc:373:3 #108 0x7f8c8cb67551 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3 #109 0x7f8c8b561748 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:384:10 #110 0x7f8cb28d3b7e in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5 #111 0x7f8cb350a608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8 #112 0x7f8cb30d1132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95 AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /dom/canvas/WebGLFormats.cpp:685:3 in mozilla::webgl::BytesPerPixel(mozilla::webgl::PackingInfo const&) Thread T44 (Compositor) created by T0 here: #0 0x555b0fb2665c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3 #1 0x7f8cb28c3c2c in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:458:14 #2 0x7f8cb28b4fce in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:533:12 #3 0x7f8c8b5646c5 in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:618:18 #4 0x7f8c8b571af8 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /xpcom/threads/nsThreadManager.cpp:534:12 #5 0x7f8c8b57df59 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /xpcom/threads/nsThreadUtils.cpp:161:57 #6 0x7f8c8db66802 in NS_NewNamedThread<11UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74:10 #7 0x7f8c8db66802 in mozilla::layers::CompositorThreadHolder::CreateCompositorThread() /gfx/layers/ipc/CompositorThread.cpp:66:17 #8 0x7f8c8db66d09 in CompositorThreadHolder /gfx/layers/ipc/CompositorThread.cpp:40:25 #9 0x7f8c8db66d09 in mozilla::layers::CompositorThreadHolder::Start() /gfx/layers/ipc/CompositorThread.cpp:109:33 #10 0x7f8c8ddd631c in gfxPlatform::Init() /gfx/thebes/gfxPlatform.cpp:953:3 #11 0x7f8c8ddd997e in GetPlatform 
/gfx/thebes/gfxPlatform.cpp:459:5 #12 0x7f8c8ddd997e in gfxPlatform::InitializeCMS() /gfx/thebes/gfxPlatform.cpp:2058:9 #13 0x7f8c93d328fc in EnsureCMSInitialized /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:968:7 #14 0x7f8c93d328fc in gfxPlatform::GetCMSMode() /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:526:5 #15 0x7f8c93d31e9e in nsXPLookAndFeel::GetUncachedColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /widget/nsXPLookAndFeel.cpp:926:9 #16 0x7f8c93d31a35 in nsXPLookAndFeel::GetColorValue(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins, unsigned int&) /widget/nsXPLookAndFeel.cpp:906:17 #17 0x7f8c93d35d46 in mozilla::LookAndFeel::GetColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /widget/nsXPLookAndFeel.cpp:1323:47 #18 0x7f8c93ca1101 in Color /builds/worker/workspace/obj-build/dist/include/mozilla/LookAndFeel.h:440:12 #19 0x7f8c93ca1101 in GetAccentColor /widget/ThemeColors.cpp:90:7 #20 0x7f8c93ca1101 in mozilla::widget::ThemeColors::RecomputeAccentColors() /widget/ThemeColors.cpp:193:20 #21 0x7f8c93ca0d3d in mozilla::widget::Theme::LookAndFeelChanged() /widget/Theme.cpp:180:3 #22 0x7f8c93d2fdce in nsXPLookAndFeel::GetInstance() /widget/nsXPLookAndFeel.cpp:383:3 #23 0x7f8c93d36805 in mozilla::LookAndFeel::GetThemeInfo(nsTSubstring<char>&) /widget/nsXPLookAndFeel.cpp:1436:3 #24 0x7f8c8b3c38fa in nsSystemInfo::Init() /xpcom/base/nsSystemInfo.cpp:1047:5 #25 0x7f8c8b4dcc1a in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:11830:7 #26 0x7f8c8b516c6e in CreateInstance /xpcom/components/nsComponentManager.cpp:184:46 #27 0x7f8c8b516c6e in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::detail::BaseMonitorAutoLock<mozilla::Monitor> >&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) 
/xpcom/components/nsComponentManager.cpp:977:17 #28 0x7f8c8b517738 in nsComponentManagerImpl::GetService(mozilla::xpcom::ModuleID, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:1067:10 #29 0x7f8c8b4fd64d in mozilla::xpcom::GetServiceHelper::operator()(nsID const&, void**) const /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:12734:50 #30 0x7f8c8b379fe1 in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) /xpcom/base/nsCOMPtr.cpp:109:7 #31 0x7f8c8cff9bf1 in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:999:5 #32 0x7f8c8cff9bf1 in xpc::GetServiceImpl(JSContext*, mozilla::xpcom::JSServiceEntry const&, JS::MutableHandle<JSObject*>, mozilla::ErrorResult&) /js/xpconnect/src/JSServices.cpp:83:32 #33 0x7f8c8cff9678 in xpc::GetService(JSContext*, mozilla::xpcom::JSServiceEntry const&, mozilla::ErrorResult&) /js/xpconnect/src/JSServices.cpp:130:8 #34 0x7f8c8cff85a1 in xpc::Services_Resolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) /js/xpconnect/src/JSServices.cpp:153:25 #35 0x7f8c993b9456 in CallResolveOp /js/src/vm/NativeObject-inl.h:641:8 #36 0x7f8c993b9456 in NativeLookupOwnPropertyInline<js::CanGC, js::LookupResolveMode::CheckResolve> /js/src/vm/NativeObject-inl.h:753:14 #37 0x7f8c993b9456 in NativeGetPropertyInline<js::CanGC> /js/src/vm/NativeObject.cpp:2126:10 #38 0x7f8c993b9456 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2174:10 #39 0x7f8c9903d244 in GetProperty /js/src/vm/ObjectOperations-inl.h:120:10 #40 0x7f8c9903d244 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) /js/src/vm/ObjectOperations-inl.h:127:10 #41 0x7f8c9ab311e3 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) 
/js/src/vm/Interpreter.cpp:4684:10 #42 0x7f8c9ab02c52 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:2995:12 #43 0x7f8c9aafd9b9 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:390:13 #44 0x7f8c9ab29f9e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:540:13 #45 0x7f8c9ab2ba7e in InternalCall /js/src/vm/Interpreter.cpp:575:10 #46 0x7f8c9ab2ba7e in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:606:8 #47 0x7f8c991d6ec4 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:53:10 #48 0x7f8c8d03fd55 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /js/xpconnect/src/XPCWrappedJSClass.cpp:981:17 #49 0x7f8c8b5c27d2 in PrepareAndDispatch /xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37 #50 0x7f8c8b5c1522 in SharedStub xptcstubs_x86_64_linux.cpp #51 0x7f8c8b5104fd in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /xpcom/components/nsCategoryManager.cpp:682:19 #52 0x7f8c98cfd929 in nsXREDirProvider::DoStartup() /toolkit/xre/nsXREDirProvider.cpp:936:11 #53 0x7f8c98cd5420 in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:5462:18 #54 0x7f8c98cd7cee in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5913:8 #55 0x7f8c98cd8a6b in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5981:21 #56 0x555b0fb7b8e1 in do_main(int, char**, char**) /browser/app/nsBrowserApp.cpp:227:22 #57 0x555b0fb7ac1e in main /browser/app/nsBrowserApp.cpp:406:16 #58 0x7f8cb2fd6082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 
==235686==ABORTING ```
Bug 1778549 Comment 0 Edit History
Testcase found while fuzzing mozilla-central rev f93461c8f7ba (built with: --enable-address-sanitizer --enable-fuzzing).

Since this testcase is relatively simple, I'm going to mark it as a [fuzzblocker](https://firefox-source-docs.mozilla.org/tools/fuzzing/index.html#fuzz-blockers). Please prioritize it accordingly.

Testcase can be reproduced using the following commands:
```
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build f93461c8f7ba --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
```
```
Hit MOZ_CRASH(Bad `packing`.) at /dom/canvas/WebGLFormats.cpp:685
=================================================================
==235686==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f8c90a530e7 bp 0x7f8c6e2addf0 sp 0x7f8c6e2adb60 T44)
==235686==The signal is caused by a WRITE memory access.
==235686==Hint: address points to the zero page.
    #0 0x7f8c90a530e7 in mozilla::webgl::BytesPerPixel(mozilla::webgl::PackingInfo const&) /dom/canvas/WebGLFormats.cpp:685:3
    #1 0x7f8c90a52b9b in mozilla::WebGLContext::ReadPixelsPbo(mozilla::webgl::ReadPixelsDesc const&, unsigned long) /dom/canvas/WebGLContextGL.cpp:937:9
    #2 0x7f8c90afaba4 in ReadPixelsPbo /dom/canvas/HostWebGLContext.h:653:15
    #3 0x7f8c90afaba4 in auto bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 87ul, void (mozilla::HostWebGLContext::*)(mozilla::webgl::ReadPixelsDesc const&, unsigned long) const, &(mozilla::HostWebGLContext::ReadPixelsPbo(mozilla::webgl::ReadPixelsDesc const&, unsigned long) const)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&)::'lambda'(auto&...)::operator()<mozilla::webgl::ReadPixelsDesc, unsigned long>(auto&...)
const /dom/canvas/WebGLCommandQueue.h:246:13 #4 0x7f8c90a9c16c in __invoke_impl<bool, (lambda at /dom/canvas/WebGLCommandQueue.h:238:11), mozilla::webgl::ReadPixelsDesc &, unsigned long &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/invoke.h:60:14 #5 0x7f8c90a9c16c in __invoke<(lambda at /dom/canvas/WebGLCommandQueue.h:238:11), mozilla::webgl::ReadPixelsDesc &, unsigned long &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/invoke.h:95:14 #6 0x7f8c90a9c16c in __apply_impl<(lambda at /dom/canvas/WebGLCommandQueue.h:238:11), std::tuple<mozilla::webgl::ReadPixelsDesc, unsigned long> &, 0UL, 1UL> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/tuple:1662:14 #7 0x7f8c90a9c16c in apply<(lambda at /dom/canvas/WebGLCommandQueue.h:238:11), std::tuple<mozilla::webgl::ReadPixelsDesc, unsigned long> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/tuple:1671:14 #8 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:237:14 #9 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #10 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #11 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #12 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #13 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #14 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #15 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #16 0x7f8c90a9c16c in 
DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #17 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #18 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #19 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #20 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #21 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #22 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #23 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #24 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #25 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #26 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #27 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #28 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #29 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #30 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #31 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #32 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #33 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #34 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #35 0x7f8c90a9c16c in 
DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #36 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #37 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #38 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #39 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #40 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #41 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #42 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #43 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #44 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #45 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #46 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #47 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #48 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #49 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #50 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #51 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #52 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #53 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #54 0x7f8c90a9c16c in 
DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #55 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #56 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #57 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #58 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #59 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #60 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #61 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #62 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #63 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #64 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #65 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #66 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #67 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #68 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #69 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #70 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #71 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #72 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #73 0x7f8c90a9c16c in 
DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #74 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #75 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #76 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #77 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #78 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #79 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #80 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #81 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #82 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #83 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #84 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #85 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #86 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #87 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #88 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #89 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #90 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #91 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #92 0x7f8c90a9c16c in 
DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #93 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #94 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #95 0x7f8c90a9c16c in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12 #96 0x7f8c90a9c16c in mozilla::dom::WebGLParent::RecvDispatchCommands(mozilla::ipc::Shmem&&, unsigned long) /dom/canvas/WebGLParent.cpp:68:21 #97 0x7f8c90be3085 in mozilla::dom::PWebGLParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGLParent.cpp:243:79 #98 0x7f8c8df84b0c in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:214:32 #99 0x7f8c8ccdf9b9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1749:25 #100 0x7f8c8ccdca27 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /ipc/glue/MessageChannel.cpp:1674:9 #101 0x7f8c8ccdd674 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1474:3 #102 0x7f8c8ccde902 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1572:14 #103 0x7f8c8b56a5fe in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16 #104 0x7f8c8b574254 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10 #105 0x7f8c8cce8a7b in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20 #106 0x7f8c8cb67551 in RunInternal /ipc/chromium/src/base/message_loop.cc:380:10 #107 0x7f8c8cb67551 in RunHandler 
/ipc/chromium/src/base/message_loop.cc:373:3 #108 0x7f8c8cb67551 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3 #109 0x7f8c8b561748 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:384:10 #110 0x7f8cb28d3b7e in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5 #111 0x7f8cb350a608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8 #112 0x7f8cb30d1132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95 AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /dom/canvas/WebGLFormats.cpp:685:3 in mozilla::webgl::BytesPerPixel(mozilla::webgl::PackingInfo const&) Thread T44 (Compositor) created by T0 here: #0 0x555b0fb2665c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3 #1 0x7f8cb28c3c2c in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:458:14 #2 0x7f8cb28b4fce in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:533:12 #3 0x7f8c8b5646c5 in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:618:18 #4 0x7f8c8b571af8 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /xpcom/threads/nsThreadManager.cpp:534:12 #5 0x7f8c8b57df59 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /xpcom/threads/nsThreadUtils.cpp:161:57 #6 0x7f8c8db66802 in NS_NewNamedThread<11UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74:10 #7 0x7f8c8db66802 in mozilla::layers::CompositorThreadHolder::CreateCompositorThread() /gfx/layers/ipc/CompositorThread.cpp:66:17 #8 0x7f8c8db66d09 in CompositorThreadHolder /gfx/layers/ipc/CompositorThread.cpp:40:25 #9 0x7f8c8db66d09 in mozilla::layers::CompositorThreadHolder::Start() /gfx/layers/ipc/CompositorThread.cpp:109:33 #10 0x7f8c8ddd631c in gfxPlatform::Init() /gfx/thebes/gfxPlatform.cpp:953:3 #11 0x7f8c8ddd997e in GetPlatform 
/gfx/thebes/gfxPlatform.cpp:459:5 #12 0x7f8c8ddd997e in gfxPlatform::InitializeCMS() /gfx/thebes/gfxPlatform.cpp:2058:9 #13 0x7f8c93d328fc in EnsureCMSInitialized /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:968:7 #14 0x7f8c93d328fc in gfxPlatform::GetCMSMode() /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:526:5 #15 0x7f8c93d31e9e in nsXPLookAndFeel::GetUncachedColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /widget/nsXPLookAndFeel.cpp:926:9 #16 0x7f8c93d31a35 in nsXPLookAndFeel::GetColorValue(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins, unsigned int&) /widget/nsXPLookAndFeel.cpp:906:17 #17 0x7f8c93d35d46 in mozilla::LookAndFeel::GetColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /widget/nsXPLookAndFeel.cpp:1323:47 #18 0x7f8c93ca1101 in Color /builds/worker/workspace/obj-build/dist/include/mozilla/LookAndFeel.h:440:12 #19 0x7f8c93ca1101 in GetAccentColor /widget/ThemeColors.cpp:90:7 #20 0x7f8c93ca1101 in mozilla::widget::ThemeColors::RecomputeAccentColors() /widget/ThemeColors.cpp:193:20 #21 0x7f8c93ca0d3d in mozilla::widget::Theme::LookAndFeelChanged() /widget/Theme.cpp:180:3 #22 0x7f8c93d2fdce in nsXPLookAndFeel::GetInstance() /widget/nsXPLookAndFeel.cpp:383:3 #23 0x7f8c93d36805 in mozilla::LookAndFeel::GetThemeInfo(nsTSubstring<char>&) /widget/nsXPLookAndFeel.cpp:1436:3 #24 0x7f8c8b3c38fa in nsSystemInfo::Init() /xpcom/base/nsSystemInfo.cpp:1047:5 #25 0x7f8c8b4dcc1a in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:11830:7 #26 0x7f8c8b516c6e in CreateInstance /xpcom/components/nsComponentManager.cpp:184:46 #27 0x7f8c8b516c6e in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::detail::BaseMonitorAutoLock<mozilla::Monitor> >&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) 
/xpcom/components/nsComponentManager.cpp:977:17 #28 0x7f8c8b517738 in nsComponentManagerImpl::GetService(mozilla::xpcom::ModuleID, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:1067:10 #29 0x7f8c8b4fd64d in mozilla::xpcom::GetServiceHelper::operator()(nsID const&, void**) const /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:12734:50 #30 0x7f8c8b379fe1 in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) /xpcom/base/nsCOMPtr.cpp:109:7 #31 0x7f8c8cff9bf1 in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:999:5 #32 0x7f8c8cff9bf1 in xpc::GetServiceImpl(JSContext*, mozilla::xpcom::JSServiceEntry const&, JS::MutableHandle<JSObject*>, mozilla::ErrorResult&) /js/xpconnect/src/JSServices.cpp:83:32 #33 0x7f8c8cff9678 in xpc::GetService(JSContext*, mozilla::xpcom::JSServiceEntry const&, mozilla::ErrorResult&) /js/xpconnect/src/JSServices.cpp:130:8 #34 0x7f8c8cff85a1 in xpc::Services_Resolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) /js/xpconnect/src/JSServices.cpp:153:25 #35 0x7f8c993b9456 in CallResolveOp /js/src/vm/NativeObject-inl.h:641:8 #36 0x7f8c993b9456 in NativeLookupOwnPropertyInline<js::CanGC, js::LookupResolveMode::CheckResolve> /js/src/vm/NativeObject-inl.h:753:14 #37 0x7f8c993b9456 in NativeGetPropertyInline<js::CanGC> /js/src/vm/NativeObject.cpp:2126:10 #38 0x7f8c993b9456 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2174:10 #39 0x7f8c9903d244 in GetProperty /js/src/vm/ObjectOperations-inl.h:120:10 #40 0x7f8c9903d244 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) /js/src/vm/ObjectOperations-inl.h:127:10 #41 0x7f8c9ab311e3 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) 
/js/src/vm/Interpreter.cpp:4684:10 #42 0x7f8c9ab02c52 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:2995:12 #43 0x7f8c9aafd9b9 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:390:13 #44 0x7f8c9ab29f9e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:540:13 #45 0x7f8c9ab2ba7e in InternalCall /js/src/vm/Interpreter.cpp:575:10 #46 0x7f8c9ab2ba7e in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:606:8 #47 0x7f8c991d6ec4 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:53:10 #48 0x7f8c8d03fd55 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /js/xpconnect/src/XPCWrappedJSClass.cpp:981:17 #49 0x7f8c8b5c27d2 in PrepareAndDispatch /xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37 #50 0x7f8c8b5c1522 in SharedStub xptcstubs_x86_64_linux.cpp #51 0x7f8c8b5104fd in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /xpcom/components/nsCategoryManager.cpp:682:19 #52 0x7f8c98cfd929 in nsXREDirProvider::DoStartup() /toolkit/xre/nsXREDirProvider.cpp:936:11 #53 0x7f8c98cd5420 in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:5462:18 #54 0x7f8c98cd7cee in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5913:8 #55 0x7f8c98cd8a6b in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5981:21 #56 0x555b0fb7b8e1 in do_main(int, char**, char**) /browser/app/nsBrowserApp.cpp:227:22 #57 0x555b0fb7ac1e in main /browser/app/nsBrowserApp.cpp:406:16 #58 0x7f8cb2fd6082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 
==235686==ABORTING
```