Bug 1787959 Comment 0 Edit History


Found while fuzzing m-c 20220829-ad01d1ce5556 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:
```
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --xvfb
```

I have only managed to reproduce this crash on a fuzzing debug build. I tried with a fuzzing debug build with all optimization disabled to get an rr trace, but I was unable to trigger the issue.

The stack trace output by UBSan does not contain any entries:
```
==15373==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x7f58ff000000 (pc 0x7f58ff000000 bp 0x7f586c0b5d60 sp 0x7f586c0b5ce0 T15455)
==15373==The signal is caused by a READ memory access.
```

While reducing the crash I did see:
```
==161106==ERROR: UndefinedBehaviorSanitizer: ILL on unknown address 0x7f4cff00006b (pc 0x7f4cff00006b bp 0x7f4cac08ad60 sp 0x7f4cac08ace0 T161153)
    #0 0x7f4cff00006b  (/home/user/workspace/browsers/m-c-20220829094551-fuzzing-debug/libxul.so+0xeb4406b) (BuildId: 60b5d7c9cd5810ce8ca90721bfc74fce76e23c30)
```

The attached stack is from Pernosco, from an rr trace I collected with an optimized debug build.

The Pernosco session is available here: https://pernos.co/debug/vJiv1NU7XCucv93B0tXcJw/index.html

```
start_thread () at pthread_create.c:463
_pt_root () at ptthread.c:201
ThreadFunc () at nsThread.cpp:384
Run () at message_loop.cc:356
RunHandler () at message_loop.cc:374
RunInternal () at message_loop.cc:381
Run () at MessagePump.cpp:300
NS_ProcessNextEvent () at nsThreadUtils.cpp:465
ProcessNextEvent () at nsThread.cpp:1199
Run () at MessageChannel.cpp:1578
RunMessage () at MessageChannel.cpp:1480
DispatchMessage () at MessageChannel.cpp:1680
DispatchAsyncMessage () at MessageChannel.cpp:1755
OnMessageReceived () at PCanvasManagerParent.cpp:214
OnMessageReceived () at PWebGLParent.cpp:243
RecvDispatchCommands () at WebGLParent.cpp:64
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
0x3fbd4273cc80+3163304832
```
Found while fuzzing m-c 20220829-ad01d1ce5556 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:
```
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --xvfb
```

I have only managed to reproduce this crash on a fuzzing debug build. I tried with a fuzzing debug build with all optimization disabled to get an rr trace, but I was unable to trigger the issue.

The stack trace output by UBSan does not contain any entries:
```
==15373==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x7f58ff000000 (pc 0x7f58ff000000 bp 0x7f586c0b5d60 sp 0x7f586c0b5ce0 T15455)
==15373==The signal is caused by a READ memory access.
```

While reducing the crash I did see:
```
==161106==ERROR: UndefinedBehaviorSanitizer: ILL on unknown address 0x7f4cff00006b (pc 0x7f4cff00006b bp 0x7f4cac08ad60 sp 0x7f4cac08ace0 T161153)
    #0 0x7f4cff00006b  (/home/user/workspace/browsers/m-c-20220829094551-fuzzing-debug/libxul.so+0xeb4406b) (BuildId: 60b5d7c9cd5810ce8ca90721bfc74fce76e23c30)
```

The attached stack is from Pernosco, from an rr trace I collected with an optimized debug build.

~~The Pernosco session is available here: https://pernos.co/debug/vJiv1NU7XCucv93B0tXcJw/index.html~~

```
start_thread () at pthread_create.c:463
_pt_root () at ptthread.c:201
ThreadFunc () at nsThread.cpp:384
Run () at message_loop.cc:356
RunHandler () at message_loop.cc:374
RunInternal () at message_loop.cc:381
Run () at MessagePump.cpp:300
NS_ProcessNextEvent () at nsThreadUtils.cpp:465
ProcessNextEvent () at nsThread.cpp:1199
Run () at MessageChannel.cpp:1578
RunMessage () at MessageChannel.cpp:1480
DispatchMessage () at MessageChannel.cpp:1680
DispatchAsyncMessage () at MessageChannel.cpp:1755
OnMessageReceived () at PCanvasManagerParent.cpp:214
OnMessageReceived () at PWebGLParent.cpp:243
RecvDispatchCommands () at WebGLParent.cpp:64
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251
0x3fbd4273cc80+3163304832
```
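Added triage example for the crash output quoted in this report. It is not the reporter's code and not part of Firefox, Grizzly or Pernosco; it parses the two sanitizer headers and the rr/Pernosco frame list exactly as they appear above (copied into the constants below), flags the case where the faulting `pc` equals the faulting address, and run-length collapses the repeated `DispatchCommand` frames so the recursion depth is visible at a glance. The regexes are assumptions about the sanitizer and Pernosco text layouts shown on this page, not a general parser for every sanitizer report.

```python
"""Triage helper for the UBSan headers and rr/Pernosco stack quoted in the bug.

Added example for this page; not the reporter's code and not part of Firefox.
The sample inputs below are copied from the report text.
"""
import re
from dataclasses import dataclass, field

# Sanitizer summary line, as printed above:
#   ==PID==ERROR: <Tool>: <SIGNAL> on unknown address 0x.. (pc 0x.. bp 0x.. sp 0x.. T<tid>)
HEADER_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: (?P<tool>\w+): (?P<signal>\w+) on unknown address "
    r"(?P<addr>0x[0-9a-f]+) \(pc (?P<pc>0x[0-9a-f]+) bp (?P<bp>0x[0-9a-f]+) "
    r"sp (?P<sp>0x[0-9a-f]+) T(?P<tid>\d+)\)"
)
# Sanitizer frame line:  #N 0xPC  (/path/module.so+0xOFFSET) (BuildId: ...)
SAN_FRAME_RE = re.compile(
    r"#(?P<idx>\d+) (?P<pc>0x[0-9a-f]+)\s+\((?P<module>[^+)]+)\+(?P<off>0x[0-9a-f]+)\)"
)
# rr/Pernosco frame line:  Function () at file.cpp:LINE
PERNOSCO_FRAME_RE = re.compile(r"^(?P<func>.+?) \(\) at (?P<file>[^:]+):(?P<line>\d+)$")

# Sample inputs copied from the report above.
SEGV_REPORT = """\
==15373==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x7f58ff000000 (pc 0x7f58ff000000 bp 0x7f586c0b5d60 sp 0x7f586c0b5ce0 T15455)
==15373==The signal is caused by a READ memory access.
"""
ILL_REPORT = """\
==161106==ERROR: UndefinedBehaviorSanitizer: ILL on unknown address 0x7f4cff00006b (pc 0x7f4cff00006b bp 0x7f4cac08ad60 sp 0x7f4cac08ace0 T161153)
    #0 0x7f4cff00006b  (/home/user/workspace/browsers/m-c-20220829094551-fuzzing-debug/libxul.so+0xeb4406b) (BuildId: 60b5d7c9cd5810ce8ca90721bfc74fce76e23c30)
"""
_DISPATCH = "DispatchCommand<mozilla::HostWebGLContext> () at WebGLCommandQueue.h:251"
PERNOSCO_STACK = "\n".join(
    [
        "start_thread () at pthread_create.c:463",
        "_pt_root () at ptthread.c:201",
        "ThreadFunc () at nsThread.cpp:384",
        "Run () at message_loop.cc:356",
        "RunHandler () at message_loop.cc:374",
        "RunInternal () at message_loop.cc:381",
        "Run () at MessagePump.cpp:300",
        "NS_ProcessNextEvent () at nsThreadUtils.cpp:465",
        "ProcessNextEvent () at nsThread.cpp:1199",
        "Run () at MessageChannel.cpp:1578",
        "RunMessage () at MessageChannel.cpp:1480",
        "DispatchMessage () at MessageChannel.cpp:1680",
        "DispatchAsyncMessage () at MessageChannel.cpp:1755",
        "OnMessageReceived () at PCanvasManagerParent.cpp:214",
        "OnMessageReceived () at PWebGLParent.cpp:243",
        "RecvDispatchCommands () at WebGLParent.cpp:64",
    ]
    + [_DISPATCH] * 24          # the report shows 24 consecutive DispatchCommand frames
    + ["0x3fbd4273cc80+3163304832"]  # innermost frame, unsymbolised
)


@dataclass
class CrashReport:
    pid: int
    tool: str
    signal: str
    addr: int
    pc: int
    sp: int
    tid: int
    frames: list = field(default_factory=list)

    @property
    def pc_is_fault_address(self) -> bool:
        """True when the faulting pc is the faulting address itself: the thread
        executed at an address that is not code (SEGV) or holds no valid
        instruction (ILL), rather than faulting on a data access."""
        return self.pc == self.addr


def parse_sanitizer_report(text: str) -> CrashReport:
    """Parse the sanitizer header and any '#N' frame lines that follow it."""
    header, frames = None, []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.search(line)
        if m and header is None:
            header = m
            continue
        m = SAN_FRAME_RE.search(line)
        if m:
            frames.append({"idx": int(m["idx"]), "pc": int(m["pc"], 16),
                           "module": m["module"].strip(), "offset": int(m["off"], 16)})
    if header is None:
        raise ValueError("no sanitizer ERROR header found")
    return CrashReport(pid=int(header["pid"]), tool=header["tool"], signal=header["signal"],
                       addr=int(header["addr"], 16), pc=int(header["pc"], 16),
                       sp=int(header["sp"], 16), tid=int(header["tid"]), frames=frames)


def parse_pernosco_stack(text: str) -> list:
    """Return (func, file, line) tuples, outermost first as quoted; lines that
    do not match the 'Func () at file:line' shape become (raw, None, None)."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PERNOSCO_FRAME_RE.match(line)
        frames.append((m["func"], m["file"], int(m["line"])) if m else (line, None, None))
    return frames


def collapse_repeats(frames: list) -> list:
    """Run-length encode consecutive identical frames: [(frame, count), ...]."""
    out = []
    for fr in frames:
        if out and out[-1][0] == fr:
            out[-1][1] += 1
        else:
            out.append([fr, 1])
    return [(fr, n) for fr, n in out]


if __name__ == "__main__":
    for report in (SEGV_REPORT, ILL_REPORT):
        r = parse_sanitizer_report(report)
        print(f"{r.tool} {r.signal} pid={r.pid} tid={r.tid} pc==addr={r.pc_is_fault_address} "
              f"frames={len(r.frames)}")
    for fr, n in collapse_repeats(parse_pernosco_stack(PERNOSCO_STACK)):
        print(f"{n:>3}x {fr[0]}" + (f" ({fr[1]}:{fr[2]})" if fr[1] else ""))
```

On this report's own data both headers satisfy `pc == addr` (0x7f58ff000000 and 0x7f4cff00006b), which is consistent with the empty sanitizer stack: the unwinder has no module to attribute a pc outside any loaded image to, so the rr/Pernosco recording is what supplies the call chain. The collapsed view reduces the 24 identical `WebGLCommandQueue.h:251` frames to a single line with a count, which makes the depth of the `DispatchCommand` recursion reaching the unsymbolised frame easier to compare across reductions of the test case.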
