Testcase found while fuzzing mozilla-central rev 2c9f37ff7f0d (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:
```
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 2c9f37ff7f0d --asan --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla --repeat 20 --relaunch 1 ./firefox/firefox <bugid>
```
```
Hit MOZ_CRASH(bug: this is an unexpected case - please open a bug and talk to #gfx team!) at gfx/wr/webrender/src/spatial_tree.rs:1038
=================================================================
==3257511==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f887ecd8c67 bp 0x7f884b8b0130 sp 0x7f884b8b0120 T26)
==3257511==The signal is caused by a WRITE memory access.
==3257511==Hint: address points to the zero page.
    #0 0x7f887ecd8c67 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:317:3
    #1 0x7f887ecd8c67 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
    #2 0x7f887ecd74fe in mozglue_static::panic_hook::h2b7b0c7ab69696a9 /mozglue/static/rust/lib.rs:102:9
    #3 0x7f887ecd74fe in core::ops::function::Fn::call::h397a2f6bd0d5fd2c /builds/worker/fetches/rust/library/core/src/ops/function.rs:79:5
    #4 0x7f88820dc354 in std::panicking::rust_panic_with_hook::h0c15db9fe1a518fe std.4dd631fead81e61f-cgu.07
    #5 0x7f887d58477d in std::panicking::begin_panic::_$u7b$$u7b$closure$u7d$$u7d$::ha27d71e1704ddcac /builds/worker/fetches/rust/library/std/src/panicking.rs:738:9
    #6 0x7f887d57a505 in std::sys::backtrace::__rust_end_short_backtrace::h64eb775dfb43b60b /builds/worker/fetches/rust/library/std/src/sys/backtrace.rs:168:18
    #7 0x7f887d584601 in std::panicking::begin_panic::h962b4c708ca0ec8b /builds/worker/fetches/rust/library/std/src/panicking.rs:737:5
    #8 0x7f887db9263d in webrender::spatial_tree::SpatialTree::get_relative_transform_with_face::hc0704baf74fdae02 /gfx/wr/webrender/src/spatial_tree.rs:1038:9
    #9 0x7f887db6c8a1 in webrender::space::SpaceMapper$LT$F$C$T$GT$::set_target_spatial_node::h61756b5be6b9848b /gfx/wr/webrender/src/space.rs:72:29
    #10 0x7f887dcc9e4d in webrender::picture::PicturePrimitive::propagate_bounding_rect::h9ac0bdbb60d5e82c /gfx/wr/webrender/src/picture.rs:6875:13
    #11 0x7f887dce0d40 in webrender::picture_graph::PictureGraph::propagate_bounding_rects::h916d920a15ef5009 /gfx/wr/webrender/src/picture_graph.rs:149:17
    #12 0x7f887dc1be09 in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::h8f4b0d8ce40d2632 /gfx/wr/webrender/src/frame_builder.rs:322:9
    #13 0x7f887dc1be09 in webrender::frame_builder::FrameBuilder::build::h5c4d95ef0a1aadb2 /gfx/wr/webrender/src/frame_builder.rs:573:9
    #14 0x7f887dd6d4bf in webrender::render_backend::Document::build_frame::h6ec2aa7e2a0134ea /gfx/wr/webrender/src/render_backend.rs:530:25
    #15 0x7f887ddaddb4 in webrender::render_backend::RenderBackend::update_document::hfee6bca39b8610e8 /gfx/wr/webrender/src/render_backend.rs:1466:41
    #16 0x7f887dd97c5b in webrender::render_backend::RenderBackend::prepare_transactions::h5d543b6d839f97a7 /gfx/wr/webrender/src/render_backend.rs:1306:28
    #17 0x7f887dd97c5b in webrender::render_backend::RenderBackend::process_api_msg::h36de583fbe5237bd /gfx/wr/webrender/src/render_backend.rs:1153:17
    #18 0x7f887d57f81d in webrender::render_backend::RenderBackend::run::h0e120a759b25a18e /gfx/wr/webrender/src/render_backend.rs:802:21
    #19 0x7f887d57f81d in webrender::renderer::init::create_webrender_instance::_$u7b$$u7b$closure$u7d$$u7d$::hc78ec6ad6e344411 /gfx/wr/webrender/src/renderer/init.rs:715:9
    #20 0x7f887d57f81d in std::sys::backtrace::__rust_begin_short_backtrace::h7375a8628da1919d /builds/worker/fetches/rust/library/std/src/sys/backtrace.rs:152:18
    #21 0x7f887d59408a in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h56bc8289e53f10ea /builds/worker/fetches/rust/library/std/src/thread/mod.rs:538:17
    #22 0x7f887d59408a in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h2928193593fae6e6 /builds/worker/fetches/rust/library/core/src/panic/unwind_safe.rs:272:9
    #23 0x7f887d59408a in std::panicking::try::do_call::he21920fae9d640e3 /builds/worker/fetches/rust/library/std/src/panicking.rs:557:40
    #24 0x7f887d59408a in std::panicking::try::hed8ab6d33e869df0 /builds/worker/fetches/rust/library/std/src/panicking.rs:521:19
    #25 0x7f887d59408a in std::panic::catch_unwind::h2d51e474fae8aed4 /builds/worker/fetches/rust/library/std/src/panic.rs:350:14
    #26 0x7f887d59408a in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::h2756b443fb11650e /builds/worker/fetches/rust/library/std/src/thread/mod.rs:537:30
    #27 0x7f887d59408a in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h1c5ac6c0835839fb /builds/worker/fetches/rust/library/core/src/ops/function.rs:250:5
    #28 0x7f88820eb1fa in std::sys::pal::unix::thread::Thread::new::thread_start::h51b652028646be50 std.4dd631fead81e61f-cgu.12
    #29 0x55c0216552f8 in asan_thread_start(void*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:239:28
    #30 0x7f888ec88143 in start_thread nptl/pthread_create.c:442:8
    #31 0x7f888ed087db in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:317:3 in MOZ_Crash
==3257511==ABORTING
```
Bug 1927586 Comment 0 Edit History
Testcase found while fuzzing mozilla-central rev 2c9f37ff7f0d (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:
```
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 2c9f37ff7f0d --asan --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla --repeat 20 --relaunch 1 ./firefox/firefox 1927586
```
```
Hit MOZ_CRASH(bug: this is an unexpected case - please open a bug and talk to #gfx team!) at gfx/wr/webrender/src/spatial_tree.rs:1038
=================================================================
==3257511==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f887ecd8c67 bp 0x7f884b8b0130 sp 0x7f884b8b0120 T26)
==3257511==The signal is caused by a WRITE memory access.
==3257511==Hint: address points to the zero page.
    #0 0x7f887ecd8c67 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:317:3
    #1 0x7f887ecd8c67 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
    #2 0x7f887ecd74fe in mozglue_static::panic_hook::h2b7b0c7ab69696a9 /mozglue/static/rust/lib.rs:102:9
    #3 0x7f887ecd74fe in core::ops::function::Fn::call::h397a2f6bd0d5fd2c /builds/worker/fetches/rust/library/core/src/ops/function.rs:79:5
    #4 0x7f88820dc354 in std::panicking::rust_panic_with_hook::h0c15db9fe1a518fe std.4dd631fead81e61f-cgu.07
    #5 0x7f887d58477d in std::panicking::begin_panic::_$u7b$$u7b$closure$u7d$$u7d$::ha27d71e1704ddcac /builds/worker/fetches/rust/library/std/src/panicking.rs:738:9
    #6 0x7f887d57a505 in std::sys::backtrace::__rust_end_short_backtrace::h64eb775dfb43b60b /builds/worker/fetches/rust/library/std/src/sys/backtrace.rs:168:18
    #7 0x7f887d584601 in std::panicking::begin_panic::h962b4c708ca0ec8b /builds/worker/fetches/rust/library/std/src/panicking.rs:737:5
    #8 0x7f887db9263d in webrender::spatial_tree::SpatialTree::get_relative_transform_with_face::hc0704baf74fdae02 /gfx/wr/webrender/src/spatial_tree.rs:1038:9
    #9 0x7f887db6c8a1 in webrender::space::SpaceMapper$LT$F$C$T$GT$::set_target_spatial_node::h61756b5be6b9848b /gfx/wr/webrender/src/space.rs:72:29
    #10 0x7f887dcc9e4d in webrender::picture::PicturePrimitive::propagate_bounding_rect::h9ac0bdbb60d5e82c /gfx/wr/webrender/src/picture.rs:6875:13
    #11 0x7f887dce0d40 in webrender::picture_graph::PictureGraph::propagate_bounding_rects::h916d920a15ef5009 /gfx/wr/webrender/src/picture_graph.rs:149:17
    #12 0x7f887dc1be09 in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::h8f4b0d8ce40d2632 /gfx/wr/webrender/src/frame_builder.rs:322:9
    #13 0x7f887dc1be09 in webrender::frame_builder::FrameBuilder::build::h5c4d95ef0a1aadb2 /gfx/wr/webrender/src/frame_builder.rs:573:9
    #14 0x7f887dd6d4bf in webrender::render_backend::Document::build_frame::h6ec2aa7e2a0134ea /gfx/wr/webrender/src/render_backend.rs:530:25
    #15 0x7f887ddaddb4 in webrender::render_backend::RenderBackend::update_document::hfee6bca39b8610e8 /gfx/wr/webrender/src/render_backend.rs:1466:41
    #16 0x7f887dd97c5b in webrender::render_backend::RenderBackend::prepare_transactions::h5d543b6d839f97a7 /gfx/wr/webrender/src/render_backend.rs:1306:28
    #17 0x7f887dd97c5b in webrender::render_backend::RenderBackend::process_api_msg::h36de583fbe5237bd /gfx/wr/webrender/src/render_backend.rs:1153:17
    #18 0x7f887d57f81d in webrender::render_backend::RenderBackend::run::h0e120a759b25a18e /gfx/wr/webrender/src/render_backend.rs:802:21
    #19 0x7f887d57f81d in webrender::renderer::init::create_webrender_instance::_$u7b$$u7b$closure$u7d$$u7d$::hc78ec6ad6e344411 /gfx/wr/webrender/src/renderer/init.rs:715:9
    #20 0x7f887d57f81d in std::sys::backtrace::__rust_begin_short_backtrace::h7375a8628da1919d /builds/worker/fetches/rust/library/std/src/sys/backtrace.rs:152:18
    #21 0x7f887d59408a in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h56bc8289e53f10ea /builds/worker/fetches/rust/library/std/src/thread/mod.rs:538:17
    #22 0x7f887d59408a in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h2928193593fae6e6 /builds/worker/fetches/rust/library/core/src/panic/unwind_safe.rs:272:9
    #23 0x7f887d59408a in std::panicking::try::do_call::he21920fae9d640e3 /builds/worker/fetches/rust/library/std/src/panicking.rs:557:40
    #24 0x7f887d59408a in std::panicking::try::hed8ab6d33e869df0 /builds/worker/fetches/rust/library/std/src/panicking.rs:521:19
    #25 0x7f887d59408a in std::panic::catch_unwind::h2d51e474fae8aed4 /builds/worker/fetches/rust/library/std/src/panic.rs:350:14
    #26 0x7f887d59408a in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::h2756b443fb11650e /builds/worker/fetches/rust/library/std/src/thread/mod.rs:537:30
    #27 0x7f887d59408a in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h1c5ac6c0835839fb /builds/worker/fetches/rust/library/core/src/ops/function.rs:250:5
    #28 0x7f88820eb1fa in std::sys::pal::unix::thread::Thread::new::thread_start::h51b652028646be50 std.4dd631fead81e61f-cgu.12
    #29 0x55c0216552f8 in asan_thread_start(void*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:239:28
    #30 0x7f888ec88143 in start_thread nptl/pthread_create.c:442:8
    #31 0x7f888ed087db in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:317:3 in MOZ_Crash
==3257511==ABORTING
```

Reading the log for triage: the faulting write to 0x1 is reported inside MOZ_Crash (frame #0), reached through the Rust panic hook (frames #1–#2) from a panic at spatial_tree.rs:1038 (frame #8). The SEGV therefore appears to be the intentional abort performed by MOZ_CRASH, not a separate out-of-bounds write; the condition to investigate is the unexpected case hit in SpatialTree::get_relative_transform_with_face.