Bug 1317640 - Crash [@ mozalloc_abort]
Status: RESOLVED WORKSFORME (opened 8 years ago, closed 8 years ago)
Categories: Core :: Graphics: CanvasWebGL, defect, P3
People: Reporter: rforbes, Assigned: ethlin
Details: 4 keywords, Whiteboard: [sg:dos][gfx-noted]
Attachments: 2 files

Tracking | Status |
---|---|---
firefox52 | --- | affected
The following testcase crashes on mozilla-inbound revision 20161109-310ae43d23b7 (build with (buildFlags not available), run with ):
See attachment.
Backtrace:
Launch command: /home/ubuntu/firefox/firefox -no-remote -profile /tmp/ffprof_HJN4WI http://127.0.0.1:56637
[5703] ###!!! ABORT: Divide by zero: file /home/worker/workspace/build/src/toolkit/xre/nsSigHandlers.cpp, line 156
==5703==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffe5a11e000; bottom 0x7f07510c7000; size: 0x00f709057000 (1061008273408)
False positive error reports may follow
For details see https://github.com/google/sanitizers/issues/189
[5703] ###!!! ABORT: Divide by zero: file /home/worker/workspace/build/src/toolkit/xre/nsSigHandlers.cpp, line 156
ASAN:DEADLYSIGNAL
=================================================================
==5703==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004e114b bp 0x7f07510c8550 sp 0x7f07510c8540 T0)
#0 0x4e114a in mozalloc_abort(char const*) /home/worker/workspace/build/src/memory/mozalloc/mozalloc_abort.cpp:33:5
#1 0x7f07347e5da5 in Abort(char const*) /home/worker/workspace/build/src/xpcom/base/nsDebugImpl.cpp:449:3
#2 0x7f07347e5b4c in NS_DebugBreak /home/worker/workspace/build/src/xpcom/base/nsDebugImpl.cpp:405:7
#3 0x7f073cf3403a in fpehandler(int, siginfo*, void*) /home/worker/workspace/build/src/toolkit/xre/nsSigHandlers.cpp:156:5
#4 0x7f0750cac3df (/lib/x86_64-linux-gnu/libpthread.so.0+0x113df)
#5 0x7f073da92d9b in TType::getObjectSize() const /home/worker/workspace/build/src/gfx/angle/src/compiler/translator/Types.cpp:331:40
#6 0x7f073da184da in TParseContext::checkConstructorArguments(TSourceLoc const&, TIntermNode*, TFunction const&, TOperator, TType const&) /home/worker/workspace/build/src/gfx/angle/src/compiler/translator/ParseContext.cpp:568:49
#7 0x7f073da2850b in TParseContext::addConstructor(TIntermNode*, TOperator, TFunction*, TSourceLoc const&) /home/worker/workspace/build/src/gfx/angle/src/compiler/translator/ParseContext.cpp:2352:10
#8 0x7f073da35e3e in TParseContext::addFunctionCallOrMethod(TFunction*, TIntermNode*, TIntermNode*, TSourceLoc const&, bool*) /home/worker/workspace/build/src/gfx/angle/src/compiler/translator/ParseContext.cpp:3787:20
#9 0x7f073d91e93e in yyparse(TParseContext*, void*) /home/worker/workspace/build/src/gfx/angle/src/compiler/translator/glslang_tab.cpp:2481:42
#10 0x7f073da382ee in PaParseStrings(unsigned long, char const* const*, int const*, TParseContext*) /home/worker/workspace/build/src/gfx/angle/src/compiler/translator/ParseContext.cpp:3955:17
#11 0x7f073d95dd74 in TCompiler::compileTreeImpl(char const* const*, unsigned long, unsigned long) /home/worker/workspace/build/src/gfx/angle/src/compiler/translator/Compiler.cpp:232:10
#12 0x7f073d962532 in TCompiler::compile(char const* const*, unsigned long, unsigned long) /home/worker/workspace/build/src/gfx/angle/src/compiler/translator/Compiler.cpp:418:25
#13 0x7f07392c3b2c in ValidateAndTranslate /home/worker/workspace/build/src/dom/canvas/WebGLShaderValidator.cpp:205:12
#14 0x7f07392c3b2c in Translate /home/worker/workspace/build/src/dom/canvas/WebGLShader.cpp:28
#15 0x7f07392c3b2c in mozilla::WebGLShader::CompileShader() /home/worker/workspace/build/src/dom/canvas/WebGLShader.cpp:217
#16 0x7f0738792917 in mozilla::dom::WebGLRenderingContextBinding::compileShader(JSContext*, JS::Handle<JSObject*>, mozilla::WebGLContext*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/WebGLRenderingContextBinding.cpp:12125:3
#17 0x7f0739066d30 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2879:13
#18 0x7f073f3ec74c in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#19 0x7f073f3ec74c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#20 0x7f073f3cc893 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#21 0x7f073f3cc893 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#22 0x7f073f3b1986 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#23 0x7f073f3ef212 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:686:15
#24 0x7f073f3efaab in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:718:12
#25 0x7f073eee2194 in Evaluate(JSContext*, js::ScopeKind, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:4415:19
#26 0x7f073eee2eeb in Evaluate /home/worker/workspace/build/src/js/src/jsapi.cpp:4442:12
#27 0x7f073eee2eeb in JS::Evaluate(JSContext*, JS::AutoObjectVector&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:4500
#28 0x7f07376c4287 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /home/worker/workspace/build/src/dom/base/nsJSUtils.cpp:207:12
#29 0x7f07376c5499 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /home/worker/workspace/build/src/dom/base/nsJSUtils.cpp:274:10
#30 0x7f0737750481 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*) /home/worker/workspace/build/src/dom/base/nsScriptLoader.cpp:2193:14
#31 0x7f073774d2b1 in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) /home/worker/workspace/build/src/dom/base/nsScriptLoader.cpp:1979:10
#32 0x7f0737734681 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /home/worker/workspace/build/src/dom/base/nsScriptLoader.cpp:1712:10
#33 0x7f0737731002 in nsScriptElement::MaybeProcessScript() /home/worker/workspace/build/src/dom/base/nsScriptElement.cpp:149:10
#34 0x7f07367c0c64 in AttemptToExecute /home/worker/workspace/build/src/dom/base/nsIScriptElement.h:222:18
#35 0x7f07367c0c64 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /home/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:666
#36 0x7f07367bf3d5 in nsHtml5TreeOpExecutor::RunFlushLoop() /home/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:489:7
#37 0x7f07367c3dab in nsHtml5ExecutorFlusher::Run() /home/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:128:9
#38 0x7f0734931e5b in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1216:7
#39 0x7f07349b4d8c in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:361:10
#40 0x7f073573e5cf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
#41 0x7f07356ae698 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
#42 0x7f07356ae698 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
#43 0x7f07356ae698 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
#44 0x7f073ad6960f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
#45 0x7f073cda0781 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19
#46 0x7f073cf1fb5e in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4467:10
#47 0x7f073cf21072 in XREMain::XRE_main(int, char**, nsXREAppData const*) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4600:8
#48 0x7f073cf21f2c in XRE_main /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4691:16
#49 0x4df8ca in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282:10
#50 0x4df8ca in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:415
#51 0x7f074fc4582f in __libc_start_main /build/glibc-Qz8a69/glibc-2.23/csu/../csu/libc-start.c:291
#52 0x41ba38 in _start (/home/ubuntu/firefox/firefox+0x41ba38)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/worker/workspace/build/src/memory/mozalloc/mozalloc_abort.cpp:33:5 in mozalloc_abort(char const*)
==5703==ABORTING
[Exit code: 1]
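The crash is filed under the signature "[@ mozalloc_abort]" because every `###!!! ABORT` in Firefox ends in the same abort frame; the frame that actually matters here is #5, `TType::getObjectSize() const` in ANGLE's translator, reached from `fpehandler` via the SIGFPE trampoline in libpthread. The script below is an added triage example (not code from Mozilla, the reporter's fuzzer or this bug): it parses an ASan backtrace of this shape, skips the abort and signal-handler glue frames, and reports the first product frame together with a heuristic severity class (a deliberate abort such as a divide-by-zero is a denial of service, whereas a sanitizer memory-error report is not). The glue-frame list, the `/build/src/` prefix it strips and the severity mapping are assumptions chosen for this example; the sample input is an excerpt of the backtrace from this report.

```python
"""Crash-signature triage for ASan/Mozilla backtraces.

Added example for bug 1317640 (not Mozilla or reporter code): skip the
abort/signal-handler glue frames so the bucket is named after the faulting
product frame rather than mozalloc_abort.
"""
import re

# Abort / signal plumbing to skip when building a signature.
# Hypothetical list for this example; extend per project.
GLUE_FUNCS = ("mozalloc_abort", "Abort(", "NS_DebugBreak", "fpehandler")
GLUE_LIBS = ("libpthread", "libc.so")
# Assumed build-tree prefix to strip so signatures are stable across builds.
BUILD_PREFIX_RE = re.compile(r"^.*?/build/src/")

FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+(.*)$")
ABORT_RE = re.compile(r"###!!! ABORT: (.+?): file (\S+), line (\d+)")
SAN_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: ([\w-]+)")

# Sanitizer report kinds that imply memory corruption rather than a clean abort.
MEMORY_KINDS = {"heap-buffer-overflow", "heap-use-after-free",
                "stack-buffer-overflow", "global-buffer-overflow",
                "use-after-poison", "double-free"}


def parse_frames(text):
    """Return [{'index', 'func', 'loc'}] for every '#N 0x... ...' line."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        rest = m.group(2).strip()
        if rest.startswith("in "):
            rest = rest[3:]
        parts = rest.rsplit(None, 1)
        # Unsymbolised frames look like "(libfoo.so+0x123)": no function name.
        func, loc = (parts[0], parts[1]) if len(parts) == 2 else ("", parts[0])
        frames.append({"index": int(m.group(1)), "func": func, "loc": loc})
    return frames


def is_glue(frame):
    """True for abort handlers, signal trampolines and unsymbolised libc frames."""
    if any(frame["func"].startswith(g) for g in GLUE_FUNCS):
        return True
    return any(lib in frame["loc"] for lib in GLUE_LIBS)


def crash_signature(text):
    """Summarise a crash log: abort reason, first product frame, severity class."""
    abort = ABORT_RE.search(text)
    san = SAN_RE.search(text)
    if abort:
        reason, kind = abort.group(1), "dos"            # deliberate abort
    elif san and san.group(1) in MEMORY_KINDS:
        reason, kind = san.group(1), "memory-safety"
    elif san:
        reason, kind = san.group(1), "crash"            # e.g. a bare SEGV
    else:
        reason, kind = "unknown", "unknown"
    for fr in parse_frames(text):
        if not is_glue(fr):
            return {"reason": reason, "kind": kind, "top_func": fr["func"],
                    "location": BUILD_PREFIX_RE.sub("", fr["loc"]),
                    "signature": "[@ %s]" % fr["func"]}
    return {"reason": reason, "kind": kind, "top_func": None,
            "location": None, "signature": "[@ unknown]"}


# Excerpt of the backtrace from this bug report (frames 0-6 only).
SAMPLE_LOG = """\
[5703] ###!!! ABORT: Divide by zero: file /home/worker/workspace/build/src/toolkit/xre/nsSigHandlers.cpp, line 156
==5703==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004e114b bp 0x7f07510c8550 sp 0x7f07510c8540 T0)
    #0 0x4e114a in mozalloc_abort(char const*) /home/worker/workspace/build/src/memory/mozalloc/mozalloc_abort.cpp:33:5
    #1 0x7f07347e5da5 in Abort(char const*) /home/worker/workspace/build/src/xpcom/base/nsDebugImpl.cpp:449:3
    #2 0x7f07347e5b4c in NS_DebugBreak /home/worker/workspace/build/src/xpcom/base/nsDebugImpl.cpp:405:7
    #3 0x7f073cf3403a in fpehandler(int, siginfo*, void*) /home/worker/workspace/build/src/toolkit/xre/nsSigHandlers.cpp:156:5
    #4 0x7f0750cac3df (/lib/x86_64-linux-gnu/libpthread.so.0+0x113df)
    #5 0x7f073da92d9b in TType::getObjectSize() const /home/worker/workspace/build/src/gfx/angle/src/compiler/translator/Types.cpp:331:40
    #6 0x7f073da184da in TParseContext::checkConstructorArguments(TSourceLoc const&, TIntermNode*, TFunction const&, TOperator, TType const&) /home/worker/workspace/build/src/gfx/angle/src/compiler/translator/ParseContext.cpp:568:49
"""

if __name__ == "__main__":
    print(crash_signature(SAMPLE_LOG))
```

On this log the result names `TType::getObjectSize() const` at `gfx/angle/src/compiler/translator/Types.cpp:331:40` with reason "Divide by zero" and class "dos", which matches the [sg:dos] whiteboard tag the triager applied; a fuzzer that buckets on frame #0 would instead merge this with every other `MOZ_CRASH`-style abort.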
Comment 1•8 years ago (Reporter)

Comment 2•8 years ago (Reporter)

Updated•8 years ago (Reporter)
Group: gfx-core-security

Updated•8 years ago

Comment 3•8 years ago
Ethan, please take a look.
Assignee: nobody → ethlin
Priority: -- → P3
Whiteboard: [sg:dos] → [sg:dos][gfx-noted]
Comment 4•8 years ago (Assignee)
It looks like a division by zero problem in ANGLE validator. I'll check if it's fixed by new ANGLE.
Comment 5•8 years ago (Assignee)
(In reply to Ethan Lin[:ethlin] from comment #4)
> It looks like a division by zero problem in ANGLE validator. I'll check if
> it's fixed by new ANGLE.
The problem is fixed after I updated ANGLE to 2920. We should have an ANGLE update for m-c and maybe cherry-pick the related commit to 51/52 for this bug.
See Also: → 1316533
Comment 6•8 years ago (Assignee)
Bug 1319004 is fixed. I tested with the latest Nightly (2016-11-17) on Windows and the web page looked fine.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME