null pointer dereference and crash on startup with WebRender enabled (Linux GL context creation failure)

RESOLVED DUPLICATE of bug 1372880

Product: Core
Component: Graphics: WebRender
Priority: P5
Severity: critical
Reported: 8 months ago
Modified: 4 months ago

Reporter: geeknik
Assignee: Unassigned

Version: Trunk
Platform: x86_64 Linux
Keywords: crash, nightly-community
Blocks: 1 bug

Tracking flags: firefox55 affected

(Reporter)

Description

8 months ago
Created attachment 8853570 [details]
My fuzzing prefs.js

I thought it would be keen to fuzz a WebRender enabled Nightly. This machine is a Debian 8.x x64 VM running under VMWare Player, so accelerated graphics are iffy at best. ASAN build ID 20170330192027.

Crash Annotation GraphicsCriticalError: |[0][GFX1-]: Ignoring any feature blocklisting. (t=2.13809) |[1][GFX1-]: Failed GL context creation for WebRender: 0 (t=6.55497) [GFX1-]: Failed GL context creation for WebRender: 0
ASAN:DEADLYSIGNAL
=================================================================
==72271==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f8ff3ceeb58 bp 0x7f8fd78af770 sp 0x7f8fd78af770 T36)
==72271==The signal is caused by a READ memory access.
==72271==Hint: address points to the zero page.
    #0 0x7f8ff3ceeb57 in _ZN7mozilla2wr12WebRenderAPI15SetRootPipelineE12WrPipelineId /home/worker/workspace/build/src/gfx/webrender_bindings/WebRenderAPI.cpp:305
    #1 0x7f8ff3ceeb57 in ?? ??:0
    #2 0x7f8ff39f28c3 in AllocPWebRenderBridgeParent /home/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:1599 (discriminator 2)
    #3 0x7f8ff39f28c3 in ?? ??:0
    #4 0x7f8ff2db1f68 in OnMessageReceived /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PCompositorBridgeParent.cpp:1721
    #5 0x7f8ff2db1f68 in ?? ??:0
    #6 0x7f8ff27e0166 in DispatchSyncMessage /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1843
    #7 0x7f8ff27e0166 in ?? ??:0
    #8 0x7f8ff27dd0ca in DispatchMessage /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1803 (discriminator 2)
    #9 0x7f8ff27dd0ca in ?? ??:0
    #10 0x7f8ff27df494 in RunMessage /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1680 (discriminator 1)
    #11 0x7f8ff27df494 in ?? ??:0
    #12 0x7f8ff27dfa96 in Run /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1713
    #13 0x7f8ff27dfa96 in ?? ??:0
    #14 0x7f8ff274b7a1 in RunTask /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:361 (discriminator 1)
    #15 0x7f8ff274b7a1 in DeferOrRunPendingTask /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:369 (discriminator 1)
    #16 0x7f8ff274b7a1 in DoWork /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:444 (discriminator 1)
    #17 0x7f8ff274b7a1 in ?? ??:0
    #18 0x7f8ff274d229 in Run /home/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:36 (discriminator 1)
    #19 0x7f8ff274d229 in ?? ??:0
    #20 0x7f8ff2749210 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238 (discriminator 1)
    #21 0x7f8ff2749210 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231 (discriminator 1)
    #22 0x7f8ff2749210 in Run /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211 (discriminator 1)
    #23 0x7f8ff2749210 in ?? ??:0
    #24 0x7f8ff276742f in ThreadMain /home/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:179
    #25 0x7f8ff276742f in ?? ??:0
    #26 0x7f8ff27568dc in _ZL10ThreadFuncPv /home/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38
    #27 0x7f8ff27568dc in ?? ??:0
    #28 0x7f900c3c5063 in start_thread /build/glibc-qK83Be/glibc-2.19/nptl/pthread_create.c:309 (discriminator 2)
    #29 0x7f900c3c5063 in ?? ??:0
    #30 0x7f900b4cc62c in clone /build/glibc-qK83Be/glibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111
    #31 0x7f900b4cc62c in ?? ??:0

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/geeknik/firefox/libxul.so+0x4353b57)
Thread T36 (Compositor) created by T0 here:
    #0 0x4a3b76 in __interceptor_pthread_create _asan_rtl_ (discriminator 2)
    #1 0x4a3b76 in ?? ??:0
    #2 0x7f8ff275582c in CreateThread /home/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:137
    #3 0x7f8ff275582c in Create /home/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:148
    #4 0x7f8ff275582c in ?? ??:0
    #5 0x7f8ff2766e7e in StartWithOptions /home/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:98
    #6 0x7f8ff2766e7e in ?? ??:0
    #7 0x7f8ff39f9828 in CreateCompositorThread /home/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:102
    #8 0x7f8ff39f9828 in CompositorThreadHolder /home/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:53
    #9 0x7f8ff39f9828 in ?? ??:0
    #10 0x7f8ff39f996a in Start /home/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:118 (discriminator 1)
    #11 0x7f8ff39f996a in ?? ??:0
    #12 0x7f8ff3b34769 in InitLayersIPC /home/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:947
    #13 0x7f8ff3b34769 in Init /home/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:717
    #14 0x7f8ff3b34769 in ?? ??:0
    #15 0x7f8ff3b31bf2 in _ZN11gfxPlatform11GetPlatformEv /home/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:531
    #16 0x7f8ff3b31bf2 in ?? ??:0
    #17 0x7f8ff78baad7 in GetContentBackend /home/worker/workspace/build/src/widget/GfxInfoBase.cpp:1453 (discriminator 1)
    #18 0x7f8ff78baad7 in ?? ??:0
    #19 0x7f8ff1a5a421 in NS_InvokeByIndex /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:115
    #20 0x7f8ff1a5a421 in ?? ??:0
    #21 0x7f8ff30f0414 in Invoke /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:2010
    #22 0x7f8ff30f0414 in Call /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1329
    #23 0x7f8ff30f0414 in CallMethod /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1296
    #24 0x7f8ff30f0414 in ?? ??:0
    #25 0x7f8ff30f7eb4 in GetAttribute /home/worker/workspace/build/src/js/xpconnect/src/xpcprivate.h:1679
    #26 0x7f8ff30f7eb4 in XPC_WN_GetterSetter /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1019
    #27 0x7f8ff30f7eb4 in ?? ??:0
    #28 0x7f8ffb3895e3 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282 (discriminator 3)
    #29 0x7f8ffb3895e3 in InternalCallOrConstruct /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:455 (discriminator 3)
    #30 0x7f8ffb3895e3 in ?? ??:0
    #31 0x7f8ffb38ac1f in InternalCall /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:500
    #32 0x7f8ffb38ac1f in Call /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:519
    #33 0x7f8ffb38ac1f in CallGetter /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:634
    #34 0x7f8ffb38ac1f in ?? ??:0
    #35 0x7f8ffc239e45 in CallGetter /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:1829 (discriminator 3)
    #36 0x7f8ffc239e45 in GetExistingProperty<js::AllowGC::CanGC> /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:1877 (discriminator 3)
    #37 0x7f8ffc239e45 in NativeGetPropertyInline<js::AllowGC::CanGC> /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2108 (discriminator 3)
    #38 0x7f8ffc239e45 in NativeGetProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2142 (discriminator 3)
    #39 0x7f8ffc239e45 in ?? ??:0
    #40 0x7f8ffb3759ba in GetProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.h:1442 (discriminator 4)
    #41 0x7f8ffb3759ba in GetProperty /home/worker/workspace/build/src/js/src/jsobj.h:853 (discriminator 4)
    #42 0x7f8ffb3759ba in GetObjectElementOperation /home/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:492 (discriminator 4)
    #43 0x7f8ffb3759ba in GetElementOperation /home/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:597 (discriminator 4)
    #44 0x7f8ffb3759ba in Interpret /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2833 (discriminator 4)
    #45 0x7f8ffb3759ba in ?? ??:0
    #46 0x7f8ffb3579e8 in RunScript /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:395
    #47 0x7f8ffb3579e8 in ?? ??:0
    #48 0x7f8ffb389768 in InternalCallOrConstruct /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473 (discriminator 1)
    #49 0x7f8ffb389768 in ?? ??:0
    #50 0x7f8ffb371d0f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:506
    #51 0x7f8ffb371d0f in Interpret /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2997
    #52 0x7f8ffb371d0f in ?? ??:0
    #53 0x7f8ffb3579e8 in RunScript /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:395
    #54 0x7f8ffb3579e8 in ?? ??:0
    #55 0x7f8ffb389768 in InternalCallOrConstruct /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473 (discriminator 1)
    #56 0x7f8ffb389768 in ?? ??:0
    #57 0x7f8ffb371d0f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:506
    #58 0x7f8ffb371d0f in Interpret /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2997
    #59 0x7f8ffb371d0f in ?? ??:0
    #60 0x7f8ffb3579e8 in RunScript /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:395
    #61 0x7f8ffb3579e8 in ?? ??:0
    #62 0x7f8ffb389768 in InternalCallOrConstruct /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473 (discriminator 1)
    #63 0x7f8ffb389768 in ?? ??:0
    #64 0x7f8ffb389f92 in Call /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:519
    #65 0x7f8ffb389f92 in ?? ??:0
    #66 0x7f8ffbfa0b4e in call /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165 (discriminator 3)
    #67 0x7f8ffbfa0b4e in ?? ??:0
    #68 0x7f8ffbf574c4 in call /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:353 (discriminator 1)
    #69 0x7f8ffbf574c4 in ?? ??:0
    #70 0x7f8ffbf810f3 in call /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:464 (discriminator 1)
    #71 0x7f8ffbf810f3 in ?? ??:0
    #72 0x7f8ffbf83a57 in proxy_Call /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:716 (discriminator 1)
    #73 0x7f8ffbf83a57 in ?? ??:0
    #74 0x7f8ffb389933 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282 (discriminator 3)
    #75 0x7f8ffb389933 in InternalCallOrConstruct /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:437 (discriminator 3)
    #76 0x7f8ffb389933 in ?? ??:0
    #77 0x7f8ffb371d0f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:506
    #78 0x7f8ffb371d0f in Interpret /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2997
    #79 0x7f8ffb371d0f in ?? ??:0
    #80 0x7f8ffb3579e8 in RunScript /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:395
    #81 0x7f8ffb3579e8 in ?? ??:0
    #82 0x7f8ffb389768 in InternalCallOrConstruct /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473 (discriminator 1)
    #83 0x7f8ffb389768 in ?? ??:0
    #84 0x7f8ffb389f92 in Call /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:519
    #85 0x7f8ffb389f92 in ?? ??:0
    #86 0x7f8ffbd0dae3 in JS_CallFunctionValue /home/worker/workspace/build/src/js/src/jsapi.cpp:2829 (discriminator 3)
    #87 0x7f8ffbd0dae3 in ?? ??:0
    #88 0x7f8ff30d744f in CallMethod /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:1214 (discriminator 5)
    #89 0x7f8ff30d744f in ?? ??:0
    #90 0x7f8ff1a5bb0a in PrepareAndDispatch /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:120
    #91 0x7f8ff1a5bb0a in ?? ??:0
    #92 0x7f8ff1a5aae6 in SharedStub /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:?
    #93 0x7f8ff1a5aae6 in ?? ??:0
    #94 0x7f8ff19ec287 in NS_CreateServicesFromCategory /home/worker/workspace/build/src/xpcom/components/nsCategoryManager.cpp:821 (discriminator 1)
    #95 0x7f8ff19ec287 in ?? ??:0
    #96 0x7f8ffaefa4a3 in DoStartup /home/worker/workspace/build/src/toolkit/xre/nsXREDirProvider.cpp:1168
    #97 0x7f8ffaefa4a3 in ?? ??:0
    #98 0x7f8ffaed6f50 in XRE_mainRun /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4343
    #99 0x7f8ffaed6f50 in ?? ??:0
    #100 0x7f8ffaed93d0 in XRE_main /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4693
    #101 0x7f8ffaed93d0 in ?? ??:0
    #102 0x7f8ffaeda68c in XRE_main /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4784 (discriminator 1)
    #103 0x7f8ffaeda68c in ?? ??:0
    #104 0x4eb3c3 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236 (discriminator 1)
    #105 0x4eb3c3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:307 (discriminator 1)
    #106 0x4eb3c3 in ?? ??:0
    #107 0x7f900b405b44 in __libc_start_main /build/glibc-qK83Be/glibc-2.19/csu/libc-start.c:287
    #108 0x7f900b405b44 in ?? ??:0

==72271==ABORTING
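The triage question this report raises is the one every fuzzing crash raises: is the SEGV a plain null pointer dereference (a crash, usually a reliability bug) or an access to an address an attacker could steer? ASAN already hints at the answer ("address points to the zero page", fault address 0x10, i.e. a field at offset 16 of a null object). The following script, an added example rather than code from this bug report or from Mozilla, automates that reading for reports of this shape: it parses the header and the faulting thread's stack, drops the unsymbolized `?? ??:0` twins of inlined frames, demangles the simple Itanium names that appear in such traces, and classifies the fault address. The 0x1000 "first page is never mapped" threshold and the subset of C++ mangling handled are my assumptions; the sample input is a constructed excerpt of the report quoted above.

```python
# Triage of an AddressSanitizer SEGV report: fault class, crashing frame, caller.
# Added example; not part of the bug report or of Firefox.
import re
from dataclasses import dataclass, field
from typing import List, Optional

PAGE_SIZE = 0x1000  # assumption: first page is unmapped (Linux/x86-64), so a fault below it is null+offset

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: SEGV on unknown address 0x(?P<addr>[0-9a-f]+) "
                       r"\(pc 0x(?P<pc>[0-9a-f]+) .*?T(?P<tid>\d+)\)")
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+) 0x(?P<pc>[0-9a-f]+) in (?P<func>\S+) (?P<loc>\S+)"
                      r"(?: \(discriminator \d+\))?$")
BUILTIN = {"v": "void", "b": "bool", "c": "char", "i": "int", "j": "unsigned int", "l": "long"}

@dataclass
class Frame:
    pc: int
    func: str
    file: str
    line: Optional[int]

@dataclass
class SegvReport:
    thread: int
    fault_addr: int
    access: str
    frames: List[Frame] = field(default_factory=list)

def parse_asan_segv(text: str) -> SegvReport:
    """Parse the SEGV header and the faulting thread's stack, stopping before the
    'Thread T.. created by' stack and the SUMMARY line."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("not an AddressSanitizer SEGV report")
    acc = ACCESS_RE.search(text)
    rep = SegvReport(int(m["tid"]), int(m["addr"], 16), acc.group(1) if acc else "UNKNOWN")
    for line in text.splitlines():
        if line.startswith(("Thread T", "SUMMARY")):
            break
        fm = FRAME_RE.match(line)
        if not fm or fm["func"] == "??":
            continue  # '?? ??:0' is the unsymbolized twin of an inlined frame (same pc, no info)
        path, _, lineno = fm["loc"].rpartition(":")
        rep.frames.append(Frame(int(fm["pc"], 16), fm["func"], path,
                                int(lineno) if lineno.isdigit() else None))
    return rep

def demangle_simple(name: str) -> str:
    """Demangle the Itanium subset seen in plain ASAN traces: _ZN<n1><n2>..E<params> and
    _Z[L]<name><params>, with builtin or named parameter types and 'P' pointers.
    Templates, substitutions and operators are out of scope and returned unchanged."""
    def source_name(p):
        m = re.match(r"\d+", name[p:])
        if not m:
            return None, p
        n, p = int(m.group()), p + m.end()
        return name[p:p + n], p + n

    if not name.startswith("_Z"):
        return name
    parts = []
    if name.startswith("_ZN"):
        pos = 3
        while pos < len(name) and name[pos] != "E":
            ident, pos = source_name(pos)
            if ident is None:
                return name
            parts.append(ident)
        pos += 1  # skip the 'E' closing the nested name
    else:
        ident, pos = source_name(3 if name.startswith("_ZL") else 2)
        if ident is None:
            return name
        parts.append(ident)
    params = []
    while pos < len(name):
        stars = ""
        while pos < len(name) and name[pos] == "P":
            stars, pos = stars + "*", pos + 1
        if pos < len(name) and name[pos] in BUILTIN:
            params.append(BUILTIN[name[pos]] + stars)
            pos += 1
        else:
            ident, pos = source_name(pos)
            if ident is None:
                return name
            params.append(ident + stars)
    return "::".join(parts) + "(" + ", ".join(p for p in params if p != "void") + ")"

def classify(rep: SegvReport) -> str:
    """A fault below the first page is a null pointer plus a field offset: a crash rather
    than a controlled read/write, unless the attacker controls the pointer value itself."""
    if rep.fault_addr < PAGE_SIZE:
        return f"null pointer dereference ({rep.access} of field at offset 0x{rep.fault_addr:x})"
    return f"{rep.access} of unmapped address 0x{rep.fault_addr:x}; needs manual analysis"

def triage(text: str) -> dict:
    rep = parse_asan_segv(text)
    top = rep.frames[0] if rep.frames else None
    caller = rep.frames[1] if len(rep.frames) > 1 else None
    return {
        "classification": classify(rep),
        "thread": rep.thread,
        "crashing_function": demangle_simple(top.func) if top else None,
        "location": f"{top.file}:{top.line}" if top else None,
        "caller": demangle_simple(caller.func) if caller else None,
    }

# Constructed sample: the header and first frames of the ASAN report quoted in this bug.
SAMPLE_REPORT = """\
==72271==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f8ff3ceeb58 bp 0x7f8fd78af770 sp 0x7f8fd78af770 T36)
==72271==The signal is caused by a READ memory access.
==72271==Hint: address points to the zero page.
    #0 0x7f8ff3ceeb57 in _ZN7mozilla2wr12WebRenderAPI15SetRootPipelineE12WrPipelineId /home/worker/workspace/build/src/gfx/webrender_bindings/WebRenderAPI.cpp:305
    #1 0x7f8ff3ceeb57 in ?? ??:0
    #2 0x7f8ff39f28c3 in AllocPWebRenderBridgeParent /home/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:1599 (discriminator 2)
    #3 0x7f8ff39f28c3 in ?? ??:0
SUMMARY: AddressSanitizer: SEGV (/home/geeknik/firefox/libxul.so+0x4353b57)
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run against the sample, the script reports a READ of offset 0x10 from a null object in `mozilla::wr::WebRenderAPI::SetRootPipeline(WrPipelineId)`, called from `AllocPWebRenderBridgeParent` on thread 36 (the Compositor thread), which matches the manual reading of the report and the low priority the bug later received. For non-null fault addresses the classification deliberately refuses to guess; those are the ones that deserve a debugger.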
(Reporter)

Updated

8 months ago
Severity: normal → critical
Keywords: crash, nightly-community
OS: Unspecified → Linux
Hardware: Unspecified → x86_64

Does it run without address sanitizer? I'd suggest running with llvmpipe if you're in a VM.
(Reporter)

Comment 2

8 months ago
The latest non-ASAN Nightly build fails like so:

[GFX1-]: Ignoring any feature blocklisting.
ATTENTION: default value of option force_s3tc_enable overridden by environment.
[GFX1-]: Failed GL context creation for WebRender: 0
ExceptionHandler::GenerateDump cloned child 72983
ExceptionHandler::SendContinueSignalToChild sent continue signal to child
ExceptionHandler::WaitForContinueSignal waiting for continue signal...

@ mozilla::wr::WebRenderAPI::SetRootPipeline
https://crash-stats.mozilla.com/report/index/cd561902-dc8f-4a14-8ad9-810ca2170331
https://crash-stats.mozilla.com/report/index/36caffa5-f94a-4eb0-b2ed-db0e12170331

This is caused by the environment you're using to run the build in - it can't create a GL context and so crashes on startup. It's not something we're going to prioritize fixing or investigating, because in general we're more concerned with Windows than Linux right now. Linux is only useful insofar as it's easier to debug the cross-platform code there. So unless this issue blocks a graphics developer from being more productive, it's basically going to sit on the backburner until we start caring about Linux again.

That being said there is a similar crash on Windows, and fixing that may end up fixing this. Or at least working around it.
Priority: -- → P5
See Also: → bug 1350404
Summary: ASAN: null pointer dereference and crash on startup with WebRender enabled → null pointer dereference and crash on startup with WebRender enabled (Linux GL context creation failure)
Depends on: 1343345
Blocks: 1386674

It is addressed by bug 1372880.
Status: NEW → RESOLVED
Last Resolved: 4 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1372880