1402434 - crash near null in [@ mozilla::FrameLayerBuilder::DrawPaintedLayer]

Status: RESOLVED WORKSFORME

(Core :: Web Painting, defect, P2)

Description

[Tyson Smith [:tsmith]]

Attachment: test_case.html

==2286==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7f98f3edf420 bp 0x7ffdb0ec4340 sp 0x7ffdb0ec3d60 T0)
==2286==The signal is caused by a READ memory access.
==2286==Hint: address points to the zero page.
    #0 0x7f98f3edf41f in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) / src/layout/painting/FrameLayerBuilder.cpp:6146:15
    #1 0x7f98eeb39c1c in mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) / src/gfx/layers/client/ClientPaintedLayer.cpp:166:5
    #2 0x7f98eeb3b0d9 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) / src/gfx/layers/client/ClientPaintedLayer.cpp:297:3
    #3 0x7f98eeb719cf in mozilla::layers::ClientContainerLayer::RenderLayer() / src/gfx/layers/client/ClientContainerLayer.h:57:29
    #4 0x7f98eeb719cf in mozilla::layers::ClientContainerLayer::RenderLayer() / src/gfx/layers/client/ClientContainerLayer.h:57:29
    #5 0x7f98eeb719cf in mozilla::layers::ClientContainerLayer::RenderLayer() / src/gfx/layers/client/ClientContainerLayer.h:57:29
    #6 0x7f98eeb719cf in mozilla::layers::ClientContainerLayer::RenderLayer() / src/gfx/layers/client/ClientContainerLayer.h:57:29
    #7 0x7f98eeb719cf in mozilla::layers::ClientContainerLayer::RenderLayer() / src/gfx/layers/client/ClientContainerLayer.h:57:29
    #8 0x7f98eeb719cf in mozilla::layers::ClientContainerLayer::RenderLayer() / src/gfx/layers/client/ClientContainerLayer.h:57:29
    #9 0x7f98eeb719cf in mozilla::layers::ClientContainerLayer::RenderLayer() / src/gfx/layers/client/ClientContainerLayer.h:57:29
    #10 0x7f98eeb719cf in mozilla::layers::ClientContainerLayer::RenderLayer() / src/gfx/layers/client/ClientContainerLayer.h:57:29
    #11 0x7f98eeb719cf in mozilla::layers::ClientContainerLayer::RenderLayer() / src/gfx/layers/client/ClientContainerLayer.h:57:29
    #12 0x7f98eeb33eca in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) / src/gfx/layers/client/ClientLayerManager.cpp:380:13
    #13 0x7f98eeb34817 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) / src/gfx/layers/client/ClientLayerManager.cpp:438:3
    #14 0x7f98f3f56388 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) / src/layout/painting/nsDisplayList.cpp:2347:17
    #15 0x7f98f374d012 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) / src/layout/base/nsLayoutUtils.cpp:3772:12
    #16 0x7f98f36428ba in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) / src/layout/base/PresShell.cpp:6454:5
    #17 0x7f98f2e3e839 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) / src/view/nsViewManager.cpp:480:19
    #18 0x7f98f2e3d59b in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) / src/view/nsViewManager.cpp:412:33
    #19 0x7f98f2e40f15 in nsViewManager::ProcessPendingUpdates() / src/view/nsViewManager.cpp:1102:5
    #20 0x7f98f35a44fd in nsRefreshDriver::Tick(long, mozilla::TimeStamp) / src/layout/base/nsRefreshDriver.cpp:2082:11
    #21 0x7f98f35b01eb in TickDriver / src/layout/base/nsRefreshDriver.cpp:337:13
    #22 0x7f98f35b01eb in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) / src/layout/base/nsRefreshDriver.cpp:307
    #23 0x7f98f35afee6 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) / src/layout/base/nsRefreshDriver.cpp:329:5
    #24 0x7f98f35b243b in RunRefreshDrivers / src/layout/base/nsRefreshDriver.cpp:770:5
    #25 0x7f98f35b243b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) / src/layout/base/nsRefreshDriver.cpp:683
    #26 0x7f98f35adb57 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() / src/layout/base/nsRefreshDriver.cpp:529:20
    #27 0x7f98eca0033c in nsThread::ProcessNextEvent(bool, bool*) / src/xpcom/threads/nsThread.cpp:1039:14
    #28 0x7f98eca0615c in NS_ProcessNextEvent(nsIThread*, bool) / src/xpcom/threads/nsThreadUtils.cpp:521:10
    #29 0x7f98ed7ab061 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) / src/ipc/glue/MessagePump.cpp:97:21
    #30 0x7f98ed70cf2b in RunInternal / src/ipc/chromium/src/base/message_loop.cc:326:10
    #31 0x7f98ed70cf2b in RunHandler / src/ipc/chromium/src/base/message_loop.cc:319
    #32 0x7f98ed70cf2b in MessageLoop::Run() / src/ipc/chromium/src/base/message_loop.cc:299
    #33 0x7f98f2ebd4df in nsBaseAppShell::Run() / src/widget/nsBaseAppShell.cpp:158:27
    #34 0x7f98f701d3c1 in nsAppStartup::Run() / src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #35 0x7f98f71fdf0b in XREMain::XRE_mainRun() / src/toolkit/xre/nsAppRunner.cpp:4701:22
    #36 0x7f98f71ffb08 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) / src/toolkit/xre/nsAppRunner.cpp:4865:8
    #37 0x7f98f7200f3b in XRE_main(int, char**, mozilla::BootstrapConfig const&) / src/toolkit/xre/nsAppRunner.cpp:4960:21
    #38 0x4ebea3 in do_main / src/browser/app/nsBrowserApp.cpp:236:22
    #39 0x4ebea3 in main / src/browser/app/nsBrowserApp.cpp:309
    #40 0x7f990a3dc82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #41 0x41d9f8 in _start (firefox+0x41d9f8)

Comment 1

[Ryan VanderMeulen [:RyanVM]]

Trying to bisect this has been a complete exercise in futility. It doesn't crash reliably enough in older builds to get a solid sense of whether a build is good or not.

On debug builds, I did notice that it also hits the below assertions:
ASSERTION: Layer shouldn't be the child of some other container: 'layer->GetParent() == mContainerLayer', file /builds/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp, line 5346
ASSERTION: aChild not our child: 'Error', file /builds/worker/workspace/build/src/gfx/layers/Layers.cpp, line 982
ASSERTION: aAfter is not our child: 'Error', file /builds/worker/workspace/build/src/gfx/layers/Layers.cpp, line 871
ASSERTION: We shouldn't be drawing into a layer with no items!: 'entry', file /builds/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp, line 6145

Comment 2

[Tyson Smith [:tsmith]]

Attachment: test_case_2.html

This testcase requires the fuzzpriv extension.

Comment 3

[Tyson Smith [:tsmith]]

Attachment: prefs.js

Comment 4

[Tyson Smith [:tsmith]]

Attachment: test_case_2.html

Fix a typo

Comment 5

[BugBot [:suhaib / :marco/ :calixte]]

Since the crash volume is low (less than 5 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

For more information, please visit auto_nag documentation.

Comment 6

[Timothy Nikkel (:tnikkel)]

This code is gone. If these testcases still crash they must have a new signature, please update accordingly if that is the case.