Open Bug 1415776 Opened 2 years ago Updated 2 years ago

Crash near null [@ SoftwareDisplay::SoftwareDisplay]

Categories

(Core :: Graphics, defect, P3, critical)

defect

Tracking


Tracking Status
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- ?

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase-wanted, Whiteboard: [gfx-noted])

Found while fuzzing mozilla-central rev e2f87726b608. I do not have a reproducible testcase at this time but will update once one becomes available.

=================================================================
==17529==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff611798411 bp 0x7ffc80913ef0 sp 0x7ffc80913ec0 T0)
==17529==The signal is caused by a WRITE memory access.
==17529==Hint: address points to the zero page.
==17529==WARNING: failed to fork (errno 11)
    #0 0x7ff611798410 in SoftwareDisplay::SoftwareDisplay() /builds/worker/workspace/build/src/gfx/thebes/SoftwareVsyncSource.cpp:34:3
    #1 0x7ff611797d0f in SoftwareVsyncSource::SoftwareVsyncSource() /builds/worker/workspace/build/src/gfx/thebes/SoftwareVsyncSource.cpp:17:24
    #2 0x7ff61170f14e in gfxPlatform::CreateHardwareVsyncSource() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:2690:57
    #3 0x7ff611720d4b in gfxPlatformGtk::CreateHardwareVsyncSource() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatformGtk.cpp:815:23
    #4 0x7ff61170a429 in gfxPlatform::Init() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:766:46
    #5 0x7ff6117071eb in gfxPlatform::GetPlatform() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:547:9
    #6 0x7ff616a3e279 in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/widget/GfxInfoBase.cpp:1495:25
    #7 0x7ff60efc7be1 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129
    #8 0x7ff6108e061b in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
    #9 0x7ff6108e061b in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
    #10 0x7ff6108e061b in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
    #11 0x7ff6108e7a10 in GetAttribute /builds/worker/workspace/build/src/js/xpconnect/src/xpcprivate.h:1679:17
    #12 0x7ff6108e7a10 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965
    #13 0x7ff61b2b7afc in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #14 0x7ff61b2b7afc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472
    #15 0x7ff61b2b9ada in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
    #16 0x7ff61b2b9ada in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540
    #17 0x7ff61b2b9ada in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:655
    #18 0x7ff61c31c3d8 in CallGetter /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2117:16
    #19 0x7ff61c31c3d8 in GetExistingProperty<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2170
    #20 0x7ff61c31c3d8 in NativeGetPropertyInline<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2373
    #21 0x7ff61c31c3d8 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2409
    #22 0x7ff61b29873b in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1607:12
    #23 0x7ff61b29873b in GetObjectElementOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:523
    #24 0x7ff61b29873b in GetElementOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:629
    #25 0x7ff61b29873b in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2899
    #26 0x7ff61b289c4d in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:12
    #27 0x7ff61b2b8058 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:494:15
    #28 0x7ff61b295b53 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:527:12
    #29 0x7ff61b295b53 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3061
    #30 0x7ff61b289c4d in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:12
    #31 0x7ff61b2b8058 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:494:15
    #32 0x7ff61b295b53 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:527:12
    #33 0x7ff61b295b53 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3061
    #34 0x7ff61b289c4d in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:12
    #35 0x7ff61b2b8058 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:494:15
    #36 0x7ff61b295b53 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:527:12
    #37 0x7ff61b295b53 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3061
    #38 0x7ff61b289c4d in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:12
    #39 0x7ff61b2b8058 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:494:15
    #40 0x7ff61b2b8b42 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540:10
    #41 0x7ff61bd6e37e in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2973:12
    #42 0x7ff6108c6da9 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:1317:23
    #43 0x7ff60efc9258 in PrepareAndDispatch /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:120:28
    #44 0x7ff60efc8226 in SharedStub (/home/ubuntu/builds/central-fuzzinge2f87726b608/libxul.so+0x2243226)
    #45 0x7ff60ef47ca5 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/xpcom/components/nsCategoryManager.cpp:810:19
    #46 0x7ff61afdfa45 in nsXREDirProvider::DoStartup() /builds/worker/workspace/build/src/toolkit/xre/nsXREDirProvider.cpp:1024:11
    #47 0x7ff61afbf97c in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4493:16
    #48 0x7ff61afc21be in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4826:8
    #49 0x7ff61afc3482 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4921:21
    #50 0x4fa1c0 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
    #51 0x4fa1c0 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304
    #52 0x7ff62e1e882f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #53 0x422ddc in _start (/home/ubuntu/builds/central-fuzzinge2f87726b608/firefox+0x422ddc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/gfx/thebes/SoftwareVsyncSource.cpp:34:3 in SoftwareDisplay::SoftwareDisplay()
==17529==ABORTING