Closed Bug 1419609 Opened 2 years ago Closed 2 years ago

UBSan: load of value which is not a valid value for type 'bool' [@ nsDisplayListBuilder::WrapAGRForFrame]

Categories

(Core :: Web Painting, defect, P2)

RESOLVED FIXED
mozilla59
Tracking Status
firefox59 --- fixed

People

(Reporter: tsmith, Assigned: mattwoodrow)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined, csectype-uninitialized, testcase)

Attachments

(2 files)

Attached file testcase.html
This was found with a Firefox build built with -fsanitize=bool

/layout/painting/nsDisplayList.cpp:1064:50: runtime error: load of value 208, which is not a valid value for type 'bool'
    #0 0x7fe41183880b in nsDisplayListBuilder::WrapAGRForFrame(nsIFrame*, bool, AnimatedGeometryRoot*) /layout/painting/nsDisplayList.cpp:1064:50
    #1 0x7fe4117e9651 in nsDisplayListBuilder::FindAnimatedGeometryRootFor(nsIFrame*) /layout/painting/nsDisplayList.cpp:1100:12
    #2 0x7fe41117c6af in nsDisplayListBuilder::AutoBuildingDisplayList::AutoBuildingDisplayList(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsRect const&, bool) /layout/painting/nsDisplayList.h:1039:43
    #3 0x7fe41122ac2e in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /layout/generic/nsFrame.cpp:3612:5
    #4 0x7fe4116262f3 in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsDisplayListSet const&) /layout/xul/nsBoxFrame.cpp:1389:5
    #5 0x7fe411625d69 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /layout/xul/nsBoxFrame.cpp:1349:3
    #6 0x7fe41122b588 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /layout/generic/nsFrame.cpp:3734:14
    #7 0x7fe41162a813 in nsDeckFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsDisplayListSet const&) /layout/xul/nsDeckFrame.cpp:199:3
    #8 0x7fe411625d69 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /layout/xul/nsBoxFrame.cpp:1349:3
    #9 0x7fe41122b588 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /layout/generic/nsFrame.cpp:3734:14
    #10 0x7fe4116262f3 in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsDisplayListSet const&) /layout/xul/nsBoxFrame.cpp:1389:5
    #11 0x7fe411625d69 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /layout/xul/nsBoxFrame.cpp:1349:3
    #12 0x7fe41122b588 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /layout/generic/nsFrame.cpp:3734:14
    #13 0x7fe4116262f3 in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsDisplayListSet const&) /layout/xul/nsBoxFrame.cpp:1389:5
    #14 0x7fe41166c5ed in nsRootBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /layout/xul/nsRootBoxFrame.cpp:190:3
    #15 0x7fe41122b588 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /layout/generic/nsFrame.cpp:3734:14
    #16 0x7fe41122a06b in mozilla::ViewportFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /layout/generic/ViewportFrame.cpp:66:5
    #17 0x7fe4112b175b in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) /layout/generic/nsFrame.cpp:2965:5
    #18 0x7fe411138ed6 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /layout/base/nsLayoutUtils.cpp:3880:17
    #19 0x7fe41105dbe2 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /layout/base/PresShell.cpp:6512:5
    #20 0x7fe41093b65b in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /view/nsViewManager.cpp:480:19
    #21 0x7fe41093ad3d in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /view/nsViewManager.cpp:412:33
    #22 0x7fe41093cfcb in nsViewManager::ProcessPendingUpdates() /view/nsViewManager.cpp:1102:5
    #23 0x7fe410fdb3ed in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:2027:11
    #24 0x7fe410fe5fc7 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /layout/base/nsRefreshDriver.cpp:306:7
    #25 0x7fe410fe5cdc in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:328:5
    #26 0x7fe410fea37a in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:769:5
    #27 0x7fe410fe8dd0 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:682:35
    #28 0x7fe410fe4148 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /layout/base/nsRefreshDriver.cpp:528:20
    #29 0x7fe40997fa60 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1037:14
    #30 0x7fe4099b91fa in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:513:10
    #31 0x7fe40ab02f91 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:97:21
    #32 0x7fe40a983990 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:299:3
    #33 0x7fe4109caa05 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:159:27
    #34 0x7fe415379a57 in nsAppStartup::Run() /toolkit/components/startup/nsAppStartup.cpp:288:30
    #35 0x7fe415545f7a in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:4685:22
    #36 0x7fe415547a37 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:4847:8
    #37 0x7fe415548781 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:4942:21
    #38 0x518198 in do_main(int, char**, char**) /browser/app/nsBrowserApp.cpp:231:22
    #39 0x517a1a in main /browser/app/nsBrowserApp.cpp:304:16
    #40 0x7fe43edff1c0 in __libc_start_main /build/glibc-CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308
    #41 0x4204e9 in _start (firefox+0x4204e9)
Flags: in-testsuite?
Summary: UBSan: load of value which is not a valid value for type 'bool' → UBSan: load of value which is not a valid value for type 'bool' [@ nsDisplayListBuilder::WrapAGRForFrame]
Component: Layout → Layout: Web Painting
Blocks: 1352499
Priority: -- → P2
This doesn't seem to repro on mac FWIW.
(In reply to Jonathan Watt [:jwatt] (needinfo? me) from comment #1)
> This doesn't seem to repro on mac FWIW.

I have seen instances of this type of error where the underlying issue was actually uninitialized memory. That may also make this inconsistently reproducible.
FWIW: I can still repro on m-c changeset 395820:5f52c2488a83
Pretty sure this is the issue: we call FindAnimatedGeometryRootFor to initialize isAsync, but it's possible for us to leave it uninitialized.
Assignee: nobody → matt.woodrow
Attachment #8935989 - Flags: review?(jwatt)
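The pattern comment #4 describes, an out-parameter bool that is assigned on only some return paths so the caller reads whatever its stack slot held, is easy to reproduce in isolation. The following is an added example, not Gecko code and not the patch attached to this bug: `Frame`, `FindAGRBuggy`, `FindAGRFixed`, `IsAsyncBuggy` and `IsAsyncFixed` are constructed stand-ins, and the tree they walk is made up for the demonstration. The buggy shape leaves `*aIsAsync` untouched when the walk reaches the root; the fixed shape gives the flag a definite value before any branch and always reports the root as async, in the spirit of the commit message "Always mark the root agr as async". To make the defect observable without relying on real stack garbage, the caller seeds its local with a chosen stale value and the example checks whether the answer changes with it.

```cpp
#include <iostream>

// Constructed stand-in for a frame-tree node; not Gecko's nsIFrame.
struct Frame {
  const Frame* parent = nullptr;
  bool animated = false;  // true if this frame is an async-animated AGR
};

// Buggy shape: the out-parameter is written on only one path. When the walk
// reaches the root without meeting an animated frame, *aIsAsync keeps whatever
// the caller's slot held. If that byte is neither 0 nor 1, -fsanitize=bool
// reports the later load, which is the class of error in this bug.
const Frame* FindAGRBuggy(const Frame* aFrame, bool* aIsAsync) {
  for (const Frame* f = aFrame; f; f = f->parent) {
    if (f->animated) {
      *aIsAsync = true;
      return f;
    }
    if (!f->parent) {
      return f;  // root reached: aIsAsync never assigned
    }
  }
  return nullptr;  // only for a null aFrame; aIsAsync also unassigned here
}

// Fixed shape: the out-parameter gets a definite value before any branch,
// and the root is always reported as async (sketch of the described fix,
// not the actual patch).
const Frame* FindAGRFixed(const Frame* aFrame, bool* aIsAsync) {
  *aIsAsync = false;  // definite value on every path from here on
  for (const Frame* f = aFrame; f; f = f->parent) {
    if (f->animated || !f->parent) {
      *aIsAsync = true;  // animated frame or the root: both async
      return f;
    }
  }
  return nullptr;
}

// Caller mimicking the reported pattern: a local bool that the callee is
// expected to initialize. The local is seeded with aStale (hypothetical
// parameter) so the stale-read is deterministic instead of real garbage.
bool IsAsyncBuggy(const Frame* aFrame, bool aStale) {
  bool isAsync = aStale;  // stands in for an uninitialized local
  FindAGRBuggy(aFrame, &isAsync);
  return isAsync;
}

bool IsAsyncFixed(const Frame* aFrame, bool aStale) {
  bool isAsync = aStale;
  FindAGRFixed(aFrame, &isAsync);
  return isAsync;
}

// Constructed tree: root -> middle -> leaf, nothing animated.
// True when the buggy caller's answer changes with the stale value, i.e.
// the result depends on the previous contents of the slot, not on the tree.
bool BuggyResultDependsOnGarbage() {
  Frame root;
  Frame middle; middle.parent = &root;
  Frame leaf;   leaf.parent = &middle;
  return IsAsyncBuggy(&leaf, true) != IsAsyncBuggy(&leaf, false);
}

// True when the fixed caller gives the same answer regardless of the stale
// value, and that answer marks the root as async.
bool FixedResultIsStable() {
  Frame root;
  Frame middle; middle.parent = &root;
  Frame leaf;   leaf.parent = &middle;
  return IsAsyncFixed(&leaf, true) == IsAsyncFixed(&leaf, false) &&
         IsAsyncFixed(&leaf, false) == true;
}

int main() {
  std::cout << "buggy result depends on stale slot: "
            << BuggyResultDependsOnGarbage() << '\n';
  std::cout << "fixed result is stable: " << FixedResultIsStable() << '\n';
  return 0;
}
```

Compiling the buggy half of this with clang's `-fsanitize=bool` only fires when the uninitialized slot actually holds a non-0/1 byte, which is why such reports come and go between platforms and runs, as the earlier comments on this bug note; initializing the flag at the top of the callee (or returning a struct instead of using an out-parameter) removes the dependence on stack contents entirely.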
Verified the issue is no longer reproducible with the patch applied.
Attachment #8935989 - Flags: review?(jwatt) → review+
Pushed by mwoodrow@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/969f4ef3c4b2
Always mark the root agr as async. r=jwatt
https://hg.mozilla.org/mozilla-central/rev/969f4ef3c4b2
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59