Closed Bug 1440522 Opened 7 years ago Closed 7 years ago

UBSan: downcast of address which does not point to an object of type 'mozilla::layers::PaintedLayer'

Categories: Core :: Web Painting, defect
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED WORKSFORME
Tracking Status: firefox60 --- affected
People: Reporter: tsmith, Unassigned
Keywords: csectype-undefined

This is triggered on startup when built with -fsanitize=vptr

Found with changeset: 404902:169b1ba48437

src/layout/painting/FrameLayerBuilder.cpp:3224:31: runtime error: downcast of address 0x618000052c80 which does not point to an object of type 'mozilla::layers::PaintedLayer'
0x618000052c80: note: object is of type 'mozilla::layers::ClientColorLayer'
 a0 00 00 7d  38 08 98 91 5f 7f 00 00  07 00 00 00 00 00 00 00  40 34 0d 00 40 61 00 00  00 00 00 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'mozilla::layers::ClientColorLayer'
    #0 0x7f5f87780410 in FinishPaintedLayerData<(lambda at src/layout/painting/FrameLayerBuilder.cpp:2843:50)> src/layout/painting/FrameLayerBuilder.cpp:3224:31
    #1 0x7f5f87780410 in mozilla::PaintedLayerDataNode::PopPaintedLayerData() src/layout/painting/FrameLayerBuilder.cpp:2843
    #2 0x7f5f8777c1bc in PopAllPaintedLayerData src/layout/painting/FrameLayerBuilder.cpp:2853:5
    #3 0x7f5f8777c1bc in mozilla::PaintedLayerDataNode::Finish(bool) src/layout/painting/FrameLayerBuilder.cpp:2807
    #4 0x7f5f8777c597 in mozilla::PaintedLayerDataNode::FinishAllChildren(bool) src/layout/painting/FrameLayerBuilder.cpp:2796:19
    #5 0x7f5f8777c177 in mozilla::PaintedLayerDataNode::Finish(bool) src/layout/painting/FrameLayerBuilder.cpp:2805:3
    #6 0x7f5f877ab6ea in Finish src/layout/painting/FrameLayerBuilder.cpp:2867:12
    #7 0x7f5f877ab6ea in mozilla::ContainerState::Finish(unsigned int*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsDisplayList*) src/layout/painting/FrameLayerBuilder.cpp:5327
    #8 0x7f5f877aeaff in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const*, unsigned int) src/layout/painting/FrameLayerBuilder.cpp:5713:9
    #9 0x7f5f878481bd in nsDisplayList::BuildLayers(nsDisplayListBuilder*, mozilla::layers::LayerManager*, unsigned int, bool) src/layout/painting/nsDisplayList.cpp:2556:9
    #10 0x7f5f8784ade5 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) src/layout/painting/nsDisplayList.cpp:2746:20
    #11 0x7f5f86bbdef2 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:4016:12
    #12 0x7f5f86a21bc3 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) src/layout/base/PresShell.cpp:6473:5
    #13 0x7f5f85e3da2c in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:480:19
    #14 0x7f5f85e3c3bf in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:412:33
    #15 0x7f5f85e4111b in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1102:5
    #16 0x7f5f869304ce in nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2063:11
    #17 0x7f5f869428b0 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:310:7
    #18 0x7f5f8694223a in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:332:5
    #19 0x7f5f86947692 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:686:35
    #20 0x7f5f86946a41 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:587:9
    #21 0x7f5f8764e4a5 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:68:16
    #22 0x7f5f7d891465 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/objdir-ff-vptr/ipc/ipdl/PVsyncChild.cpp:155:20
    #23 0x7f5f7d541bee in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/objdir-ff-vptr/ipc/ipdl/PBackgroundChild.cpp:1812:28
    #24 0x7f5f7ccbdb92 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2110:25
    #25 0x7f5f7ccb6262 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2040:17
    #26 0x7f5f7ccb985f in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1886:5
    #27 0x7f5f7ccbb52a in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1919:15
    #28 0x7f5f7b36a55a in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1040:14
    #29 0x7f5f7b3ac0de in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:517:10
    #30 0x7f5f7ccccb28 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #31 0x7f5f7cb5443d in RunHandler src/ipc/chromium/src/base/message_loop.cc:319:3
    #32 0x7f5f7cb5443d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #33 0x7f5f85f336f6 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #34 0x7f5f8c0b85a4 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:892:22
    #35 0x7f5f7cb5443d in RunHandler src/ipc/chromium/src/base/message_loop.cc:319:3
    #36 0x7f5f7cb5443d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #37 0x7f5f8c0b76e7 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:718:34
    #38 0x516234 in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #39 0x516a50 in main src/browser/app/nsBrowserApp.cpp:280:18
    #40 0x7f5fa28e01c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
    #41 0x41eef9 in _start (firefox+0x41eef9)
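The report above is the bug class that -fsanitize=vptr exists to catch: a base-class pointer is downcast with static_cast to a derived type that the object is not, and the sanitizer notices because the object's vtable pointer belongs to a different class. The following added example (not Gecko code, and not from this bug's patches) reduces that to a toy layer hierarchy with assumed names (Layer, PaintedLayer, ColorLayer, LayerType, AsPaintedLayer) and sets the unchecked downcast beside a checked one that consults a type tag, which is the pattern to reach for when a code base is built without RTTI.

```cpp
// Added example, not from the bug or from Gecko: an unconditional static_cast
// downcast (the defect UBSan's vptr check flags) beside a type-tag-checked cast.
#include <cstdint>
#include <cstdio>

// Hypothetical miniature layer hierarchy; all names here are assumptions.
enum class LayerType { Painted, Color };

class Layer {
public:
  virtual ~Layer() = default;
  virtual LayerType GetType() const = 0;
};

class PaintedLayer : public Layer {
public:
  explicit PaintedLayer(int aWidth) : mWidth(aWidth) {}
  LayerType GetType() const override { return LayerType::Painted; }
  int Width() const { return mWidth; }
private:
  int mWidth;
};

class ColorLayer : public Layer {
public:
  explicit ColorLayer(std::uint32_t aColor) : mColor(aColor) {}
  LayerType GetType() const override { return LayerType::Color; }
  std::uint32_t Color() const { return mColor; }
private:
  std::uint32_t mColor;
};

// Defective pattern: static_cast trusts the caller about the dynamic type.
// Passing a ColorLayer here is undefined behaviour; with -fsanitize=vptr the
// runtime compares the object's vtable pointer against PaintedLayer's and
// prints "downcast of address ... does not point to an object of type".
int UncheckedWidth(Layer* aLayer) {
  return static_cast<PaintedLayer*>(aLayer)->Width();
}

// Checked pattern usable without RTTI: ask the object what it is first and
// return nullptr for any other dynamic type.
PaintedLayer* AsPaintedLayer(Layer* aLayer) {
  if (aLayer && aLayer->GetType() == LayerType::Painted) {
    return static_cast<PaintedLayer*>(aLayer);
  }
  return nullptr;
}

// Same check expressed with dynamic_cast, for builds that keep RTTI enabled.
PaintedLayer* AsPaintedLayerRtti(Layer* aLayer) {
  return dynamic_cast<PaintedLayer*>(aLayer);
}

// Returns -1 for a non-PaintedLayer instead of reading through a mistyped
// pointer; the caller then has a value it can act on rather than UB.
int CheckedWidth(Layer* aLayer) {
  if (PaintedLayer* painted = AsPaintedLayer(aLayer)) {
    return painted->Width();
  }
  return -1;
}

int main() {
  PaintedLayer painted(640);         // constructed sample objects
  ColorLayer color(0xff0000ffu);
  std::printf("painted width: %d\n", CheckedWidth(&painted));
  std::printf("color width:   %d\n", CheckedWidth(&color));
  // UncheckedWidth(&color) would be the reported defect: compile with
  // clang++ -fsanitize=vptr and UBSan stops the bad downcast at runtime.
  return 0;
}
```

The checked variant mirrors how a type tag lets a large C++ code base keep static_cast for the fast path while making the wrong-type case a null result rather than silent memory misinterpretation; compiling the defective call with -fsanitize=vptr in CI is what surfaces the remaining unchecked sites.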
The patches in bug 1440177 fix this.
Depends on: 1440177
Yes it does. Thanks!
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME