Bug 1440522 (Closed): UBSan: downcast of address which does not point to an object of type 'mozilla::layers::PaintedLayer'

Opened 7 years ago, closed 7 years ago
Categories: Core :: Web Painting, defect
Status: RESOLVED WORKSFORME
People: Reporter tsmith, Unassigned
Keywords: csectype-undefined

Version | Tracking | Status
---|---|---
firefox60 | --- | affected
This is triggered on startup when built with -fsanitize=vptr.
Found with changeset: 404902:169b1ba48437
```
src/layout/painting/FrameLayerBuilder.cpp:3224:31: runtime error: downcast of address 0x618000052c80 which does not point to an object of type 'mozilla::layers::PaintedLayer'
0x618000052c80: note: object is of type 'mozilla::layers::ClientColorLayer'
a0 00 00 7d 38 08 98 91 5f 7f 00 00 07 00 00 00 00 00 00 00 40 34 0d 00 40 61 00 00 00 00 00 00
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'mozilla::layers::ClientColorLayer'
#0 0x7f5f87780410 in FinishPaintedLayerData<(lambda at src/layout/painting/FrameLayerBuilder.cpp:2843:50)> src/layout/painting/FrameLayerBuilder.cpp:3224:31
#1 0x7f5f87780410 in mozilla::PaintedLayerDataNode::PopPaintedLayerData() src/layout/painting/FrameLayerBuilder.cpp:2843
#2 0x7f5f8777c1bc in PopAllPaintedLayerData src/layout/painting/FrameLayerBuilder.cpp:2853:5
#3 0x7f5f8777c1bc in mozilla::PaintedLayerDataNode::Finish(bool) src/layout/painting/FrameLayerBuilder.cpp:2807
#4 0x7f5f8777c597 in mozilla::PaintedLayerDataNode::FinishAllChildren(bool) src/layout/painting/FrameLayerBuilder.cpp:2796:19
#5 0x7f5f8777c177 in mozilla::PaintedLayerDataNode::Finish(bool) src/layout/painting/FrameLayerBuilder.cpp:2805:3
#6 0x7f5f877ab6ea in Finish src/layout/painting/FrameLayerBuilder.cpp:2867:12
#7 0x7f5f877ab6ea in mozilla::ContainerState::Finish(unsigned int*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsDisplayList*) src/layout/painting/FrameLayerBuilder.cpp:5327
#8 0x7f5f877aeaff in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const*, unsigned int) src/layout/painting/FrameLayerBuilder.cpp:5713:9
#9 0x7f5f878481bd in nsDisplayList::BuildLayers(nsDisplayListBuilder*, mozilla::layers::LayerManager*, unsigned int, bool) src/layout/painting/nsDisplayList.cpp:2556:9
#10 0x7f5f8784ade5 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) src/layout/painting/nsDisplayList.cpp:2746:20
#11 0x7f5f86bbdef2 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:4016:12
#12 0x7f5f86a21bc3 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) src/layout/base/PresShell.cpp:6473:5
#13 0x7f5f85e3da2c in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:480:19
#14 0x7f5f85e3c3bf in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:412:33
#15 0x7f5f85e4111b in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1102:5
#16 0x7f5f869304ce in nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2063:11
#17 0x7f5f869428b0 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:310:7
#18 0x7f5f8694223a in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:332:5
#19 0x7f5f86947692 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:686:35
#20 0x7f5f86946a41 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:587:9
#21 0x7f5f8764e4a5 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:68:16
#22 0x7f5f7d891465 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/objdir-ff-vptr/ipc/ipdl/PVsyncChild.cpp:155:20
#23 0x7f5f7d541bee in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/objdir-ff-vptr/ipc/ipdl/PBackgroundChild.cpp:1812:28
#24 0x7f5f7ccbdb92 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2110:25
#25 0x7f5f7ccb6262 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2040:17
#26 0x7f5f7ccb985f in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1886:5
#27 0x7f5f7ccbb52a in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1919:15
#28 0x7f5f7b36a55a in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1040:14
#29 0x7f5f7b3ac0de in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:517:10
#30 0x7f5f7ccccb28 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#31 0x7f5f7cb5443d in RunHandler src/ipc/chromium/src/base/message_loop.cc:319:3
#32 0x7f5f7cb5443d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
#33 0x7f5f85f336f6 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
#34 0x7f5f8c0b85a4 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:892:22
#35 0x7f5f7cb5443d in RunHandler src/ipc/chromium/src/base/message_loop.cc:319:3
#36 0x7f5f7cb5443d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
#37 0x7f5f8c0b76e7 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:718:34
#38 0x516234 in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
#39 0x516a50 in main src/browser/app/nsBrowserApp.cpp:280:18
#40 0x7f5fa28e01c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
#41 0x41eef9 in _start (firefox+0x41eef9)
```
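The defect class UBSan reports above, modelled as an added example (not Gecko code): Layer, PaintedLayer, ColorLayer and AsPaintedLayer() are hypothetical stand-ins for the mozilla::layers types named in the trace. It places the unconditional static_cast the vptr check fires on next to a loop that verifies the dynamic type before casting, so a ColorLayer in the list is skipped rather than misread.

```cpp
#include <memory>
#include <vector>
struct PaintedLayer;

// Hypothetical stand-ins for mozilla::layers::Layer and its subclasses.
struct Layer {
  virtual ~Layer() = default;
  // Checked-downcast hook: only PaintedLayer returns itself (no RTTI needed).
  virtual PaintedLayer* AsPaintedLayer() { return nullptr; }
};
struct PaintedLayer : Layer {
  int validRegionArea;
  explicit PaintedLayer(int area) : validRegionArea(area) {}
  PaintedLayer* AsPaintedLayer() override { return this; }
};
struct ColorLayer : Layer {
  unsigned color;
  explicit ColorLayer(unsigned c) : color(c) {}
};

// The pattern the trace flags: an unconditional static_cast down to PaintedLayer.
// If `layer` is really a ColorLayer this is undefined behaviour: -fsanitize=vptr
// reports it; an unsanitized build reads ColorLayer::color as validRegionArea.
int UncheckedArea(Layer* layer) {
  return static_cast<PaintedLayer*>(layer)->validRegionArea;
}

// Sum painted area over a mixed list; non-PaintedLayers are counted, not cast.
int SumPaintedArea(const std::vector<std::unique_ptr<Layer>>& layers, int& skipped) {
  int total = 0;
  skipped = 0;
  for (const auto& layer : layers) {
    if (PaintedLayer* painted = layer->AsPaintedLayer()) {
      total += UncheckedArea(painted);  // safe: dynamic type checked first
    } else {
      ++skipped;
    }
  }
  return total;
}

// Constructed sample mirroring the trace: a ColorLayer sits where the caller
// assumed every entry was a PaintedLayer.
std::vector<std::unique_ptr<Layer>> BuildSampleLayers() {
  std::vector<std::unique_ptr<Layer>> layers;
  layers.push_back(std::make_unique<PaintedLayer>(100));
  layers.push_back(std::make_unique<ColorLayer>(0xff0000ffu));
  layers.push_back(std::make_unique<PaintedLayer>(25));
  return layers;
}
```

Building this with -fsanitize=vptr and calling UncheckedArea() on the ColorLayer entry reproduces the "downcast of address ... does not point to an object of type" report; SumPaintedArea() never reaches that cast for it.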
Updated by reporter, 7 years ago:
Keywords: csectype-uninitialized → csectype-undefined

Comment 2 (reporter, 7 years ago):
Yes it does. Thanks!
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME