Closed Bug 1442825 Opened 6 years ago Closed 5 years ago

UBSan: downcast of address which does not point to an object of type 'mozilla::gl::ScopedBindRenderbuffer'

Categories

(Core :: Graphics, defect, P3)

Tracking

RESOLVED FIXED
mozilla69
Tracking Status
firefox60 --- wontfix
firefox69 --- fixed

People

(Reporter: tsmith, Assigned: jgilbert)

Details

(Keywords: csectype-undefined, Whiteboard: [gfx-noted])

Attachments

(1 file)

This is triggered with regular browsing when built with -fsanitize=vptr

Found with mozilla-central changeset: 406399:f4e33c42faa7

mozilla-central/gfx/gl/ScopedGLHelpers.h:50:28: runtime error: downcast of address 0x7ffe14afc080 which does not point to an object of type 'mozilla::gl::ScopedBindRenderbuffer'
0x7ffe14afc080: note: object is of type 'mozilla::gl::ScopedGLWrapper<mozilla::gl::ScopedBindRenderbuffer>'
 89 7f 00 00  38 6e 15 89 89 7f 00 00  00 6f 8e 3c af 46 7a 60  80 30 06 00 e0 61 00 00  00 00 00 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'mozilla::gl::ScopedGLWrapper<mozilla::gl::ScopedBindRenderbuffer>'
    #0 0x7f89775ba342 in mozilla::gl::ScopedGLWrapper<mozilla::gl::ScopedBindRenderbuffer>::Unwrap() mozilla-central/gfx/gl/ScopedGLHelpers.h:50:28
    #1 0x7f89775bedf4 in ~ScopedGLWrapper mozilla-central/gfx/gl/ScopedGLHelpers.h:42:13
    #2 0x7f89775bedf4 in mozilla::gl::MozFramebuffer::CreateWith(mozilla::gl::GLContext*, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, bool, unsigned int, unsigned int)::$_0::operator()(unsigned int, unsigned int) const mozilla-central/gfx/gl/MozFramebuffer.cpp:102
    #3 0x7f89775be528 in mozilla::gl::MozFramebuffer::CreateWith(mozilla::gl::GLContext*, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, bool, unsigned int, unsigned int) mozilla-central/gfx/gl/MozFramebuffer.cpp:111:27
    #4 0x7f89775bd989 in mozilla::gl::MozFramebuffer::Create(mozilla::gl::GLContext*, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, bool) mozilla-central/gfx/gl/MozFramebuffer.cpp:71:12
    #5 0x7f897b6038bf in operator() mozilla-central/dom/canvas/WebGLContext.cpp:769:26
    #6 0x7f897b6038bf in mozilla::WebGLContext::EnsureDefaultFB(char const*) mozilla-central/dom/canvas/WebGLContext.cpp:757
    #7 0x7f897b607499 in mozilla::WebGLContext::SetDimensions(int, int) mozilla-central/dom/canvas/WebGLContext.cpp:1006:10
    #8 0x7f897b50bfe5 in mozilla::dom::CanvasRenderingContextHelper::UpdateContext(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) mozilla-central/dom/canvas/CanvasRenderingContextHelper.cpp:243:24
    #9 0x7f897b50b4ca in mozilla::dom::CanvasRenderingContextHelper::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) mozilla-central/dom/canvas/CanvasRenderingContextHelper.cpp:197:19
    #10 0x7f897bd1502f in mozilla::dom::HTMLCanvasElement::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) mozilla-central/dom/html/HTMLCanvasElement.cpp:1016:40
    #11 0x7f897add14d9 in mozilla::dom::HTMLCanvasElementBinding::getContext(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLCanvasElement*, JSJitMethodCallArgs const&) mozilla-central/objdir-ff-vptr/dom/bindings/HTMLCanvasElementBinding.cpp:275:49
    #12 0x7f897b380197 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) mozilla-central/dom/bindings/BindingUtils.cpp:3031:13
    #13 0x7f8983cdc99f in CallJSNative mozilla-central/js/src/vm/JSContext-inl.h:290:15
    #14 0x7f8983cdc99f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) mozilla-central/js/src/vm/Interpreter.cpp:467
    #15 0x7f8983cb9c2d in CallFromStack mozilla-central/js/src/vm/Interpreter.cpp:522:12
    #16 0x7f8983cb9c2d in Interpret(JSContext*, js::RunState&) mozilla-central/js/src/vm/Interpreter.cpp:3085
    #17 0x7f8983cacfab in js::RunScript(JSContext*, js::RunState&) mozilla-central/js/src/vm/Interpreter.cpp:417:12
    #18 0x7f8983cdc888 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) mozilla-central/js/src/vm/Interpreter.cpp:489:15
    #19 0x7f8983f22672 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) mozilla-central/js/src/jit/BaselineIC.cpp:2379:14
    #20 0x114640e5c61a  (<unknown module>)
Flags: needinfo?(jgilbert)
Whiteboard: [gfx-noted]

Ok, technically speaking, we're calling into the Derived class in the Base class's dtor, which is a no-no.
This whole file needs to be redone.

Flags: needinfo?(jgilbert)
Assignee: nobody → jgilbert
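The pattern jgilbert describes, as an added example that is not Mozilla's code: a constructed stand-in for the GL context plus a CRTP scoped wrapper whose base-class destructor downcasts `this` and calls into the derived class, which is exactly what `-fsanitize=vptr` reports in the trace above (`~ScopedGLWrapper` calling `Unwrap()`), beside a guard that keeps the restore logic in its own destructor, which is what removing the base class achieves. All names here (`FakeGLContext`, `ScopedGLWrapperBuggy`, `ScopedBindRenderbufferBuggy`, `ScopedBindRenderbufferFixed`, `scopedBindRestores`, `nestedScopesRestoreInOrder`) are assumed for the illustration; only the fixed guard is exercised, since the buggy one is undefined behaviour by construction.

```cpp
// Added example (not Mozilla's code). FakeGLContext is a constructed stand-in
// for GLContext with a single renderbuffer binding slot.
#include <cstdint>
#include <cstdio>

struct FakeGLContext {
  uint32_t boundRenderbuffer = 0;
  void fBindRenderbuffer(uint32_t rb) { boundRenderbuffer = rb; }
  uint32_t currentRenderbuffer() const { return boundRenderbuffer; }
};

// --- Buggy shape: a CRTP base whose destructor calls into Derived ---------
// By the time ~ScopedGLWrapperBuggy runs, the Derived subobject has already
// been destroyed and the vptr points at the base's vtable, so the static_cast
// downcast in Unwrap() is undefined behaviour. -fsanitize=vptr reports it as
// "downcast of address ... which does not point to an object of type ...".
template <typename Derived>
class ScopedGLWrapperBuggy {
 protected:
  FakeGLContext& mGL;
  bool mUnwrapped = false;
  explicit ScopedGLWrapperBuggy(FakeGLContext& gl) : mGL(gl) {}

 public:
  virtual ~ScopedGLWrapperBuggy() { Unwrap(); }  // Derived is already gone here
  void Unwrap() {
    if (mUnwrapped) return;
    mUnwrapped = true;
    static_cast<Derived*>(this)->UnwrapImpl();  // UB: `this` is no longer a Derived
  }
};

class ScopedBindRenderbufferBuggy
    : public ScopedGLWrapperBuggy<ScopedBindRenderbufferBuggy> {
  uint32_t mOldRB;

 public:
  ScopedBindRenderbufferBuggy(FakeGLContext& gl, uint32_t rb)
      : ScopedGLWrapperBuggy<ScopedBindRenderbufferBuggy>(gl),
        mOldRB(gl.currentRenderbuffer()) {
    mGL.fBindRenderbuffer(rb);
  }
  void UnwrapImpl() { mGL.fBindRenderbuffer(mOldRB); }
};

// --- Fixed shape: no base class, the guard restores state in its own dtor ---
// Inside ~ScopedBindRenderbufferFixed the object still has its complete type,
// so there is no downcast and nothing for the vptr sanitizer to flag.
class ScopedBindRenderbufferFixed {
  FakeGLContext& mGL;
  uint32_t mOldRB;

 public:
  ScopedBindRenderbufferFixed(FakeGLContext& gl, uint32_t rb)
      : mGL(gl), mOldRB(gl.currentRenderbuffer()) {
    mGL.fBindRenderbuffer(rb);
  }
  ~ScopedBindRenderbufferFixed() { mGL.fBindRenderbuffer(mOldRB); }
  ScopedBindRenderbufferFixed(const ScopedBindRenderbufferFixed&) = delete;
  ScopedBindRenderbufferFixed& operator=(const ScopedBindRenderbufferFixed&) = delete;
};

// True if the temporary binding is visible inside the scope and the original
// binding is restored once the guard goes out of scope.
bool scopedBindRestores(uint32_t originalRB, uint32_t tempRB) {
  FakeGLContext gl;
  gl.fBindRenderbuffer(originalRB);
  bool boundInside = false;
  {
    ScopedBindRenderbufferFixed bind(gl, tempRB);
    boundInside = gl.currentRenderbuffer() == tempRB;
  }
  return boundInside && gl.currentRenderbuffer() == originalRB;
}

// Nested guards must unwind in reverse order, each restoring what it saw.
bool nestedScopesRestoreInOrder() {
  FakeGLContext gl;
  gl.fBindRenderbuffer(1);
  {
    ScopedBindRenderbufferFixed outer(gl, 2);
    {
      ScopedBindRenderbufferFixed inner(gl, 3);
      if (gl.currentRenderbuffer() != 3) return false;
    }
    if (gl.currentRenderbuffer() != 2) return false;
  }
  return gl.currentRenderbuffer() == 1;
}

int main() {
  bool ok = scopedBindRestores(7, 42) && nestedScopesRestoreInOrder();
  std::printf("fixed guard restores bindings: %s\n", ok ? "yes" : "no");
  return ok ? 0 : 1;
}
```

Building this with `clang++ -fsanitize=vptr` and instantiating `ScopedBindRenderbufferBuggy` in a scope reproduces the same kind of report as the trace in comment 0; the fixed guard never downcasts, so the check has nothing to report.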
Pushed by jgilbert@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/40c99f4752f9
Remove ScopedGLWrapper base class. r=lsalzman
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69