Closed
Bug 1443671
Opened 7 years ago
Closed 7 years ago
Crash at ImageBridgeChild::Connect() with offscreen canvas
Categories
(Core :: Graphics: CanvasWebGL, defect)
Tracking
()
RESOLVED
FIXED
mozilla61
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox59 | --- | disabled |
| firefox60 | --- | disabled |
| firefox61 | --- | fixed |
People
(Reporter: jkratzer, Assigned: sotaro)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase, Whiteboard: [fuzzblocker][gfx-noted])
Attachments
(3 files)
|
244 bytes,
text/html
|
Details | |
|
1.03 KB,
patch
|
nical
:
review+
|
Details | Diff | Splinter Review |
|
875 bytes,
patch
|
nical
:
review+
|
Details | Diff | Splinter Review |
Testcase found while fuzzing mozilla-central rev a007dd56b994.
==12112==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x7fb85b6f0843 bp 0x7fb809fce660 sp 0x7fb809fce520 T18)
==12112==The signal is caused by a READ memory access.
==12112==Hint: address points to the zero page.
#0 0x7fb85b6f0842 in get /builds/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:287:27
#1 0x7fb85b6f0842 in operator mozilla::layers::ImageContainerListener * /builds/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:300
#2 0x7fb85b6f0842 in GetImageContainerListener /builds/worker/workspace/build/src/obj-firefox/dist/include/ImageContainer.h:620
#3 0x7fb85b6f0842 in mozilla::layers::ImageBridgeChild::Connect(mozilla::layers::CompositableClient*, mozilla::layers::ImageContainer*) /builds/worker/workspace/build/src/gfx/layers/ipc/ImageBridgeChild.cpp:330
#4 0x7fb85b5d1b6f in mozilla::layers::CompositableClient::Connect(mozilla::layers::ImageContainer*) /builds/worker/workspace/build/src/gfx/layers/client/CompositableClient.cpp:67:19
#5 0x7fb85b6f0088 in CreateCanvasClientNow /builds/worker/workspace/build/src/gfx/layers/ipc/ImageBridgeChild.cpp:835:13
#6 0x7fb85b6f0088 in mozilla::layers::ImageBridgeChild::CreateCanvasClientSync(mozilla::layers::SynchronousTask*, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient>*) /builds/worker/workspace/build/src/gfx/layers/ipc/ImageBridgeChild.cpp:284
#7 0x7fb85b7376a3 in apply<RefPtr<mozilla::layers::ImageBridgeChild>, void (mozilla::layers::ImageBridgeChild::*)(mozilla::layers::SynchronousTask *, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient> *), mozilla::layers::SynchronousTask *, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient> *, 0, 1, 2, 3> /builds/worker/workspace/build/src/obj-firefox/dist/include/mtransport/runnable_utils.h:85:5
#8 0x7fb85b7376a3 in mozilla::runnable_args_memfn<RefPtr<mozilla::layers::ImageBridgeChild>, void (mozilla::layers::ImageBridgeChild::*)(mozilla::layers::SynchronousTask*, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient>*), mozilla::layers::SynchronousTask*, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient>*>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/mtransport/runnable_utils.h:155
#9 0x7fb859db9ea3 in RunTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:452:9
#10 0x7fb859db9ea3 in DeferOrRunPendingTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:460
#11 0x7fb859db9ea3 in MessageLoop::DoWork() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:535
#12 0x7fb859dbbe18 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:36:31
#13 0x7fb859db7289 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#14 0x7fb859db7289 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#15 0x7fb859db7289 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#16 0x7fb859dd682f in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
#17 0x7fb859dc829c in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:13
#18 0x7fb8799db6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#19 0x7fb878a5d41c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:287:27 in get
Thread T18 (ImageBr~geChild) created by T0 (file:// Content) here:
#0 0x4b065d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
#1 0x7fb859dc5bff in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135:14
#2 0x7fb859dc5bff in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:146
#3 0x7fb859dd61cf in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8
#4 0x7fb859dd5f4f in base::Thread::Start() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:88:10
#5 0x7fb85b6f3c45 in mozilla::layers::ImageBridgeChild::InitForContent(mozilla::ipc::Endpoint<mozilla::layers::PImageBridgeChild>&&, unsigned int) /builds/worker/workspace/build/src/gfx/layers/ipc/ImageBridgeChild.cpp:542:45
#6 0x7fb860183fa9 in mozilla::dom::ContentChild::RecvInitRendering(mozilla::ipc::Endpoint<mozilla::layers::PCompositorManagerChild>&&, mozilla::ipc::Endpoint<mozilla::layers::PImageBridgeChild>&&, mozilla::ipc::Endpoint<mozilla::gfx::PVRManagerChild>&&, mozilla::ipc::Endpoint<mozilla::dom::PVideoDecoderManagerChild>&&, nsTArray<unsigned int>&&) /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1361:8
#7 0x7fb85a6393cd in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:5455:20
#8 0x7fb859e6029e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2133:25
#9 0x7fb859e5d317 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2063:17
#10 0x7fb859e5ea1c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1909:5
#11 0x7fb859e5f078 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1942:15
#12 0x7fb858f8a754 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
#13 0x7fb858fa6710 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
#14 0x7fb859e683ba in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#15 0x7fb859db7289 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#16 0x7fb859db7289 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#17 0x7fb859db7289 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#18 0x7fb860949fda in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
#19 0x7fb864ddb50b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:892:22
#20 0x7fb859db7289 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#21 0x7fb859db7289 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#22 0x7fb859db7289 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#23 0x7fb864ddaeea in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:718:34
#24 0x4f6f2c in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#25 0x4f6f2c in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#26 0x7fb87897682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
==12112==ABORTING
Flags: in-testsuite?
|
Reporter | |
Updated•7 years ago
|
Whiteboard: [fuzzblocker]
|
|
Reporter | |
Comment 1•7 years ago
|
||
Is there any way we could have someone investigate this? We've triggered this issue 12000 times over the past several days and will soon have to disable all canvas fuzzing until it's resolved.
|
||
Updated•7 years ago
|
Whiteboard: [fuzzblocker] → [fuzzblocker][gfx-noted]
|
Assignee | |
Comment 4•7 years ago
|
||
(In reply to Jeff Muizelaar [:jrmuizel] from comment #2)
> Sotaro, do you mind taking a look at this?
I take a look.
|
|
Assignee | |
Comment 5•7 years ago
|
||
To check locally, we need to set pref "gfx.offscreencanvas.enabled;true".
|
|
Assignee | |
Comment 6•7 years ago
|
||
Bug 1409789 looks same bug.
|
|
Assignee | |
Updated•7 years ago
|
Blocks: offscreen-canvas
|
|
Assignee | |
Comment 7•7 years ago
|
||
Ah it is a regression of Bug 1402739. In offscreen canvas case, aImageContainer is nullptr. It was not detected by tests, since offscreen canvas is disabled by default.
|
|
Assignee | |
Comment 8•7 years ago
|
||
|
|
Assignee | |
Updated•7 years ago
|
Summary: Crash [@ get] → Crash at ImageBridgeChild::Connect() with offscreen canvas
|
|
Assignee | |
Comment 10•7 years ago
|
||
|
|
Assignee | |
Updated•7 years ago
|
Attachment #8958712 -
Flags: review?(nical.bugzilla)
|
||
Updated•7 years ago
|
Attachment #8958712 -
Flags: review?(nical.bugzilla) → review+
|
||
Comment 11•7 years ago
|
||
Pushed by sikeda@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/e9ad11e8506a
Check aImageContainer in ImageBridgeChild::Connect() r=nical
|
||
Comment 13•7 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox61:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
|
||
Comment 14•7 years ago
|
||
Can we land this testcase as a crashtest?
status-firefox59:
--- → disabled
status-firefox60:
--- → disabled
status-firefox-esr52:
--- → unaffected
Flags: needinfo?(sotaro.ikeda.g)
|
|
Assignee | |
Comment 15•7 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #14)
> Can we land this testcase as a crashtest?
Ok, I am going to add a crashtest.
Status: RESOLVED → REOPENED
Flags: needinfo?(sotaro.ikeda.g)
Resolution: FIXED → ---
|
|
Assignee | |
Comment 16•7 years ago
|
||
|
|
Assignee | |
Comment 17•7 years ago
|
||
|
|
Assignee | |
Updated•7 years ago
|
Attachment #8960085 -
Flags: review?(nical.bugzilla)
|
|
||
Updated•7 years ago
|
Attachment #8960085 -
Flags: review?(nical.bugzilla) → review+
|
|
||
Comment 18•7 years ago
|
||
Pushed by sikeda@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ce013a4cb8d1
Add crashtest r=nical
|
|
||
Comment 19•7 years ago
|
||
| bugherder | ||
Status: REOPENED → RESOLVED
Closed: 7 years ago → 7 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•