Closed Bug 1443671 Opened 6 years ago Closed 6 years ago

Crash at ImageBridgeChild::Connect() with offscreen canvas

Categories

(Core :: Graphics: CanvasWebGL, defect)

Product:
Core
Component:
Graphics: CanvasWebGL
Version:
59 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla61
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox59 --- disabled
firefox60 --- disabled
firefox61 --- fixed

People

(Reporter: jkratzer, Assigned: sotaro)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [fuzzblocker][gfx-noted])

Attachments

(3 files)

trigger.html
244 bytes, text/html
Details
patch - Check aImageContainer in ImageBridgeChild::Connect()
1.03 KB, patch
nical
: review+
Details | Diff | Splinter Review
patch - Add crashtest
875 bytes, patch
nical
: review+
Details | Diff | Splinter Review
Attached file trigger.html 
Testcase found while fuzzing mozilla-central rev a007dd56b994.

==12112==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x7fb85b6f0843 bp 0x7fb809fce660 sp 0x7fb809fce520 T18)
==12112==The signal is caused by a READ memory access.
==12112==Hint: address points to the zero page.
    #0 0x7fb85b6f0842 in get /builds/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:287:27
    #1 0x7fb85b6f0842 in operator mozilla::layers::ImageContainerListener * /builds/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:300
    #2 0x7fb85b6f0842 in GetImageContainerListener /builds/worker/workspace/build/src/obj-firefox/dist/include/ImageContainer.h:620
    #3 0x7fb85b6f0842 in mozilla::layers::ImageBridgeChild::Connect(mozilla::layers::CompositableClient*, mozilla::layers::ImageContainer*) /builds/worker/workspace/build/src/gfx/layers/ipc/ImageBridgeChild.cpp:330
    #4 0x7fb85b5d1b6f in mozilla::layers::CompositableClient::Connect(mozilla::layers::ImageContainer*) /builds/worker/workspace/build/src/gfx/layers/client/CompositableClient.cpp:67:19
    #5 0x7fb85b6f0088 in CreateCanvasClientNow /builds/worker/workspace/build/src/gfx/layers/ipc/ImageBridgeChild.cpp:835:13
    #6 0x7fb85b6f0088 in mozilla::layers::ImageBridgeChild::CreateCanvasClientSync(mozilla::layers::SynchronousTask*, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient>*) /builds/worker/workspace/build/src/gfx/layers/ipc/ImageBridgeChild.cpp:284
    #7 0x7fb85b7376a3 in apply<RefPtr<mozilla::layers::ImageBridgeChild>, void (mozilla::layers::ImageBridgeChild::*)(mozilla::layers::SynchronousTask *, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient> *), mozilla::layers::SynchronousTask *, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient> *, 0, 1, 2, 3> /builds/worker/workspace/build/src/obj-firefox/dist/include/mtransport/runnable_utils.h:85:5
    #8 0x7fb85b7376a3 in mozilla::runnable_args_memfn<RefPtr<mozilla::layers::ImageBridgeChild>, void (mozilla::layers::ImageBridgeChild::*)(mozilla::layers::SynchronousTask*, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient>*), mozilla::layers::SynchronousTask*, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient>*>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/mtransport/runnable_utils.h:155
    #9 0x7fb859db9ea3 in RunTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:452:9
    #10 0x7fb859db9ea3 in DeferOrRunPendingTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:460
    #11 0x7fb859db9ea3 in MessageLoop::DoWork() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:535
    #12 0x7fb859dbbe18 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:36:31
    #13 0x7fb859db7289 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #14 0x7fb859db7289 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #15 0x7fb859db7289 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #16 0x7fb859dd682f in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
    #17 0x7fb859dc829c in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:13
    #18 0x7fb8799db6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #19 0x7fb878a5d41c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:287:27 in get
Thread T18 (ImageBr~geChild) created by T0 (file:// Content) here:
    #0 0x4b065d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7fb859dc5bff in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135:14
    #2 0x7fb859dc5bff in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:146
    #3 0x7fb859dd61cf in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8
    #4 0x7fb859dd5f4f in base::Thread::Start() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:88:10
    #5 0x7fb85b6f3c45 in mozilla::layers::ImageBridgeChild::InitForContent(mozilla::ipc::Endpoint<mozilla::layers::PImageBridgeChild>&&, unsigned int) /builds/worker/workspace/build/src/gfx/layers/ipc/ImageBridgeChild.cpp:542:45
    #6 0x7fb860183fa9 in mozilla::dom::ContentChild::RecvInitRendering(mozilla::ipc::Endpoint<mozilla::layers::PCompositorManagerChild>&&, mozilla::ipc::Endpoint<mozilla::layers::PImageBridgeChild>&&, mozilla::ipc::Endpoint<mozilla::gfx::PVRManagerChild>&&, mozilla::ipc::Endpoint<mozilla::dom::PVideoDecoderManagerChild>&&, nsTArray<unsigned int>&&) /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1361:8
    #7 0x7fb85a6393cd in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:5455:20
    #8 0x7fb859e6029e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2133:25
    #9 0x7fb859e5d317 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2063:17
    #10 0x7fb859e5ea1c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1909:5
    #11 0x7fb859e5f078 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1942:15
    #12 0x7fb858f8a754 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
    #13 0x7fb858fa6710 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #14 0x7fb859e683ba in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #15 0x7fb859db7289 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #16 0x7fb859db7289 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #17 0x7fb859db7289 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #18 0x7fb860949fda in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #19 0x7fb864ddb50b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:892:22
    #20 0x7fb859db7289 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #21 0x7fb859db7289 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #22 0x7fb859db7289 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #23 0x7fb864ddaeea in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:718:34
    #24 0x4f6f2c in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #25 0x4f6f2c in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #26 0x7fb87897682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

==12112==ABORTING
Flags: in-testsuite?
Whiteboard: [fuzzblocker]
Is there any way we could have someone investigate this?  We've triggered this issue 12000 times over the past several days and will soon have to disable all canvas fuzzing until it's resolved.
Sotaro, do you mind taking a look at this?
Flags: needinfo?(sotaro.ikeda.g)
Whiteboard: [fuzzblocker] → [fuzzblocker][gfx-noted]
(In reply to Jeff Muizelaar [:jrmuizel] from comment #2)
> Sotaro, do you mind taking a look at this?

I take a look.
To check locally, we need to set pref "gfx.offscreencanvas.enabled;true".
Bug 1409789 looks same bug.
Blocks: offscreen-canvas
Ah it is a regression of Bug 1402739. In offscreen canvas case, aImageContainer is nullptr. It was not detected by tests, since offscreen canvas is disabled by default.
Blocks: 1402739
Summary: Crash [@ get] → Crash at ImageBridgeChild::Connect() with offscreen canvas
Attachment #8958712 - Flags: review?(nical.bugzilla)
Attachment #8958712 - Flags: review?(nical.bugzilla) → review+
Pushed by sikeda@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/e9ad11e8506a
Check aImageContainer in ImageBridgeChild::Connect() r=nical
https://hg.mozilla.org/mozilla-central/rev/e9ad11e8506a
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox61: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Can we land this testcase as a crashtest?
status-firefox59: --- → disabled
status-firefox60: --- → disabled
status-firefox-esr52: --- → unaffected
Flags: needinfo?(sotaro.ikeda.g)
(In reply to Ryan VanderMeulen [:RyanVM] from comment #14)
> Can we land this testcase as a crashtest?

Ok, I am going to add a crashtest.
Status: RESOLVED → REOPENED
Flags: needinfo?(sotaro.ikeda.g)
Resolution: FIXED → ---

    
  

        Attachment #8960085 -
        Flags: review?(nical.bugzilla)

        Attachment #8960085 -
        Flags: review?(nical.bugzilla) → review+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/ce013a4cb8d1
Status: REOPENED → RESOLVED
Closed: 6 years ago6 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: