Closed Bug 1445719 Opened 2 years ago Closed 2 years ago

Crash [@ get] near

Categories

(Core :: Canvas: WebGL, defect)

59 Branch
defect
Not set

RESOLVED DUPLICATE of bug 1443671

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev c56ef1c14a55.

==1978==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x7fd59911ea23 bp 0x7fd5872d2700 sp 0x7fd5872d25c0 T19)
==1978==The signal is caused by a READ memory access.
==1978==Hint: address points to the zero page.
    #0 0x7fd59911ea22 in get /builds/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:287:27
    #1 0x7fd59911ea22 in operator mozilla::layers::ImageContainerListener * /builds/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:300
    #2 0x7fd59911ea22 in GetImageContainerListener /builds/worker/workspace/build/src/obj-firefox/dist/include/ImageContainer.h:620
    #3 0x7fd59911ea22 in mozilla::layers::ImageBridgeChild::Connect(mozilla::layers::CompositableClient*, mozilla::layers::ImageContainer*) /builds/worker/workspace/build/src/gfx/layers/ipc/ImageBridgeChild.cpp:325
    #4 0x7fd5990035df in mozilla::layers::CompositableClient::Connect(mozilla::layers::ImageContainer*) /builds/worker/workspace/build/src/gfx/layers/client/CompositableClient.cpp:67:19
    #5 0x7fd59911e2af in CreateCanvasClientNow /builds/worker/workspace/build/src/gfx/layers/ipc/ImageBridgeChild.cpp:830:13
    #6 0x7fd59911e2af in mozilla::layers::ImageBridgeChild::CreateCanvasClientSync(mozilla::layers::SynchronousTask*, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient>*) /builds/worker/workspace/build/src/gfx/layers/ipc/ImageBridgeChild.cpp:279
    #7 0x7fd5991670b3 in apply<RefPtr<mozilla::layers::ImageBridgeChild>, void (mozilla::layers::ImageBridgeChild::*)(mozilla::layers::SynchronousTask *, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient> *), mozilla::layers::SynchronousTask *, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient> *, 0, 1, 2, 3> /builds/worker/workspace/build/src/obj-firefox/dist/include/mtransport/runnable_utils.h:85:5
    #8 0x7fd5991670b3 in mozilla::runnable_args_memfn<RefPtr<mozilla::layers::ImageBridgeChild>, void (mozilla::layers::ImageBridgeChild::*)(mozilla::layers::SynchronousTask*, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient>*), mozilla::layers::SynchronousTask*, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient>*>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/mtransport/runnable_utils.h:155
    #9 0x7fd5977cc0e3 in RunTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:452:9
    #10 0x7fd5977cc0e3 in DeferOrRunPendingTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:460
    #11 0x7fd5977cc0e3 in MessageLoop::DoWork() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:535
    #12 0x7fd5977ce058 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:36:31
    #13 0x7fd5977c96f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #14 0x7fd5977c96f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #15 0x7fd5977c96f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #16 0x7fd5977e8a1f in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
    #17 0x7fd5977da4dc in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:13
    #18 0x7fd5b75c96b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #19 0x7fd5b664b41c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:287:27 in get
Thread T19 (ImageBr~geChild) created by T0 (file:// Content) here:
    #0 0x4b065d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7fd5977d7e3f in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135:14
    #2 0x7fd5977d7e3f in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:146
    #3 0x7fd5977e83bf in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8
    #4 0x7fd5977e813f in base::Thread::Start() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:88:10
    #5 0x7fd599121c35 in mozilla::layers::ImageBridgeChild::InitForContent(mozilla::ipc::Endpoint<mozilla::layers::PImageBridgeChild>&&, unsigned int) /builds/worker/workspace/build/src/gfx/layers/ipc/ImageBridgeChild.cpp:537:45
    #6 0x7fd59dd88d39 in mozilla::dom::ContentChild::RecvInitRendering(mozilla::ipc::Endpoint<mozilla::layers::PCompositorManagerChild>&&, mozilla::ipc::Endpoint<mozilla::layers::PImageBridgeChild>&&, mozilla::ipc::Endpoint<mozilla::gfx::PVRManagerChild>&&, mozilla::ipc::Endpoint<mozilla::dom::PVideoDecoderManagerChild>&&, nsTArray<unsigned int>&&) /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1398:8
    #7 0x7fd59806066d in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:5513:20
    #8 0x7fd59787330e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2135:25
    #9 0x7fd597870291 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2065:17
    #10 0x7fd597871a8c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1911:5
    #11 0x7fd5978720e8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1944:15
    #12 0x7fd5969a4b86 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
    #13 0x7fd5969c0120 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #14 0x7fd59787ae8a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #15 0x7fd5977c96f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #16 0x7fd5977c96f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #17 0x7fd5977c96f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #18 0x7fd59e54e8da in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #19 0x7fd5a2a628ab in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #20 0x7fd5977c96f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #21 0x7fd5977c96f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #22 0x7fd5977c96f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #23 0x7fd5a2a6228a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #24 0x4f6f2c in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #25 0x4f6f2c in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #26 0x7fd5b656482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

==1978==ABORTING
Flags: in-testsuite?
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1443671