Closed Bug 1445719 Opened 7 years ago Closed 7 years ago

Crash [@ get] near

Categories

(Core :: Graphics: CanvasWebGL, defect)

59 Branch
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 1443671

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev c56ef1c14a55.

==1978==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x7fd59911ea23 bp 0x7fd5872d2700 sp 0x7fd5872d25c0 T19)
==1978==The signal is caused by a READ memory access.
==1978==Hint: address points to the zero page.
    #0 0x7fd59911ea22 in get /builds/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:287:27
    #1 0x7fd59911ea22 in operator mozilla::layers::ImageContainerListener * /builds/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:300
    #2 0x7fd59911ea22 in GetImageContainerListener /builds/worker/workspace/build/src/obj-firefox/dist/include/ImageContainer.h:620
    #3 0x7fd59911ea22 in mozilla::layers::ImageBridgeChild::Connect(mozilla::layers::CompositableClient*, mozilla::layers::ImageContainer*) /builds/worker/workspace/build/src/gfx/layers/ipc/ImageBridgeChild.cpp:325
    #4 0x7fd5990035df in mozilla::layers::CompositableClient::Connect(mozilla::layers::ImageContainer*) /builds/worker/workspace/build/src/gfx/layers/client/CompositableClient.cpp:67:19
    #5 0x7fd59911e2af in CreateCanvasClientNow /builds/worker/workspace/build/src/gfx/layers/ipc/ImageBridgeChild.cpp:830:13
    #6 0x7fd59911e2af in mozilla::layers::ImageBridgeChild::CreateCanvasClientSync(mozilla::layers::SynchronousTask*, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient>*) /builds/worker/workspace/build/src/gfx/layers/ipc/ImageBridgeChild.cpp:279
    #7 0x7fd5991670b3 in apply<RefPtr<mozilla::layers::ImageBridgeChild>, void (mozilla::layers::ImageBridgeChild::*)(mozilla::layers::SynchronousTask *, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient> *), mozilla::layers::SynchronousTask *, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient> *, 0, 1, 2, 3> /builds/worker/workspace/build/src/obj-firefox/dist/include/mtransport/runnable_utils.h:85:5
    #8 0x7fd5991670b3 in mozilla::runnable_args_memfn<RefPtr<mozilla::layers::ImageBridgeChild>, void (mozilla::layers::ImageBridgeChild::*)(mozilla::layers::SynchronousTask*, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient>*), mozilla::layers::SynchronousTask*, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient>*>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/mtransport/runnable_utils.h:155
    #9 0x7fd5977cc0e3 in RunTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:452:9
    #10 0x7fd5977cc0e3 in DeferOrRunPendingTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:460
    #11 0x7fd5977cc0e3 in MessageLoop::DoWork() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:535
    #12 0x7fd5977ce058 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:36:31
    #13 0x7fd5977c96f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #14 0x7fd5977c96f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #15 0x7fd5977c96f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #16 0x7fd5977e8a1f in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
    #17 0x7fd5977da4dc in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:13
    #18 0x7fd5b75c96b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #19 0x7fd5b664b41c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:287:27 in get
Thread T19 (ImageBr~geChild) created by T0 (file:// Content) here:
    #0 0x4b065d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7fd5977d7e3f in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135:14
    #2 0x7fd5977d7e3f in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:146
    #3 0x7fd5977e83bf in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8
    #4 0x7fd5977e813f in base::Thread::Start() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:88:10
    #5 0x7fd599121c35 in mozilla::layers::ImageBridgeChild::InitForContent(mozilla::ipc::Endpoint<mozilla::layers::PImageBridgeChild>&&, unsigned int) /builds/worker/workspace/build/src/gfx/layers/ipc/ImageBridgeChild.cpp:537:45
    #6 0x7fd59dd88d39 in mozilla::dom::ContentChild::RecvInitRendering(mozilla::ipc::Endpoint<mozilla::layers::PCompositorManagerChild>&&, mozilla::ipc::Endpoint<mozilla::layers::PImageBridgeChild>&&, mozilla::ipc::Endpoint<mozilla::gfx::PVRManagerChild>&&, mozilla::ipc::Endpoint<mozilla::dom::PVideoDecoderManagerChild>&&, nsTArray<unsigned int>&&) /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1398:8
    #7 0x7fd59806066d in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:5513:20
    #8 0x7fd59787330e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2135:25
    #9 0x7fd597870291 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2065:17
    #10 0x7fd597871a8c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1911:5
    #11 0x7fd5978720e8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1944:15
    #12 0x7fd5969a4b86 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
    #13 0x7fd5969c0120 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #14 0x7fd59787ae8a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #15 0x7fd5977c96f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #16 0x7fd5977c96f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #17 0x7fd5977c96f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #18 0x7fd59e54e8da in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #19 0x7fd5a2a628ab in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #20 0x7fd5977c96f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #21 0x7fd5977c96f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #22 0x7fd5977c96f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #23 0x7fd5a2a6228a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #24 0x4f6f2c in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #25 0x4f6f2c in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #26 0x7fd5b656482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

==1978==ABORTING
Flags: in-testsuite?
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE