Closed
Bug 1445719
Opened 7 years ago
Closed 7 years ago
Crash [@ get] near
Categories
(Core :: Graphics: CanvasWebGL, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1443671
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase)
Attachments
(1 file)
312 bytes,
text/html
Testcase found while fuzzing mozilla-central rev c56ef1c14a55.
==1978==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x7fd59911ea23 bp 0x7fd5872d2700 sp 0x7fd5872d25c0 T19)
==1978==The signal is caused by a READ memory access.
==1978==Hint: address points to the zero page.
#0 0x7fd59911ea22 in get /builds/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:287:27
#1 0x7fd59911ea22 in operator mozilla::layers::ImageContainerListener * /builds/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:300
#2 0x7fd59911ea22 in GetImageContainerListener /builds/worker/workspace/build/src/obj-firefox/dist/include/ImageContainer.h:620
#3 0x7fd59911ea22 in mozilla::layers::ImageBridgeChild::Connect(mozilla::layers::CompositableClient*, mozilla::layers::ImageContainer*) /builds/worker/workspace/build/src/gfx/layers/ipc/ImageBridgeChild.cpp:325
#4 0x7fd5990035df in mozilla::layers::CompositableClient::Connect(mozilla::layers::ImageContainer*) /builds/worker/workspace/build/src/gfx/layers/client/CompositableClient.cpp:67:19
#5 0x7fd59911e2af in CreateCanvasClientNow /builds/worker/workspace/build/src/gfx/layers/ipc/ImageBridgeChild.cpp:830:13
#6 0x7fd59911e2af in mozilla::layers::ImageBridgeChild::CreateCanvasClientSync(mozilla::layers::SynchronousTask*, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient>*) /builds/worker/workspace/build/src/gfx/layers/ipc/ImageBridgeChild.cpp:279
#7 0x7fd5991670b3 in apply<RefPtr<mozilla::layers::ImageBridgeChild>, void (mozilla::layers::ImageBridgeChild::*)(mozilla::layers::SynchronousTask *, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient> *), mozilla::layers::SynchronousTask *, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient> *, 0, 1, 2, 3> /builds/worker/workspace/build/src/obj-firefox/dist/include/mtransport/runnable_utils.h:85:5
#8 0x7fd5991670b3 in mozilla::runnable_args_memfn<RefPtr<mozilla::layers::ImageBridgeChild>, void (mozilla::layers::ImageBridgeChild::*)(mozilla::layers::SynchronousTask*, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient>*), mozilla::layers::SynchronousTask*, mozilla::layers::CanvasClient::CanvasClientType, mozilla::layers::TextureFlags, RefPtr<mozilla::layers::CanvasClient>*>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/mtransport/runnable_utils.h:155
#9 0x7fd5977cc0e3 in RunTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:452:9
#10 0x7fd5977cc0e3 in DeferOrRunPendingTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:460
#11 0x7fd5977cc0e3 in MessageLoop::DoWork() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:535
#12 0x7fd5977ce058 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:36:31
#13 0x7fd5977c96f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#14 0x7fd5977c96f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#15 0x7fd5977c96f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#16 0x7fd5977e8a1f in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
#17 0x7fd5977da4dc in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:13
#18 0x7fd5b75c96b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#19 0x7fd5b664b41c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:287:27 in get
Thread T19 (ImageBr~geChild) created by T0 (file:// Content) here:
#0 0x4b065d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
#1 0x7fd5977d7e3f in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135:14
#2 0x7fd5977d7e3f in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:146
#3 0x7fd5977e83bf in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8
#4 0x7fd5977e813f in base::Thread::Start() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:88:10
#5 0x7fd599121c35 in mozilla::layers::ImageBridgeChild::InitForContent(mozilla::ipc::Endpoint<mozilla::layers::PImageBridgeChild>&&, unsigned int) /builds/worker/workspace/build/src/gfx/layers/ipc/ImageBridgeChild.cpp:537:45
#6 0x7fd59dd88d39 in mozilla::dom::ContentChild::RecvInitRendering(mozilla::ipc::Endpoint<mozilla::layers::PCompositorManagerChild>&&, mozilla::ipc::Endpoint<mozilla::layers::PImageBridgeChild>&&, mozilla::ipc::Endpoint<mozilla::gfx::PVRManagerChild>&&, mozilla::ipc::Endpoint<mozilla::dom::PVideoDecoderManagerChild>&&, nsTArray<unsigned int>&&) /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1398:8
#7 0x7fd59806066d in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:5513:20
#8 0x7fd59787330e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2135:25
#9 0x7fd597870291 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2065:17
#10 0x7fd597871a8c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1911:5
#11 0x7fd5978720e8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1944:15
#12 0x7fd5969a4b86 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
#13 0x7fd5969c0120 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
#14 0x7fd59787ae8a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#15 0x7fd5977c96f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#16 0x7fd5977c96f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#17 0x7fd5977c96f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#18 0x7fd59e54e8da in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
#19 0x7fd5a2a628ab in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
#20 0x7fd5977c96f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#21 0x7fd5977c96f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#22 0x7fd5977c96f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#23 0x7fd5a2a6228a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
#24 0x4f6f2c in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#25 0x4f6f2c in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#26 0x7fd5b656482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
==1978==ABORTING
Flags: in-testsuite?
Updated 7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE