Open Bug 1445945 Opened 6 years ago Updated 2 years ago

Crash [@ mozilla::WebGL2Context::GetActiveUniforms]

Categories

(Core :: Graphics: CanvasWebGL, defect, P3)

59 Branch
defect

Tracking

()

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [gfx-noted])

Attachments

(1 file)

Attached file trigger.html
Testcase found while fuzzing esr52 rev d61516b059c1.

==21907==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x7f6224eea5e5 bp 0x7fff3c554a50 sp 0x7fff3c554880 T0)
    #0 0x7f6224eea5e4 in mozilla::WebGL2Context::GetActiveUniforms(JSContext*, mozilla::WebGLProgram const&, mozilla::dom::Sequence<unsigned int> const&, unsigned int, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:523:32
    #1 0x7f62244021b5 in mozilla::dom::WebGL2RenderingContextBinding::getActiveUniforms(JSContext*, JS::Handle<JSObject*>, mozilla::WebGL2Context*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/WebGL2RenderingContextBinding.cpp:7969:3
    #2 0x7f6224d50a29 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2904:13
    #3 0x7f622b0d8135 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
    #4 0x7f622b0d8135 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
    #5 0x7f622b0b853f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
    #6 0x7f622b0b853f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
    #7 0x7f622b09d6fd in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
    #8 0x7f622b0da622 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:686:15
    #9 0x7f622b0daebb in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:718:12
    #10 0x7f622abbc454 in Evaluate(JSContext*, js::ScopeKind, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:4439:19
    #11 0x7f622abbd1ab in Evaluate /home/worker/workspace/build/src/js/src/jsapi.cpp:4466:12
    #12 0x7f622abbd1ab in JS::Evaluate(JSContext*, JS::AutoObjectVector&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:4524
    #13 0x7f622333ffd0 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /home/worker/workspace/build/src/dom/base/nsJSUtils.cpp:207:12
    #14 0x7f62233410e9 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /home/worker/workspace/build/src/dom/base/nsJSUtils.cpp:274:10
    #15 0x7f62233d82d1 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*) /home/worker/workspace/build/src/dom/base/nsScriptLoader.cpp:2193:14
    #16 0x7f62233d51de in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) /home/worker/workspace/build/src/dom/base/nsScriptLoader.cpp:1979:10
    #17 0x7f62233bc535 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /home/worker/workspace/build/src/dom/base/nsScriptLoader.cpp:1712:10
    #18 0x7f62233b8ea1 in nsScriptElement::MaybeProcessScript() /home/worker/workspace/build/src/dom/base/nsScriptElement.cpp:149:10
    #19 0x7f62224286a3 in AttemptToExecute /home/worker/workspace/build/src/dom/base/nsIScriptElement.h:222:18
    #20 0x7f62224286a3 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /home/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:666
    #21 0x7f6222426e25 in nsHtml5TreeOpExecutor::RunFlushLoop() /home/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:489:7
    #22 0x7f622242ba9b in nsHtml5ExecutorFlusher::Run() /home/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:128:9
    #23 0x7f62205bc91b in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1216:7
    #24 0x7f622063ea5c in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:361:10
    #25 0x7f62213f7a4f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #26 0x7f62213695a8 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #27 0x7f62213695a8 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
    #28 0x7f62213695a8 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
    #29 0x7f6226a0183f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
    #30 0x7f6228c209a7 in XRE_RunAppShell /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:866:12
    #31 0x7f62213695a8 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #32 0x7f62213695a8 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
    #33 0x7f62213695a8 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
    #34 0x7f6228c1ffb2 in XRE_InitChildProcess /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:698:7
    #35 0x4e037b in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:197:19
    #36 0x4e037b in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:392
    #37 0x7f623c39782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
Flags: in-testsuite?
Confirmed: the testcase instantly crashes the tab on my local Ubuntu machine; it works fine on macOS.
Whiteboard: [gfx-noted]
Severity: normal → S3
