Closed Bug 1446021 Opened 2 years ago Closed 2 years ago

IPC: crash [@mozilla::layers::AsyncPanZoomController::GetCurrentAsyncTransform / __GI___pthread_mutex_lock]

Categories: Core :: Panning and Zooming, defect, critical

Tracking: RESOLVED DUPLICATE of bug 1446022; firefox61 --- affected

People: Reporter: posidron, Assigned: kats

References: Blocks 1 open bug

Details: Keywords: crash

Attachments: 1 file

Attached file session.txt
INFO: This is an IPC crash found by the fuzzer Faulty. There is no test case available which leads to an immediate crash for reproduction.

The attached session.txt contains a trace of IPC messages which were sent and received during a session of visiting https://html5test.com

*** Possible reproduction scenario:

pip install git+https://github.com/mozillasecurity/fuzzfetch
fuzzfetch -a --fuzzing -n firefox -o /tmp

export FAULTY_PROBABILITY=50000
export FAULTY_LARGE_VALUES=1
export FAULTY_PARENT=1
export FAULTY_ENABLE_LOGGING=1
export FAULTY_PICKLE=1
export MOZ_IPC_MESSAGE_LOG=1

==28698==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000208 (pc 0x7f1c82455d44 bp 0x7f1c44140910 sp 0x7f1c44140900 T35)
==28698==The signal is caused by a READ memory access.
==28698==Hint: address points to the zero page.
    #0 0x7f1c82455d43 in __GI___pthread_mutex_lock (/lib/x86_64-linux-gnu/libpthread.so.0+0x9d43)
    #1 0x7f1c61c27638 in mozilla::RecursiveMutex::LockInternal() /builds/worker/workspace/build/src/xpcom/threads/RecursiveMutex.cpp:73:3
    #2 0x7f1c641ad497 in Lock /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RecursiveMutex.h:31:17
    #3 0x7f1c641ad497 in RecursiveMutexAutoLock /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RecursiveMutex.h:85
    #4 0x7f1c641ad497 in mozilla::layers::AsyncPanZoomController::GetCurrentAsyncTransform(mozilla::layers::AsyncPanZoomController::AsyncTransformConsumer) const /builds/worker/workspace/build/src/gfx/layers/apz/src/AsyncPanZoomController.cpp:3579
    #5 0x7f1c641b1aeb in mozilla::layers::APZSampler::GetCurrentAsyncTransform(mozilla::layers::LayerMetricsWrapper const&) /builds/worker/workspace/build/src/gfx/layers/apz/src/APZSampler.cpp:180:28
    #6 0x7f1c643440e8 in mozilla::layers::AsyncCompositionManager::ApplyAsyncContentTransformToTree(mozilla::layers::Layer*, bool*)::$_4::operator()(mozilla::layers::Layer*) const /builds/worker/workspace/build/src/gfx/layers/composite/AsyncCompositionManager.cpp:897:26
    #7 0x7f1c64308dd3 in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_23AsyncCompositionManager32ApplyAsyncContentTransformToTreeES4_PbE3$_3ZNS5_32ApplyAsyncContentTransformToTreeES4_S6_E3$_4EENS_8EnableIfIXaasr6IsSameIDTclfp0_fp_EEvEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeET0_RKT1_RKT2_ /builds/worker/workspace/build/src/gfx/layers/TreeTraversal.h:145:3
    #8 0x7f1c64308dab in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_23AsyncCompositionManager32ApplyAsyncContentTransformToTreeES4_PbE3$_3ZNS5_32ApplyAsyncContentTransformToTreeES4_S6_E3$_4EENS_8EnableIfIXaasr6IsSameIDTclfp0_fp_EEvEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeET0_RKT1_RKT2_ /builds/worker/workspace/build/src/gfx/layers/TreeTraversal.h:142:5
    #9 0x7f1c64308d57 in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_23AsyncCompositionManager32ApplyAsyncContentTransformToTreeES4_PbE3$_3ZNS5_32ApplyAsyncContentTransformToTreeES4_S6_E3$_4EENS_8EnableIfIXaasr6IsSameIDTclfp0_fp_EEvEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeET0_RKT1_RKT2_ /builds/worker/workspace/build/src/gfx/layers/TreeTraversal.h:142:5
    #10 0x7f1c64308dab in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_23AsyncCompositionManager32ApplyAsyncContentTransformToTreeES4_PbE3$_3ZNS5_32ApplyAsyncContentTransformToTreeES4_S6_E3$_4EENS_8EnableIfIXaasr6IsSameIDTclfp0_fp_EEvEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeET0_RKT1_RKT2_ /builds/worker/workspace/build/src/gfx/layers/TreeTraversal.h:142:5
    #11 0x7f1c643083a3 in mozilla::layers::AsyncCompositionManager::ApplyAsyncContentTransformToTree(mozilla::layers::Layer*, bool*) /builds/worker/workspace/build/src/gfx/layers/composite/AsyncCompositionManager.cpp:817:3
    #12 0x7f1c6430a5f6 in mozilla::layers::AsyncCompositionManager::TransformShadowTree(mozilla::TimeStamp, mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>, mozilla::layers::AsyncCompositionManager::TransformsToSkip) /builds/worker/workspace/build/src/gfx/layers/composite/AsyncCompositionManager.cpp:1255:9
    #13 0x7f1c643a4bd5 in mozilla::layers::CompositorBridgeParent::CompositeToTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:990:48
    #14 0x7f1c643c7435 in mozilla::layers::CompositorVsyncScheduler::Composite(mozilla::TimeStamp) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorVsyncScheduler.cpp:243:27
    #15 0x7f1c64416d20 in applyImpl<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), StoreCopyPassByConstLRef<mozilla::TimeStamp> , 0> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1149:12
    #16 0x7f1c64416d20 in apply<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1155
    #17 0x7f1c64416d20 in mozilla::detail::RunnableMethodImpl<mozilla::layers::CompositorVsyncScheduler*, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), true, (mozilla::RunnableKind)1, mozilla::TimeStamp>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1200
    #18 0x7f1c62a800e3 in RunTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:452:9
    #19 0x7f1c62a800e3 in DeferOrRunPendingTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:460
    #20 0x7f1c62a800e3 in MessageLoop::DoWork() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:535
    #21 0x7f1c62a82058 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:36:31
    #22 0x7f1c62a7d6f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #23 0x7f1c62a7d6f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #24 0x7f1c62a7d6f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #25 0x7f1c62a9ca1f in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
    #26 0x7f1c62a8e4dc in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:13
    #27 0x7f1c824536b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #28 0x7f1c814dc41c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libpthread.so.0+0x9d43) in __GI___pthread_mutex_lock
Thread T35 (Compositor) created by T0 here:
    #0 0x4b065d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7f1c62a8be3f in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135:14
    #2 0x7f1c62a8be3f in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:146
    #3 0x7f1c62a9c3bf in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8
    #4 0x7f1c643b7caa in CreateCompositorThread /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:102:26
    #5 0x7f1c643b7caa in mozilla::layers::CompositorThreadHolder::CompositorThreadHolder() /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:52
    #6 0x7f1c643b7ec3 in mozilla::layers::CompositorThreadHolder::Start() /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:124:33
    #7 0x7f1c644a8a32 in gfxPlatform::InitLayersIPC() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:1035:5
    #8 0x7f1c644a47ce in gfxPlatform::Init() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:779:5
    #9 0x7f1c644a1e2b in gfxPlatform::GetPlatform() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:538:9
    #10 0x7f1c697c7339 in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/widget/GfxInfoBase.cpp:1518:25
    #11 0x7f1c61c845e1 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
    #12 0x7f1c63585020 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1951:12
    #13 0x7f1c63585020 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1267
    #14 0x7f1c63585020 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1234
    #15 0x7f1c6358c5c9 in GetAttribute /builds/worker/workspace/build/src/js/xpconnect/src/xpcprivate.h:1636:17
    #16 0x7f1c6358c5c9 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:949
    #17 0x7f1c6e029d1e in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
    #18 0x7f1c6e029d1e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
    #19 0x7f1c6e02ba72 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:516:12
    #20 0x7f1c6e02ba72 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535
    #21 0x7f1c6e02ba72 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:650
    #22 0x7f1c6f1cc2ee in CallGetter /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2155:16
    #23 0x7f1c6f1cc2ee in GetExistingProperty<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2208
    #24 0x7f1c6f1cc2ee in NativeGetPropertyInline<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2410
    #25 0x7f1c6f1cc2ee in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2446
    #26 0x7f1c6e011355 in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1629:12
    #27 0x7f1c6e011355 in GetObjectElementOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:520
    #28 0x7f1c6e011355 in GetElementOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:626
    #29 0x7f1c6e011355 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2923
    #30 0x7f1c6dff4904 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #31 0x7f1c6e029b17 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #32 0x7f1c6e0126f0 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #33 0x7f1c6e0126f0 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3085
    #34 0x7f1c6dff4904 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #35 0x7f1c6e029b17 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #36 0x7f1c6e0126f0 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #37 0x7f1c6e0126f0 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3085
    #38 0x7f1c6dff4904 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #39 0x7f1c6e029b17 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #40 0x7f1c6e0126f0 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #41 0x7f1c6e0126f0 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3085
    #42 0x7f1c6dff4904 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #43 0x7f1c6e029b17 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #44 0x7f1c6e02a883 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
    #45 0x7f1c6ec85745 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2970:12
    #46 0x7f1c6356bf36 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:1257:23
    #47 0x7f1c61c85bbf in PrepareAndDispatch /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:120:28
    #48 0x7f1c61c84b6a in SharedStub (/home/ubuntu/firefox/libxul.so+0x21dbb6a)
    #49 0x7f1c61bfebfd in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/xpcom/components/nsCategoryManager.cpp:810:19
    #50 0x7f1c6dd3023c in nsXREDirProvider::DoStartup() /builds/worker/workspace/build/src/toolkit/xre/nsXREDirProvider.cpp:1021:11
    #51 0x7f1c6dd0cab8 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4561:16
    #52 0x7f1c6dd100e8 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4869:8
    #53 0x7f1c6dd117c4 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4961:21
    #54 0x4f6d45 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
    #55 0x4f6d45 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304
    #56 0x7f1c813f582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

==28698==ABORTING
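The report above faults inside pthread_mutex_lock on address 0x208 with ASan's "zero page" hint: the mutex being locked sits at a small fixed offset from address zero, which is the shape of a member access through a null object pointer rather than a corrupted or wild pointer. The following is an added triage helper, not part of this bug report or of Mozilla's fuzzing tools, that parses an ASan SEGV report into a bucket signature of the form "first in-tree frame / faulting frame", the same shape as this bug's summary. The 4 KiB page size and the list of noise frames (libc, libpthread, the RecursiveMutex wrappers inlined from dist/include) are assumptions chosen for this report; SAMPLE is constructed from the report's first frames, cut after frame #5.

```python
"""Bucket an AddressSanitizer SEGV report by faulting frame and first in-tree frame."""
import re
from dataclasses import dataclass, field

PAGE_SIZE = 0x1000  # assumption: 4 KiB zero page, as on x86-64 Linux

# Location substrings that mark a frame as runtime or lock-wrapper noise rather
# than the code that passed the bad pointer. Heuristic, tuned for this report.
NOISE_LOCATIONS = ("libpthread.so", "libc.so", "RecursiveMutex", "/dist/include/mozilla/")

SEGV_RE = re.compile(r"SEGV on unknown address 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+)$")

# Constructed sample: the first lines of the ASan report above, cut after frame #5.
SAMPLE = """\
==28698==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000208 (pc 0x7f1c82455d44 bp 0x7f1c44140910 sp 0x7f1c44140900 T35)
==28698==The signal is caused by a READ memory access.
==28698==Hint: address points to the zero page.
    #0 0x7f1c82455d43 in __GI___pthread_mutex_lock (/lib/x86_64-linux-gnu/libpthread.so.0+0x9d43)
    #1 0x7f1c61c27638 in mozilla::RecursiveMutex::LockInternal() /builds/worker/workspace/build/src/xpcom/threads/RecursiveMutex.cpp:73:3
    #2 0x7f1c641ad497 in Lock /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RecursiveMutex.h:31:17
    #3 0x7f1c641ad497 in RecursiveMutexAutoLock /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RecursiveMutex.h:85
    #4 0x7f1c641ad497 in mozilla::layers::AsyncPanZoomController::GetCurrentAsyncTransform(mozilla::layers::AsyncPanZoomController::AsyncTransformConsumer) const /builds/worker/workspace/build/src/gfx/layers/apz/src/AsyncPanZoomController.cpp:3579
    #5 0x7f1c641b1aeb in mozilla::layers::APZSampler::GetCurrentAsyncTransform(mozilla::layers::LayerMetricsWrapper const&) /builds/worker/workspace/build/src/gfx/layers/apz/src/APZSampler.cpp:180:28

AddressSanitizer can not provide additional info.
"""


@dataclass
class Frame:
    index: int
    symbol: str    # function name without its parameter list
    location: str  # source path:line or (module+offset)


@dataclass
class Triage:
    address: int
    access: str
    near_null: bool
    faulting_symbol: str
    project_symbol: str
    signature: str
    frames: list = field(default_factory=list)


def parse_frames(report: str) -> list:
    """Return the faulting thread's frames only; stop at the blank line that
    separates them from the thread-creation stack ASan prints afterwards."""
    frames = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if m:
            # The location is the last whitespace-separated token; the symbol
            # itself may contain spaces (parameter lists, a trailing "const").
            parts = m.group(2).rsplit(None, 1)
            sym, loc = parts if len(parts) == 2 else (parts[0], "")
            frames.append(Frame(int(m.group(1)), sym.split("(", 1)[0].strip(), loc))
        elif frames and not line.strip():
            break
    return frames


def is_noise(frame: Frame) -> bool:
    return any(tag in frame.location for tag in NOISE_LOCATIONS)


def triage(report: str) -> Triage:
    addr_m = SEGV_RE.search(report)
    if not addr_m:
        raise ValueError("not an ASan SEGV report")
    address = int(addr_m.group(1), 16)
    acc_m = ACCESS_RE.search(report)
    access = acc_m.group(1) if acc_m else "UNKNOWN"
    frames = parse_frames(report)
    if not frames:
        raise ValueError("report has no stack frames")
    faulting = frames[0].symbol
    # First frame that is not runtime/wrapper noise: the code holding the bad pointer.
    project = next((f.symbol for f in frames if not is_noise(f)), faulting)
    return Triage(address, access, address < PAGE_SIZE, faulting, project,
                  f"{project} / {faulting}", frames)


def describe(t: Triage) -> str:
    """One-line verdict a triager would paste into the bug."""
    if t.near_null:
        kind = (f"near-null {t.access} at 0x{t.address:x}: most likely a member at "
                f"offset 0x{t.address:x} of a null object, i.e. an unchecked pointer")
    else:
        kind = f"wild {t.access} at 0x{t.address:x}"
    return f"{kind}; signature [@ {t.signature}]"


if __name__ == "__main__":
    print(describe(triage(SAMPLE)))
```

For this report the helper yields the near-null verdict and the signature `mozilla::layers::AsyncPanZoomController::GetCurrentAsyncTransform / __GI___pthread_mutex_lock`. A near-null read of this kind is, on its own, a crash of the process that runs the compositor rather than a memory-corruption primitive; the value of the bucket is that the same signature will recur whenever the null APZC reaches the sampler, which is why a fix in one place can close several fuzzer reports at once.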
Here's another APZ Faulty crash, kats.
Component: Layout → Panning and Zooming
Flags: needinfo?(bugmail)
Thanks!
Assignee: nobody → bugmail
Flags: needinfo?(bugmail)
I'm going to dupe this to bug 1446022 since the fix will cover both issues.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1446022