Closed
Bug 1449398
Opened 6 years ago
Closed 3 years ago
Crash [@ get] near mozilla::WebGLContext::LoseOldestWebGLContextIfLimitExceeded()
Categories
(Core :: Graphics: CanvasWebGL, defect, P5)
Tracking
()
RESOLVED
DUPLICATE
of bug 1657375
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase, Whiteboard: [fuzzblocker] [gfx-noted])
Attachments
(1 file)
|
312 bytes,
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev f0d13136b358.
==15221==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f3647e8647c bp 0x7ffd230cab90 sp 0x7ffd230caa80 T0)
==15221==The signal is caused by a READ memory access.
==15221==Hint: address points to the zero page.
#0 0x7f3647e8647b in get /builds/worker/workspace/build/src/gfx/gl/../../mfbt/RefPtr.h:287:27
#1 0x7f3647e8647b in operator-> /builds/worker/workspace/build/src/gfx/gl/../../mfbt/RefPtr.h:319
#2 0x7f3647e8647b in NodePrincipal /builds/worker/workspace/build/src/obj-firefox/dist/include/nsINode.h:939
#3 0x7f3647e8647b in mozilla::WebGLContext::LoseOldestWebGLContextIfLimitExceeded() /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:1144
#4 0x7f3647e8330d in mozilla::WebGLContext::SetDimensions(int, int) /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:901:5
#5 0x7f3647dcddde in mozilla::dom::CanvasRenderingContextHelper::UpdateContext(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:243:24
#6 0x7f3647dcd88a in mozilla::dom::CanvasRenderingContextHelper::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:197:19
#7 0x7f3647e32dfe in mozilla::dom::OffscreenCanvas::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/OffscreenCanvas.cpp:132:35
#8 0x7f36460a1c0d in mozilla::dom::OffscreenCanvasBinding::getContext(JSContext*, JS::Handle<JSObject*>, mozilla::dom::OffscreenCanvas*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/OffscreenCanvasBinding.cpp:185:49
#9 0x7f3647cb0d51 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3031:13
#10 0x7f364e5ceaee in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
#11 0x7f364e5ceaee in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
#12 0x7f364e7c08dd in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2380:14
#13 0x2d699364565a (<unknown module>)Flags: in-testsuite?
|
||
Updated•6 years ago
|
OS: Unspecified → Linux
Priority: -- → P3
Hardware: Unspecified → x86_64
Whiteboard: [fuzzblocker] → [fuzzblocker] [gfx-noted]
|
||
Updated•6 years ago
|
Assignee: nobody → jgilbert
|
|
||
Comment 1•6 years ago
|
||
Please don't fuzz OffscreenCanvas. It's not enabled for a reason.
|
Reporter | |
Updated•6 years ago
|
Flags: needinfo?(jkratzer)
|
||
Comment 2•3 years ago
|
||
The code has changed enough that this signature is no longer valid, but in spirit, this is fixed by bug 1657375 which makes the pertinent principal accesses thread safe.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•