Closed
Bug 1449398
Opened 7 years ago
Closed 3 years ago
Crash [@ get] near mozilla::WebGLContext::LoseOldestWebGLContextIfLimitExceeded()
Categories
(Core :: Graphics: CanvasWebGL, defect, P5)
RESOLVED
DUPLICATE
of bug 1657375
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase, Whiteboard: [fuzzblocker] [gfx-noted])
Attachments
(1 file)
312 bytes,
text/html
Testcase found while fuzzing mozilla-central rev f0d13136b358.
==15221==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f3647e8647c bp 0x7ffd230cab90 sp 0x7ffd230caa80 T0)
==15221==The signal is caused by a READ memory access.
==15221==Hint: address points to the zero page.
#0 0x7f3647e8647b in get /builds/worker/workspace/build/src/gfx/gl/../../mfbt/RefPtr.h:287:27
#1 0x7f3647e8647b in operator-> /builds/worker/workspace/build/src/gfx/gl/../../mfbt/RefPtr.h:319
#2 0x7f3647e8647b in NodePrincipal /builds/worker/workspace/build/src/obj-firefox/dist/include/nsINode.h:939
#3 0x7f3647e8647b in mozilla::WebGLContext::LoseOldestWebGLContextIfLimitExceeded() /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:1144
#4 0x7f3647e8330d in mozilla::WebGLContext::SetDimensions(int, int) /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:901:5
#5 0x7f3647dcddde in mozilla::dom::CanvasRenderingContextHelper::UpdateContext(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:243:24
#6 0x7f3647dcd88a in mozilla::dom::CanvasRenderingContextHelper::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:197:19
#7 0x7f3647e32dfe in mozilla::dom::OffscreenCanvas::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/OffscreenCanvas.cpp:132:35
#8 0x7f36460a1c0d in mozilla::dom::OffscreenCanvasBinding::getContext(JSContext*, JS::Handle<JSObject*>, mozilla::dom::OffscreenCanvas*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/OffscreenCanvasBinding.cpp:185:49
#9 0x7f3647cb0d51 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3031:13
#10 0x7f364e5ceaee in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
#11 0x7f364e5ceaee in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
#12 0x7f364e7c08dd in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2380:14
#13 0x2d699364565a (<unknown module>)
Flags: in-testsuite?
Updated•7 years ago
OS: Unspecified → Linux
Priority: -- → P3
Hardware: Unspecified → x86_64
Whiteboard: [fuzzblocker] → [fuzzblocker] [gfx-noted]
Updated•7 years ago
Assignee: nobody → jgilbert
Comment 1•7 years ago
Please don't fuzz OffscreenCanvas. It's not enabled for a reason.
Updated•7 years ago
Flags: needinfo?(jkratzer)
Comment 2•3 years ago
The code has changed enough that this signature is no longer valid, but in spirit, this is fixed by bug 1657375 which makes the pertinent principal accesses thread safe.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE