Open Bug 1449398 Opened 2 years ago Updated 2 years ago

Crash [@ get] near mozilla::WebGLContext::LoseOldestWebGLContextIfLimitExceeded()

Categories

(Core :: Canvas: WebGL, defect, P5)

59 Branch
x86_64
Linux
defect

Tracking

()

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, testcase, Whiteboard: [fuzzblocker] [gfx-noted])

Attachments

(1 file)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev f0d13136b358.

==15221==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f3647e8647c bp 0x7ffd230cab90 sp 0x7ffd230caa80 T0)
==15221==The signal is caused by a READ memory access.
==15221==Hint: address points to the zero page.
    #0 0x7f3647e8647b in get /builds/worker/workspace/build/src/gfx/gl/../../mfbt/RefPtr.h:287:27
    #1 0x7f3647e8647b in operator-> /builds/worker/workspace/build/src/gfx/gl/../../mfbt/RefPtr.h:319
    #2 0x7f3647e8647b in NodePrincipal /builds/worker/workspace/build/src/obj-firefox/dist/include/nsINode.h:939
    #3 0x7f3647e8647b in mozilla::WebGLContext::LoseOldestWebGLContextIfLimitExceeded() /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:1144
    #4 0x7f3647e8330d in mozilla::WebGLContext::SetDimensions(int, int) /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:901:5
    #5 0x7f3647dcddde in mozilla::dom::CanvasRenderingContextHelper::UpdateContext(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:243:24
    #6 0x7f3647dcd88a in mozilla::dom::CanvasRenderingContextHelper::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:197:19
    #7 0x7f3647e32dfe in mozilla::dom::OffscreenCanvas::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/OffscreenCanvas.cpp:132:35
    #8 0x7f36460a1c0d in mozilla::dom::OffscreenCanvasBinding::getContext(JSContext*, JS::Handle<JSObject*>, mozilla::dom::OffscreenCanvas*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/OffscreenCanvasBinding.cpp:185:49
    #9 0x7f3647cb0d51 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3031:13
    #10 0x7f364e5ceaee in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
    #11 0x7f364e5ceaee in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
    #12 0x7f364e7c08dd in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2380:14
    #13 0x2d699364565a  (<unknown module>)
Flags: in-testsuite?
OS: Unspecified → Linux
Priority: -- → P3
Hardware: Unspecified → x86_64
Whiteboard: [fuzzblocker] → [fuzzblocker] [gfx-noted]
Assignee: nobody → jgilbert
Please don't fuzz OffscreenCanvas. It's not enabled for a reason.
Assignee: jgilbert → nobody
Flags: needinfo?(jkratzer)
Priority: P3 → P5
Flags: needinfo?(jkratzer)
You need to log in before you can comment on or make changes to this bug.