crash in [@ MergeState::HasMatchingItemInOldList]

RESOLVED FIXED in Firefox 61

Status

Type: defect
Status: RESOLVED FIXED
Reported: a year ago
Updated: 7 months ago

People

(Reporter: tsmith, Assigned: mattwoodrow, NeedInfo)

Tracking

(Blocks 2 bugs, {crash, testcase})

Version: unspecified
Target Milestone: mozilla62
Points: ---
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox-esr60 unaffected, firefox60 unaffected, firefox61 fixed, firefox62 fixed)

Attachments

(3 attachments)

Reporter

Description

a year ago
Posted file testcase.html
==30121==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000055c658 bp 0x7ffd421529f0 sp 0x7ffd42152880 T0)
==30121==The signal is caused by a WRITE memory access.
==30121==Hint: address points to the zero page.
    #0 0x55c657 in MOZ_CrashPrintf src/mfbt/Assertions.cpp:63:3
    #1 0x7f19967dbffd in GetOldListIndex src/layout/painting/nsDisplayList.h:2868:7
    #2 0x7f19967dbffd in MergeState::HasMatchingItemInOldList(nsDisplayItem*, Index<OldListUnits>*) src/layout/painting/RetainedDisplayListBuilder.cpp:334
    #3 0x7f19966d2baf in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) src/layout/painting/RetainedDisplayListBuilder.cpp:281:9
    #4 0x7f19966d20c2 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&) src/layout/painting/RetainedDisplayListBuilder.cpp:506:36
    #5 0x7f19966d2fba in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) src/layout/painting/RetainedDisplayListBuilder.cpp:289:25
    #6 0x7f19966d20c2 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&) src/layout/painting/RetainedDisplayListBuilder.cpp:506:36
    #7 0x7f19966d2fba in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) src/layout/painting/RetainedDisplayListBuilder.cpp:289:25
    #8 0x7f19966d20c2 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&) src/layout/painting/RetainedDisplayListBuilder.cpp:506:36
    #9 0x7f19966db0ae in RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int, mozilla::DisplayListChecker*) src/layout/painting/RetainedDisplayListBuilder.cpp:1198:7
    #10 0x7f1995e9344b in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3683:40
    #11 0x7f1995d86f57 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) src/layout/base/PresShell.cpp:6312:5
    #12 0x7f1995734c4a in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:480:19
    #13 0x7f1995733a4c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:412:33
    #14 0x7f19957390a6 in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1102:5
    #15 0x7f1995d00445 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2039:11
    #16 0x7f1995d0d21b in TickDriver src/layout/base/nsRefreshDriver.cpp:328:13
    #17 0x7f1995d0d21b in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:301
    #18 0x7f1995d0cdf9 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:320:5
    #19 0x7f1995d0f93e in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:760:5
    #20 0x7f1995d0f93e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:673
    #21 0x7f1995d0f53e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:574:9
    #22 0x7f19965b68ef in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:68:16
    #23 0x7f198f302034 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #24 0x7f198f1d9f43 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1988:28
    #25 0x7f198ed4935e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2136:25
    #26 0x7f198ed462a2 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2066:17
    #27 0x7f198ed47adc in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1912:5
    #28 0x7f198ed48138 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1945:15
    #29 0x7f198de55c46 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14
    #30 0x7f198de71b80 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #31 0x7f198ed50ffa in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #32 0x7f198eca5489 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #33 0x7f198eca5489 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #34 0x7f198eca5489 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #35 0x7f19957c29da in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #36 0x7f1999a16f2b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #37 0x7f198eca5489 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #38 0x7f198eca5489 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #39 0x7f198eca5489 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #40 0x7f1999a168f0 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #41 0x4f1875 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #42 0x4f1875 in main src/browser/app/nsBrowserApp.cpp:282
    #43 0x7f19ad66b82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #44 0x420f48 in _start (firefox+0x420f48)
Flags: in-testsuite?
Assignee

Updated

a year ago
Assignee: nobody → matt.woodrow
Blocks: RDLbugs
See Also: → 1462497
Comment on attachment 8976756 [details]
Bug 1462477 - Always initialize the value of aOutIsTransformedFixed, even we don't have an image to paint.

https://reviewboard.mozilla.org/r/244858/#review251152
Attachment #8976756 - Flags: review?(mstange) → review+

Comment 4

a year ago
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/266c78fab1d6
Always initialize the value of aOutIsTransformedFixed, even we don't have an image to paint. r=mstange

Comment 5

a year ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/266c78fab1d6
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Please request Beta approval on this when you get a chance.
Flags: needinfo?(matt.woodrow)
Assignee

Comment 7

a year ago
Comment on attachment 8976756 [details]
Bug 1462477 - Always initialize the value of aOutIsTransformedFixed, even we don't have an image to paint.

Approval Request Comment
[Feature/Bug causing the regression]: Retained-dl
[User impact if declined]: Crashes on some pages
[Is this code covered by automated tests?]: No, fuzzing test was too unreliable to be useful in automation.
[Has the fix been verified in Nightly?]: By me!
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: Just stops us skipping quite as much work on an early return path, matches code from the normal path.
[String changes made/needed]: None.
Flags: needinfo?(matt.woodrow)
Attachment #8976756 - Flags: approval-mozilla-beta?
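The fix attached to this bug (landed in comment 4, r=mstange) initializes an out-parameter on an early-return path; the approval request above describes it as no longer skipping quite as much work on that path so that it matches the normal path. Below is an added example of that bug class. It is not Gecko code and not the actual patch: `Image`, `PaintResult`, the `Paint*` and `Caller*` functions and the sample image are invented stand-ins, and only the out-parameter name `aOutIsTransformedFixed` is taken from the commit message on this page. One detail worth reading off the trace in the description: frame #0 is `MOZ_CrashPrintf` in `mfbt/Assertions.cpp`, and a SEGV writing to the zero page is how `MOZ_CRASH` terminates the process, so the report is a deliberate release assertion tripped from `GetOldListIndex` (frame #1), not a wild write to address 0 that ASan happened to catch.

```cpp
// Added illustration of the bug class behind the attached fix. This is not
// Gecko code: Image, PaintResult, PaintImageBuggy, PaintImageFixed and the
// Caller* helpers are invented stand-ins; only the out-parameter name
// aOutIsTransformedFixed is taken from the commit message on this page.

struct Image {
  int width;
};

enum class PaintResult { NothingToPaint, Painted };

// BEFORE (hypothetical): the out-parameter is written only on the normal
// path. On the early return the caller keeps whatever its variable held.
PaintResult PaintImageBuggy(const Image* aImage, bool aIsFixedPos,
                            bool* aOutIsTransformedFixed) {
  if (!aImage) {
    return PaintResult::NothingToPaint;  // *aOutIsTransformedFixed untouched
  }
  *aOutIsTransformedFixed = aIsFixedPos && aImage->width > 0;
  return PaintResult::Painted;
}

// AFTER (hypothetical): assign the out-parameter before any early return so
// every path leaves it defined, which is what the normal path already did.
PaintResult PaintImageFixed(const Image* aImage, bool aIsFixedPos,
                            bool* aOutIsTransformedFixed) {
  *aOutIsTransformedFixed = false;
  if (!aImage) {
    return PaintResult::NothingToPaint;
  }
  *aOutIsTransformedFixed = aIsFixedPos && aImage->width > 0;
  return PaintResult::Painted;
}

// Constructed sample input used by the callers below.
static const Image kSampleImage{16};

// Callers that branch on the out-parameter. `aStale` stands in for the
// indeterminate contents of a real caller's uninitialized local; reading such
// a local is undefined behaviour, so the leftover value is modelled
// explicitly instead of relying on what happens to be on the stack.
bool CallerUsesBuggy(bool aHaveImage, bool aIsFixedPos, bool aStale) {
  bool isTransformedFixed = aStale;
  PaintImageBuggy(aHaveImage ? &kSampleImage : nullptr, aIsFixedPos,
                  &isTransformedFixed);
  return isTransformedFixed;  // with no image this is just aStale
}

bool CallerUsesFixed(bool aHaveImage, bool aIsFixedPos, bool aStale) {
  bool isTransformedFixed = aStale;
  PaintImageFixed(aHaveImage ? &kSampleImage : nullptr, aIsFixedPos,
                  &isTransformedFixed);
  return isTransformedFixed;  // with no image this is always false
}

int main() {
  // Same answer when there is an image to paint ...
  bool agree =
      CallerUsesBuggy(true, true, false) == CallerUsesFixed(true, true, false);
  // ... but on the early-return path only the fixed version is independent
  // of whatever the caller's variable held before the call.
  bool leaks =
      CallerUsesBuggy(false, true, true) != CallerUsesFixed(false, true, true);
  return (agree && leaks) ? 0 : 1;
}
```

Two practical notes. First, AddressSanitizer does not detect this class at all: no invalid memory access occurs in `PaintImageBuggy`, so ASan only ever sees the downstream consequence (here a `MOZ_CRASH`). MemorySanitizer, which tracks uninitialized bits as they flow through memory and across calls, is the sanitizer that reports the read of `isTransformedFixed` in the buggy caller, and `-Wuninitialized` / `-Wmaybe-uninitialized` usually cannot help because the write happens behind a pointer in another function. Second, fuzz testcases for this kind of bug are often flaky (the stale value has to be the "wrong" one), which is consistent with the approval request's remark that the fuzzing test was too unreliable for automation.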
Comment on attachment 8976756 [details]
Bug 1462477 - Always initialize the value of aOutIsTransformedFixed, even we don't have an image to paint.

RDL stability fix. Approved for 61.0b8.
Attachment #8976756 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment 11

10 months ago
I couldn't reproduce this crash on any affected/unaffected/fixed Fx versions (62.0a1, 61.0b6, 60.0b9 or 63.0a1).

Seeing the crash stats (https://crash-stats.mozilla.com/signature/?signature=MergeState%3A%3AHasMatchingItemInOldList&date=%3E%3D2018-08-02T09%3A03%3A23.000Z&date=%3C2018-08-09T09%3A03%3A23.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=-build_id&_sort=version&_sort=-date&page=1), crashes with this signature are still reproducible on current Nightly and on beta 62.0b15.
Flags: needinfo?(matt.woodrow)
Flags: qe-verify+