Closed
Bug 1499758
Opened 6 years ago
Closed 6 years ago
AddressSanitizer: SEGV /builds/worker/workspace/build/src/gfx/gl/../../mfbt/UniquePtr.h in get
Categories: Core :: Graphics: CanvasWebGL, defect, P3
Status: RESOLVED FIXED
Target Milestone: mozilla65
| Tracking | Status
---|---|---
firefox-esr60 | --- | unaffected
firefox63 | --- | unaffected
firefox64 | --- | wontfix
firefox65 | --- | fixed
People: Reporter: jkratzer, Assigned: mortimergoro
References: Blocks 3 open bugs
Keywords: crash, regression, testcase
Attachments: 2 files
Testcase found while fuzzing mozilla-central rev 99c45aca2d8a.
=================================================================
==11671==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000a30 (pc 0x7f1032582961 bp 0x7ffe0a30b740 sp 0x7ffe0a30b5a0 T0)
==11671==The signal is caused by a READ memory access.
==11671==Hint: address points to the zero page.
#0 0x7f1032582960 in get /builds/worker/workspace/build/src/gfx/gl/../../mfbt/UniquePtr.h
#1 0x7f1032582960 in Screen /builds/worker/workspace/build/src/gfx/gl/GLContext.h:3605
#2 0x7f1032582960 in mozilla::WebGLContext::EnsureVRReady() /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:2360
#3 0x7f10325824ed in mozilla::WebGLContext::GetVRFrame() /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:2322:3
#4 0x7f102ea118b7 in mozilla::gfx::VRLayerChild::SubmitFrame(mozilla::gfx::VRDisplayInfo const&) /builds/worker/workspace/build/src/gfx/vr/ipc/VRLayerChild.cpp:80:39
#5 0x7f1034a55ad2 in mozilla::dom::VRDisplay::SubmitFrame() /builds/worker/workspace/build/src/dom/vr/VRDisplay.cpp:689:20
#6 0x7f1030f5195b in mozilla::dom::VRDisplay_Binding::submitFrame(JSContext*, JS::Handle<JSObject*>, mozilla::dom::VRDisplay*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/VRDisplayBinding.cpp:1255:9
#7 0x7f1032315150 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3315:13
#8 0x7f103b124ffb in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:468:15
#9 0x7f103b124ffb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:560
#10 0x7f103b10df7e in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:620:12
#11 0x7f103b10df7e in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3458
#12 0x7f103b0f324b in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447:12
#13 0x7f103b125b0e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:587:15
#14 0x7f103b1278a2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:633:10
#15 0x7f1039848fdc in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.h:102:12
#16 0x7f1039848fdc in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/Promise.cpp:1626
#17 0x7f103b124ffb in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:468:15
#18 0x7f103b124ffb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:560
#19 0x7f103b1278a2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:633:10
#20 0x7f103a1faefd in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2979:12
#21 0x7f103024bae0 in mozilla::dom::PromiseJobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/PromiseBinding.cpp:26:8
#22 0x7f102af4256f in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:91:12
#23 0x7f102af4256f in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:104
#24 0x7f102af4256f in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:247
#25 0x7f102af1a711 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:603:17
#26 0x7f102af1af6a in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:428:3
#27 0x7f102d32f3c5 in XPCJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSContext.cpp:1288:30
#28 0x7f102b15ca7d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1308:24
#29 0x7f102b16472d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#30 0x7f102c37bda3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#31 0x7f102c27e98c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
#32 0x7f102c27e98c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
#33 0x7f102c27e98c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
#34 0x7f1034f7cfc3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
#35 0x7f103943b45e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:939:22
#36 0x7f102c27e98c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
#37 0x7f102c27e98c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
#38 0x7f102c27e98c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
#39 0x7f103943a503 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:765:34
#40 0x55d91f07db91 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#41 0x55d91f07db91 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
#42 0x7f104d198b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/gfx/gl/../../mfbt/UniquePtr.h in get
==11671==ABORTING
Flags: in-testsuite?
Comment 1•6 years ago
I wasn't able to reproduce myself, but maybe I don't have the right prefs/environment to make it happen. Looks like a null pointer deref? The path was added in bug 1492554.
Comment 2 (assignee)•6 years ago
Comment 3 (assignee)•6 years ago
I think it's a null pointer deref when gl is null. Posted a patch to fix that potential error.
Flags: needinfo?(imanol)
Updated (assignee)•6 years ago
Assignee: nobody → imanol
Updated (assignee)•6 years ago
Keywords: checkin-needed
Pushed by csabou@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fbebc15cd4f4
Fix potential null pointer deref in WebGLContext::GetVRFrame r=jgilbert
Keywords: checkin-needed
Comment 5•6 years ago
bugherder
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox65:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Comment 6•6 years ago
Please nominate this for Beta approval when you get a chance. Also, is the attached testcase something we can/should land as a crashtest?
Comment 7 (assignee)•6 years ago
I think that Kip was working on a VR testcase when canvas was not added to the DOM (the original issue that triggered this crash).
Flags: needinfo?(imanol) → needinfo?(kgilbert)
Comment 8•6 years ago
Thanks for adding the follow-up bug for the crash test, @thomasmo
IIUC, this will merge to Beta today, Firefox 65.
Do we wish to do any uplift to get it into Firefox 64? Or perhaps letting it ride naturally would be lower risk?
Other than any uplift, this bug can be closed (with Bug 1510731 capturing the follow-up work for the test)
Flags: needinfo?(kgilbert) → needinfo?(ryanvm)
Comment 9•6 years ago
Kinda moot at this point since Fx64 ships tomorrow. We would have needed the request a couple weeks ago for it to be considered for 64.
Flags: needinfo?(ryanvm)
Updated•5 years ago
Blocks: asan-maintenance