Add crashtest for: AddressSanitizer: SEGV /builds/worker/workspace/build/src/third_party/rust/atomic_refcell/src/lib.rs:198:8 in atomic_refcell::AtomicBorrowRefMut::new::h25e52f0a9daa9686

RESOLVED FIXED in Firefox 66

Status

Type: defect
Priority: P3
Severity: normal
Status: RESOLVED FIXED
Reported: 5 months ago
Modified: a month ago

People

Reporter: jkratzer
Assigned: emilio

Tracking

Blocks: 1 bug
Keywords: crash, testcase
Version: Trunk
Target Milestone: mozilla66
Bug Flags: in-testsuite+

Firefox Tracking Flags

firefox-esr60: unaffected
firefox64: unaffected
firefox65: disabled
firefox66: fixed

Attachments (1 attachment)

Description (Reporter, 5 months ago)
Posted file testcase.html
Found while fuzzing mozilla-central rev d0e13414d651.  This bug has been fixed in the latest m-c builds and was bisected down to the following range:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d0e13414d6512c9fe84911a0dd730e4fb4a28c27&tochange=8e2a1751a0f5ec864d50f335555d08216b6c648e

Filing this bug in order to land a crash test.

==14386==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000003 (pc 0x7f62d9b44aa1 bp 0x620000036080 sp 0x7ffeb8757350 T0)
==14386==The signal is caused by a READ memory access.
==14386==Hint: address points to the zero page.
    #0 0x7f62d9b44aa0 in atomic_refcell::AtomicBorrowRefMut::new::h25e52f0a9daa9686 /builds/worker/workspace/build/src/third_party/rust/atomic_refcell/src/lib.rs:198:8
    #1 0x7f62d9b44aa0 in _$LT$atomic_refcell..AtomicRefCell$LT$T$GT$$GT$::borrow_mut::hc1e2c2e57435505a /builds/worker/workspace/build/src/third_party/rust/atomic_refcell/src/lib.rs:97
    #2 0x7f62d9b44aa0 in style::gecko::data::PerDocumentStyleData::borrow_mut::h2ba7f879b7c279b3 /builds/worker/workspace/build/src/servo/components/style/gecko/data.rs:169
    #3 0x7f62d9b44aa0 in Servo_ComputedValues_GetForAnonymousBox /builds/worker/workspace/build/src/servo/ports/geckolib/glue.rs:3149
    #4 0x7f62d39e9a89 in mozilla::ServoStyleSet::ResolveInheritingAnonymousBoxStyle(nsAtom*, mozilla::ComputedStyle*) /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:560:13
    #5 0x7f62d3e78970 in nsIFrame::UpdateStyleOfChildAnonBox(nsIFrame*, mozilla::ServoRestyleState&) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:10089:32
    #6 0x7f62d3e7bdbc in nsIFrame::DoUpdateStyleOfOwnedAnonBoxes(mozilla::ServoRestyleState&) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:10477:7
    #7 0x7f62d3b84d61 in UpdateStyleOfOwnedAnonBoxes /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:3334:7
    #8 0x7f62d3b84d61 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ComputedStyle*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:2783
    #9 0x7f62d3b84a96 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ComputedStyle*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:2765:13
    #10 0x7f62d3b87bd9 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:2957:28
    #11 0x7f62d3b3c6ea in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:3046:3
    #12 0x7f62d3b3c6ea in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4089
    #13 0x7f62d3ac90fe in FlushPendingNotifications /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:575:5
    #14 0x7f62d3ac90fe in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1757
    #15 0x7f62d3ad920f in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:327:13
    #16 0x7f62d3ad920f in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:304
    #17 0x7f62d3ad8d01 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:321:5
    #18 0x7f62d3adb763 in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:726:5
    #19 0x7f62d3adb763 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:646
    #20 0x7f62d3adb0b1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:546:9
    #21 0x7f62d43a7e7b in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:65:16
    #22 0x7f62ccb5f01b in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #23 0x7f62cc91b201 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2788:28
    #24 0x7f62cc46ba99 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2159:21
    #25 0x7f62cc4688ac in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2086:9
    #26 0x7f62cc46a19c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1935:3
    #27 0x7f62cc46a807 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1966:13
    #28 0x7f62cb4ce963 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1157:14
    #29 0x7f62cb4d5ae8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:468:10
    #30 0x7f62cc472e2a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #31 0x7f62cc3bf51f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:314:10
    #32 0x7f62cc3bf51f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:307
    #33 0x7f62cc3bf51f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:289
    #34 0x7f62d356f349 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #35 0x7f62d77464bf in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:915:20
    #36 0x7f62cc3bf51f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:314:10
    #37 0x7f62cc3bf51f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:307
    #38 0x7f62cc3bf51f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:289
    #39 0x7f62d7745d94 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:753:34
    #40 0x562d3c2c13c4 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
    #41 0x562d3c2c13c4 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:265
    #42 0x7f62ea54eb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #43 0x562d3c1e6a98 in _start (/home/forb1dden/builds/m-c-20181219045204-asan-opt/firefox+0x29a98)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/third_party/rust/atomic_refcell/src/lib.rs:198:8 in atomic_refcell::AtomicBorrowRefMut::new::h25e52f0a9daa9686
Flags: in-testsuite?
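The report above is a standard AddressSanitizer SEGV report: a `==pid==ERROR` header with the fault kind and address, the access direction, the zero-page hint, one symbolized stack, and a `SUMMARY` line. The parser below is an added example written for this page; it is not part of this bug, of the fuzzing harness, or of any Mozilla tooling. It pulls out the fields a fuzzing triager keys on (near-null address, access kind, frames with file:line, compiler-inlined frames that share a pc, a top-N-frame bucketing signature, and the first frame outside vendored third_party code) and undoes the legacy rustc symbol escapes visible in frame #1. The embedded sample is a constructed, abridged copy of the report in this bug (five of its 44 frames); the class and field names, the 0x1000 "first page" threshold and the small escape table are this example's own assumptions, not anything the ASan format or the bug defines.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

HEADER = re.compile(r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
                    r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?")
ACCESS = re.compile(r"^==\d+==The signal is caused by a (?P<access>READ|WRITE) memory access")
HINT = re.compile(r"^==\d+==Hint: (?P<hint>.+?)\.?$")
# C++ frame names contain spaces (argument lists): match the function lazily and require
# the location field to start with '/' (source path) or '(' (module+offset).
FRAME = re.compile(r"^\s*#(?P<idx>\d+) (?P<pc>0x[0-9a-fA-F]+) in (?P<func>.+?) (?P<loc>[/(].*)$")
LOCATION = re.compile(r"^(?P<file>[^:]+):(?P<line>\d+)(?::\d+)?$")  # path:line[:col]
SUMMARY = re.compile(r"^SUMMARY: AddressSanitizer: (?P<summary>.+)$")
RUST_HASH = re.compile(r"::h[0-9a-f]{16}$")
# Legacy rustc symbol escapes as they appear in ASan traces (assumed subset, not a full demangler).
RUST_ESCAPES = {"$LT$": "<", "$GT$": ">", "$LP$": "(", "$RP$": ")", "$C$": ",",
                "$RF$": "&", "$BP$": "*", "$u20$": " ", "$u27$": "'", "..": "::"}


def demangle_rust(name: str) -> str:
    """Drop the ::h<hash> suffix and undo legacy escapes; non-Rust names pass through unchanged."""
    if not RUST_HASH.search(name) and "$" not in name:
        return name
    name = RUST_HASH.sub("", name)
    if name.startswith("_$"):
        name = name[1:]  # rustc prefixes '_' when the path starts with a non-identifier character
    for token, plain in RUST_ESCAPES.items():  # insertion order: '$' tokens before '..'
        name = name.replace(token, plain)
    return name


@dataclass
class Frame:
    index: int
    pc: int
    function: str
    location: str
    file: Optional[str] = None
    line: Optional[int] = None
    inlined: bool = False  # same pc as the previous frame: the compiler inlined this call


@dataclass
class AsanReport:
    pid: int
    kind: str
    address: Optional[int] = None
    access: Optional[str] = None
    hint: Optional[str] = None
    summary: str = ""
    frames: List[Frame] = field(default_factory=list)

    def near_null(self, page_size: int = 0x1000) -> bool:
        """Faulting address inside the first page: a null-pointer-style dereference, not a wild access."""
        return self.address is not None and self.address < page_size

    def signature(self, depth: int = 3) -> str:
        """Bucket key for deduplicating fuzzer crashes: the top `depth` frame functions."""
        return " | ".join(f.function for f in self.frames[:depth])

    def first_frame_outside(self, path_fragment: str) -> Optional[Frame]:
        """First frame whose source file is not under `path_fragment`, e.g. vendored third_party code."""
        return next((f for f in self.frames if f.file and path_fragment not in f.file), None)


def parse_asan_report(text: str) -> AsanReport:
    report = None
    for line in map(str.rstrip, text.splitlines()):
        if report is None:  # skip any log preamble until the ERROR header
            if m := HEADER.match(line):
                addr = m.group("addr")
                report = AsanReport(pid=int(m.group("pid")), kind=m.group("kind"),
                                    address=int(addr, 16) if addr else None)
        elif m := ACCESS.match(line):
            report.access = m.group("access")
        elif m := HINT.match(line):
            report.hint = m.group("hint")
        elif m := FRAME.match(line):
            pc, loc = int(m.group("pc"), 16), m.group("loc")
            lm = LOCATION.match(loc)
            report.frames.append(Frame(
                index=int(m.group("idx")), pc=pc, function=demangle_rust(m.group("func")),
                location=loc, file=lm.group("file") if lm else None,
                line=int(lm.group("line")) if lm else None,
                inlined=bool(report.frames) and report.frames[-1].pc == pc))
        elif m := SUMMARY.match(line):
            report.summary = m.group("summary")
    if report is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return report


# Constructed sample: header, hint, four of the 44 frames and the SUMMARY of the report in this bug.
SAMPLE_REPORT = """\
==14386==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000003 (pc 0x7f62d9b44aa1 bp 0x620000036080 sp 0x7ffeb8757350 T0)
==14386==The signal is caused by a READ memory access.
==14386==Hint: address points to the zero page.
    #0 0x7f62d9b44aa0 in atomic_refcell::AtomicBorrowRefMut::new::h25e52f0a9daa9686 /builds/worker/workspace/build/src/third_party/rust/atomic_refcell/src/lib.rs:198:8
    #1 0x7f62d9b44aa0 in _$LT$atomic_refcell..AtomicRefCell$LT$T$GT$$GT$::borrow_mut::hc1e2c2e57435505a /builds/worker/workspace/build/src/third_party/rust/atomic_refcell/src/lib.rs:97
    #3 0x7f62d9b44aa0 in Servo_ComputedValues_GetForAnonymousBox /builds/worker/workspace/build/src/servo/ports/geckolib/glue.rs:3149
    #4 0x7f62d39e9a89 in mozilla::ServoStyleSet::ResolveInheritingAnonymousBoxStyle(nsAtom*, mozilla::ComputedStyle*) /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:560:13
    #43 0x562d3c1e6a98 in _start (/home/forb1dden/builds/m-c-20181219045204-asan-opt/firefox+0x29a98)
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/third_party/rust/atomic_refcell/src/lib.rs:198:8 in atomic_refcell::AtomicBorrowRefMut::new::h25e52f0a9daa9686
"""
```

Running `parse_asan_report(SAMPLE_REPORT)` on the sample yields a READ fault at address 0x3 that `near_null()` flags, frames #1 and #3 marked as inlined into the same pc as #0 (which is why four source locations share one program counter in the original trace), and `first_frame_outside("/third_party/")` pointing at the `Servo_ComputedValues_GetForAnonymousBox` frame in glue.rs, the first non-vendored code on the stack. The signature string is what a triage pipeline would hash to bucket repeated findings of the same crash.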
Updated (Assignee, 5 months ago)
Flags: needinfo?(emilio)
Priority: -- → P3
Summary: AddressSanitizer: SEGV /builds/worker/workspace/build/src/third_party/rust/atomic_refcell/src/lib.rs:198:8 in atomic_refcell::AtomicBorrowRefMut::new::h25e52f0a9daa9686 → Add crashtest for: AddressSanitizer: SEGV /builds/worker/workspace/build/src/third_party/rust/atomic_refcell/src/lib.rs:198:8 in atomic_refcell::AtomicBorrowRefMut::new::h25e52f0a9daa9686
Comment 1 (Assignee, 5 months ago)
Ah, it's a column-span bug. Was surprised for a second about that range. Will land the test.
Assignee: nobody → emilio
Flags: needinfo?(emilio)

Comment 3 (bugherder, 5 months ago)
https://hg.mozilla.org/mozilla-central/rev/4cdb357f61de
Status: NEW → RESOLVED
Last Resolved: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
Flags: in-testsuite? → in-testsuite+
Depends on: 1531231
No longer depends on: 1531231