Closed
Bug 1517033
Opened 5 years ago
Closed 5 years ago
Add crashtest for: AddressSanitizer: SEGV /builds/worker/workspace/build/src/third_party/rust/atomic_refcell/src/lib.rs:198:8 in atomic_refcell::AtomicBorrowRefMut::new::h25e52f0a9daa9686
Categories: Core :: CSS Parsing and Computation, defect, P3
Tracking: RESOLVED FIXED, target milestone mozilla66
Branch | Tracking | Status
---|---|---
firefox-esr60 | --- | unaffected
firefox64 | --- | unaffected
firefox65 | --- | disabled
firefox66 | --- | fixed
People
(Reporter: jkratzer, Assigned: emilio)
References
(Blocks 2 open bugs)
Details
(Keywords: crash, testcase)
Attachments (1 file): 1.16 KB, text/html
Found while fuzzing mozilla-central rev d0e13414d651. This bug has been fixed in the latest m-c builds and was bisected down to the following range: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d0e13414d6512c9fe84911a0dd730e4fb4a28c27&tochange=8e2a1751a0f5ec864d50f335555d08216b6c648e

Filing this bug in order to land a crash test.

==14386==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000003 (pc 0x7f62d9b44aa1 bp 0x620000036080 sp 0x7ffeb8757350 T0)
==14386==The signal is caused by a READ memory access.
==14386==Hint: address points to the zero page.
#0 0x7f62d9b44aa0 in atomic_refcell::AtomicBorrowRefMut::new::h25e52f0a9daa9686 /builds/worker/workspace/build/src/third_party/rust/atomic_refcell/src/lib.rs:198:8
#1 0x7f62d9b44aa0 in _$LT$atomic_refcell..AtomicRefCell$LT$T$GT$$GT$::borrow_mut::hc1e2c2e57435505a /builds/worker/workspace/build/src/third_party/rust/atomic_refcell/src/lib.rs:97
#2 0x7f62d9b44aa0 in style::gecko::data::PerDocumentStyleData::borrow_mut::h2ba7f879b7c279b3 /builds/worker/workspace/build/src/servo/components/style/gecko/data.rs:169
#3 0x7f62d9b44aa0 in Servo_ComputedValues_GetForAnonymousBox /builds/worker/workspace/build/src/servo/ports/geckolib/glue.rs:3149
#4 0x7f62d39e9a89 in mozilla::ServoStyleSet::ResolveInheritingAnonymousBoxStyle(nsAtom*, mozilla::ComputedStyle*) /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:560:13
#5 0x7f62d3e78970 in nsIFrame::UpdateStyleOfChildAnonBox(nsIFrame*, mozilla::ServoRestyleState&) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:10089:32
#6 0x7f62d3e7bdbc in nsIFrame::DoUpdateStyleOfOwnedAnonBoxes(mozilla::ServoRestyleState&) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:10477:7
#7 0x7f62d3b84d61 in UpdateStyleOfOwnedAnonBoxes /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:3334:7
#8 0x7f62d3b84d61 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ComputedStyle*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:2783
#9 0x7f62d3b84a96 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ComputedStyle*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:2765:13
#10 0x7f62d3b87bd9 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:2957:28
#11 0x7f62d3b3c6ea in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:3046:3
#12 0x7f62d3b3c6ea in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4089
#13 0x7f62d3ac90fe in FlushPendingNotifications /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:575:5
#14 0x7f62d3ac90fe in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1757
#15 0x7f62d3ad920f in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:327:13
#16 0x7f62d3ad920f in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:304
#17 0x7f62d3ad8d01 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:321:5
#18 0x7f62d3adb763 in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:726:5
#19 0x7f62d3adb763 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:646
#20 0x7f62d3adb0b1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:546:9
#21 0x7f62d43a7e7b in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:65:16
#22 0x7f62ccb5f01b in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
#23 0x7f62cc91b201 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2788:28
#24 0x7f62cc46ba99 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2159:21
#25 0x7f62cc4688ac in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2086:9
#26 0x7f62cc46a19c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1935:3
#27 0x7f62cc46a807 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1966:13
#28 0x7f62cb4ce963 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1157:14
#29 0x7f62cb4d5ae8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:468:10
#30 0x7f62cc472e2a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#31 0x7f62cc3bf51f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:314:10
#32 0x7f62cc3bf51f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:307
#33 0x7f62cc3bf51f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:289
#34 0x7f62d356f349 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#35 0x7f62d77464bf in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:915:20
#36 0x7f62cc3bf51f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:314:10
#37 0x7f62cc3bf51f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:307
#38 0x7f62cc3bf51f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:289
#39 0x7f62d7745d94 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:753:34
#40 0x562d3c2c13c4 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
#41 0x562d3c2c13c4 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:265
#42 0x7f62ea54eb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#43 0x562d3c1e6a98 in _start (/home/forb1dden/builds/m-c-20181219045204-asan-opt/firefox+0x29a98)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/third_party/rust/atomic_refcell/src/lib.rs:198:8 in atomic_refcell::AtomicBorrowRefMut::new::h25e52f0a9daa9686
Flags: in-testsuite?
Updated•5 years ago
Flags: needinfo?(emilio)
Updated•5 years ago
Priority: -- → P3
Summary: AddressSanitizer: SEGV /builds/worker/workspace/build/src/third_party/rust/atomic_refcell/src/lib.rs:198:8 in atomic_refcell::AtomicBorrowRefMut::new::h25e52f0a9daa9686 → Add crashtest for: AddressSanitizer: SEGV /builds/worker/workspace/build/src/third_party/rust/atomic_refcell/src/lib.rs:198:8 in atomic_refcell::AtomicBorrowRefMut::new::h25e52f0a9daa9686
Comment 1•5 years ago
Ah, it's a column-span bug. Was surprised for a second about that range. Will land the test.
Assignee: nobody → emilio
Flags: needinfo?(emilio)
Pushed by emilio@crisal.io: https://hg.mozilla.org/integration/mozilla-inbound/rev/4cdb357f61de Add a crashtest. r=emilio
Comment 3•5 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/4cdb357f61de
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
Updated•5 years ago
status-firefox64: --- → unaffected
status-firefox65: --- → disabled
status-firefox-esr60: --- → unaffected
Flags: in-testsuite? → in-testsuite+
Updated•4 years ago
Blocks: asan-maintenance