1545789 - AddressSanitizer: SEGV /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:343:7 in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&)

Status: RESOLVED DUPLICATE of bug 1535945

(Core :: Web Painting, defect, P3)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev 0160424142d1. Testcase must be served via a local webserver in order to reproduce.

==17010==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f995cbdd133 bp 0x7ffd5f169370 sp 0x7ffd5f169180 T0)
==17010==The signal is caused by a READ memory access.
==17010==Hint: address points to the zero page.
#0 0x7f995cbdd132 in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:343:7
#1 0x7f995cbdbc27 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, nsDisplayItem*) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:663:31
#2 0x7f995cbddc04 in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:362:25
#3 0x7f995cbdbc27 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, nsDisplayItem*) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:663:31
#4 0x7f995cbddc04 in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:362:25
#5 0x7f995cbdbc27 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, nsDisplayItem*) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:663:31
#6 0x7f995cbe7d25 in RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int, mozilla::DisplayListChecker*) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:1336:7
#7 0x7f995c10f674 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3823:40
#8 0x7f995bfa5775 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6073:5
#9 0x7f995b6fa813 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:462:19
#10 0x7f995b6f966a in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:397:33
#11 0x7f995b70044d in nsViewManager::ProcessPendingUpdates() /builds/worker/workspace/build/src/view/nsViewManager.cpp:1020:5
#12 0x7f995beebca8 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2065:11
#13 0x7f995befe039 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:348:13
#14 0x7f995befe039 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:325
#15 0x7f995befd904 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:342:5
#16 0x7f995bf01d8f in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:788:5
#17 0x7f995bf01d8f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:708
#18 0x7f995bf00e56 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:603:9
#19 0x7f995ca63ad5 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:65:16
#20 0x7f9952f50f8f in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:168:54
#21 0x7f9952ad1ffb in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:3941:28
#22 0x7f99522c2f4c in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2151:21
#23 0x7f99522bec73 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2078:9
#24 0x7f99522c0f47 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1937:3
#25 0x7f99522c1cd7 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1968:13
#26 0x7f9950f67b41 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
#27 0x7f9950f6f764 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#28 0x7f99522cc38f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#29 0x7f99521a550e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#30 0x7f99521a550e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#31 0x7f99521a550e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#32 0x7f995b7fa2c3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#33 0x7f995fdc1eee in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:919:20
#34 0x7f99521a550e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#35 0x7f99521a550e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#36 0x7f99521a550e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#37 0x7f995fdc105c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:757:34
#38 0x563f32fed6ce in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#39 0x563f32fed6ce in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263
#40 0x7f9974f28b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Comment 1

[Matt Woodrow (:mattwoodrow)]

Are any other prefs required for this?

I'm unable to reproduce with ASAN+SimpleHTTPServer :(

Comment 2

[Jason Kratzer [:jkratzer]]

(In reply to Matt Woodrow (:mattwoodrow) from comment #1)

Are any other prefs required for this?

I'm unable to reproduce with ASAN+SimpleHTTPServer :(

This issue appears to have been fixed sometime during the following build range:

Start: 20ef9d4a05c755e2154a294629b0543de11f9a5b (20190501042112)
End: a027a998b8b79bd4afa15930d7ca22c3acb7b16c (20190501155431)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=20ef9d4a05c755e2154a294629b0543de11f9a5b&tochange=a027a998b8b79bd4afa15930d7ca22c3acb7b16c

Possibly https://hg.mozilla.org/mozilla-central/rev/0e259884f052230b24601efc3cde3a5ef5d4e6ad?

Comment 3

[Matt Woodrow (:mattwoodrow)]

Oh right, almost certainly that indeed. Thanks!