AddressSanitizer: SEGV /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:343:7 in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&)
Categories
(Core :: Web Painting, defect, P3, critical)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox68 | --- | affected |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase)
Attachments
(1 file)
|
926 bytes,
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev 0160424142d1. Testcase must be served via a local webserver in order to reproduce.
==17010==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f995cbdd133 bp 0x7ffd5f169370 sp 0x7ffd5f169180 T0)
==17010==The signal is caused by a READ memory access.
==17010==Hint: address points to the zero page.
#0 0x7f995cbdd132 in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:343:7
#1 0x7f995cbdbc27 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, nsDisplayItem*) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:663:31
#2 0x7f995cbddc04 in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:362:25
#3 0x7f995cbdbc27 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, nsDisplayItem*) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:663:31
#4 0x7f995cbddc04 in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:362:25
#5 0x7f995cbdbc27 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, nsDisplayItem*) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:663:31
#6 0x7f995cbe7d25 in RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int, mozilla::DisplayListChecker*) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:1336:7
#7 0x7f995c10f674 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3823:40
#8 0x7f995bfa5775 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6073:5
#9 0x7f995b6fa813 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:462:19
#10 0x7f995b6f966a in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:397:33
#11 0x7f995b70044d in nsViewManager::ProcessPendingUpdates() /builds/worker/workspace/build/src/view/nsViewManager.cpp:1020:5
#12 0x7f995beebca8 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2065:11
#13 0x7f995befe039 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:348:13
#14 0x7f995befe039 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:325
#15 0x7f995befd904 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:342:5
#16 0x7f995bf01d8f in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:788:5
#17 0x7f995bf01d8f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:708
#18 0x7f995bf00e56 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:603:9
#19 0x7f995ca63ad5 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:65:16
#20 0x7f9952f50f8f in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:168:54
#21 0x7f9952ad1ffb in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:3941:28
#22 0x7f99522c2f4c in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2151:21
#23 0x7f99522bec73 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2078:9
#24 0x7f99522c0f47 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1937:3
#25 0x7f99522c1cd7 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1968:13
#26 0x7f9950f67b41 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
#27 0x7f9950f6f764 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#28 0x7f99522cc38f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#29 0x7f99521a550e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#30 0x7f99521a550e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#31 0x7f99521a550e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#32 0x7f995b7fa2c3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#33 0x7f995fdc1eee in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:919:20
#34 0x7f99521a550e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#35 0x7f99521a550e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#36 0x7f99521a550e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#37 0x7f995fdc105c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:757:34
#38 0x563f32fed6ce in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#39 0x563f32fed6ce in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263
#40 0x7f9974f28b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
|
||
Comment 1•11 months ago
|
||
Are any other prefs required for this?
I'm unable to reproduce with ASAN+SimpleHTTPServer :(
|
|
||
Updated•11 months ago
|
|
Reporter | |
Comment 2•11 months ago
•
|
||
(In reply to Matt Woodrow (:mattwoodrow) from comment #1)
Are any other prefs required for this?
I'm unable to reproduce with ASAN+SimpleHTTPServer :(
This issue appears to have been fixed sometime during the following build range:
Start: 20ef9d4a05c755e2154a294629b0543de11f9a5b (20190501042112)
End: a027a998b8b79bd4afa15930d7ca22c3acb7b16c (20190501155431)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=20ef9d4a05c755e2154a294629b0543de11f9a5b&tochange=a027a998b8b79bd4afa15930d7ca22c3acb7b16c
Possibly https://hg.mozilla.org/mozilla-central/rev/0e259884f052230b24601efc3cde3a5ef5d4e6ad?
|
|
Reporter | |
Updated•11 months ago
|
|
|
||
Comment 3•11 months ago
|
||
Oh right, almost certainly that indeed. Thanks!
Description
•