Open Bug 1555086 Opened 10 months ago Updated 2 months ago

AddressSanitizer: SEGV /builds/worker/workspace/build/src/gfx/gl/GLScreenBuffer.cpp:433:3 in mozilla::gl::GLScreenBuffer::Morph(mozilla::UniquePtr<mozilla::gl::SurfaceFactory, mozilla::DefaultDelete<mozilla::gl::SurfaceFactory> >)

Categories

(Core :: Canvas: WebGL, defect, P3, critical)


Tracking


Tracking Status
firefox69 --- affected

People

(Reporter: jkratzer, Assigned: imanol)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase)

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 5cc220ddf028.

==23099==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f8c68f3de47 bp 0x7ffdc2c7caf0 sp 0x7ffdc2c7cae0 T0)
==23099==The signal is caused by a WRITE memory access.
==23099==Hint: address points to the zero page.
    #0 0x7f8c68f3de46 in mozilla::gl::GLScreenBuffer::Morph(mozilla::UniquePtr<mozilla::gl::SurfaceFactory, mozilla::DefaultDelete<mozilla::gl::SurfaceFactory> >) /builds/worker/workspace/build/src/gfx/gl/GLScreenBuffer.cpp:433:3
    #1 0x7f8c6d872322 in mozilla::WebGLContext::EnsureVRReady() /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:2200:19
    #2 0x7f8c6d871c98 in mozilla::WebGLContext::GetVRFrame() /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:2161:3
    #3 0x7f8c6999a6fb in mozilla::gfx::VRLayerChild::SubmitFrame(mozilla::gfx::VRDisplayInfo const&) /builds/worker/workspace/build/src/gfx/vr/ipc/VRLayerChild.cpp:69:39
    #4 0x7f8c70002d03 in mozilla::dom::VRDisplay::SubmitFrame() /builds/worker/workspace/build/src/dom/vr/VRDisplay.cpp:602:20
    #5 0x7f8c6c3c3aef in mozilla::dom::VRDisplay_Binding::submitFrame(JSContext*, JS::Handle<JSObject*>, mozilla::dom::VRDisplay*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/VRDisplayBinding.cpp:1332:24
    #6 0x7f8c6d666872 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3165:13
    #7 0x7f8c74f219a7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448:13
    #8 0x7f8c74f219a7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540
    #9 0x7f8c74f02142 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:599:10
    #10 0x7f8c74f02142 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3087
    #11 0x7f8c74eebc18 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:425:10
    #12 0x7f8c74f224af in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:568:13
    #13 0x7f8c74f246d2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:611:8
    #14 0x7f8c75102fe9 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.h:98:10
    #15 0x7f8c75102fe9 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/Promise.cpp:1704
    #16 0x7f8c74f219a7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448:13
    #17 0x7f8c74f219a7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540
    #18 0x7f8c74f246d2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:611:8
    #19 0x7f8c75b95d78 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2654:10
    #20 0x7f8c6b45139c in mozilla::dom::PromiseJobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/PromiseBinding.cpp:26:8
    #21 0x7f8c65a76d77 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:91:12
    #22 0x7f8c65a76d77 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:104
    #23 0x7f8c65a76d77 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:238
    #24 0x7f8c65a477ef in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:654:17
    #25 0x7f8c65a4833a in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:486:3
    #26 0x7f8c681d8295 in XPCJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSContext.cpp:1274:28
    #27 0x7f8c65cdffbe in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1234:24
    #28 0x7f8c65ce6d14 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #29 0x7f8c670bb21f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #30 0x7f8c66f9375e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #31 0x7f8c66f9375e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #32 0x7f8c66f9375e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #33 0x7f8c70621a43 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #34 0x7f8c749037c0 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:276:30
    #35 0x7f8c74c40207 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4550:22
    #36 0x7f8c74c42c24 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4688:8
    #37 0x7f8c74c44479 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4769:21
    #38 0x5637d36583da in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:212:22
    #39 0x5637d36583da in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:291
    #40 0x7f8c89ff5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
Flags: in-testsuite?

I was unable to reproduce this. It seems that factory can reasonably be null on some platforms, so perhaps EnsureVRReady should actually be something that can fail gracefully?

Component: Graphics → Canvas: WebGL
Flags: needinfo?(imanol)
Priority: -- → P3

Yes, it seems the factory was null in that crash. I'll add some safety checks.

Assignee: nobody → imanol
Flags: needinfo?(imanol)
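The two comments above describe the fix in prose only: the screen buffer is handed a null surface factory on platforms without a usable one, Morph dereferences it unconditionally, and EnsureVRReady should instead be able to fail. The following is an added, self-contained C++ model of that before/after pattern written for this page; it is not Firefox's GLScreenBuffer or WebGLContext code, and the class and function names (ScreenBuffer, MorphUnchecked, MorphChecked, EnsureVRReadyChecked, MakeFactoryForPlatform) and the caps field are assumptions chosen for illustration.

```cpp
#include <cstdio>
#include <memory>
#include <utility>

// Stand-in for the surface factory a screen buffer morphs between.
// The caps field is a constructed placeholder, not a real Gecko member.
struct SurfaceFactory {
  int caps;
  explicit SurfaceFactory(int c) : caps(c) {}
};

// Minimal model of a GL screen buffer that owns its factory.
class ScreenBuffer {
 public:
  explicit ScreenBuffer(std::unique_ptr<SurfaceFactory> f)
      : mFactory(std::move(f)) {}

  // Before: the incoming factory is dereferenced unconditionally. When the
  // platform supplied no factory this writes through a null pointer, which is
  // the shape of the ASan report above (WRITE access near the zero page).
  // Kept here for contrast; never call it with a null factory.
  void MorphUnchecked(std::unique_ptr<SurfaceFactory> newFactory) {
    mFactory = std::move(newFactory);
    mFactory->caps |= 1;
  }

  // After: refuse a null factory and report failure to the caller, leaving
  // the buffer's existing state untouched.
  bool MorphChecked(std::unique_ptr<SurfaceFactory> newFactory) {
    if (!newFactory) {
      return false;
    }
    mFactory = std::move(newFactory);
    mFactory->caps |= 1;
    return true;
  }

  bool HasFactory() const { return mFactory != nullptr; }
  int Caps() const { return mFactory ? mFactory->caps : -1; }

 private:
  std::unique_ptr<SurfaceFactory> mFactory;
};

// Caller modelled on EnsureVRReady: propagates the failure so that a frame
// submission can be skipped instead of continuing with an invalid buffer.
bool EnsureVRReadyChecked(ScreenBuffer& screen,
                          std::unique_ptr<SurfaceFactory> factory) {
  if (!screen.MorphChecked(std::move(factory))) {
    std::fprintf(stderr,
                 "EnsureVRReady: no surface factory on this platform; "
                 "skipping VR frame\n");
    return false;
  }
  return true;
}

// Models the platform-dependent factory selection: unsupported platforms
// yield nullptr, which is the case the checked path must survive.
std::unique_ptr<SurfaceFactory> MakeFactoryForPlatform(bool supported) {
  if (!supported) {
    return nullptr;
  }
  return std::make_unique<SurfaceFactory>(0x10);
}

int main() {
  ScreenBuffer screen(MakeFactoryForPlatform(true));

  // Unsupported platform: the checked path fails gracefully, no crash.
  bool ok = EnsureVRReadyChecked(screen, MakeFactoryForPlatform(false));
  std::printf("unsupported platform -> %s, caps=%d\n",
              ok ? "ok" : "failed gracefully", screen.Caps());

  // Supported platform: morph succeeds and the new factory is in use.
  ok = EnsureVRReadyChecked(screen, MakeFactoryForPlatform(true));
  std::printf("supported platform -> %s, caps=%d\n",
              ok ? "ok" : "failed", screen.Caps());
  return 0;
}
```

The design point is that the null check belongs at the boundary where the factory enters the buffer, and the result must be a return value the caller acts on; a check that only logs and continues would still leave the frame submission running against a buffer with no backing surface.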

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression