Bug 1586059 - AddressSanitizer: SEGV /src/obj-firefox/dist/include/nsTArray.h:347:37 in Length
Status: Closed (opened 5 years ago, closed 5 years ago)
Categories: Core :: Graphics, defect, P3
Tracking: RESOLVED DUPLICATE of bug 1390089
firefox71: fix-optional
People: Reporter jkratzer; Assignee: unassigned
References: Blocks 1 open bug
Details: Keywords: crash, regression, testcase
Attachments (1 file): 636 bytes, text/html
Description
Testcase found while fuzzing mozilla-central rev 4a20e73bd624.
==123886==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f77ad5ffd28 bp 0x7fffa43e2990 sp 0x7fffa43e2420 T0)
==123886==The signal is caused by a READ memory access.
==123886==Hint: address points to the zero page.
#0 0x7f77ad5ffd27 in Length /src/obj-firefox/dist/include/nsTArray.h:347:37
#1 0x7f77ad5ffd27 in end /src/obj-firefox/dist/include/nsTArray.h:1126
#2 0x7f77ad5ffd27 in mozilla::widget::GfxInfoBase::GetFeatureStatus(int, nsTSubstring<char>&, int*) /src/widget/GfxInfoBase.cpp:636
#3 0x7f77a7b74140 in gfxUtils::ThreadSafeGetFeatureStatus(nsCOMPtr<nsIGfxInfo> const&, int, nsTSubstring<char>&, int*) /src/gfx/thebes/gfxUtils.cpp:1414:19
#4 0x7f77aada0a05 in IsFeatureInBlacklist /src/dom/canvas/WebGLContext.cpp:329:8
#5 0x7f77aada0a05 in mozilla::WebGLContext::SetContextOptions(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /src/dom/canvas/WebGLContext.cpp:377
#6 0x7f77aad3f4af in mozilla::dom::CanvasRenderingContextHelper::UpdateContext(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /src/dom/canvas/CanvasRenderingContextHelper.cpp:214:33
#7 0x7f77aad3efd7 in mozilla::dom::CanvasRenderingContextHelper::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /src/dom/canvas/CanvasRenderingContextHelper.cpp:179:19
#8 0x7f77aad56b94 in mozilla::dom::OffscreenCanvas::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /src/dom/canvas/OffscreenCanvas.cpp:111:62
#9 0x7f77a8fb8a24 in mozilla::dom::OffscreenCanvas_Binding::getContext(JSContext*, JS::Handle<JSObject*>, mozilla::dom::OffscreenCanvas*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/OffscreenCanvasBinding.cpp:201:64
#10 0x7f77aac0568d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3168:13
#11 0x7f77b183dfe8 in CallJSNative /src/js/src/vm/Interpreter.cpp:458:13
#12 0x7f77b183dfe8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /src/js/src/vm/Interpreter.cpp:551
#13 0x7f77b18263a0 in CallFromStack /src/js/src/vm/Interpreter.cpp:624:10
#14 0x7f77b18263a0 in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3113
#15 0x7f77b18081ff in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:424:10
#16 0x7f77b183ea95 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /src/js/src/vm/Interpreter.cpp:592:13
#17 0x7f77b1840db9 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /src/js/src/vm/Interpreter.cpp:637:8
#18 0x7f77b23acaeb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:2728:10
#19 0x7f77aa6af6e2 in mozilla::dom::BlobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Blob*, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/HTMLCanvasElementBinding.cpp:88:8
#20 0x7f77aad79393 in Call /src/obj-firefox/dist/include/mozilla/dom/HTMLCanvasElementBinding.h:180:12
#21 0x7f77aad79393 in mozilla::dom::CanvasRenderingContextHelper::ToBlob(JSContext*, nsIGlobalObject*, mozilla::dom::BlobCallback&, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, bool, mozilla::ErrorResult&)::EncodeCallback::ReceiveBlob(already_AddRefed<mozilla::dom::Blob>) /src/dom/canvas/CanvasRenderingContextHelper.cpp:47
#22 0x7f77a836225e in mozilla::dom::EncodingCompleteEvent::Run() /src/dom/base/ImageEncoder.cpp
#23 0x7f77a40fb06c in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1225:14
#24 0x7f77a41010a8 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
#25 0x7f77a40f90cc in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:900:22)> /src/obj-firefox/dist/include/nsThreadUtils.h:348:25
#26 0x7f77a40f90cc in nsThread::Shutdown() /src/xpcom/threads/nsThread.cpp:900
#27 0x7f77a41066cd in nsThreadPool::Shutdown() /src/xpcom/threads/nsThreadPool.cpp:355:17
#28 0x7f77a83570d8 in mozilla::dom::EncoderThreadPoolTerminator::Observe(nsISupports*, char const*, char16_t const*) /src/dom/base/ImageEncoder.cpp:445:34
#29 0x7f77a3fb5411 in nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) /src/xpcom/ds/nsObserverList.cpp:66:19
#30 0x7f77a3fbb0a5 in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) /src/xpcom/ds/nsObserverService.cpp:291:19
#31 0x7f77a41500ea in mozilla::ShutdownXPCOM(nsIServiceManager*) /src/xpcom/build/XPCOMInit.cpp:631:24
#32 0x7f77b15846fc in XRE_TermEmbedding() /src/toolkit/xre/nsEmbedFunctions.cpp:223:3
#33 0x7f77a534c621 in mozilla::ipc::ScopedXREEmbed::Stop() /src/ipc/glue/ScopedXREEmbed.cpp:90:5
#34 0x7f77b1585345 in XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:773:16
#35 0x55f7d7703c4a in content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#36 0x55f7d7703c4a in main /src/browser/app/nsBrowserApp.cpp:272
#37 0x7f77c6ff8b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#38 0x55f7d762526c in _start (/home/worker/builds/m-c-20190923215658-fuzzing-asan-opt/firefox+0x4926c)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/obj-firefox/dist/include/nsTArray.h:347:37 in Length
==123886==ABORTING
Flags: in-testsuite?
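Read bottom up, the frames describe a shutdown-ordering problem: ShutdownXPCOM notifies observers (#31 to #28), EncoderThreadPoolTerminator shuts down its thread pool and spins the event loop to drain it (#27 to #25), the pending EncodingCompleteEvent runs the page's toBlob callback (#22 to #19), that JS calls OffscreenCanvas.getContext (#9 to #4), and GetFeatureStatus iterates an nsTArray sitting at address 0 (#2 to #0), that is, a table that was already torn down before the callback ran. The block below is an added C++ model of that ordering; it is not Gecko code and not the attached testcase. Which graphics-layer static was actually cleared, and by what, is not shown on this page, so the DriverInfo table, GfxState, the event queue, and the Unsafe/Safe lookup pair are assumptions chosen to mirror the frame names, and the table contents are constructed sample data.

```cpp
#include <cstdio>
#include <deque>
#include <functional>
#include <string>
#include <vector>

// Constructed model (not Gecko code) of the shutdown ordering in the trace:
// a driver-info table owned by the graphics layer, a shutdown step that frees
// it, and an event loop that is still drained after that. All names here are
// assumptions that mirror the frames, not Gecko APIs.

struct DriverInfo {
  std::string feature;
  bool blocklisted;
};

enum FeatureStatus { STATUS_OK = 1, STATUS_BLOCKED_DRIVER = 2, STATUS_UNAVAILABLE = 3 };

struct GfxState {
  std::vector<DriverInfo>* driverInfo = nullptr;  // stands in for a static nsTArray*
  bool shuttingDown = false;
};

void InitGfxInfo(GfxState& s) {
  // Constructed sample table: one allowed and one blocklisted feature.
  s.driverInfo = new std::vector<DriverInfo>{{"webgl", false}, {"d3d11-layers", true}};
}

// Unsafe lookup: walks the table without checking that it still exists. Once
// the table has been freed, begin()/end() read through a null pointer, which
// is the READ at address 0 in frame #0. Never call this after ShutdownGfxInfo().
FeatureStatus GetFeatureStatusUnsafe(const GfxState& s, const std::string& feature) {
  for (const DriverInfo& info : *s.driverInfo) {
    if (info.feature == feature) return info.blocklisted ? STATUS_BLOCKED_DRIVER : STATUS_OK;
  }
  return STATUS_OK;
}

// Hardened lookup: "shutdown started" and "table gone" become a status of
// their own instead of a crash, so a late caller fails closed.
FeatureStatus GetFeatureStatusSafe(const GfxState& s, const std::string& feature) {
  if (s.shuttingDown || s.driverInfo == nullptr) return STATUS_UNAVAILABLE;
  return GetFeatureStatusUnsafe(s, feature);  // pointer validated above
}

// Minimal main-thread event queue. Events queued earlier (the encoder
// completion that runs the toBlob callback) still run when a shutdown
// observer spins the loop to join its thread pool.
using EventQueue = std::deque<std::function<void()>>;

void DrainEvents(EventQueue& q) {
  while (!q.empty()) {
    std::function<void()> ev = std::move(q.front());
    q.pop_front();
    ev();
  }
}

// Tears down graphics state the way a shutdown observer would.
void ShutdownGfxInfo(GfxState& s) {
  s.shuttingDown = true;
  delete s.driverInfo;
  s.driverInfo = nullptr;
}

// Lookup against a live table, for callers that want a plain answer.
FeatureStatus QueryLiveTable(const std::string& feature) {
  GfxState s;
  InitGfxInfo(s);
  FeatureStatus r = GetFeatureStatusSafe(s, feature);
  ShutdownGfxInfo(s);
  return r;
}

// Replays the sequence from the trace: a callback is queued, graphics state is
// torn down, then the loop is drained during shutdown and the callback asks
// for feature status. Returns the statuses the callback observed.
std::vector<FeatureStatus> SimulateShutdownRace(
    FeatureStatus (*query)(const GfxState&, const std::string&)) {
  GfxState state;
  EventQueue queue;
  std::vector<FeatureStatus> seen;
  InitGfxInfo(state);
  // Runs later, like the BlobCallback in frame #19 reaching getContext.
  queue.push_back([&] { seen.push_back(query(state, "webgl")); });
  ShutdownGfxInfo(state);  // table freed first...
  DrainEvents(queue);      // ...then the nested loop runs the pending callback
  return seen;
}

int main() {
  std::printf("live: webgl=%d d3d11-layers=%d\n",
              QueryLiveTable("webgl"), QueryLiveTable("d3d11-layers"));
  std::vector<FeatureStatus> seen = SimulateShutdownRace(GetFeatureStatusSafe);
  std::printf("during shutdown (hardened): %d\n", seen[0]);
  // SimulateShutdownRace(GetFeatureStatusUnsafe) would dereference nullptr here.
  return 0;
}
```

The point of the model is the order of the last two calls in SimulateShutdownRace: nothing in the event loop knows that the observer which freed the table is the same one now spinning it, so any callback that reaches graphics code has to be refused by the callee. A null check alone is not enough if the pointer is cleared on another thread; here the shuttingDown flag is set before the delete so the hardened lookup never sees a freed table.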
Comment 1 (reporter, 5 years ago)
Testcase bisects back earlier than a year.
Comment 2 (5 years ago)
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Keywords: regression
Comment 3 (5 years ago)
Jeff, wondering if you have any thoughts about this one?
Flags: needinfo?(jgilbert)
Priority: -- → P3
Updated (5 years ago)
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(jgilbert)
Resolution: --- → DUPLICATE