Open Bug 1593870 Opened 5 months ago Updated 14 days ago

Assertion failure: IsAtomic<bool>::value || NS_IsMainThread() (Non-atomic static pref 'webgl.force-layers-readback' being accessed on background thread by getter), at /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StaticPrefList_webgl

Categories

(Core :: Canvas: WebGL, defect, P5)

defect

Tracking

()

Tracking Status
firefox72 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 5647ec4ba6f2.

Assertion failure: IsAtomic<bool>::value || NS_IsMainThread() (Non-atomic static pref 'webgl.force-layers-readback' being accessed on background thread by getter), at /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StaticPrefList_webgl.h:162

==14705==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fc00bc63485 bp 0x7fbf52b39f10 sp 0x7fbf52b39dc0 T79)
==14705==The signal is caused by a WRITE memory access.
==14705==Hint: address points to the zero page.
    #0 0x7fc00bc63484 in webgl_force_layers_readback /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StaticPrefList_webgl.h:157:1
    #1 0x7fc00bc63484 in mozilla::gl::GLScreenBuffer::CreateFactory(mozilla::gl::GLContext*, mozilla::gl::SurfaceCaps const&, mozilla::layers::KnowsCompositor*, mozilla::layers::TextureFlags const&) /builds/worker/workspace/build/src/gfx/gl/GLScreenBuffer.cpp:73:8
    #2 0x7fc00f46e09d in mozilla::dom::OffscreenCanvas::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/OffscreenCanvas.cpp:141:13
    #3 0x7fc00da7723f in mozilla::dom::OffscreenCanvas_Binding::getContext(JSContext*, JS::Handle<JSObject*>, mozilla::dom::OffscreenCanvas*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/OffscreenCanvasBinding.cpp:201:64
    #4 0x7fc00f31ba3c in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3218:13
    #5 0x7fc016028329 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:456:13
    #6 0x7fc016028329 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:548:12
    #7 0x7fc016010e74 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:621:10
    #8 0x7fc016010e74 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3110:16
    #9 0x7fc015ff3194 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:10
    #10 0x7fc016028e2e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:589:13
    #11 0x7fc01602b139 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:634:8
    #12 0x7fc0162455fc in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2718:10
    #13 0x7fc00ebca8ea in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:267:37
    #14 0x7fc00faff007 in Call<nsCOMPtr<mozilla::dom::EventTarget> > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:364:12
    #15 0x7fc00faff007 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:205:12
    #16 0x7fc00fab7cfc in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1039:22
    #17 0x7fc00fab9788 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1231:17
    #18 0x7fc00faa0b98 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
    #19 0x7fc00faa0b98 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349:17
    #20 0x7fc00fa9f3d1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
    #21 0x7fc00faa4cd3 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1049:11
    #22 0x7fc00faab690 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
    #23 0x7fc00fa67ca5 in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/events/DOMEventTargetHelper.cpp:166:17
    #24 0x7fc00fac7299 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /builds/worker/workspace/build/src/dom/events/EventTarget.cpp:178:13
    #25 0x7fc0114b563f in mozilla::dom::MessageEventRunnable::DispatchDOMEvent(JSContext*, mozilla::dom::WorkerPrivate*, mozilla::DOMEventTargetHelper*, bool) /builds/worker/workspace/build/src/dom/workers/MessageEventRunnable.cpp:102:12
    #26 0x7fc01153b54e in mozilla::dom::WorkerRunnable::Run() /builds/worker/workspace/build/src/dom/workers/WorkerRunnable.cpp:369:12
    #27 0x7fc008bc6a93 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #28 0x7fc008bcd5f1 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #29 0x7fc011521889 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:2872:7
    #30 0x7fc0114ebe4f in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:2330:40
    #31 0x7fc008bc6a93 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #32 0x7fc008bcd5f1 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #33 0x7fc009e3f0a5 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:303:20
    #34 0x7fc009d38292 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #35 0x7fc009d38292 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #36 0x7fc009d38292 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #37 0x7fc008bc043e in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:458:11
    #38 0x7fc02d10bfbd in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #39 0x7fc02cd516da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #40 0x7fc02bd2f88e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StaticPrefList_webgl.h:157:1 in webgl_force_layers_readback
Thread T79 (DOM Worker) created by T0 here:
    #0 0x56522472689a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
    #1 0x7fc02d0fe129 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7fc02d0e7e5e in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7fc008bc2916 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:672:8
    #4 0x7fc01154cb88 in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/workspace/build/src/dom/workers/WorkerThread.cpp:92:7
    #5 0x7fc0114bcc5f in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate*) /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:1439:14
    #6 0x7fc0114bb2ec in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate*) /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:1304:19
    #7 0x7fc01151b6ae in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:2362:24
    #8 0x7fc0114cba55 in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/workers/Worker.cpp:31:41
    #9 0x7fc00e8fb129 in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WorkerBinding.cpp:1078:52
    #10 0x7fc01602c1ec in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:456:13
    #11 0x7fc01602c1ec in CallJSNativeConstructor /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472:8
    #12 0x7fc01602c1ec in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:680:10
    #13 0x7fc016010c77 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3101:16
    #14 0x7fc015ff3194 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:10
    #15 0x7fc016028e2e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:589:13
    #16 0x7fc01602b139 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:634:8
    #17 0x7fc0162455fc in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2718:10
    #18 0x7fc00ebcdd22 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
    #19 0x7fc00fab7cc5 in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #20 0x7fc00fab7cc5 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1033:43
    #21 0x7fc00fab972a in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1231:17
    #22 0x7fc00faa0b98 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
    #23 0x7fc00faa0b98 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349:17
    #24 0x7fc00fa9f3d1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
    #25 0x7fc00faa4cd3 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1049:11
    #26 0x7fc0123d9c0d in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1164:7
    #27 0x7fc015186f69 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6354:20
    #28 0x7fc0151861f7 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6132:7
    #29 0x7fc01518b0bf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #30 0x7fc00b67e0f3 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1352:3
    #31 0x7fc00b67cd6a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:911:14
    #32 0x7fc00b678a16 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:731:9
    #33 0x7fc00b67b80a in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:619:5
    #34 0x7fc00b67c95c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
    #35 0x7fc008e5b4fb in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:595:22
    #36 0x7fc008e5ddc4 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:502:10
    #37 0x7fc00cd3af38 in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/Document.cpp:10687:18
    #38 0x7fc00cd3af38 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/Document.cpp:10619:9
    #39 0x7fc00cd67e7c in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:7175:3
    #40 0x7fc00ce4bae4 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
    #41 0x7fc00ce4bae4 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1130:12
    #42 0x7fc00ce4bae4 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1176:13
    #43 0x7fc008bc6a93 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #44 0x7fc008bcd5f1 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #45 0x7fc009e3d94f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #46 0x7fc009d38292 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #47 0x7fc009d38292 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #48 0x7fc009d38292 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #49 0x7fc011cffef8 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #50 0x7fc015b03b8f in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:276:30
    #51 0x7fc015d76e17 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4586:22
    #52 0x7fc015d78e3d in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4721:8
    #53 0x7fc015d7a680 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4802:21
    #54 0x56522476eacb in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:218:22
    #55 0x56522476eacb in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:300:16
    #56 0x7fc02bc2fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

==14705==ABORTING
Flags: in-testsuite?

OffscreenCanvas isn't enabled by default. Does this testcase require enabling its pref, or are we accidentally exposing a corner of it?

Flags: needinfo?(jkratzer)

(In reply to Jeff Gilbert [:jgilbert] from comment #1)

OffscreenCanvas isn't enabled by default. Does this testcase require enabling its pref, or are we accidentally exposing a corner of it?

Jeff, no you are correct - this testcase requires OffscreenCanvas to be enabled.

Flags: needinfo?(jkratzer)

Ok, thanks!

Priority: -- → P5
You need to log in before you can comment on or make changes to this bug.