Closed Bug 1611626 Opened 5 years ago Closed 2 years ago

Null pointer dereference when toggling gfx.webrender.blob-images option

Categories

(Core :: Graphics: WebRender, defect, P3)

Product:
Core
Component:
Graphics: WebRender
Version:
74 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
120 Branch
Tracking Flags:
Tracking Status
firefox74 --- wontfix
firefox120 --- fixed

People

(Reporter: jaso35, Assigned: mstange)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

Bug 1611626 - Remove gfx.webrender.blob-images. r=nical
48 bytes, text/x-phabricator-request
Details | Review
Bug 1611626 - Simplify condition. r=nical
48 bytes, text/x-phabricator-request
Details | Review

Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0

Steps to reproduce:

Open about:config and toogle gfx.webrender.blob-images twice

Expected results:

gfx.webrender.blob-images should return to true

Actual results:

Firefox ASAN build exits with a null pointer dereference

ASAN log

=================================================================
==9662==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4d83a0f4cd bp 0x7ffe03f3ad40 sp 0x7ffe03f3a3c0 T0)
==9662==The signal is caused by a WRITE memory access.
==9662==Hint: address points to the zero page.
    #0 0x7f4d83a0f4cc in mozilla::layers::WebRenderCommandBuilder::GenerateFallbackData(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*, mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float>&) /builds/worker/workspace/build/src/gfx/layers/wr/WebRenderCommandBuilder.cpp:2337:13
    #1 0x7f4d83a07f16 in mozilla::layers::WebRenderCommandBuilder::PushItemAsImage(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) /builds/worker/workspace/build/src/gfx/layers/wr/WebRenderCommandBuilder.cpp:2587:48
    #2 0x7f4d83a056f4 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) /builds/worker/workspace/build/src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1780:9
    #3 0x7f4d83a021b0 in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, nsDisplayList*, nsDisplayListBuilder*, mozilla::wr::RenderRootArray<mozilla::layers::WebRenderScrollData>&, WrFiltersHolder&&) /builds/worker/workspace/build/src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1624:5
    #4 0x7f4d83a4ad2b in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(nsDisplayList*, nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*) /builds/worker/workspace/build/src/gfx/layers/wr/WebRenderLayerManager.cpp:326:30
    #5 0x7f4d8a5806ba in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:3037:18
    #6 0x7f4d89c83855 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:4133:13
    #7 0x7f4d89b6a066 in mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6057:5
    #8 0x7f4d89496d8d in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:461:18
    #9 0x7f4d89495feb in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:396:22
    #10 0x7f4d8949b5d1 in nsViewManager::ProcessPendingUpdates() /builds/worker/workspace/build/src/view/nsViewManager.cpp:1019:5
    #11 0x7f4d89ad5879 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2183:11
    #12 0x7f4d89ae5600 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:374:13
    #13 0x7f4d89ae5600 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:351:7
    #14 0x7f4d89ae516b in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:368:5
    #15 0x7f4d89ae44f3 in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:820:5
    #16 0x7f4d89ae44f3 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:740:16
    #17 0x7f4d89ae1a95 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:538:20
    #18 0x7f4d80debf29 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1220:14
    #19 0x7f4d80df5451 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #20 0x7f4d81f5681d in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:87:21
    #21 0x7f4d81e7b382 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #22 0x7f4d81e7b382 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #23 0x7f4d81e7b382 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #24 0x7f4d8953aa3a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #25 0x7f4d8d23097f in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:272:30
    #26 0x7f4d8d4aadb4 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4624:22
    #27 0x7f4d8d4ad2ae in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4761:8
    #28 0x7f4d8d4ae6d0 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4842:21
    #29 0x562f1b4e6511 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:217:22
    #30 0x562f1b4e6511 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:339:16
    #31 0x7f4d9a498152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
    #32 0x562f1b43bc68 in _start (/opt/firefox-nightly-asan/firefox-bin+0x45c68)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/gfx/layers/wr/WebRenderCommandBuilder.cpp:2337:13 in mozilla::layers::WebRenderCommandBuilder::GenerateFallbackData(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*, mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float>&)
==9662==ABORTING

We should just remove the gfx.webrender.blob-images option. Toggling it is expected to be completely broken.

Priority: -- → P3
Severity: normal → S3
Assignee: nobody → mstange.moz
Status: NEW → ASSIGNED

useBlobImage || paintOnContentSide is now always true.

Depends on D188489

Pushed by mstange@themasta.com: https://hg.mozilla.org/integration/autoland/rev/7c6aa171ddd8 Remove gfx.webrender.blob-images. r=nical,webcompat-reviewers,twisniewski https://hg.mozilla.org/integration/autoland/rev/331109b69449 Simplify condition. r=nical

https://hg.mozilla.org/mozilla-central/rev/7c6aa171ddd8
https://hg.mozilla.org/mozilla-central/rev/331109b69449

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox120: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 120 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: