1614210 - member call on null pointer of type 'mozilla::widget::nsWaylandDisplay' in widget/gtk/WaylandDMABufSurface.cpp:229

Status: RESOLVED FIXED

(Core :: Graphics: Layers, defect, P3)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.bin

Info

Reproduced with: 20200209-be2a7d1a4d0d
Fuzz Target: CompositorManagerParentIPC
Reliably Reproduces: Yes

STR

Build info can be found here: https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Fuzzing_Interface

With a recent build of m-c run:
FUZZER=CompositorManagerParentIPC ./<path-to-build>/firefox testcase.bin

Callstack

/mozilla-central/widget/gtk/WaylandDMABufSurface.cpp:229:37: runtime error: member call on null pointer of type 'mozilla::widget::nsWaylandDisplay'
    #0 0x7f3b4b772288 in WaylandDMABufSurface::ImportSurfaceDescriptor(mozilla::layers::SurfaceDescriptor const&) /mozilla-central/widget/gtk/WaylandDMABuf
Surface.cpp:229:37
    #1 0x7f3b4b772370 in WaylandDMABufSurface::Create(mozilla::layers::SurfaceDescriptor const&) /mozilla-central/widget/gtk/WaylandDMABufSurface.cpp:244:3
    #2 0x7f3b4b774ea1 in WaylandDMABufSurface::CreateDMABufSurface(mozilla::layers::SurfaceDescriptor const&) /mozilla-central/widget/gtk/WaylandDMABufSurf
ace.cpp:520:14
    #3 0x7f3b462b31d9 in mozilla::layers::WaylandDMABUFTextureHostOGL::WaylandDMABUFTextureHostOGL(mozilla::layers::TextureFlags, mozilla::layers::SurfaceDescriptor const&) 
/mozilla-central/gfx/layers/opengl/WaylandDMABUFTextureHostOGL.cpp:21:14
    #4 0x7f3b464deba9 in mozilla::layers::CreateTextureHostOGL(mozilla::layers::SurfaceDescriptor const&, mozilla::layers::ISurfaceAllocator*, mozilla::layers::LayersBackend, mozilla::layers::TextureFlags) /mozilla-central/gfx/layers/opengl/TextureHostOGL.cpp:86:20
    #5 0x7f3b469c8ec9 in mozilla::layers::TextureHost::Create(mozilla::layers::SurfaceDescriptor const&, mozilla::layers::ReadLockDescriptor const&, mozilla::layers::ISurfaceAllocator*, mozilla::layers::LayersBackend, mozilla::layers::TextureFlags, mozilla::Maybe<mozilla::wr::ExternalImageId>&) /mozilla-central/gfx/layers/composite/TextureHost.cpp:186:16
    #6 0x7f3b469c85bf in mozilla::layers::TextureParent::Init(mozilla::layers::SurfaceDescriptor const&, mozilla::layers::ReadLockDescriptor const&, mozilla::layers::LayersBackend const&, mozilla::layers::TextureFlags const&) /mozilla-central/gfx/layers/composite/TextureHost.cpp:1223:18
    #7 0x7f3b469c82c6 in mozilla::layers::TextureHost::CreateIPDLActor(mozilla::layers::HostIPCAllocator*, mozilla::layers::SurfaceDescriptor const&, mozilla::layers::ReadLockDescriptor const&, mozilla::layers::LayersBackend, mozilla::layers::TextureFlags, unsigned long, mozilla::Maybe<mozilla::wr::ExternalImageId> const&) /mozilla-central/gfx/layers/composite/TextureHost.cpp:125:15
    #8 0x7f3b46a6b3a2 in mozilla::layers::ContentCompositorBridgeParent::AllocPTextureParent(mozilla::layers::SurfaceDescriptor const&, mozilla::layers::ReadLockDescriptor const&, mozilla::layers::LayersBackend const&, mozilla::layers::TextureFlags const&, mozilla::layers::LayersId const&, unsigned long const&, mozilla::Maybe<mozilla::wr::ExternalImageId> const&) /mozilla-central/gfx/layers/ipc/ContentCompositorBridgeParent.cpp:633:10
    #9 0x7f3b447ff914 in mozilla::layers::PCompositorBridgeParent::OnMessageReceived(IPC::Message const&) /mozilla-central/objdir-ff-ubsan/ipc/ipdl/PCompositorBridgeParent.cpp:1579:87
    #10 0x7f3b44817c40 in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /mozilla-central/objdir-ff-ubsan/ipc/ipdl/PCompositorManagerParent.cpp:197:32
    #11 0x7f3b422f21bb in void mozilla::ipc::FuzzProtocol<mozilla::layers::CompositorManagerParent>(mozilla::layers::CompositorManagerParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) /mozilla-central/objdir-ff-ubsan/dist/include/ProtocolFuzzer.h:96:18
    #12 0x7f3b422f1938 in RunCompositorManagerParentIPCFuzzing(unsigned char const*, unsigned long) /mozilla-central/gfx/layers/ipc/fuzztest/compositor_manager_parent_ipc_libfuzz.cpp:30:3
    #13 0x5624958f8075 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /mozilla-central/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:529:15
    #14 0x5624958e4b6e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /mozilla-central/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:286:6
    #15 0x5624958e6bd9 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /mozilla-central/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:715:9
    #16 0x7f3b4f7cd1fc in mozilla::FuzzerRunner::Run(int*, char***) /mozilla-central/tools/fuzzing/interface/harness/FuzzerRunner.cpp:54:10
    #17 0x7f3b4f6f40f8 in XREMain::XRE_mainStartup(bool*) /mozilla-central/toolkit/xre/nsAppRunner.cpp:3696:35
    #18 0x7f3b4f6fd07b in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /mozilla-central/toolkit/xre/nsAppRunner.cpp:4688:12
    #19 0x7f3b4f6fd863 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /mozilla-central/toolkit/xre/nsAppRunner.cpp:4752:21
    #20 0x562495779da2 in do_main(int, char**, char**) /mozilla-central/browser/app/nsBrowserApp.cpp:217:22
    #21 0x5624957794fb in main /mozilla-central/browser/app/nsBrowserApp.cpp:331:16

Comment 1

[Martin Stránský [:stransky] (ni? me) (PTO, back on Feb 17)]

We can fix that when recent batch of GL changes landed.

Comment 2

[Martin Stránský [:stransky] (ni? me) (PTO, back on Feb 17)]

Attachment: Bug 1614210 [Wayland] Explicitly crash when creating wayland surface on non-wayland session, r?jhorak

Comment 3

[Pulsebot]

Pushed by nerli@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6894dcb0651c
[Wayland] Explicitly crash when creating wayland surface on non-wayland session, r=jhorak

Comment 4

[Cristian Brindusan [:cbrindusan]]

https://hg.mozilla.org/mozilla-central/rev/6894dcb0651c

Comment 5

[Ryan VanderMeulen [:RyanVM]]

Is this something we should uplift to Beta for 74?

Comment 6

[Martin Stránský [:stransky] (ni? me) (PTO, back on Feb 17)]

No, this is a corner case which can't happen in a real scenario.