Open Bug 1619334 Opened 5 years ago Updated 9 months ago

AddressSanitizer: SEGV /builds/worker/workspace/build/src/widget/gtk/GtkCompositorWidget.cpp:31:5 in mozilla::widget::GtkCompositorWidget::GtkCompositorWidget(mozilla::widget::GtkCompositorWidgetInitData const&, mozilla::layers::CompositorOptions const&,

Categories

(Core :: Graphics, defect, P3)

defect

Tracking

()

Tracking Status
firefox75 --- disabled

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:confirmed])

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 51efc4b931f7.

==27416==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f1a5e5fe8b6 bp 0x7f1a50fcade0 sp 0x7f1a50fcac20 T3)
==27416==The signal is caused by a WRITE memory access.
==27416==Hint: address points to the zero page.
    #0 0x7f1a5e5fe8b5 in mozilla::widget::GtkCompositorWidget::GtkCompositorWidget(mozilla::widget::GtkCompositorWidgetInitData const&, mozilla::layers::CompositorOptions const&, nsWindow*) /builds/worker/workspace/build/src/widget/gtk/GtkCompositorWidget.cpp:31:5
    #1 0x7f1a5e5fe156 in mozilla::widget::CompositorWidgetParent::CompositorWidgetParent(mozilla::widget::CompositorWidgetInitData const&, mozilla::layers::CompositorOptions const&) /builds/worker/workspace/build/src/widget/gtk/CompositorWidgetParent.cpp:16:7
    #2 0x7f1a5989ecf1 in mozilla::layers::CompositorBridgeParent::AllocPCompositorWidgetParent(mozilla::widget::CompositorWidgetInitData const&) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:2227:11
    #3 0x7f1a577f8e6d in mozilla::layers::PCompositorBridgeParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PCompositorBridgeParent.cpp:1073:96
    #4 0x7f1a578135ce in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PCompositorManagerParent.cpp:197:32
    #5 0x7f1a574e4f42 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2187:25
    #6 0x7f1a574e014a in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2111:9
    #7 0x7f1a574e264f in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1959:3
    #8 0x7f1a574e3550 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1990:13
    #9 0x7f1a573e3be2 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:442:9
    #10 0x7f1a573e49c4 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:450:5
    #11 0x7f1a573e521b in MessageLoop::DoWork() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:523:13
    #12 0x7f1a573e6bc6 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:35:31
    #13 0x7f1a573e37c7 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #14 0x7f1a573e37c7 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #15 0x7f1a573e37c7 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #16 0x7f1a57402a0a in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:192:16
    #17 0x7f1a573f452c in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #18 0x7f1a79ffe6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #19 0x7f1a78fdc88e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/widget/gtk/GtkCompositorWidget.cpp:31:5 in mozilla::widget::GtkCompositorWidget::GtkCompositorWidget(mozilla::widget::GtkCompositorWidgetInitData const&, mozilla::layers::CompositorOptions const&, nsWindow*)
Thread T3 (Compositor) created by T0 (GPU Process) here:
    #0 0x55731cefe00a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
    #1 0x7f1a573ef61c in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:123:14
    #2 0x7f1a573ef61c in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:134:10
    #3 0x7f1a574021ed in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:97:8
    #4 0x7f1a598b15ab in CreateCompositorThread /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:86:26
    #5 0x7f1a598b15ab in mozilla::layers::CompositorThreadHolder::CompositorThreadHolder() /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:38:25
    #6 0x7f1a598b1e80 in mozilla::layers::CompositorThreadHolder::Start() /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:107:33
    #7 0x7f1a59ba1b4b in mozilla::gfx::GPUParent::Init(int, char const*, MessageLoop*, mozilla::UniquePtr<IPC::Channel, mozilla::DefaultDelete<IPC::Channel> >) /builds/worker/workspace/build/src/gfx/ipc/GPUParent.cpp:134:3
    #8 0x7f1a59bb1588 in mozilla::gfx::GPUProcessImpl::Init(int, char**) /builds/worker/workspace/build/src/gfx/ipc/GPUProcessImpl.cpp:76:15
    #9 0x7f1a620f620d in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:727:21
    #10 0x55731cf45f83 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #11 0x55731cf45f83 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:303:18
    #12 0x7f1a78edcb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

==27416==ABORTING
Flags: in-testsuite?
Attached file prefs.js
BugMon: Verified bug as reproducible on 51efc4b931f7
BugMon: Reduced build range to... > Start: 8384972e1f6a408c9c724a9082939bd2ba91dab2 (20190531170346) > End: b2d39cc7a2db1ee5cbadab043d94790470aa48ca (20190531170618) > Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=8384972e1f6a408c9c724a9082939bd2ba91dab2&tochange=b2d39cc7a2db1ee5cbadab043d94790470aa48ca
Whiteboard: [bugmon:confirm] → [bugmon:confirmed]

(In reply to Jason Kratzer [:jkratzer] from comment #3)

BugMon: Reduced build range to...

Start: 8384972e1f6a408c9c724a9082939bd2ba91dab2 (20190531170346)
End: b2d39cc7a2db1ee5cbadab043d94790470aa48ca (20190531170618)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=8384972e1f6a408c9c724a9082939bd2ba91dab2&tochange=b2d39cc7a2db1ee5cbadab043d94790470aa48ca

Enabling the gpu process by default on linux perhaps?

The priority flag is not set for this bug.
:jbonisteel, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jbonisteel)

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression
Flags: needinfo?(jbonisteel) → needinfo?(aosmond)
Priority: -- → P3

AFAIK webrender and gpu process are still disabled on linux for 75.

Flags: needinfo?(aosmond)
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: