Closed
Bug 1636517
Opened 5 years ago
Closed 5 years ago
Assertion failure: (detail::IsInBounds<From, To>(aFrom)), at /builds/worker/workspace/obj-build/dist/include/mozilla/Casting.h:207
Categories
(Core :: Graphics: CanvasWebGL, defect, P1)
Core
Graphics: CanvasWebGL
Tracking
()
VERIFIED
FIXED
mozilla78
People
(Reporter: jkratzer, Assigned: jgilbert)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 19e273db8019 (built with --enable-debug).
Assertion failure: (detail::IsInBounds<From, To>(aFrom)), at /builds/worker/workspace/obj-build/dist/include/mozilla/Casting.h:207
rax = 0x00007fad522a57db rdx = 0x0000000000000000
rcx = 0x0000562030f01a48 rbx = 0x00007ffdc054b970
rsi = 0x00007fad642c38b0 rdi = 0x00007fad642c2680
rbp = 0x00007ffdc054b8c0 rsp = 0x00007ffdc054b8a0
r8 = 0x00007fad642c38b0 r9 = 0x00007fad65429780
r10 = 0x0000000000000002 r11 = 0x0000000000000000
r12 = 0x00007face0006290 r13 = 0x0000562032e0af50
r14 = 0x0000562033179bf0 r15 = 0x00007face0006320
rip = 0x00007fad4d1ee6cb
OS|Linux|0.0.0 Linux 5.3.0-46-generic #38~18.04.1-Ubuntu SMP Tue Mar 31 04:17:56 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::WebGLFBAttachPoint::Set(mozilla::gl::GLContext*, mozilla::webgl::FbAttachInfo const&)|hg:hg.mozilla.org/mozilla-central:dom/canvas/WebGLFramebuffer.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|0|0x29
0|1|libxul.so|mozilla::WebGLFramebuffer::FramebufferAttach(unsigned int, mozilla::webgl::FbAttachInfo const&)|hg:hg.mozilla.org/mozilla-central:dom/canvas/WebGLFramebuffer.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|0|0x8
0|2|libxul.so|mozilla::WebGLContext::FramebufferAttach(unsigned int, unsigned int, unsigned int, mozilla::webgl::FbAttachInfo const&)|hg:hg.mozilla.org/mozilla-central:dom/canvas/WebGLContextGL.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|351|0xe
0|3|libxul.so|mozilla::HostWebGLContext::FramebufferAttach(unsigned int, unsigned int, unsigned int, unsigned long, int, int, int) const|hg:hg.mozilla.org/mozilla-central:dom/canvas/HostWebGLContext.h:19e273db80195cc5de59647fcaf16bafad9bbcce|354|0x21
0|4|libxul.so|void mozilla::RunOn<void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned int, unsigned long, int, int, int) const, &(mozilla::HostWebGLContext::FramebufferAttach(unsigned int, unsigned int, unsigned int, unsigned long, int, int, int) const), void, unsigned int const&, unsigned int const&, unsigned int const&, unsigned long&, unsigned int const&, unsigned int const&, unsigned int const&>(mozilla::ClientWebGLContext const&, unsigned int const&, unsigned int const&, unsigned int const&, unsigned long&, unsigned int const&, unsigned int const&, unsigned int const&)|hg:hg.mozilla.org/mozilla-central:dom/canvas/ClientWebGLContext.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|372|0x1a
0|5|libxul.so|mozilla::ClientWebGLContext::FramebufferAttach(unsigned int, unsigned int, unsigned int, mozilla::WebGLRenderbufferJS*, mozilla::WebGLTextureJS*, unsigned int, unsigned int, unsigned int) const|hg:hg.mozilla.org/mozilla-central:dom/canvas/ClientWebGLContext.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|0|0x7
0|6|libxul.so|mozilla::ClientWebGLContext::FramebufferTextureLayer(unsigned int, unsigned int, mozilla::WebGLTextureJS*, int, int) const|hg:hg.mozilla.org/mozilla-central:dom/canvas/ClientWebGLContext.h:19e273db80195cc5de59647fcaf16bafad9bbcce|1383|0x19
0|7|libxul.so|mozilla::dom::WebGL2RenderingContext_Binding::framebufferTextureLayer(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&)|s3:gecko-generated-sources:31bb1b01d03e6fca5d278983c21d284828c80bc94ea706cd3bad91a7446ca3199512dcf3d1c39abc0d9d644a88da42a33e85ca815b69fd7c7cd72197e96a1edb/dom/bindings/WebGL2RenderingContextBinding.cpp:|1542|0x1a
0|8|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|3203|0x21
0|9|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|493|0x12
0|10|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|585|0xe
0|11|libxul.so|Interpret(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|652|0xa
0|12|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|465|0xb
0|13|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|620|0x8
0|14|libxul.so|<name omitted>|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|665|0xb
0|15|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|2840|0x23
0|16|libxul.so|mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:2563ad09677feb8ddf64827a409899848ef6a80bfacaa11f581c512536a6fb0c779d8b29517ba6358a054c6d475f770bf7bac2913a941d0394881c5649b08603/dom/bindings/EventListenerBinding.cpp:|55|0xe
0|17|libxul.so|void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:99837b3cdc69c5eb1234f9d2b3e771dcff734d56a022bedb1d00c0cf4ee6243fb5c91397a058f2ddab63bda8ed6b581ea1232a0229033866910c7289d24cbc2d/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x21
0|18|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|1073|0x2c
0|19|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|1271|0x16
0|20|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|356|0xb
0|21|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|558|0x19
0|22|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|1055|0x5
0|23|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|0|0x8
0|24|libxul.so|nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|1302|0x10
0|25|libxul.so|nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|4026|0x23
0|26|libxul.so|nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|3996|0x23
0|27|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|7216|0x21
0|28|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:19e273db80195cc5de59647fcaf16bafad9bbcce|1220|0x17
0|29|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|146|0x11
0|30|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|1200|0x11
0|31|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|481|0xc
0|32|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|87|0x7
0|33|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:19e273db80195cc5de59647fcaf16bafad9bbcce|315|0x17
0|34|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:19e273db80195cc5de59647fcaf16bafad9bbcce|290|0x8
0|35|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|137|0xd
0|36|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|909|0xe
0|37|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|237|0x5
0|38|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:19e273db80195cc5de59647fcaf16bafad9bbcce|315|0x17
0|39|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:19e273db80195cc5de59647fcaf16bafad9bbcce|290|0x8
0|40|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|740|0x5
0|41|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|56|0x11
0|42|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|303|0x20
0|43|libc.so.6||||0x21b97
0|44|firefox-bin|<name omitted>|hg:hg.mozilla.org/mozilla-central:mfbt/UniquePtr.h:19e273db80195cc5de59647fcaf16bafad9bbcce|253|0x17
Flags: in-testsuite?
|
||
Comment 1•5 years ago
|
||
Because this bug's Severity is normal and has not been changed, and this bug's priority is -- (none,) indicating it has has not been previously triaged, the bug's Severity is being updated to -- (default, untriaged.)
Severity: normal → --
|
Reporter | |
Updated•5 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 2•5 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200518214824-a3941f42e662.
The bug appears to have been introduced in the following build range:
> Start: 2196d50bfb2d53fd40ed2705d496da3c6a4b10ba (20190523205621)
> End: a9e860d35d5b7074e68e2cd2d50e53cdb69e7523 (20190523205940)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2196d50bfb2d53fd40ed2705d496da3c6a4b10ba&tochange=a9e860d35d5b7074e68e2cd2d50e53cdb69e7523
|
||
Comment 3•5 years ago
|
||
The severity field is not set for this bug.
:jgilbert, could you have a look please?
For more information, please visit auto_nag documentation.
Flags: needinfo?(jgilbert)
|
Assignee | |
Updated•5 years ago
|
Assignee: nobody → jgilbert
Flags: needinfo?(jgilbert)
Priority: -- → P1
|
|
Assignee | |
Updated•5 years ago
|
Severity: -- → S4
|
|
Assignee | |
Comment 4•5 years ago
|
||
Upstreaming test: https://github.com/KhronosGroup/WebGL/pull/3084
This test only asserts and fails in debug builds. Non-debug builds pass the test, and have safe behavior.
We don't need the assert in this case (detachment), but we really want the assert for attachment.
|
|
Assignee | |
Comment 5•5 years ago
|
||
Pushed by jgilbert@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/095ff1c0aa57
When detaching a webgl fb attachment, reset params to defaults. r=lsalzman
|
||
Comment 7•5 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla78
|
|
Reporter | |
Updated•5 years ago
|
|
|
Reporter | |
Comment 8•5 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200529095426-2ea544687871.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
||
Updated•5 years ago
|
status-firefox76:
--- → wontfix
status-firefox77:
--- → wontfix
status-firefox-esr68:
--- → wontfix
Regressed by: 1536672
|
||
Updated•5 years ago
|
Has Regression Range: --- → yes
Keywords: regression
You need to log in
before you can comment on or make changes to this bug.
Description
•