Open
Bug 1645105
Opened 5 years ago
Updated 1 year ago
Assertion failure: [GFX1]: invalid offset 252 for gfxSkipChars length 138, at /builds/worker/checkouts/gecko/gfx/2d/Logging.h:756
Categories
(Core :: Graphics, defect)
Core
Graphics
Tracking
()
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 2 open bugs, )
Details
(Keywords: assertion, pernosco, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file, 2 obsolete files)
|
376 bytes,
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev 10ad7868f3ca (built with --enable-debug).
Assertion failure: [GFX1]: invalid offset 252 for gfxSkipChars length 138, at /builds/worker/checkouts/gecko/gfx/2d/Logging.h:756
rax = 0x00007f776e01d127 rdx = 0x0000000000000000
rcx = 0x0000556cf81d3a58 rbx = 0x00007f776e01d0cf
rsi = 0x00007f777f4e98b0 rdi = 0x00007f777f4e8680
rbp = 0x00007ffe2187e290 rsp = 0x00007ffe2187e280
r8 = 0x00007f777f4e98b0 r9 = 0x00007f778064f780
r10 = 0x0000000000000002 r11 = 0x0000000000000000
r12 = 0x00000000000000df r13 = 0x00007ffe2187e710
r14 = 0x00007ffe2187e2d0 r15 = 0x00007ffe2187e2d0
rip = 0x00007f7766694c9d
OS|Linux|0.0.0 Linux 5.3.0-51-generic #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::WriteLog(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)|hg:hg.mozilla.org/mozilla-central:gfx/2d/Logging.h:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|757|0x25
0|1|libxul.so|mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::Flush()|hg:hg.mozilla.org/mozilla-central:gfx/2d/Logging.h:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|279|0x8
0|2|libxul.so|mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::~Log()|hg:hg.mozilla.org/mozilla-central:gfx/2d/Logging.h:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|272|0xe
0|3|libxul.so|gfxSkipCharsIterator::SetOriginalOffset(int)|hg:hg.mozilla.org/mozilla-central:gfx/thebes/gfxSkipChars.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|22|0x5
0|4|libxul.so|nsTextFrame::ReflowText(nsLineLayout&, int, mozilla::gfx::DrawTarget*, mozilla::ReflowOutput&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsTextFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|9157|0x29
0|5|libxul.so|nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsLineLayout.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|881|0x1b
0|6|libxul.so|nsFirstLetterFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFirstLetterFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|226|0x16
0|7|libxul.so|nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsLineLayout.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|878|0x31
0|8|libxul.so|nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|4448|0x10
0|9|libxul.so|nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|4250|0x2a
0|10|libxul.so|nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|4135|0x51
0|11|libxul.so|nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|3124|0x15
0|12|libxul.so|nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|2660|0x24
0|13|libxul.so|nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|1374|0xb
0|14|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|1074|0x1a
0|15|libxul.so|nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsCanvasFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|750|0x22
0|16|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|1074|0x1a
0|17|libxul.so|nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|661|0x3a
0|18|libxul.so|nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|775|0x15
0|19|libxul.so|nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsGfxScrollFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|1161|0x15
0|20|libxul.so|nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|1114|0x18
0|21|libxul.so|mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)|hg:hg.mozilla.org/mozilla-central:layout/generic/ViewportFrame.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|296|0x2b
0|22|libxul.so|mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|9576|0x1c
0|23|libxul.so|mozilla::PresShell::ProcessReflowCommands(bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|9749|0x12
0|24|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|4229|0x12
0|25|libxul.so|nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.h:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|1440|0xb
0|26|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|373|0xb
0|27|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|367|0x12
0|28|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|737|0x17
0|29|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync()|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|639|0x10
0|30|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run()|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|538|0x14
0|31|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|1236|0xe
0|32|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|501|0xc
0|33|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|87|0x7
0|34|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|315|0x17
0|35|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|290|0x8
0|36|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|137|0xd
0|37|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|913|0xe
0|38|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|237|0x5
0|39|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|315|0x17
0|40|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|290|0x8
0|41|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|744|0x5
0|42|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|56|0x11
0|43|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|303|0x20
0|44|libc.so.6||||0x21b97
0|45|firefox-bin|<name omitted>|hg:hg.mozilla.org/mozilla-central:mfbt/UniquePtr.h:10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd|253|0x17
Flags: in-testsuite?
|
Reporter | |
Updated•5 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 1•5 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200611093454-10ad7868f3ca.
Failed to bisect testcase (Start build crashes!):
> Start: 4a63f0a3a1f26e2a377ffbd477ba050e16577445 (20190613035031)
> End: 10ad7868f3ca27cb90db9bd1d392ff4d7852a0cd (20200611093454)
> BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)
|
||
Comment 3•3 years ago
•
|
||
A Pernosco session is available here: https://pernos.co/debug/_HS7vq5dGzzKzKhRO64nPA/index.html
status-firefox103:
--- → wontfix
status-firefox104:
--- → affected
status-firefox105:
--- → affected
status-firefox-esr102:
--- → affected
status-firefox-esr91:
--- → affected
|
||
Comment 4•3 years ago
|
||
Bugmon Analysis
Unable to reproduce bug 1645105 using build mozilla-central 20210821093516-3db432e28208. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
Severity: normal → S3
|
|
||
Comment 5•1 year ago
|
||
This has been detected by live site testing.
Blocks: site-scout
URL: http://france.tv/
|
||
Comment 6•1 year ago
|
||
(In reply to Tyson Smith [:tsmith] from comment #5)
This has been detected by live site testing.
Can you share a crash report or any other info from this? Just visiting the france.tv site doesn't seem to reproduce it for me, so it's unclear exactly what is involved.
Flags: needinfo?(twsmith)
|
|
||
Comment 7•1 year ago
|
||
The site links I have are not reliable but the fuzzers are also finding it. Would you like a new test case and Pernosco session or is the existing Pernosco session sufficient?
Flags: needinfo?(twsmith) → needinfo?(jfkthame)
|
|
||
Comment 8•1 year ago
|
||
The original stack includes code that has changed quite a bit since the report, so a new testcase and pernosco session would be great -- thanks!
Flags: needinfo?(jfkthame)
|
|
||
Comment 9•1 year ago
|
||
Attachment #9290176 -
Attachment is obsolete: true
|
|
||
Comment 10•1 year ago
|
||
A Pernosco session is available here: https://pernos.co/debug/Eg3YToA0Kre1ee3NsMp7LQ/index.html
status-firefox132:
--- → affected
status-firefox-esr115:
--- → affected
status-firefox-esr128:
--- → affected
Keywords: pernosco
You need to log in
before you can comment on or make changes to this bug.
Description
•