Open Bug 1649323 Opened 1 year ago Updated 1 year ago

null pointer passed as argument 2, which is declared to never be null in gfx/2d/RecordedEvent.h

Categories

(Core :: Graphics, defect, P3)

Desktop
Linux
defect

Tracking


Tracking Status
firefox79 --- affected
firefox80 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

This can be triggered with crash tests. To enable this check add the following to your mozconfig:
ac_add_options --enable-undefined-sanitizer="nonnull-attribute"

REFTEST TEST-START | layout/painting/crashtests/1504033.html
REFTEST TEST-LOAD | file:///builds/worker/workspace/build/tests/reftest/tests/layout/painting/crashtests/1504033.html | 2894 / 3821 (75%)
src/gfx/2d/RecordedEvent.h:279:39: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:47:28: note: nonnull attribute specified here
    #0 0x7fa3b82fc29d in mozilla::gfx::MemStream::write(char const*, unsigned long) src/gfx/2d/RecordedEvent.h:279:7
    #1 0x7fa3b82fc097 in mozilla::gfx::DrawEventRecorderMemory::Finish() src/gfx/2d/DrawEventRecorder.cpp:154:17
    #2 0x7fa3b872a46b in mozilla::layers::DIGroup::EndGroup(mozilla::layers::WebRenderLayerManager*, nsDisplayListBuilder*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::Grouper*, nsDisplayItem*, nsDisplayItem*) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:684:31
    #3 0x7fa3b87280a8 in mozilla::layers::Grouper::ConstructGroups(nsDisplayListBuilder*, mozilla::layers::WebRenderCommandBuilder*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::DIGroup*, nsDisplayList*, mozilla::layers::StackingContextHelper const&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1245:17
    #4 0x7fa3b872f598 in mozilla::layers::WebRenderCommandBuilder::DoGroupingForDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1507:5
    #5 0x7fa3b87331a6 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1670:5
    #6 0x7fa3be1ae056 in nsDisplayWrapList::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) src/layout/painting/nsDisplayList.cpp:5583:30
    #7 0x7fa3be1d58a8 in nsDisplaySVGWrapper::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) src/layout/painting/nsDisplayList.cpp:9844:29
    #8 0x7fa3b87341ed in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1652:41
    #9 0x7fa3b8732a73 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1757:7
    #10 0x7fa3be1c4583 in nsDisplayTransform::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) src/layout/painting/nsDisplayList.cpp:7987:30
    #11 0x7fa3b87341ed in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1652:41
    #12 0x7fa3b8732a73 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1757:7
    #13 0x7fa3be1c4583 in nsDisplayTransform::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) src/layout/painting/nsDisplayList.cpp:7987:30
    #14 0x7fa3b87341ed in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1652:41
    #15 0x7fa3b8732a73 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1757:7
    #16 0x7fa3be1c4583 in nsDisplayTransform::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) src/layout/painting/nsDisplayList.cpp:7987:30
    #17 0x7fa3b87341ed in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1652:41
    #18 0x7fa3b8732a73 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1757:7
    #19 0x7fa3be1c4583 in nsDisplayTransform::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) src/layout/painting/nsDisplayList.cpp:7987:30
    #20 0x7fa3b87341ed in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1652:41
    #21 0x7fa3b8732a73 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1757:7
    #22 0x7fa3be1c4583 in nsDisplayTransform::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) src/layout/painting/nsDisplayList.cpp:7987:30
    #23 0x7fa3b87341ed in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1652:41
    #24 0x7fa3b8732a73 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1757:7
    #25 0x7fa3b87315c2 in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, nsDisplayList*, nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1578:5
    #26 0x7fa3b874d3cb in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(nsDisplayList*, nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*) src/gfx/layers/wr/WebRenderLayerManager.cpp:322:30
    #27 0x7fa3be18aeb6 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) src/layout/painting/nsDisplayList.cpp:2400:18
    #28 0x7fa3bda0ceb6 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:4234:13
    #29 0x7fa3bd9226d6 in mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags) src/layout/base/PresShell.cpp:6376:5
    #30 0x7fa3bd36073e in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:460:18
    #31 0x7fa3bd35fded in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:395:22
    #32 0x7fa3bd3626cd in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1018:5
    #33 0x7fa3bd89cb7e in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2191:11
    #34 0x7fa3bd8a8fd6 in TickDriver src/layout/base/nsRefreshDriver.cpp:373:13
    #35 0x7fa3bd8a8fd6 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:350:7
    #36 0x7fa3bd8a8bd5 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:367:5
    #37 0x7fa3bd8b82f2 in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:819:5
    #38 0x7fa3bd8b82f2 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:737:16
    #39 0x7fa3bd8b791c in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() src/layout/base/nsRefreshDriver.cpp:639:7
    #40 0x7fa3bd8a5fa2 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() src/layout/base/nsRefreshDriver.cpp:538:20
    #41 0x7fa3b618ca83 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1234:14
    #42 0x7fa3b619700c in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:504:10
    #43 0x7fa3b729e1ca in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
    #44 0x7fa3b71bbed7 in RunInternal src/ipc/chromium/src/base/message_loop.cc:316:10
    #45 0x7fa3b71bbed7 in RunHandler src/ipc/chromium/src/base/message_loop.cc:309:3
    #46 0x7fa3b71bbed7 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:291:3
    #47 0x7fa3bd407e48 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #48 0x7fa3c0c12da6 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #49 0x7fa3b71bbed7 in RunInternal src/ipc/chromium/src/base/message_loop.cc:316:10
    #50 0x7fa3b71bbed7 in RunHandler src/ipc/chromium/src/base/message_loop.cc:309:3
    #51 0x7fa3b71bbed7 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:291:3
    #52 0x7fa3c0c12378 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #53 0x55afd3684044 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #54 0x55afd3684044 in main src/browser/app/nsBrowserApp.cpp:303:18

Thanks Tyson. Which platform is this on? In particular I'm curious which string.h is being used here.

Looking at the code, either there is a problem due to mData being null but mLength > 0, or we never wrote to mIndex prior to this copy, and then memcpy should ignore the fact that src == nullptr whenever length == 0. If we can confirm it's the latter that's missing, a simple fix should be to not call MemStream::write if !has_items.

(I'm speculating, I'm not familiar with this code)

Severity: -- → S3
Flags: needinfo?(twsmith)
Priority: -- → P3

(In reply to Bert Peers [:bpeers] from comment #1)
Thanks for the quick response. This was found with a UBSan build on Linux. The log from the run can be found here: https://firefoxci.taskcluster-artifacts.net/YgAivdpvRuS6Icm_eBhCNQ/0/public/logs/live_backing.log

> If we can confirm it's the latter that's missing, a simple fix should be to not call MemStream::write if !has_items.

This is very likely the case otherwise we'd probably be seeing a crash with other builds.

Flags: needinfo?(twsmith)
OS: Unspecified → Linux
Hardware: Unspecified → Desktop
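The pattern behind this report, as an added illustration that is not Firefox code and not code posted by anyone in this bug: a simplified stand-in for a growable memory stream with an unguarded write (memcpy is called even when the length is 0) next to a guarded one, and a stand-in for a recorder whose Finish() only appends its index stream when something was actually recorded, as comment 1 suggests. The class and member names (MemStream, mData, mLength, Recorder, mIndex, mOutputStream, mHasItems, recordEvent) and the offset-based index entries are assumptions made for the example, not the real gfx/2d layout. The security-relevant point is that memcpy's pointer parameters are declared nonnull in glibc's string.h (and the C standard requires valid pointers even when n == 0), so memcpy(dst, nullptr, 0) is undefined behaviour that the compiler may optimise around, not merely a sanitizer false positive; the fix is to never reach memcpy with nothing to copy.

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <string>

// Minimal growable byte stream. Stand-in for the shape of gfx/2d's MemStream
// (assumption), not the Firefox code itself.
struct MemStream {
  char* mData = nullptr;   // stays nullptr until the first non-empty write
  size_t mLength = 0;
  size_t mCapacity = 0;

  MemStream() = default;
  MemStream(const MemStream&) = delete;
  MemStream& operator=(const MemStream&) = delete;
  ~MemStream() { free(mData); }

  void reserve(size_t aNeeded) {
    if (aNeeded <= mCapacity) return;
    size_t newCap = mCapacity ? mCapacity * 2 : 64;
    while (newCap < aNeeded) newCap *= 2;
    char* grown = static_cast<char*>(realloc(mData, newCap));
    if (!grown) abort();
    mData = grown;
    mCapacity = newCap;
  }

  // Unguarded write: memcpy runs even for aSize == 0. glibc's string.h marks
  // both memcpy pointer parameters __nonnull, so a null aData is reported by
  // -fsanitize=nonnull-attribute regardless of the length.
  void writeUnguarded(const char* aData, size_t aSize) {
    reserve(mLength + aSize);
    memcpy(mData + mLength, aData, aSize);
    mLength += aSize;
  }

  // Guarded write: an empty write touches nothing, so a source stream that
  // was never written to (mData == nullptr, mLength == 0) is harmless.
  void write(const char* aData, size_t aSize) {
    if (aSize == 0) return;
    reserve(mLength + aSize);
    memcpy(mData + mLength, aData, aSize);
    mLength += aSize;
  }
};

// What the nonnull-attribute check looks at: the pointer value alone.
// A null source with length 0 still violates the attribute.
bool violatesNonnull(const char* aData) { return aData == nullptr; }

// Recorder with an output stream plus a separate index stream that is
// appended on Finish (assumed structure, simplified from the stack trace).
struct Recorder {
  MemStream mOutputStream;
  MemStream mIndex;
  bool mHasItems = false;

  void recordEvent(const std::string& aEvent) {
    // Constructed index entry: the offset of this event in the output stream.
    size_t offset = mOutputStream.mLength;
    mOutputStream.write(aEvent.data(), aEvent.size());
    mIndex.write(reinterpret_cast<const char*>(&offset), sizeof(offset));
    mHasItems = true;
  }

  // Finish() following comment 1: skip the index copy entirely when nothing
  // was recorded instead of relying on memcpy to tolerate a null source.
  size_t Finish() {
    if (mHasItems) {
      mOutputStream.write(mIndex.mData, mIndex.mLength);
    }
    return mOutputStream.mLength;
  }
};

int main() {
  Recorder empty;
  // With no items mIndex.mData is still nullptr. The unguarded call below is
  // the shape UBSan reports as "null pointer passed as argument 2" when the
  // file is built with -fsanitize=nonnull-attribute; the guarded Finish()
  // never reaches memcpy.
  if (violatesNonnull(empty.mIndex.mData)) {
    empty.mOutputStream.writeUnguarded(empty.mIndex.mData, empty.mIndex.mLength);
  }
  empty.Finish();

  Recorder r;
  r.recordEvent("fill-rect");
  r.recordEvent("stroke-path");
  return r.Finish() == 0;  // non-zero exit only if nothing was written
}
```

To see the report outside of a mozconfig build, compile with clang++ -std=c++17 -fsanitize=nonnull-attribute and run the binary: the writeUnguarded call in main prints the same "null pointer passed as argument 2, which is declared to never be null" line, while the guarded Finish() path is silent because the aSize == 0 check returns before memcpy is called.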