1665779 - crash near null in [@ nsPrintJob::InitPrintDocConstruction]

Status: RESOLVED FIXED

(Core :: Print Preview, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Report from m-c 20200917-084477976b2d

==27030==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f1390842f2c bp 0x7ffc2bbd63b0 sp 0x7ffc2bbd62a0 T0)
==27030==The signal is caused by a READ memory access.
==27030==Hint: address points to the zero page.
    #0 0x7f1390842f2c in get /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:287:32
    #1 0x7f1390842f2c in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:282:12
    #2 0x7f1390842f2c in nsPrintJob::InitPrintDocConstruction(bool) /gecko/layout/printing/nsPrintJob.cpp:1494:25
    #3 0x7f13908506d8 in nsPrintJob::Observe(nsISupports*, char const*, char16_t const*) /gecko/layout/printing/nsPrintJob.cpp:2622:17
    #4 0x7f1393631678 in nsPrintProgress::DoneIniting() /gecko/toolkit/components/printingui/nsPrintProgress.cpp:165:17
    #5 0x7f1387ab7431 in NS_InvokeByIndex /gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
    #6 0x7f1389b51948 in Invoke /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1620:10
    #7 0x7f1389b51948 in Call /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1176:19
    #8 0x7f1389b51948 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1142:23
    #9 0x7f1389b56f24 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:947:10
    #10 0x7f1393908068 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:508:13
    #11 0x7f1393908068 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:600:12
    #12 0x7f139390a38b in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:665:10
    #13 0x7f13938f1101 in CallFromStack /gecko/js/src/vm/Interpreter.cpp:669:10
    #14 0x7f13938f1101 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3337:16
    #15 0x7f13938d1cd0 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:469:13
    #16 0x7f13939081f9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:637:13
    #17 0x7f139390a38b in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:665:10
    #18 0x7f139390a710 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:682:8
    #19 0x7f1393a99a32 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/jsapi.cpp:2821:10
    #20 0x7f138cea7864 in mozilla::dom::Function::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/FunctionBinding.cpp:45:8
    #21 0x7f138b609a2a in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> >(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:73:12
    #22 0x7f138b609693 in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /gecko/dom/base/TimeoutHandler.cpp:167:29
    #23 0x7f138b23ea05 in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /gecko/dom/base/nsGlobalWindowInner.cpp:6094:38
    #24 0x7f138b604b1a in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /gecko/dom/base/TimeoutManager.cpp:916:44
    #25 0x7f138b6036a5 in mozilla::dom::TimeoutExecutor::MaybeExecute() /gecko/dom/base/TimeoutExecutor.cpp:179:11
    #26 0x7f138b6070fb in mozilla::dom::TimeoutExecutor::Run() /gecko/dom/base/TimeoutExecutor.cpp:234:5
    #27 0x7f1387a943f3 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /gecko/xpcom/threads/ThrottledEventQueue.cpp:254:22
    #28 0x7f1387a873ef in mozilla::ThrottledEventQueue::Inner::Executor::Run() /gecko/xpcom/threads/ThrottledEventQueue.cpp:81:15
    #29 0x7f1387a88b59 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:244:16
    #30 0x7f1387a479f3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:514:26
    #31 0x7f1387a453d7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:373:15
    #32 0x7f1387a4582d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:170:36
    #33 0x7f1387a966f1 in operator() /gecko/xpcom/threads/TaskController.cpp:84:37
    #34 0x7f1387a966f1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #35 0x7f1387a6ae03 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1234:14
    #36 0x7f1387a74efc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #37 0x7f1388d4aa8f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:87:21
    #38 0x7f1388c4f281 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #39 0x7f1388c4f281 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #40 0x7f1388c4f281 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #41 0x7f138f9b0ee7 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #42 0x7f139348006a in nsAppStartup::Run() /gecko/toolkit/components/startup/nsAppStartup.cpp:270:30
    #43 0x7f139369cec8 in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:4753:22
    #44 0x7f139369f23b in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:4945:8
    #45 0x7f139369fb43 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5002:21
    #46 0x561be5654ab5 in do_main /gecko/browser/app/nsBrowserApp.cpp:218:22
    #47 0x561be5654ab5 in main /gecko/browser/app/nsBrowserApp.cpp:336:16

Comment 1

[Hiroyuki Ikezoe (:hiro)]

Presumably it doesn't happen on the old print preview UI, but I am not 100% sure.

Comment 2

[Tyson Smith [:tsmith]]

Xvfb seems to be required which is used in automation.

The same test case also triggers:

Assertion failure: aSource->GetFormat() == gfx::SurfaceFormat::R8G8B8X8 || aSource->GetFormat() == gfx::SurfaceFormat::B8G8R8X8, at obj-build/dist/include/mozilla/layers/Effects.h:281

#0 0x7f149b18ee88 in mozilla::layers::CreateTexturedEffect(mozilla::layers::TextureSource*, mozilla::layers::TextureSource*, mozilla::gfx::SamplingFilter, bool) /builds/worker/workspace/obj-build/dist/include/mozilla/layers/Effects.h:280:5
#1 0x7f149b18d3d6 in mozilla::layers::ContentHostTexture::Composite(mozilla::layers::Compositor*, mozilla::layers::LayerComposite*, mozilla::layers::EffectChain&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::SamplingFilter, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const*, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) src/gfx/layers/composite/ContentHost.cpp:56:35
#2 0x7f149b1b1f22 in operator() src/gfx/layers/composite/PaintedLayerComposite.cpp:111:18
#3 0x7f149b1b1f22 in RenderWithAllMasks<(lambda at src/gfx/layers/composite/PaintedLayerComposite.cpp:108:7)> src/gfx/layers/composite/LayerManagerComposite.h:747:5
#4 0x7f149b1b1f22 in mozilla::layers::PaintedLayerComposite::RenderLayer(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) src/gfx/layers/composite/PaintedLayerComposite.cpp:106:3
#5 0x7f149b1c5ff4 in void mozilla::layers::RenderLayers<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) src/gfx/layers/composite/ContainerLayerComposite.cpp:475:22
#6 0x7f149b1898d1 in void mozilla::layers::ContainerRender<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) src/gfx/layers/composite/ContainerLayerComposite.cpp:647:5
#7 0x7f149b1ad6a7 in mozilla::layers::LayerManagerComposite::Render(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&)::$_2::operator()(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) const src/gfx/layers/composite/LayerManagerComposite.cpp:1184:18
#8 0x7f149b1a7300 in mozilla::layers::LayerManagerComposite::Render(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&) src/gfx/layers/composite/LayerManagerComposite.cpp:1242:7
#9 0x7f149b1a63fb in mozilla::layers::LayerManagerComposite::UpdateAndRender() src/gfx/layers/composite/LayerManagerComposite.cpp:662:19
#10 0x7f149b1a5d24 in mozilla::layers::LayerManagerComposite::EndTransaction(mozilla::TimeStamp const&, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/composite/LayerManagerComposite.cpp:579:5
#11 0x7f149b1f149b in mozilla::layers::CompositorBridgeParent::CompositeToTarget(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::gfx::DrawTarget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) src/gfx/layers/ipc/CompositorBridgeParent.cpp:1042:18
#12 0x7f149b2081e0 in mozilla::layers::CompositorVsyncScheduler::Composite(mozilla::VsyncEvent const&) src/gfx/layers/ipc/CompositorVsyncScheduler.cpp:256:27
#13 0x7f149b221c48 in applyImpl<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(const mozilla::VsyncEvent &), StoreCopyPassByConstLRef<mozilla::VsyncEvent> , 0> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1188:12
#14 0x7f149b221c48 in apply<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(const mozilla::VsyncEvent &)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1194:12
#15 0x7f149b221c48 in mozilla::detail::RunnableMethodImpl<mozilla::layers::CompositorVsyncScheduler*, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::VsyncEvent const&), true, (mozilla::RunnableKind)1, mozilla::VsyncEvent>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1240:13
#16 0x7f149995a4a7 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1234:14
#17 0x7f149995fcba in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:513:10
#18 0x7f149a25644d in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:302:20
#19 0x7f149a1c8063 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:334:10
#20 0x7f149a1c7f7d in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
#21 0x7f149a1c7f7d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
#22 0x7f1499956921 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:442:10
#23 0x7f14ae085abb in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#24 0x7f14ae5ff608 in start_thread /build/glibc-YYA7BZ/glibc-2.31/nptl/pthread_create.c:477:8
#25 0x7f14ae1c8102 in clone /build/glibc-YYA7BZ/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Comment 3

[Jonathan Watt [:jwatt]]

It looks like mPrintObject is null when we try to dereference it in InitPrintDocConstruction. I'm not sure how mPrt->mPrintObject can be null when mPrt must be non-null. We don't appear to null out mPrt->mPrintObject.

At any rate, it looks like nsPrintJob::Observe should be checking mIsDestroying before trying to call InitPrintDocConstruction. (I would have said it should check mPrt, but...)

Emilio, Bob, you were both involved it changing the lifetime of nsPrintJob. Any thoughts on this?

Comment 4

[Bob Owen (:bobowen)]

(In reply to Jonathan Watt [:jwatt] from comment #3)

It looks like mPrintObject is null when we try to dereference it in InitPrintDocConstruction. I'm not sure how mPrt->mPrintObject can be null when mPrt must be non-null. We don't appear to null out mPrt->mPrintObject.

At any rate, it looks like nsPrintJob::Observe should be checking mIsDestroying before trying to call InitPrintDocConstruction. (I would have said it should check mPrt, but...)

Emilio, Bob, you were both involved it changing the lifetime of nsPrintJob. Any thoughts on this?

Isn't it that mPrt is null?

Comment 5

[Emilio Cobos Álvarez [:emilio]]

I should be able to repro this.

Comment 6

[Emilio Cobos Álvarez [:emilio]]

Actually, I lie... Tyson, is there any chance you can create a pernosco recording of this, or any pref that we may be missing?

Comment 7

[Emilio Cobos Álvarez [:emilio]]

But yeah, I agree with bob that given the test-case this is just mPrt just being null, and a null-check is the right thing to do because the page is already gone due to the reload(true).

Comment 8

[Emilio Cobos Álvarez [:emilio]]

Attachment: Bug 1665779 - Null-check mPrt in nsPrintJob::InitPrintDocConstruction. r=bobowen

Comment 9

[Tyson Smith [:tsmith]]

(In reply to Emilio Cobos Álvarez (:emilio) from comment #6)

Actually, I lie... Tyson, is there any chance you can create a pernosco recording of this, or any pref that we may be missing?

Sorry this one does not want to repro under rr. I'm not sure if it's rr or the -O0 -g builds.

Comment 10

[Tyson Smith [:tsmith]]

Attachment: prefs.js

Here is the prefs.js file that was used. browser.tabs.remote.autostart=false also we were running under Xvfb.

Comment 11

[Pulsebot]

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/205b2ad31740
Null-check mPrt in nsPrintJob::InitPrintDocConstruction. r=bobowen

Comment 12

[Atila Butkovits]

https://hg.mozilla.org/mozilla-central/rev/205b2ad31740

Comment 13

[Jonathan Watt [:jwatt]]

Can you request beta uplift?

Comment 14

[Emilio Cobos Álvarez [:emilio]]

Comment on attachment 9177221 [details]
Bug 1665779 - Null-check mPrt in nsPrintJob::InitPrintDocConstruction. r=bobowen

Beta/Release Uplift Approval Request

• User impact if declined: potential crashes
• Is this code covered by automated tests?: Yes
• Has the fix been verified in Nightly?: No
• Needs manual test from QE?: No
• If yes, steps to reproduce: I couldn't reproduce this locally, only fuzzers have hit this so far.
• List of other uplifts needed: none
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): null-check
• String changes made/needed: none

Comment 15

[Julien Cristau [:jcristau]]

Comment on attachment 9177221 [details]
Bug 1665779 - Null-check mPrt in nsPrintJob::InitPrintDocConstruction. r=bobowen

approved for 82.0b3

Comment 16

[Julien Cristau [:jcristau]]

https://hg.mozilla.org/releases/mozilla-beta/rev/c1a2f1adda21