Closed Bug 1676232 Opened 4 years ago Closed 3 years ago

Crash [@ mozilla::ipc::ProcessLink::SendMessage | @ mozilla::layers::ShadowLayerForwarder::EndTransaction]

Categories

(Core :: Graphics: Layers, defect)

defect
Not set
normal

Tracking

RESOLVED WONTFIX
Tracking Status
firefox84 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.zip

Testcase found while fuzzing mozilla-central rev 39d4fdb9f815.

==2012857==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fa7e7b98984 bp 0x7ffd950e0f30 sp 0x7ffd950e0e40 T0)
==2012857==The signal is caused by a WRITE memory access.
==2012857==Hint: address points to the zero page.
    #0 0x7fa7e7b98984 in mozilla::ipc::ProcessLink::SendMessage(mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /builds/worker/checkouts/gecko/ipc/glue/MessageLink.cpp:143:5
    #1 0x7fa7e7b81b3d in mozilla::ipc::MessageChannel::SendMessageToLink(mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:979:10
    #2 0x7fa7e7b8008b in mozilla::ipc::MessageChannel::Send(mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:970:3
    #3 0x7fa7e7ba605e in mozilla::ipc::IProtocol::ChannelSend(IPC::Message*) /builds/worker/checkouts/gecko/ipc/glue/ProtocolUtils.cpp:507:22
    #4 0x7fa7e8168288 in mozilla::layers::PLayerTransactionChild::SendUpdate(mozilla::layers::TransactionInfo const&) /builds/worker/workspace/obj-build/ipc/ipdl/PLayerTransactionChild.cpp:72:21
    #5 0x7fa7e96cbed4 in mozilla::layers::ShadowLayerForwarder::EndTransaction(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::BaseTransactionId<mozilla::layers::TransactionIdType>, bool, unsigned int, bool, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool, nsTString<char> const&, bool*, nsTArray<mozilla::layers::CompositionPayload> const&) /builds/worker/checkouts/gecko/gfx/layers/ipc/ShadowLayers.cpp:727:24
    #6 0x7fa7e95264b7 in mozilla::layers::ClientLayerManager::ForwardTransaction(bool) /builds/worker/checkouts/gecko/gfx/layers/client/ClientLayerManager.cpp:723:25
    #7 0x7fa7e95257a3 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /builds/worker/checkouts/gecko/gfx/layers/client/ClientLayerManager.cpp:410:3
    #8 0x7fa7ef6a8c8d in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2593:19
    #9 0x7fa7eef384f7 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3423:13
    #10 0x7fa7eee40810 in mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6359:5
    #11 0x7fa7ee7fadce in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:460:18
    #12 0x7fa7ee7fa43e in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:395:22
    #13 0x7fa7ee7fce4c in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:1018:5
    #14 0x7fa7eedb6489 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2382:11
    #15 0x7fa7eedc2eb9 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:374:13
    #16 0x7fa7eedc2eb9 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:353:7
    #17 0x7fa7eedc2b31 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:5
    #18 0x7fa7eedc1d44 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:829:5
    #19 0x7fa7eedc1d44 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:747:16
    #20 0x7fa7eedc1185 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:649:7
    #21 0x7fa7eedc0940 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:570:9
    #22 0x7fa7ef56e258 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/ipc/VsyncChild.cpp:55:16
    #23 0x7fa7e854cd16 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:187:54
    #24 0x7fa7e813ce3b in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6268:32
    #25 0x7fa7e7b9161e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2150:25
    #26 0x7fa7e7b8d5d4 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2074:9
    #27 0x7fa7e7b8f3d8 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1922:3
    #28 0x7fa7e7b8fea8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1953:13
    #29 0x7fa7e6892019 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:450:16
    #30 0x7fa7e688ead7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:720:26
    #31 0x7fa7e688ca17 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:579:15
    #32 0x7fa7e688ce6d in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:373:36
    #33 0x7fa7e6899b01 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:120:37
    #34 0x7fa7e6899b01 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #35 0x7fa7e68ba53b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:14
    #36 0x7fa7e68c523c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #37 0x7fa7e7b9a2bf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #38 0x7fa7e7a9bf71 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #39 0x7fa7e7a9bf71 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #40 0x7fa7e7a9bf71 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #41 0x7fa7ee8a9487 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #42 0x7fa7f25e669f in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #43 0x7fa7e7a9bf71 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #44 0x7fa7e7a9bf71 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #45 0x7fa7e7a9bf71 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #46 0x7fa7f25e5c3c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #47 0x55e479a6555d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #48 0x55e479a65997 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:304:18
    #49 0x7fa802e070b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201109215349-6659b306f585.
The bug appears to have been introduced in the following build range:

Start: 3d06403ffd5cea9cd14680acb434bfe3b85cbde2 (20200603184924)
End: 689892f0856646ff97dcd37d4fa6ec777a5a2ff4 (20200603191041)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=3d06403ffd5cea9cd14680acb434bfe3b85cbde2&tochange=689892f0856646ff97dcd37d4fa6ec777a5a2ff4

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX

No valid actions for resolution (WONTFIX).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon