Closed
Bug 1676232
Opened 4 years ago
Closed 3 years ago
Crash [@ mozilla::ipc::ProcessLink::SendMessage | @ mozilla::layers::ShadowLayerForwarder::EndTransaction]
Categories
(Core :: Graphics: Layers, defect)
RESOLVED
WONTFIX
| | Tracking | Status |
|---|---|---|
| firefox84 | --- | affected |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file: 8.92 KB, application/zip)
Testcase found while fuzzing mozilla-central rev 39d4fdb9f815.
==2012857==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fa7e7b98984 bp 0x7ffd950e0f30 sp 0x7ffd950e0e40 T0)
==2012857==The signal is caused by a WRITE memory access.
==2012857==Hint: address points to the zero page.
#0 0x7fa7e7b98984 in mozilla::ipc::ProcessLink::SendMessage(mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /builds/worker/checkouts/gecko/ipc/glue/MessageLink.cpp:143:5
#1 0x7fa7e7b81b3d in mozilla::ipc::MessageChannel::SendMessageToLink(mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:979:10
#2 0x7fa7e7b8008b in mozilla::ipc::MessageChannel::Send(mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:970:3
#3 0x7fa7e7ba605e in mozilla::ipc::IProtocol::ChannelSend(IPC::Message*) /builds/worker/checkouts/gecko/ipc/glue/ProtocolUtils.cpp:507:22
#4 0x7fa7e8168288 in mozilla::layers::PLayerTransactionChild::SendUpdate(mozilla::layers::TransactionInfo const&) /builds/worker/workspace/obj-build/ipc/ipdl/PLayerTransactionChild.cpp:72:21
#5 0x7fa7e96cbed4 in mozilla::layers::ShadowLayerForwarder::EndTransaction(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::BaseTransactionId<mozilla::layers::TransactionIdType>, bool, unsigned int, bool, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool, nsTString<char> const&, bool*, nsTArray<mozilla::layers::CompositionPayload> const&) /builds/worker/checkouts/gecko/gfx/layers/ipc/ShadowLayers.cpp:727:24
#6 0x7fa7e95264b7 in mozilla::layers::ClientLayerManager::ForwardTransaction(bool) /builds/worker/checkouts/gecko/gfx/layers/client/ClientLayerManager.cpp:723:25
#7 0x7fa7e95257a3 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /builds/worker/checkouts/gecko/gfx/layers/client/ClientLayerManager.cpp:410:3
#8 0x7fa7ef6a8c8d in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2593:19
#9 0x7fa7eef384f7 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3423:13
#10 0x7fa7eee40810 in mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6359:5
#11 0x7fa7ee7fadce in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:460:18
#12 0x7fa7ee7fa43e in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:395:22
#13 0x7fa7ee7fce4c in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:1018:5
#14 0x7fa7eedb6489 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2382:11
#15 0x7fa7eedc2eb9 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:374:13
#16 0x7fa7eedc2eb9 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:353:7
#17 0x7fa7eedc2b31 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:5
#18 0x7fa7eedc1d44 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:829:5
#19 0x7fa7eedc1d44 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:747:16
#20 0x7fa7eedc1185 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:649:7
#21 0x7fa7eedc0940 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:570:9
#22 0x7fa7ef56e258 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/ipc/VsyncChild.cpp:55:16
#23 0x7fa7e854cd16 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:187:54
#24 0x7fa7e813ce3b in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6268:32
#25 0x7fa7e7b9161e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2150:25
#26 0x7fa7e7b8d5d4 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2074:9
#27 0x7fa7e7b8f3d8 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1922:3
#28 0x7fa7e7b8fea8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1953:13
#29 0x7fa7e6892019 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:450:16
#30 0x7fa7e688ead7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:720:26
#31 0x7fa7e688ca17 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:579:15
#32 0x7fa7e688ce6d in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:373:36
#33 0x7fa7e6899b01 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:120:37
#34 0x7fa7e6899b01 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
#35 0x7fa7e68ba53b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:14
#36 0x7fa7e68c523c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
#37 0x7fa7e7b9a2bf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#38 0x7fa7e7a9bf71 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#39 0x7fa7e7a9bf71 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#40 0x7fa7e7a9bf71 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#41 0x7fa7ee8a9487 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#42 0x7fa7f25e669f in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
#43 0x7fa7e7a9bf71 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#44 0x7fa7e7a9bf71 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#45 0x7fa7e7a9bf71 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#46 0x7fa7f25e5c3c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
#47 0x55e479a6555d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#48 0x55e479a65997 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:304:18
#49 0x7fa802e070b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?
Comment 1 • 4 years ago (Reporter)
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201109215349-6659b306f585.
The bug appears to have been introduced in the following build range:
Start: 3d06403ffd5cea9cd14680acb434bfe3b85cbde2 (20200603184924)
End: 689892f0856646ff97dcd37d4fa6ec777a5a2ff4 (20200603191041)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=3d06403ffd5cea9cd14680acb434bfe3b85cbde2&tochange=689892f0856646ff97dcd37d4fa6ec777a5a2ff4
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Comment 2 • 3 years ago
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX
Comment 3 • 2 years ago
No valid actions for resolution (WONTFIX).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon