Bug 1683981: heap-use-after-free in [@ mozilla::wr::WebRenderAPI::~WebRenderAPI]
Opened 4 years ago
Closed 3 years ago
Status: RESOLVED WORKSFORME
Categories: (Core :: Graphics: WebRender, defect, P3)

Version | Tracking | Status |
---|---|---|
firefox86 | --- | affected |

People: (Reporter: tsmith, Unassigned)
References: (Blocks 1 open bug)
Details: (Keywords: crash, csectype-uaf, sec-high)

Test case is currently reducing; I will attach it once it is reduced.
==1150==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110006d80e0 at pc 0x7f926c370645 bp 0x7f920b6667b0 sp 0x7f920b6667a8
READ of size 8 at 0x6110006d80e0 thread T484 (WRScene~lder#62)
#0 0x7f926c370644 in crossbeam_channel::channel::Sender$LT$T$GT$::send::h2a26d6adf06c5856 /gecko/third_party/rust/crossbeam-channel/src/channel.rs:386:13
#1 0x7f926cb6eb3a in _$LT$webrender..render_api..RenderApi$u20$as$u20$core..ops..drop..Drop$GT$::drop::h38bb9197c883ac19 /gecko/gfx/wr/webrender/src/render_api.rs:1496:17
#2 0x7f926ced525f in core::ptr::drop_in_place::hc4a566e4ebeb4476 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:175:1
#3 0x7f926ced525f in core::ptr::drop_in_place::h792accf29b0c6fc9 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:175:1
#4 0x7f926ced525f in core::ptr::drop_in_place::h710fa46a8b73339a /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:175:1
#5 0x7f926ced525f in wr_api_delete /gecko/gfx/webrender_bindings/src/bindings.rs:1706:30
#6 0x7f925de25cc1 in mozilla::wr::WebRenderAPI::~WebRenderAPI() /gecko/gfx/webrender_bindings/WebRenderAPI.cpp:445:3
#7 0x7f925da814a6 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/webrender/WebRenderAPI.h:230:3
#8 0x7f925da814a6 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
#9 0x7f925da814a6 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
#10 0x7f925da814a6 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
#11 0x7f925da814a6 in mozilla::layers::CompositorBridgeParent::GetCompositorBridgeParentFromWindowId(mozilla::wr::WrWindowId const&) /gecko/gfx/layers/ipc/CompositorBridgeParent.cpp:1167:34
#12 0x7f925de0d7d2 in wr_schedule_render /gecko/gfx/webrender_bindings/RenderThread.cpp:1166:57
#13 0x7f926ce169e3 in _$LT$webrender_bindings..bindings..APZCallbacks$u20$as$u20$webrender..renderer..SceneBuilderHooks$GT$::post_resource_update::h48b615b185dc17b7 /gecko/gfx/webrender_bindings/src/bindings.rs:994:18
#14 0x7f926c9a6a40 in webrender::scene_builder_thread::SceneBuilderThread::forward_built_transactions::h42f4fe58704c2f39 /gecko/gfx/wr/webrender/src/scene_builder_thread.rs:771:17
#15 0x7f926c9a6a40 in webrender::scene_builder_thread::SceneBuilderThread::run::hfc3c534fc48c8ee7 /gecko/gfx/wr/webrender/src/scene_builder_thread.rs:315:21
#16 0x7f926c98ad72 in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::hfc7d10846e9d2f86 /gecko/gfx/wr/webrender/src/renderer/mod.rs:1209:13
#17 0x7f926c98ad72 in std::sys_common::backtrace::__rust_begin_short_backtrace::h2b4c98faf072c625 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:125:18
#18 0x7f926c98a27f in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h839a57fd6479d092 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:474:17
#19 0x7f926c98a27f in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h9fad96acf5cfbbcd /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:322:9
#20 0x7f926c98a27f in std::panicking::try::do_call::h36f9c440a74a0f8f /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:381:40
#21 0x7f926c98a27f in std::panicking::try::hb44df6b731e14369 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:345:19
#22 0x7f926c98a27f in std::panic::catch_unwind::h23d04f7405faa7a9 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:396:14
#23 0x7f926c98a27f in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::h5c82fcfb826e7d42 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:473:30
#24 0x7f926c98a27f in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h99cb10b5d840ebb6 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:227:5
#25 0x7f926af73d94 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h9e7afb7a0a438236 /rustc/74f7e32f43b5fb0f83896d124566d8242eb786b1/library/alloc/src/boxed.rs:1307:9
#26 0x7f926af73d94 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h70c646c4271337a1 /rustc/74f7e32f43b5fb0f83896d124566d8242eb786b1/library/alloc/src/boxed.rs:1307:9
#27 0x7f926af73d94 in std::sys::unix::thread::Thread::new::thread_start::h35d2b8d36f210d02 /rustc/74f7e32f43b5fb0f83896d124566d8242eb786b1/library/std/src/sys/unix/thread.rs:71:17
#28 0x7f927b949608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477:8
#29 0x7f927b512292 in clone /build/glibc-ZN95T4/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
0x6110006d80e0 is located 32 bytes inside of 216-byte region [0x6110006d80c0,0x6110006d8198)
freed by thread T65 (Compositor) here:
#0 0x557b5cdaa18d in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
#1 0x7f925de25cc1 in mozilla::wr::WebRenderAPI::~WebRenderAPI() /gecko/gfx/webrender_bindings/WebRenderAPI.cpp:445:3
#2 0x7f925d704c10 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/webrender/WebRenderAPI.h:230:3
#3 0x7f925d704c10 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
#4 0x7f925d704c10 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
#5 0x7f925d704c10 in assign_assuming_AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:69:7
#6 0x7f925d704c10 in operator= /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:168:5
#7 0x7f925d704c10 in mozilla::layers::WebRenderBridgeParent::ClearResources() /gecko/gfx/layers/wr/WebRenderBridgeParent.cpp:2405:8
#8 0x7f925d703c69 in mozilla::layers::WebRenderBridgeParent::HandleShutdown() /gecko/gfx/layers/wr/WebRenderBridgeParent.cpp:420:3
#9 0x7f925c9c1cd7 in mozilla::layers::PWebRenderBridgeParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebRenderBridgeParent.cpp:881:28
#10 0x7f925c1b3ba7 in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerParent.cpp:205:32
#11 0x7f925bf969fe in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2153:25
#12 0x7f925bf92864 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:2077:9
#13 0x7f925bf94668 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1925:3
#14 0x7f925bf95288 in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1956:13
#15 0x7f925ac96605 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1200:14
#16 0x7f925aca17cc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#17 0x7f925bfa0ce4 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:302:20
#18 0x7f925be95e11 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
#19 0x7f925be95e11 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
#20 0x7f925be95e11 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
#21 0x7f925ac8f668 in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:441:10
#22 0x7f927803b42e in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#23 0x7f927b949608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477:8
previously allocated by thread T65 (Compositor) here:
#0 0x557b5cdaa40d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x7f926cee946a in alloc::alloc::alloc::ha5d8a14cce03bc63 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/alloc.rs:84:14
#2 0x7f926cee946a in alloc::alloc::Global::alloc_impl::h1db8143211b9bb91 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/alloc.rs:164:73
#3 0x7f926cee946a in _$LT$alloc..alloc..Global$u20$as$u20$core..alloc..AllocRef$GT$::alloc::h982bde6b3a4ffa5c /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/alloc.rs:224:9
#4 0x7f926cee946a in alloc::alloc::exchange_malloc::h7da272848c4b14e1 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/alloc.rs:314:11
#5 0x7f926cee946a in alloc::boxed::Box$LT$T$GT$::new::he47ed6a1aa2f26e1 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/boxed.rs:178:9
#6 0x7f926cee946a in wr_api_clone /gecko/gfx/webrender_bindings/src/bindings.rs:1701:33
#7 0x7f925de253e9 in mozilla::wr::WebRenderAPI::Clone() /gecko/gfx/webrender_bindings/WebRenderAPI.cpp:394:3
#8 0x7f925daa351c in mozilla::layers::ContentCompositorBridgeParent::AllocPWebRenderBridgeParent(mozilla::wr::PipelineId const&, mozilla::gfx::IntSizeTyped<mozilla::LayoutDevicePixel> const&, mozilla::layers::WindowKind const&) /gecko/gfx/layers/ipc/ContentCompositorBridgeParent.cpp:248:14
#9 0x7f925c19fffc in mozilla::layers::PCompositorBridgeParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorBridgeParent.cpp:1740:95
#10 0x7f925c1b3ba7 in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerParent.cpp:205:32
#11 0x7f925bf969fe in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2153:25
#12 0x7f925bf92864 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:2077:9
#13 0x7f925bf94668 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1925:3
#14 0x7f925bf95288 in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1956:13
#15 0x7f925ac96605 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1200:14
#16 0x7f925aca17cc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#17 0x7f925bfa0ee2 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:332:5
#18 0x7f925be95e11 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
#19 0x7f925be95e11 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
#20 0x7f925be95e11 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
#21 0x7f925ac8f668 in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:441:10
#22 0x7f927803b42e in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#23 0x7f927b949608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477:8
Thread T484 (WRScene~lder#62) created by T48 (Renderer) here:
#0 0x557b5cd94e7a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#1 0x7f926af73b01 in std::sys::unix::thread::Thread::new::h22569b440084b552 /rustc/74f7e32f43b5fb0f83896d124566d8242eb786b1/library/std/src/sys/unix/thread.rs:50:19
Thread T48 (Renderer) created by T0 here:
#0 0x557b5cd94e7a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#1 0x7f925bea294c in CreateThread /gecko/ipc/chromium/src/base/platform_thread_posix.cc:123:14
#2 0x7f925bea294c in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /gecko/ipc/chromium/src/base/platform_thread_posix.cc:134:10
#3 0x7f925beb642d in base::Thread::StartWithOptions(base::Thread::Options const&) /gecko/ipc/chromium/src/base/thread.cc:97:8
#4 0x7f925de0175f in mozilla::wr::RenderThread::Start() /gecko/gfx/webrender_bindings/RenderThread.cpp:90:16
#5 0x7f925db57fd9 in gfxPlatform::InitLayersIPC() /gecko/gfx/thebes/gfxPlatform.cpp:1336:7
#6 0x7f925db537a0 in gfxPlatform::Init() /gecko/gfx/thebes/gfxPlatform.cpp:976:3
#7 0x7f925db5213b in gfxPlatform::GetPlatform() /gecko/gfx/thebes/gfxPlatform.cpp:509:5
#8 0x7f9262d77bcc in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /gecko/widget/GfxInfoBase.cpp:1789:25
#9 0x7f925ace3e91 in NS_InvokeByIndex /gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
#10 0x7f925cdbebc8 in Invoke /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1620:10
#11 0x7f925cdbebc8 in Call /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1176:19
#12 0x7f925cdbebc8 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1142:23
#13 0x7f925cdc4b8b in GetAttribute /gecko/js/xpconnect/src/xpcprivate.h:1468:12
#14 0x7f925cdc4b8b in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965:10
#15 0x7f9266d59226 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:503:13
#16 0x7f9266d59226 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:594:12
#17 0x7f9266d5b0ce in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:647:10
#18 0x7f9266d5b450 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:664:8
#19 0x7f9266d5cdd8 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/Interpreter.cpp:788:10
#20 0x7f92672ce5fc in CallGetter /gecko/js/src/vm/NativeObject.cpp:2131:12
#21 0x7f92672ce5fc in GetExistingProperty<js::CanGC> /gecko/js/src/vm/NativeObject.cpp:2161:12
#22 0x7f92672ce5fc in NativeGetPropertyInline<js::CanGC> /gecko/js/src/vm/NativeObject.cpp:2306:14
#23 0x7f92672ce5fc in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/NativeObject.cpp:2343:10
#24 0x7f9266d45cc1 in GetProperty /gecko/js/src/vm/ObjectOperations-inl.h:116:10
#25 0x7f9266d45cc1 in GetObjectElementOperation /gecko/js/src/vm/Interpreter-inl.h:452:10
#26 0x7f9266d45cc1 in GetElementOperationWithStackIndex /gecko/js/src/vm/Interpreter-inl.h:559:10
#27 0x7f9266d45cc1 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3116:14
#28 0x7f9266d2454b in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:473:13
#29 0x7f9266d59029 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:619:13
#30 0x7f9266d5b0ce in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:647:10
#31 0x7f9266d5b450 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:664:8
#32 0x7f926767b040 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/jsapi.cpp:2798:10
#33 0x7f925cdb1419 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:970:17
#34 0x7f925ace57e0 in PrepareAndDispatch /gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
#35 0x7f925ace457a in SharedStub (/home/worker/builds/m-c-20201222215026-fuzzing-asan-opt/libxul.so+0x509e57a)
#36 0x7f925ac3c15d in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /gecko/xpcom/components/nsCategoryManager.cpp:686:19
#37 0x7f9266b0c491 in nsXREDirProvider::DoStartup() /gecko/toolkit/xre/nsXREDirProvider.cpp:982:11
#38 0x7f9266aeb377 in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:4913:16
#39 0x7f9266aeded5 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5330:8
#40 0x7f9266aeeb23 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5389:21
#41 0x557b5cddd675 in do_main /gecko/browser/app/nsBrowserApp.cpp:219:22
#42 0x557b5cddd675 in main /gecko/browser/app/nsBrowserApp.cpp:337:16
#43 0x7f927b4170b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
Thread T65 (Compositor) created by T0 here:
#0 0x557b5cd94e7a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#1 0x7f927802b6a4 in _PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
#2 0x7f927801c7ee in PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
#3 0x7f925ac9230b in nsThread::Init(nsTSubstring<char> const&) /gecko/xpcom/threads/nsThread.cpp:658:8
#4 0x7f925ac9fbd8 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /gecko/xpcom/threads/nsThreadManager.cpp:641:12
#5 0x7f925acabca8 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /gecko/xpcom/threads/nsThreadUtils.cpp:169:57
#6 0x7f925da9df6f in NS_NewNamedThread<11> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74:10
#7 0x7f925da9df6f in mozilla::layers::CompositorThreadHolder::CreateCompositorThread() /gecko/gfx/layers/ipc/CompositorThread.cpp:54:17
#8 0x7f925da9e546 in CompositorThreadHolder /gecko/gfx/layers/ipc/CompositorThread.cpp:38:25
#9 0x7f925da9e546 in mozilla::layers::CompositorThreadHolder::Start() /gecko/gfx/layers/ipc/CompositorThread.cpp:93:33
#10 0x7f925db537a0 in gfxPlatform::Init() /gecko/gfx/thebes/gfxPlatform.cpp:976:3
#11 0x7f925db5213b in gfxPlatform::GetPlatform() /gecko/gfx/thebes/gfxPlatform.cpp:509:5
#12 0x7f9262d77bcc in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /gecko/widget/GfxInfoBase.cpp:1789:25
#13 0x7f925ace3e91 in NS_InvokeByIndex /gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
#14 0x7f925cdbebc8 in Invoke /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1620:10
#15 0x7f925cdbebc8 in Call /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1176:19
#16 0x7f925cdbebc8 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1142:23
#17 0x7f925cdc4b8b in GetAttribute /gecko/js/xpconnect/src/xpcprivate.h:1468:12
#18 0x7f925cdc4b8b in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965:10
#19 0x7f9266d59226 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:503:13
#20 0x7f9266d59226 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:594:12
#21 0x7f9266d5b0ce in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:647:10
#22 0x7f9266d5b450 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:664:8
#23 0x7f9266d5cdd8 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/Interpreter.cpp:788:10
#24 0x7f92672ce5fc in CallGetter /gecko/js/src/vm/NativeObject.cpp:2131:12
#25 0x7f92672ce5fc in GetExistingProperty<js::CanGC> /gecko/js/src/vm/NativeObject.cpp:2161:12
#26 0x7f92672ce5fc in NativeGetPropertyInline<js::CanGC> /gecko/js/src/vm/NativeObject.cpp:2306:14
#27 0x7f92672ce5fc in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/NativeObject.cpp:2343:10
#28 0x7f9266d45cc1 in GetProperty /gecko/js/src/vm/ObjectOperations-inl.h:116:10
#29 0x7f9266d45cc1 in GetObjectElementOperation /gecko/js/src/vm/Interpreter-inl.h:452:10
#30 0x7f9266d45cc1 in GetElementOperationWithStackIndex /gecko/js/src/vm/Interpreter-inl.h:559:10
#31 0x7f9266d45cc1 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3116:14
#32 0x7f9266d2454b in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:473:13
#33 0x7f9266d59029 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:619:13
#34 0x7f9266d5b0ce in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:647:10
#35 0x7f9266d5b450 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:664:8
#36 0x7f926767b040 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/jsapi.cpp:2798:10
#37 0x7f925cdb1419 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:970:17
#38 0x7f925ace57e0 in PrepareAndDispatch /gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
#39 0x7f925ace457a in SharedStub (/home/worker/builds/m-c-20201222215026-fuzzing-asan-opt/libxul.so+0x509e57a)
#40 0x7f925ac3c15d in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /gecko/xpcom/components/nsCategoryManager.cpp:686:19
#41 0x7f9266b0c491 in nsXREDirProvider::DoStartup() /gecko/toolkit/xre/nsXREDirProvider.cpp:982:11
#42 0x7f9266aeb377 in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:4913:16
#43 0x7f9266aeded5 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5330:8
#44 0x7f9266aeeb23 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5389:21
#45 0x557b5cddd675 in do_main /gecko/browser/app/nsBrowserApp.cpp:219:22
#46 0x557b5cddd675 in main /gecko/browser/app/nsBrowserApp.cpp:337:16
#47 0x7f927b4170b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16

Comment 1•4 years ago (Reporter)
ni? so I don't forget about a test or Pernosco session
Flags: needinfo?(twsmith)

Updated•4 years ago
Blocks: gfx-triage

Comment 2•4 years ago (Reporter)
So far I've been unable to reproduce this. We are still seeing this but it is rare. It was last reported fuzzing m-c 20210204-f259675c88bf.

Updated•4 years ago
Severity: -- → S4
Priority: -- → P2

Comment 3•3 years ago
Tyson, have we seen this recently?

Comment 4•3 years ago (Reporter)
This was last reported by fuzzers running m-c 20210308-ae94c83c78f4. I think it's safe to close this.
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(twsmith)
Resolution: --- → WORKSFORME

Comment 5•3 years ago
Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.
Keywords: stalled

Updated•2 years ago
Group: gfx-core-security