Closed Bug 1685439 Opened 4 years ago Closed 4 years ago

crash in [@ DeleteTexture]

Categories

(Core :: Graphics: WebRender, defect)

defect

Tracking


VERIFIED FIXED
86 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox84 --- unaffected
firefox85 --- unaffected
firefox86 --- fixed

People

(Reporter: tsmith, Assigned: lsalzman)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-bounds, testcase)

Attachments

(3 files)

Found with m-c 20210106-855ec176a3c2. Test case will be attached once reduction is complete.

==578662==ERROR: AddressSanitizer: SEGV on unknown address 0x7fb4df9dc000 (pc 0x7fb5c4e73ad1 bp 0x56514ff55fc0 sp 0x7fb504909988 T37)
==578662==The signal is caused by a WRITE memory access.
    #0 0x7fb5c4e73ad1  /build/glibc-ZN95T4/glibc-2.31/string/../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:151
    #1 0x56514fc2ffd9 in __asan::Allocator::QuarantineChunk(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_allocator.cpp:599:9
    #2 0x56514fca4211 in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:128:3
    #3 0x7fb5b6f5756b in DeleteTexture (/home/user/workspace/browsers/m-c-20210104172545-fuzzing-asan-opt/libxul.so+0x17a2c56b)
    #4 0x7fb5b5649566 in _$LT$swgl..swgl_fns..Context$u20$as$u20$gleam..gl..Gl$GT$::delete_textures::habff20f537065570 src/gfx/wr/swgl/src/swgl_fns.rs:793:17
    #5 0x7fb5b6723cfa in webrender_bindings::swgl_bindings::SwCompositor::deinit_tile::h98f2ed5c29a6852c src/gfx/webrender_bindings/src/swgl_bindings.rs:1003:9
    #6 0x7fb5b6718ffb in webrender_bindings::swgl_bindings::SwCompositor::deinit_surface::h510eb0ea3b548bc2 src/gfx/webrender_bindings/src/swgl_bindings.rs:1012:13
    #7 0x7fb5b6718ffb in _$LT$webrender_bindings..swgl_bindings..SwCompositor$u20$as$u20$webrender..composite..Compositor$GT$::destroy_surface::hdd5d8d70126449e7 src/gfx/webrender_bindings/src/swgl_bindings.rs:1303:13
    #8 0x7fb5b658d224 in webrender::renderer::Renderer::update_native_surfaces::h665b8f1880377a89 src/gfx/wr/webrender/src/renderer/mod.rs:4460:29
    #9 0x7fb5b65a57cd in webrender::renderer::Renderer::render_impl::h9518586ae0f2f449 src/gfx/wr/webrender/src/renderer/mod.rs:2112:13
    #10 0x7fb5b65c1e56 in webrender::renderer::Renderer::render::h85198be325f80a9a src/gfx/wr/webrender/src/renderer/mod.rs:1906:30
    #11 0x7fb5b6812ece in wr_renderer_render src/gfx/webrender_bindings/src/bindings.rs:639:11
    #12 0x7fb5a76ef1e4 in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) src/gfx/webrender_bindings/RendererOGL.cpp:186:8
    #13 0x7fb5a76ed8a3 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) src/gfx/webrender_bindings/RenderThread.cpp:476:31
    #14 0x7fb5a76ec97f in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) src/gfx/webrender_bindings/RenderThread.cpp:336:3
    #15 0x7fb5a7704256 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
    #16 0x7fb5a7704256 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
    #17 0x7fb5a7704256 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
    #18 0x7fb5a577af9d in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) src/ipc/chromium/src/base/message_loop.cc:465:9
    #19 0x7fb5a577be3e in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) src/ipc/chromium/src/base/message_loop.cc:473:5
    #20 0x7fb5a577c6bb in MessageLoop::DoWork() src/ipc/chromium/src/base/message_loop.cc:548:13
    #21 0x7fb5a577dd36 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) src/ipc/chromium/src/base/message_pump_default.cc:35:31
    #22 0x7fb5a577ab61 in RunInternal src/ipc/chromium/src/base/message_loop.cc:334:10
    #23 0x7fb5a577ab61 in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
    #24 0x7fb5a577ab61 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
    #25 0x7fb5a579b958 in base::Thread::ThreadMain() src/ipc/chromium/src/base/thread.cc:191:16
    #26 0x7fb5a578d86c in ThreadFunc(void*) src/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #27 0x7fb5c523e608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477:8
    #28 0x7fb5c4e07292 in clone /build/glibc-ZN95T4/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-ZN95T4/glibc-2.31/string/../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:151 
Thread T37 (Renderer) created by T0 here:
    #0 0x56514fc8ee7a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x7fb5a578769c in CreateThread src/ipc/chromium/src/base/platform_thread_posix.cc:123:14
    #2 0x7fb5a578769c in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) src/ipc/chromium/src/base/platform_thread_posix.cc:134:10
    #3 0x7fb5a579b17d in base::Thread::StartWithOptions(base::Thread::Options const&) src/ipc/chromium/src/base/thread.cc:97:8
    #4 0x7fb5a76e8caf in mozilla::wr::RenderThread::Start() src/gfx/webrender_bindings/RenderThread.cpp:90:16
    #5 0x7fb5a743cb79 in gfxPlatform::InitLayersIPC() src/gfx/thebes/gfxPlatform.cpp:1336:7
    #6 0x7fb5a7438340 in gfxPlatform::Init() src/gfx/thebes/gfxPlatform.cpp:976:3
    #7 0x7fb5a7436cdb in gfxPlatform::GetPlatform() src/gfx/thebes/gfxPlatform.cpp:509:5
    #8 0x7fb5ac66376c in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) src/widget/GfxInfoBase.cpp:1789:25
    #9 0x7fb5a45c8201 in NS_InvokeByIndex src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
    #10 0x7fb5a66a3798 in Invoke src/js/xpconnect/src/XPCWrappedNative.cpp:1620:10
    #11 0x7fb5a66a3798 in Call src/js/xpconnect/src/XPCWrappedNative.cpp:1176:19
    #12 0x7fb5a66a3798 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) src/js/xpconnect/src/XPCWrappedNative.cpp:1142:23
    #13 0x7fb5a66a975b in GetAttribute src/js/xpconnect/src/xpcprivate.h:1468:12
    #14 0x7fb5a66a975b in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965:10
    #15 0x7fb5b0647006 in CallJSNative src/js/src/vm/Interpreter.cpp:503:13
    #16 0x7fb5b0647006 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:594:12
    #17 0x7fb5b0648eae in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:647:10
    #18 0x7fb5b0649230 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:664:8
    #19 0x7fb5b064abb8 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:788:10
    #20 0x7fb5b0bbc3dc in CallGetter src/js/src/vm/NativeObject.cpp:2131:12
    #21 0x7fb5b0bbc3dc in GetExistingProperty<js::CanGC> src/js/src/vm/NativeObject.cpp:2161:12
    #22 0x7fb5b0bbc3dc in NativeGetPropertyInline<js::CanGC> src/js/src/vm/NativeObject.cpp:2306:14
    #23 0x7fb5b0bbc3dc in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) src/js/src/vm/NativeObject.cpp:2343:10
    #24 0x7fb5b0633aa1 in GetProperty src/js/src/vm/ObjectOperations-inl.h:116:10
    #25 0x7fb5b0633aa1 in GetObjectElementOperation src/js/src/vm/Interpreter-inl.h:452:10
    #26 0x7fb5b0633aa1 in GetElementOperationWithStackIndex src/js/src/vm/Interpreter-inl.h:559:10
    #27 0x7fb5b0633aa1 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3116:14
    #28 0x7fb5b061232b in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:473:13
    #29 0x7fb5b0646e09 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:619:13
    #30 0x7fb5b0648eae in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:647:10
    #31 0x7fb5b0649230 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:664:8
    #32 0x7fb5b0f68e20 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2798:10
    #33 0x7fb5a6695fe9 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:970:17
    #34 0x7fb5a45c9b50 in PrepareAndDispatch src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
    #35 0x7fb5a45c88ea in SharedStub (/home/user/workspace/browsers/m-c-20210104172545-fuzzing-asan-opt/libxul.so+0x509d8ea)
    #36 0x7fb5a45204cd in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) src/xpcom/components/nsCategoryManager.cpp:686:19
    #37 0x7fb5b03fa271 in nsXREDirProvider::DoStartup() src/toolkit/xre/nsXREDirProvider.cpp:982:11
    #38 0x7fb5b03d9157 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4913:16
    #39 0x7fb5b03dbcb5 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5330:8
    #40 0x7fb5b03dc903 in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5389:21
    #41 0x56514fcd7675 in do_main src/browser/app/nsBrowserApp.cpp:219:22
    #42 0x56514fcd7675 in main src/browser/app/nsBrowserApp.cpp:337:16
    #43 0x7fb5c4d0c0b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
Attached file testcase.html
Attached file prefs.js
Flags: in-testsuite?
Keywords: bugmon, testcase
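
An added example, not part of this bug or of the Firefox code base: a small Python triage helper for ASan SEGV reports in the shape of the one above. The point it makes about this report is that the top three frames (glibc memset, __asan::Allocator::QuarantineChunk, and the free interceptor) belong to the sanitizer runtime and libc, so the faulting write happens inside the allocator's free path and the crash signature used in the bug title, [@ DeleteTexture], is the first project frame below that plumbing. It also undoes rustc's legacy symbol mangling ($LT$, $u20$, `..`, trailing ::h<hash>) seen in the swgl frames. The sample report is a constructed, abbreviated copy of the first trace in this bug rather than the attached log, and every function and class name in the script is my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: an abbreviated copy of the first ASan report in this bug,
# cut to the frames that matter for triage. It is not the attached log.
SAMPLE_REPORT = """\
==578662==ERROR: AddressSanitizer: SEGV on unknown address 0x7fb4df9dc000 (pc 0x7fb5c4e73ad1 bp 0x56514ff55fc0 sp 0x7fb504909988 T37)
==578662==The signal is caused by a WRITE memory access.
    #0 0x7fb5c4e73ad1  /build/glibc-ZN95T4/glibc-2.31/string/../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:151
    #1 0x56514fc2ffd9 in __asan::Allocator::QuarantineChunk(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_allocator.cpp:599:9
    #2 0x56514fca4211 in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:128:3
    #3 0x7fb5b6f5756b in DeleteTexture (/home/user/workspace/browsers/m-c-20210104172545-fuzzing-asan-opt/libxul.so+0x17a2c56b)
    #4 0x7fb5b5649566 in _$LT$swgl..swgl_fns..Context$u20$as$u20$gleam..gl..Gl$GT$::delete_textures::habff20f537065570 src/gfx/wr/swgl/src/swgl_fns.rs:793:17
    #5 0x7fb5b6723cfa in webrender_bindings::swgl_bindings::SwCompositor::deinit_tile::h98f2ed5c29a6852c src/gfx/webrender_bindings/src/swgl_bindings.rs:1003:9

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-ZN95T4/glibc-2.31/string/../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:151
"""

# Header shape of a SEGV report; the "on address ... at pc ..." shape used by
# heap-buffer-overflow and use-after-free reports is deliberately not handled.
HEADER_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>\S+) on (?:unknown )?address "
    r"(?P<addr>0x[0-9a-f]+) \(pc 0x[0-9a-f]+ bp \S+ sp \S+ (?P<thread>T\d+)\)")
ACCESS_RE = re.compile(r"The signal is caused by a (?P<access>READ|WRITE) memory access")
# "#N pc in func location", or "#N pc location" for an unsymbolized frame.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) (?P<pc>0x[0-9a-f]+)(?: in (?P<func>.+?))?\s+(?P<loc>\S+)$")
RUST_HASH_RE = re.compile(r"::h[0-9a-f]{16}$")

# Frames from the sanitizer runtime and libc are plumbing, not the crash site.
NOISE_LOCATIONS = ("compiler-rt/lib/", "/glibc-")
NOISE_PREFIXES = ("__asan::", "__sanitizer::", "__interceptor_")

# rustc legacy mangling: "$XX$" escapes, ".." for "::", a "_$" prefix on a
# path segment that starts with "<", and a trailing "::h" + 16 hex digit hash.
RUST_TOKENS = {"$LT$": "<", "$GT$": ">", "$LP$": "(", "$RP$": ")", "$C$": ",",
               "$BP$": "*", "$RF$": "&", "$u20$": " ", "$u27$": "'", "$u7e$": "~"}


@dataclass
class Frame:
    index: int
    pc: int
    func: Optional[str]
    loc: str
    noise: bool


@dataclass
class Triage:
    kind: str
    address: int
    access: Optional[str]
    thread: str
    frames: List[Frame]
    signature: Optional[str]  # first non-noise frame, as in the bug title "[@ ...]"


def demangle_rust_legacy(sym: str) -> str:
    sym = RUST_HASH_RE.sub("", sym)
    if sym.startswith("_$"):
        sym = sym[1:]
    for tok, rep in RUST_TOKENS.items():
        sym = sym.replace(tok, rep)
    return sym.replace("..", "::")


def is_noise(func: Optional[str], loc: str) -> bool:
    return any(s in loc for s in NOISE_LOCATIONS) or (func or "").startswith(NOISE_PREFIXES)


def triage(report: str) -> Triage:
    kind = thread = access = None
    address = 0
    frames: List[Frame] = []
    for raw in report.splitlines():
        line = raw.rstrip()
        if (m := HEADER_RE.search(line)):
            kind, address, thread = m["kind"], int(m["addr"], 16), m["thread"]
        elif (m := ACCESS_RE.search(line)):
            access = m["access"]
        elif (m := FRAME_RE.match(line)):
            func = m["func"]
            if func and RUST_HASH_RE.search(func):
                func = demangle_rust_legacy(func)
            frames.append(Frame(int(m["n"]), int(m["pc"], 16), func, m["loc"],
                                is_noise(func, m["loc"])))
        elif frames and not line:
            break  # end of the crash stack; the "created by" stack follows
    if kind is None:
        raise ValueError("not an AddressSanitizer SEGV report")
    signature = next((f.func or f.loc for f in frames if not f.noise), None)
    return Triage(kind, address, access, thread, frames, signature)


def describe(t: Triage) -> str:
    return f"{t.kind} {t.access} at {t.address:#x} on {t.thread}: [@ {t.signature}]"


if __name__ == "__main__":
    print(describe(triage(SAMPLE_REPORT)))
```

Run against the sample, the first three frames are classified as noise and the signature resolves to DeleteTexture; the two swgl frames come out as `<swgl::swgl_fns::Context as gleam::gl::Gl>::delete_textures` and `webrender_bindings::swgl_bindings::SwCompositor::deinit_tile`. The header regex is intentionally limited to the SEGV shape shown in this bug and raises on other ASan report kinds rather than guessing.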

Another stack trace

==1737==ERROR: AddressSanitizer: SEGV on unknown address 0x34da743fa000 (pc 0x7ffd1d346b00 bp 0x0000ffcccccc sp 0x2c5214c46790 T57)
==1737==The signal is caused by a READ memory access.
    #0 0x7ffd1d346b00 in void blendTextureNearestRGBA8<glsl::sampler2D_impl*, NoColor>(glsl::sampler2D_impl*, glsl::ivec2_scalar const&, int, glsl::ivec2_scalar const&, glsl::ivec2_scalar const&, NoColor, unsigned int*, int) (src/objdir-ff-ubsan/dist/bin/libxul.so+0x2f613b00)
    #1 0x7ffd1d344f86 in brush_image_ALPHA_PASS_TEXTURE_2D_frag::swgl_drawSpanRGBA8() (src/objdir-ff-ubsan/dist/bin/libxul.so+0x2f611f86)
    #2 0x7ffd1d340861 in brush_image_ALPHA_PASS_TEXTURE_2D_frag::draw_span_RGBA8(brush_image_ALPHA_PASS_TEXTURE_2D_frag*) (src/objdir-ff-ubsan/dist/bin/libxul.so+0x2f60d861)
    #3 0x7ffd1d305125 in draw_quad(int, Texture&, int, Texture&) (src/objdir-ff-ubsan/dist/bin/libxul.so+0x2f5d2125)
    #4 0x7ffd1d301f01 in DrawElementsInstanced (src/objdir-ff-ubsan/dist/bin/libxul.so+0x2f5cef01)
    #5 0x7ffd1d2d56cf in _$LT$swgl..swgl_fns..Context$u20$as$u20$gleam..gl..Gl$GT$::draw_elements_instanced::h688f66c41885ba95 src/gfx/wr/swgl/src/swgl_fns.rs:1601:13
    #6 0x7ffd1c2f4e3e in webrender::device::gl::Device::draw_indexed_triangles_instanced_u16::h2741da498ab39280 src/gfx/wr/webrender/src/device/gl.rs:3423:9
    #7 0x7ffd1c76cf59 in webrender::renderer::Renderer::draw_instanced_batch::h60a198ae5b4bf4c8 src/gfx/wr/webrender/src/renderer/mod.rs:2724:13
    #8 0x7ffd1d036e96 in webrender::renderer::Renderer::draw_alpha_batch_container::h32002d76db15afa8 src/gfx/wr/webrender/src/renderer/mod.rs:3166:17
    #9 0x7ffd1d035b06 in webrender::renderer::Renderer::draw_picture_cache_target::h156ed9fe323cd954 src/gfx/wr/webrender/src/renderer/mod.rs:3000:9
    #10 0x7ffd1d0412ee in webrender::renderer::Renderer::draw_frame::h613028fb76d5fc11 src/gfx/wr/webrender/src/renderer/mod.rs:4632:21
    #11 0x7ffd1d02cfd9 in webrender::renderer::Renderer::render_impl::h8a89e302aa685305 src/gfx/wr/webrender/src/renderer/mod.rs:2151:17
    #12 0x7ffd1d02b29c in webrender::renderer::Renderer::render::h3dc5db7312b50d24 src/gfx/wr/webrender/src/renderer/mod.rs:1906:30
    #13 0x7ffd1c145664 in wr_renderer_render src/gfx/webrender_bindings/src/bindings.rs:639:11
    #14 0x7ffd0476c5b1 in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) src/gfx/webrender_bindings/RendererOGL.cpp:186:8
    #15 0x7ffd0476a05a in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) src/gfx/webrender_bindings/RenderThread.cpp:476:31
    #16 0x7ffd047688de in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) src/gfx/webrender_bindings/RenderThread.cpp:336:3
    #17 0x7ffd047b5058 in decltype(*(fp).*fp0(Get<0ul>(fp1).PassAsParameter(), Get<1ul>(fp1).PassAsParameter())) mozilla::detail::RunnableMethodArguments<mozilla::wr::WrWindowId, bool>::applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool>, 0ul, 1ul>(mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), mozilla::Tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> >&, std::integer_sequence<unsigned long, 0ul, 1ul>) src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1148:12
    #18 0x7ffd047b4cbf in decltype(applyImpl(fp, fp0, *(this).mArguments, std::integer_sequence<unsigned long, 0ul, 1ul>{})) mozilla::detail::RunnableMethodArguments<mozilla::wr::WrWindowId, bool>::apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)>(mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)) src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1154:12
    #19 0x7ffd047b47b9 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1201:13
    #20 0x7ffd0096f2cc in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) src/ipc/chromium/src/base/message_loop.cc:465:9
    #21 0x7ffd009708e9 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) src/ipc/chromium/src/base/message_loop.cc:473:5
    #22 0x7ffd00970edc in MessageLoop::DoWork() src/ipc/chromium/src/base/message_loop.cc:548:13
    #23 0x7ffd00972e07 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) src/ipc/chromium/src/base/message_pump_default.cc:35:31
    #24 0x7ffd0096ed3f in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:334:10
    #25 0x7ffd0096ec94 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:327:3
    #26 0x7ffd0096ec01 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
    #27 0x7ffd009ce8ea in base::Thread::ThreadMain() src/ipc/chromium/src/base/thread.cc:191:16
    #28 0x7ffd00983008 in ThreadFunc(void*) src/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #29 0x513f187f06da in start_thread /build/glibc-2ORdQG/glibc-2.27/nptl/pthread_create.c:463
    #30 0x55c8d563da3e in clone /build/glibc-2ORdQG/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (src/objdir-ff-ubsan/dist/bin/libxul.so+0x2f613b00) in void blendTextureNearestRGBA8<glsl::sampler2D_impl*, NoColor>(glsl::sampler2D_impl*, glsl::ivec2_scalar const&, int, glsl::ivec2_scalar const&, glsl::ivec2_scalar const&, NoColor, unsigned int*, int)
Thread T57 (Renderer) created by T0 here:
    #0 0x55c8d45f881a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x7ffd0097c8f2 in (anonymous namespace)::CreateThread(unsigned long, bool, PlatformThread::Delegate*, unsigned long*) src/ipc/chromium/src/base/platform_thread_posix.cc:123:14
    #2 0x7ffd0097c729 in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) src/ipc/chromium/src/base/platform_thread_posix.cc:134:10
    #3 0x7ffd009cda59 in base::Thread::StartWithOptions(base::Thread::Options const&) src/ipc/chromium/src/base/thread.cc:97:8
    #4 0x7ffd04763e81 in mozilla::wr::RenderThread::Start() src/gfx/webrender_bindings/RenderThread.cpp:90:16
    #5 0x7ffd0434cafb in gfxPlatform::InitLayersIPC() src/gfx/thebes/gfxPlatform.cpp:1336:7
    #6 0x7ffd0434969c in gfxPlatform::Init() src/gfx/thebes/gfxPlatform.cpp:976:3
    #7 0x7ffd04347e35 in gfxPlatform::GetPlatform() src/gfx/thebes/gfxPlatform.cpp:509:5
    #8 0x7ffd0d5ea9ce in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) src/widget/GfxInfoBase.cpp:1789:25
    #9 0x7ffcfe6e5a0d in NS_InvokeByIndex src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
    #10 0x7ffd02694ef9 in CallMethodHelper::Invoke() src/js/xpconnect/src/XPCWrappedNative.cpp:1620:10
    #11 0x7ffd02694ef9 in CallMethodHelper::Call() src/js/xpconnect/src/XPCWrappedNative.cpp:1176:19
    #12 0x7ffd02694ef9 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) src/js/xpconnect/src/XPCWrappedNative.cpp:1142:23
    #13 0x7ffd026d5c59 in XPCWrappedNative::GetAttribute(XPCCallContext&) src/js/xpconnect/src/xpcprivate.h:1468:12
    #14 0x7ffd0269b9e2 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965:10
    #15 0x7ffd16ee80cb in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:503:13
    #16 0x7ffd16ee80cb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:594:12
    #17 0x7ffd16ee94f3 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:647:10
    #18 0x7ffd16ee97aa in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:664:8
    #19 0x7ffd16eec5c5 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:788:10
    #20 0x7ffd17b1e488 in CallGetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<js::Shape*>, JS::MutableHandle<JS::Value>) src/js/src/vm/NativeObject.cpp:2131:12
    #21 0x7ffd17b03b40 in bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) src/js/src/vm/NativeObject.cpp:2161:12
    #22 0x7ffd17b03b40 in bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) src/js/src/vm/NativeObject.cpp:2306:14
    #23 0x7ffd17b03b40 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) src/js/src/vm/NativeObject.cpp:2343:10
    #24 0x7ffd16f2cfbf in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) src/js/src/vm/ObjectOperations-inl.h:116:10
    #25 0x7ffd16eb488f in js::GetObjectElementOperation(JSContext*, JSOp, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter-inl.h:452:10
    #26 0x7ffd16eb488f in js::GetElementOperationWithStackIndex(JSContext*, JS::Handle<JS::Value>, int, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter-inl.h:559:10
    #27 0x7ffd16eb488f in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3116:14
    #28 0x7ffd16e78800 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:473:13
    #29 0x7ffd16ee85b3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:619:13
    #30 0x7ffd16ee94f3 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:647:10
    #31 0x7ffd16ee97aa in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:664:8
    #32 0x7ffd18266782 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2798:10
    #33 0x7ffd026837fd in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:970:17
    #34 0x7ffcfe6e82b1 in PrepareAndDispatch src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
    #35 0x7ffcfe6e674a in SharedStub (src/objdir-ff-ubsan/dist/bin/libxul.so+0x109b374a)
    #36 0x7ffcfe58783d in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) src/xpcom/components/nsCategoryManager.cpp:686:19
    #37 0x7ffd169416f3 in nsXREDirProvider::DoStartup() src/toolkit/xre/nsXREDirProvider.cpp:982:11
    #38 0x7ffd16901ed2 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4913:16
    #39 0x7ffd16904bea in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5330:8
    #40 0x7ffd16905223 in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5389:21
    #41 0x7ffd16930ce6 in mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/Bootstrap.cpp:45:12
    #42 0x55c8d4642758 in do_main(int, char**, char**) src/browser/app/nsBrowserApp.cpp:219:22
    #43 0x55c8d4641222 in main src/browser/app/nsBrowserApp.cpp:337:16

A Pernosco session is available here: https://pernos.co/debug/60U1SfLswSVNzyvII35MAg/index.html

(In reply to Tyson Smith [:tsmith] from comment #4)
> A Pernosco session is available here: https://pernos.co/debug/60U1SfLswSVNzyvII35MAg/index.html

The pernosco session here isn't of much use because I can't get any symbols/context inside gl.cc, so there is no way to tell what's going on down there. It would help if there was more reasonable debugging info.

Flags: needinfo?(twsmith)

I have tried with opt builds, debug builds, and ASAN builds, and I can neither get this test case to crash, trigger an assert, nor trigger any ASAN errors at all. It all seems to work fine and not reproduce for me.

(In reply to Lee Salzman [:lsalzman] from comment #6)
> or trigger any ASAN errors at all.

I have opened bug 1685446; perhaps once that is fixed we can make progress.

> I can't get any symbols/context inside gl.cc, so there is no way to tell what's going on down there. It would help if there was more reasonable debugging info.

Perhaps this should be addressed in bug 1685446 as well.

You can try to reproduce using Grizzly Replay. This issue is not consistently reproducible and may take multiple attempts. Be sure to also use the attached prefs.js file.

python3 -m grizzly.replay <firefox build> <testcase> -p <prefs.js> --repeat 1000 --relaunch 2 --xvfb -l . worked for me on the first attempt.

Flags: needinfo?(twsmith)

Might have gotten a repro with grizzly, let me see if it can get me anything actually useful in terms of stack traces or debugging.

(In reply to Lee Salzman [:lsalzman] from comment #9)
> Might have gotten a repro with grizzly, let me see if it can get me anything actually useful in terms of stack traces or debugging.

Seems to only repro under grizzly, and only with the xvfb option.

Assignee: nobody → lsalzman
Status: NEW → ASSIGNED

This was regressed by bug 1669841 and only affects nightly since we have not deployed SW-WR beyond there.

Keywords: csectype-bounds
Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 86 Branch
Group: core-security-release

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20211123033957-ba4d4963c38b.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

:lsalzman, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(lsalzman)
Flags: needinfo?(lsalzman)

Sorry, bug in the bot.

