Closed
Bug 1700223
Opened 5 years ago
Closed 1 year ago
crash at null [@ mozilla::layers::BasicLayerManager::PopGroupForLayer]
Categories
(Core :: Graphics: Layers, defect, P3)
Core
Graphics: Layers
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: tsmith, Unassigned)
References
(Blocks 2 open bugs)
Details
(Keywords: crash, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
Found while fuzzing m-c 20210318-0438c8585f5f (--enable-address-sanitizer --enable-fuzzing)
==21353==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2c86b94c11 bp 0x7fff096d3250 sp 0x7fff096d2ec0 T0)
==21353==The signal is caused by a READ memory access.
==21353==Hint: address points to the zero page.
#0 0x7f2c86b94c11 in mozilla::layers::BasicLayerManager::PopGroupForLayer(mozilla::layers::BasicLayerManager::PushedGroup&) src/gfx/layers/basic/BasicLayerManager.cpp:224:31
#1 0x7f2c86ba0436 in mozilla::layers::BasicPaintedLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) src/gfx/layers/basic/BasicPaintedLayer.cpp:97:25
#2 0x7f2c86b9b3a2 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) src/gfx/layers/basic/BasicLayerManager.cpp:705:13
#3 0x7f2c86b9a2ab in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) src/gfx/layers/basic/BasicLayerManager.cpp
#4 0x7f2c86b9b1c2 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) src/gfx/layers/basic/BasicLayerManager.cpp:728:7
#5 0x7f2c86b9a2ab in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) src/gfx/layers/basic/BasicLayerManager.cpp
#6 0x7f2c86b9b1c2 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) src/gfx/layers/basic/BasicLayerManager.cpp:728:7
#7 0x7f2c86b9a2ab in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) src/gfx/layers/basic/BasicLayerManager.cpp
#8 0x7f2c86b9b1c2 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) src/gfx/layers/basic/BasicLayerManager.cpp:728:7
#9 0x7f2c86b9990f in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) src/gfx/layers/basic/BasicLayerManager.cpp:880:9
#10 0x7f2c86b9b1c2 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) src/gfx/layers/basic/BasicLayerManager.cpp:728:7
#11 0x7f2c86b9a2ab in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) src/gfx/layers/basic/BasicLayerManager.cpp
#12 0x7f2c86b96b26 in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/basic/BasicLayerManager.cpp:614:5
#13 0x7f2c8c769589 in PaintInactiveLayer src/layout/painting/FrameLayerBuilder.cpp:4275:12
#14 0x7f2c8c769589 in mozilla::FrameLayerBuilder::PaintItems(std::vector<mozilla::AssignedDisplayItem, std::allocator<mozilla::AssignedDisplayItem> >&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float) src/layout/painting/FrameLayerBuilder.cpp:7091:7
#15 0x7f2c8c76b957 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) src/layout/painting/FrameLayerBuilder.cpp:7271:19
#16 0x7f2c86ba0392 in mozilla::layers::BasicPaintedLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) src/gfx/layers/basic/BasicPaintedLayer.cpp:92:9
#17 0x7f2c86b9b3a2 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) src/gfx/layers/basic/BasicLayerManager.cpp:705:13
#18 0x7f2c86b9a2ab in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) src/gfx/layers/basic/BasicLayerManager.cpp
#19 0x7f2c86b9b1c2 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) src/gfx/layers/basic/BasicLayerManager.cpp:728:7
#20 0x7f2c86b9a2ab in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) src/gfx/layers/basic/BasicLayerManager.cpp
#21 0x7f2c86b96b26 in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/basic/BasicLayerManager.cpp:614:5
#22 0x7f2c8c7dc748 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) src/layout/painting/nsDisplayList.cpp:2540:19
#23 0x7f2c8c0fb9f8 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3471:13
#24 0x7f2c8c3f70d3 in nsPageSequenceFrame::PrintNextSheet() src/layout/generic/nsPageSequenceFrame.cpp:674:3
#25 0x7f2c8c87ce9e in nsPrintJob::PrintSheet(nsPrintObject*, bool&) src/layout/printing/nsPrintJob.cpp:2351:31
#26 0x7f2c8c87c7c1 in nsPagePrintTimer::Run() src/layout/printing/nsPagePrintTimer.cpp:74:43
#27 0x7f2c84138666 in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:472:16
#28 0x7f2c84135233 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:760:26
#29 0x7f2c84133107 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:611:15
#30 0x7f2c8413355d in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:395:36
#31 0x7f2c8413f9c4 in operator() src/xpcom/threads/TaskController.cpp:136:37
#32 0x7f2c8413f9c4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() src/xpcom/threads/nsThreadUtils.h:534:5
#33 0x7f2c8415ace4 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1158:16
#34 0x7f2c8416543c in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#35 0x7f2c8740139f in bool mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&)::$_4>(nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&)::$_4&&, nsIThread*) /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:93:25
#36 0x7f2c873fd22f in nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) src/dom/base/nsGlobalWindowOuter.cpp:5380:5
#37 0x7f2c873fb4c3 in nsGlobalWindowOuter::PrintOuter(mozilla::ErrorResult&) src/dom/base/nsGlobalWindowOuter.cpp:5203:3
#38 0x7f2c889bfb6f in mozilla::dom::Window_Binding::print(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:3116:24
#39 0x7f2c8915558c in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3238:13
#40 0x7f2c8f7ff590 in CallJSNative src/js/src/vm/Interpreter.cpp:435:13
#41 0x7f2c8f7ff590 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:520:12
#42 0x7f2c8f8013c9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:580:10
#43 0x7f2c8f7ea612 in CallFromStack src/js/src/vm/Interpreter.cpp:584:10
#44 0x7f2c8f7ea612 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3244:16
#45 0x7f2c8f7ce323 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:405:13
#46 0x7f2c8f7ff6ca in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:552:13
#47 0x7f2c8f8013c9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:580:10
#48 0x7f2c8f80164b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:597:8
#49 0x7f2c900691e2 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2856:10
#50 0x7f2c887c1590 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:874:8
#51 0x7f2c8748321f in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::IdleDeadline&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:782:12
#52 0x7f2c8761dd12 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:795:12
#53 0x7f2c8761dd12 in mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool) src/dom/base/IdleRequest.cpp:61:13
#54 0x7f2c8738c377 in nsGlobalWindowInner::RunIdleRequest(mozilla::dom::IdleRequest*, double, bool) src/dom/base/nsGlobalWindowInner.cpp:745:12
#55 0x7f2c8738b243 in nsGlobalWindowInner::ExecuteIdleRequest(mozilla::TimeStamp) src/dom/base/nsGlobalWindowInner.cpp:773:3
#56 0x7f2c8738b075 in IdleRequestExecutor::Run() src/dom/base/nsGlobalWindowInner.cpp:614:13
#57 0x7f2c84138666 in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:472:16
#58 0x7f2c84135233 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:760:26
#59 0x7f2c8413329d in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:634:15
#60 0x7f2c8413355d in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:395:36
#61 0x7f2c8413f991 in operator() src/xpcom/threads/TaskController.cpp:133:37
#62 0x7f2c8413f991 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() src/xpcom/threads/nsThreadUtils.h:534:5
#63 0x7f2c8415ace4 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1158:16
#64 0x7f2c8416543c in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#65 0x7f2c8538f0ff in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
#66 0x7f2c85298291 in RunInternal src/ipc/chromium/src/base/message_loop.cc:335:10
#67 0x7f2c85298291 in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#68 0x7f2c85298291 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#69 0x7f2c8bac9a77 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#70 0x7f2c8f39cde7 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:273:30
#71 0x7f2c8f5a1fdf in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:5352:22
#72 0x7f2c8f5a4506 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5543:8
#73 0x7f2c8f5a54c3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5606:21
#74 0x556f7ed725d2 in do_main src/browser/app/nsBrowserApp.cpp:220:22
#75 0x556f7ed725d2 in main src/browser/app/nsBrowserApp.cpp:347:16
Flags: in-testsuite?
|
Reporter | |
Comment 1•5 years ago
|
||
|
|
Reporter | |
Comment 2•5 years ago
|
||
This appears to rely on pref browser.tabs.remote.autostart=false.
|
|
Reporter | |
Comment 3•5 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/Blg5orNxD4oyCR8HSHKstA/index.html
|
||
Comment 4•5 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210322174641-7bff3dc37b07.
The bug appears to have been introduced in the following build range:
Start: 2e5d8bebf8c782ba5919b78fc30bb64f04e4c6c2 (20200605063805)
End: cb065e51467d1ecf864cfd44fcf59c44f7b624b4 (20200605082117)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2e5d8bebf8c782ba5919b78fc30bb64f04e4c6c2&tochange=cb065e51467d1ecf864cfd44fcf59c44f7b624b4
Whiteboard: [bugmon:bisected,confirmed]
|
||
Updated•5 years ago
|
Blocks: wr-stability
|
||
Comment 5•5 years ago
|
||
I suspect that dom.window_print.fuzzing.block_while_printing is also related, given that is what causes the SpinEventLoopUntil call which can introduce unforeseen ordering issues.
Severity: -- → S3
Priority: -- → P3
|
|
||
Comment 6•4 years ago
|
||
Bugmon Analysis
The bug appears to have been fixed in the following build range:
Start: 3d209ba46c38d6315966868c9a5e937f13125c2f (20210402121648)
End: bf2f3987e5c1e56e83b3e853c15062540fb49e9e (20210402153113)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=3d209ba46c38d6315966868c9a5e937f13125c2f&tochange=bf2f3987e5c1e56e83b3e853c15062540fb49e9e
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
|
|
Reporter | |
Comment 8•1 year ago
|
||
Sure and the test case does not seem to trigger any other issues.
Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(twsmith)
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•