Closed Bug 1704876 Opened 4 years ago Closed 3 years ago

crash near null in [@ mozilla::image::VectorImage::RequestRefresh]

Categories

(Core :: Graphics: ImageLib, defect)

defect

Tracking

()

RESOLVED FIXED
97 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox88 --- wontfix
firefox89 --- wontfix
firefox95 --- wontfix
firefox96 --- wontfix
firefox97 --- fixed

People

(Reporter: tsmith, Assigned: aosmond)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(3 files)

Found while fuzzing m-c 20210310-056c2a428e2d (--enable-address-sanitizer --enable-fuzzing)

==18062==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000007e0 (pc 0x1fd5665e5ed3 bp 0x7ffe3c2c7ca0 sp 0x7ffe3c2c7c90 T0)
==18062==The signal is caused by a READ memory access.
==18062==Hint: address points to the zero page.
    #0 0x1fd5665e5ed3 in RefPtr<mozilla::PendingAnimationTracker>::get() const src/objdir-ff-ubsan/dist/include/mozilla/RefPtr.h:286:27
    #1 0x1fd5665e5e84 in RefPtr<mozilla::PendingAnimationTracker>::operator mozilla::PendingAnimationTracker*() const & src/objdir-ff-ubsan/dist/include/mozilla/RefPtr.h:299:12
    #2 0x1fd56658bd5e in mozilla::dom::Document::GetPendingAnimationTracker() src/objdir-ff-ubsan/dist/include/mozilla/dom/Document.h:2715:12
    #3 0x1fd56658bba8 in mozilla::image::VectorImage::RequestRefresh(mozilla::TimeStamp const&) src/image/VectorImage.cpp:533:43
    #4 0x1fd56fcec512 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2306:27
    #5 0x1fd56fd07aa6 in mozilla::RefreshDriverTimer::TickDriver(nsRefreshDriver*, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:346:13
    #6 0x1fd56fd07628 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:324:7
    #7 0x1fd56fd071bc in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:340:5
    #8 0x1fd56fd06ad3 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:773:5
    #9 0x1fd56fd046b1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:702:16
    #10 0x1fd56fd0312f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() src/layout/base/nsRefreshDriver.cpp:615:7
    #11 0x1fd56fd021a1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:536:9
    #12 0x1fd56e5265b7 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) src/dom/ipc/VsyncChild.cpp:68:15
    #13 0x1fd563a31d03 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) src/objdir-ff-ubsan/ipc/ipdl/PVsyncChild.cpp:178:54
    #14 0x1fd56338ddb7 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/objdir-ff-ubsan/ipc/ipdl/PBackgroundChild.cpp:6008:32
    #15 0x1fd562891742 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2154:25
    #16 0x1fd56288b7c7 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2078:9
    #17 0x1fd56288d8b4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1926:3
    #18 0x1fd56288eeb9 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1957:13
    #19 0x1fd5601ccfd9 in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:470:16
    #20 0x1fd560161a6a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:754:26
    #21 0x1fd56015e1d0 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:609:15
    #22 0x1fd56015e5d9 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:393:36
    #23 0x1fd5601a997d in mozilla::TaskController::InitializeInternal()::$_1::operator()() const src/xpcom/threads/TaskController.cpp:136:37
    #24 0x1fd5601a98ed in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() src/xpcom/threads/nsThreadUtils.h:534:5
    #25 0x1fd560186761 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1159:16
    #26 0x1fd560191cd9 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
    #27 0x1fd56018354d in bool mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, nsThread::Shutdown()::$_5>(nsThread::Shutdown()::$_5&&, nsIThread*) src/objdir-ff-ubsan/dist/include/mozilla/SpinEventLoopUntil.h:93:25
    #28 0x1fd5601832b5 in nsThread::Shutdown() src/xpcom/threads/nsThread.cpp:851:3
    #29 0x1fd56c8f2b65 in mozilla::RemoteDecoderManagerChild::Shutdown() src/dom/media/ipc/RemoteDecoderManagerChild.cpp:147:18
    #30 0x1fd56c8f25e7 in mozilla::ShutdownObserver::Observe(nsISupports*, char const*, char16_t const*) src/dom/media/ipc/RemoteDecoderManagerChild.cpp:68:3
    #31 0x1fd55fee5f1f in nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) src/xpcom/ds/nsObserverList.cpp:70:19
    #32 0x1fd55ff16e9e in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) src/xpcom/ds/nsObserverService.cpp:288:19
    #33 0x1fd55fd171f6 in mozilla::AdvanceShutdownPhaseInternal(mozilla::ShutdownPhase, bool, char16_t const*, nsCOMPtr<nsISupports> const&) src/xpcom/base/AppShutdown.cpp:330:21
    #34 0x1fd55fd175c7 in mozilla::AppShutdown::AdvanceShutdownPhase(mozilla::ShutdownPhase, char16_t const*, nsCOMPtr<nsISupports> const&) src/xpcom/base/AppShutdown.cpp:349:3
    #35 0x1fd56029a4ee in mozilla::ShutdownXPCOM(nsIServiceManager*) src/xpcom/build/XPCOMInit.cpp:608:7
    #36 0x1fd560299f64 in NS_ShutdownXPCOM src/xpcom/build/XPCOMInit.cpp:565:10
    #37 0x1fd579455f37 in XRE_TermEmbedding() src/toolkit/xre/nsEmbedFunctions.cpp:214:3
    #38 0x1fd5628b90cb in mozilla::ipc::ScopedXREEmbed::Stop() src/ipc/glue/ScopedXREEmbed.cpp:90:5
    #39 0x1fd56e687a9e in mozilla::dom::ContentProcess::CleanUp() src/dom/ipc/ContentProcess.cpp:202:44
    #40 0x1fd57945771a in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:742:16
    #41 0x1fd579478606 in mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/Bootstrap.cpp:67:12
    #42 0x55e4f84a677e in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #43 0x55e4f84a700b in main src/browser/app/nsBrowserApp.cpp:309:18
    #44 0x2bc373332bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #45 0x55e4f83f9fa9 in _start (src/objdir-ff-ubsan/dist/bin/firefox+0x158fa9)

A Pernosco session is available here: https://pernos.co/debug/lOkTa964Vxj_BtcR8Y7NiA/index.html

Is there a testcase or just pernosco?

Flags: needinfo?(twsmith)

There is a test case but it is not very reliable and not fully reduced. Is it required?

Flags: needinfo?(twsmith) → needinfo?(tnikkel)

Knowing the kinds of things the testcase is doing helps me understand a bit quicker what is going on sometimes.

Flags: needinfo?(tnikkel)
Attached file testcase.html

It's not 100% reliable but it does work.

I have been using Grizzly to rerun the test case.

pip install grizzly-framework

To open the test case in the browser:

python3 -m grizzly.replay <browser_bin> testcase.html --repeat 10 --relaunch 1 --no-harness
Attached image image.svg
Keywords: bugmon, testcase

If we are shutting down, the document for a VectorImage may be cleared.
If a refresh tick raced with the shutdown, we might try to deref the
null document.
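The race described in this comment, modelled as an added example that is not Firefox code and not the patch that landed: a refresh driver delivers one more tick after shutdown has cleared the non-owning document pointer held by an image. The class names `Document`, `VectorImage`, `RefreshDriver` and `PendingAnimationTracker` are stand-ins for the real ones, and `SimulateShutdownRace` / `FaultAddressForNullThis` are hypothetical helpers written for this illustration. The guard in `RequestRefresh` is the shape of fix the comment implies (skip the refresh when the document is gone), not a copy of the actual change.

```cpp
#include <cstddef>
#include <vector>

// Stand-in for the tracker that Document hands back from
// GetPendingAnimationTracker() (hypothetical, not the real class).
struct PendingAnimationTracker {
  int ticks = 0;
};

// Stand-in for mozilla::dom::Document. The padding members exist only so
// that the tracker sits at a non-zero offset, which is what turns a null
// `this` into a small "zero page" fault address like the 0x7e0 in the
// ASan report above (the real member offset is specific to Firefox).
struct Document {
  void* mUnrelatedA = nullptr;
  void* mUnrelatedB = nullptr;
  PendingAnimationTracker mPendingAnimationTracker;
  PendingAnimationTracker* GetPendingAnimationTracker() {
    return &mPendingAnimationTracker;
  }
};

// Stand-in for VectorImage. mDocument is non-owning and is cleared by
// shutdown, which is exactly what makes a late refresh tick dangerous.
struct VectorImage {
  Document* mDocument = nullptr;
  int skipped = 0;

  // Guarded refresh: a tick arriving after the document was cleared is
  // dropped instead of dereferencing null through GetPendingAnimationTracker().
  bool RequestRefresh() {
    if (!mDocument) {
      ++skipped;
      return false;
    }
    ++mDocument->GetPendingAnimationTracker()->ticks;
    return true;
  }
};

// Minimal refresh driver: ticks every registered observer and reports how
// many of them actually refreshed.
struct RefreshDriver {
  std::vector<VectorImage*> observers;
  int Tick() {
    int delivered = 0;
    for (VectorImage* image : observers) {
      if (image->RequestRefresh()) ++delivered;
    }
    return delivered;
  }
};

struct Outcome {
  int delivered;     // observers refreshed by the late tick
  int skipped;       // refreshes dropped because the document was gone
  int trackerTicks;  // total refreshes the surviving document saw
};

// Scenario (constructed): two images share one document and one driver. A
// normal tick happens, then shutdown clears one image's document pointer,
// then one more tick races in. Without the guard the second tick would read
// through a null Document*.
Outcome SimulateShutdownRace() {
  Document doc;
  VectorImage live, dying;
  live.mDocument = &doc;
  dying.mDocument = &doc;
  RefreshDriver driver;
  driver.observers = {&live, &dying};

  driver.Tick();                 // normal tick: both images refresh
  dying.mDocument = nullptr;     // shutdown tears down one image's document
  int late = driver.Tick();      // late tick races with shutdown
  return {late, dying.skipped, doc.mPendingAnimationTracker.ticks};
}

// For a null `this`, the faulting address in a report like the one above is
// just the offset of the member being read; here that is the tracker's
// offset inside the stand-in Document.
std::size_t FaultAddressForNullThis() {
  return offsetof(Document, mPendingAnimationTracker);
}
```

When triaging "SEGV on unknown address 0x...7e0 ... address points to the zero page" in a C++ codebase, the small non-zero address is the tell: it is a member read through a null object pointer, and the frame directly above the `RefPtr::get()` in the trace (here `VectorImage::RequestRefresh`) is where the null pointer was dereferenced.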

Assignee: nobody → aosmond
Severity: -- → S3
Status: NEW → ASSIGNED
Pushed by aosmond@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e1f23710c418 Fix a shutdown crash when we race to update an animated vector image. r=tnikkel
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 97 Branch
Crash Signature: @ mozilla::image::VectorImage::RequestRefresh
Crash Signature: @ mozilla::image::VectorImage::RequestRefresh → [@ mozilla::image::VectorImage::RequestRefresh]

:aosmond, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(aosmond)

Sorry, bug in the bot.

Flags: needinfo?(aosmond)