Closed Bug 1705293 Opened 3 years ago Closed 3 years ago

AddressSanitizer: SEGV on renderer gfx/wr/swgl/src/vector_type.h:503:5 in load<unsigned int>

Categories

(Core :: Graphics: WebRender, task)

VERIFIED DUPLICATE of bug 1704319

People

(Reporter: sourc7, Unassigned)

Details

(Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(3 files)

Attached file testcase.html

When Firefox falls back to WebRender (software) on some hardware because hw_compositing is unsupported/blocked/disabled, visiting the testcase crashes the entire browser with SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/gfx/wr/swgl/src/vector_type.h:503:5 in load<unsigned int>.

I confirmed that the crash occurred after checking out commit Bug 1703893 - More accurate uv_step for fast-paths.

Tested on:

  • Firefox Nightly 89.0a1 (2021-04-14) (64-bit) on Arch Linux
  • Firefox Nightly 89.0a1 (2021-04-14) (64-bit) on Windows 10

Steps to Reproduce:

  1. Set gfx.webrender.software to true
  2. Visit the attached testcase.html
  3. The entire browser crashes

ASan:

=================================================================
==1977476==ERROR: AddressSanitizer: SEGV on unknown address 0x7f122f55a000 (pc 0x7f128eb3b424 bp 0x7f126fad9250 sp 0x7f126fad8fa0 T21)
==1977476==The signal is caused by a READ memory access.
    #0 0x7f128eb3b424 in load<unsigned int> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/vector_type.h:503:5
    #1 0x7f128eb3b424 in unaligned_load<unsigned char __attribute__((ext_vector_type(16))), unsigned int> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/vector_type.h:532:10
    #2 0x7f128eb3b424 in blend_span /builds/worker/checkouts/gecko/gfx/wr/swgl/src/blend.h:732:28
    #3 0x7f128eb3b424 in commit_blend_span<true, unsigned int, unsigned short __attribute__((ext_vector_type(16)))> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/blend.h:792:22
    #4 0x7f128eb3b424 in unsigned int* blendTextureLinearFallback<true, glsl::sampler2D_impl*, NoColor, unsigned int>(glsl::sampler2D_impl*, glsl::vec2, int, glsl::vec2_scalar, glsl::vec2_scalar, glsl::vec2_scalar, NoColor, unsigned int*) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/swgl_ext.h:177:5
    #5 0x7f128eb3af48 in unsigned int* blendTextureLinearDispatch<true, glsl::sampler2D_impl*, NoColor, unsigned int>(glsl::sampler2D_impl*, glsl::vec2, int, glsl::vec2_scalar, glsl::vec2_scalar, glsl::vec2_scalar, NoColor, unsigned int*, LinearFilter) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/swgl_ext.h:441:11
    #6 0x7f128eaf7cfb in int blendTextureLinearRepeat<true, glsl::sampler2D_impl*, NoColor, unsigned int>(glsl::sampler2D_impl*, glsl::vec2, int, glsl::vec2_scalar const&, glsl::vec4_scalar const&, glsl::vec4_scalar const&, NoColor, unsigned int*) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/swgl_ext.h:675:15
    #7 0x7f128ec61d5c in brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D_frag::swgl_drawSpanRGBA8() /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/swgl-51db388d6c37570b/out/brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D.h:969:2
    #8 0x7f128ec58489 in brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D_frag::draw_span_RGBA8(brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D_frag*) /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/swgl-51db388d6c37570b/out/brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D.h:1012:42
    #9 0x7f128ef2fc0e in draw_span /builds/worker/checkouts/gecko/gfx/wr/swgl/src/program.h:149:12
    #10 0x7f128ef2fc0e in draw_depth_span<unsigned int> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:597:38
    #11 0x7f128ef2fc0e in void draw_quad_spans<unsigned int>(int, glsl::vec2_scalar*, unsigned int, glsl::vec3*, Texture&, Texture&, ClipRect const&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:999:13
    #12 0x7f128eaa4673 in draw_quad(int, Texture&, Texture&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1592:5
    #13 0x7f128eaa0033 in void draw_elements<unsigned short>(int, int, unsigned long, VertexArray&, Texture&, Texture&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1622:5
    #14 0x7f128ea9fcd9 in DrawElementsInstanced /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:2699:7
    #15 0x7f128e1289cb in webrender::device::gl::Device::draw_indexed_triangles_instanced_u16::h9db85ebc5dd1be98 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/device/gl.rs:3534:9
    #16 0x7f128e1289cb in webrender::renderer::Renderer::draw_instanced_batch::he82cf5f9df3fb284 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2561:17
    #17 0x7f128e115ca4 in webrender::renderer::Renderer::draw_alpha_batch_container::h759cbbb5db45fa8c /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:3045:17
    #18 0x7f128e0ecb22 in webrender::renderer::Renderer::draw_picture_cache_target::h134498a9cc4a253a /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2868:9
    #19 0x7f128e0ecb22 in webrender::renderer::Renderer::draw_frame::h20341baafbe8ca20 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:4683:21
    #20 0x7f128e08e15b in webrender::renderer::Renderer::render_impl::h05e0a812274e4fa6 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2159:17
    #21 0x7f128e12a7ca in webrender::renderer::Renderer::render::h510b6ab158a5e145 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1894:30
    #22 0x7f128e2253bd in wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:637:11
    #23 0x7f12819bdc8e in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:186:8
    #24 0x7f12819bc3bf in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:486:31
    #25 0x7f12819bb5e1 in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:341:3
    #26 0x7f12819d37f6 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
    #27 0x7f12819d37f6 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
    #28 0x7f12819d37f6 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
    #29 0x7f1280202487 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:468:11
    #30 0x7f12802031ee in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:477:5
    #31 0x7f1280203a8b in MessageLoop::DoWork() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:552:13
    #32 0x7f1280204d86 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
    #33 0x7f1280202031 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #34 0x7f1280202031 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #35 0x7f1280202031 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #36 0x7f128022023c in base::Thread::ThreadMain() /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:191:16
    #37 0x7f1280213cfc in ThreadFunc(void*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #38 0x7f129ba80298 in start_thread (/usr/lib/libpthread.so.0+0x9298)
    #39 0x7f129b659052 in clone (/usr/lib/libc.so.6+0xff052)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/gfx/wr/swgl/src/vector_type.h:503:5 in load<unsigned int>
Thread T21 (Renderer) created by T0 here:
    #0 0x55a42e25532a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x7f128020e05c in CreateThread /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:123:14
    #2 0x7f128020e05c in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:134:10
    #3 0x7f128021fa5d in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:97:8
    #4 0x7f12819b8231 in mozilla::wr::RenderThread::Start() /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:92:16
    #5 0x7f12817280a9 in gfxPlatform::InitLayersIPC() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:1324:7
    #6 0x7f12817236cc in gfxPlatform::Init() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:964:3
    #7 0x7f128172201b in gfxPlatform::GetPlatform() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:480:5
    #8 0x7f12861bfd19 in GetPlatform /builds/worker/workspace/obj-build/dist/include/gfxPlatformGtk.h:31:29
    #9 0x7f12861bfd19 in nsWindow::nsWindow() /builds/worker/checkouts/gecko/widget/gtk/nsWindow.cpp:480:19
    #10 0x7f12861f966a in nsIWidget::CreateTopLevelWindow() /builds/worker/checkouts/gecko/widget/gtk/nsWindow.cpp:8417:36
    #11 0x7f1288fc7f84 in mozilla::AppWindow::Initialize(nsIAppWindow*, nsIAppWindow*, int, int, bool, nsWidgetInitData&) /builds/worker/checkouts/gecko/xpfe/appshell/AppWindow.cpp:210:15
    #12 0x7f1288fe54ff in nsAppShellService::JustCreateTopWindow(nsIAppWindow*, nsIURI*, unsigned int, int, int, bool, mozilla::AppWindow**) /builds/worker/checkouts/gecko/xpfe/appshell/nsAppShellService.cpp:710:15
    #13 0x7f1288fe66a7 in nsAppShellService::CreateTopLevelWindow(nsIAppWindow*, nsIURI*, unsigned int, int, int, nsIAppWindow**) /builds/worker/checkouts/gecko/xpfe/appshell/nsAppShellService.cpp:173:8
    #14 0x7f128976bcd4 in nsAppStartup::CreateChromeWindow(nsIWebBrowserChrome*, unsigned int, nsIOpenWindowInfo*, bool*, nsIWebBrowserChrome**) /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:660:15
    #15 0x7f12898cab17 in nsWindowWatcher::CreateChromeWindow(nsIWebBrowserChrome*, unsigned int, nsIOpenWindowInfo*, nsIWebBrowserChrome**) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:419:33
    #16 0x7f12898c66fd in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, nsTSubstring<char> const&, nsTSubstring<char> const&, nsTSubstring<char> const&, bool, bool, bool, nsIArray*, bool, bool, bool, nsPIWindowWatcher::PrintKind, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:947:12
    #17 0x7f12898c3ede in nsWindowWatcher::OpenWindow(mozIDOMWindowProxy*, nsTSubstring<char> const&, nsTSubstring<char> const&, nsTSubstring<char> const&, nsISupports*, mozIDOMWindowProxy**) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:293:3
    #18 0x7f127f204c11 in NS_InvokeByIndex /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
    #19 0x7f1280be4a5a in Invoke /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1623:10
    #20 0x7f1280be4a5a in Call /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1176:19
    #21 0x7f1280be4a5a in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1142:23
    #22 0x7f1280be9a6e in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:925:10
    #23 0x7f1289ba33a0 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:435:13
    #24 0x7f1289ba33a0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:520:12
    #25 0x7f1289ba51d9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:10
    #26 0x7f1289b8eb8b in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:584:10
    #27 0x7f1289b8eb8b in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3244:16
    #28 0x7f1289b73013 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:405:13
    #29 0x7f1289ba7293 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:772:13
    #30 0x7f1289c1591e in ExecuteInExtensibleLexicalEnvironment(JSContext*, JS::Handle<JSScript*>, JS::Handle<js::ExtensibleLexicalEnvironmentObject*>) /builds/worker/checkouts/gecko/js/src/builtin/Eval.cpp:400:10
    #31 0x7f1289c1638c in JS::ExecuteInJSMEnvironment(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::StackGCVector<JSObject*, js::TempAllocPolicy> >) /builds/worker/checkouts/gecko/js/src/builtin/Eval.cpp:510:10
    #32 0x7f1289c16077 in JS::ExecuteInJSMEnvironment(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>) /builds/worker/checkouts/gecko/js/src/builtin/Eval.cpp:463:10
    #33 0x7f1280ad77d8 in mozJSComponentLoader::ObjectForLocation(ComponentLoaderInfo&, nsIFile*, JS::MutableHandle<JSObject*>, JS::MutableHandle<JSScript*>, char**, bool, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/xpconnect/loader/mozJSComponentLoader.cpp:867:19
    #34 0x7f1280ae15f8 in mozJSComponentLoader::Import(JSContext*, nsTSubstring<char> const&, JS::MutableHandle<JSObject*>, JS::MutableHandle<JSObject*>, bool) /builds/worker/checkouts/gecko/js/xpconnect/loader/mozJSComponentLoader.cpp:1275:12
    #35 0x7f127f1465f5 in mozilla::xpcom::ConstructJSMComponent(nsTSubstring<char> const&, char const*, nsISupports**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:1847:3
    #36 0x7f127f12d0b7 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:10330:7
    #37 0x7f127f17052b in CreateInstance /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:177:46
    #38 0x7f127f17052b in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::MonitorAutoLock>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1276:17
    #39 0x7f127f172532 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1465:10
    #40 0x7f127f177eb2 in CallGetService /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:61:43
    #41 0x7f127f177eb2 in nsGetServiceByContractIDWithError::operator()(nsID const&, void**) const /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:253:21
    #42 0x7f127eff19ae in nsCOMPtr_base::assign_from_gs_contractid_with_error(nsGetServiceByContractIDWithError const&, nsID const&) /builds/worker/checkouts/gecko/xpcom/base/nsCOMPtr.cpp:91:7
    #43 0x7f128997d130 in operator= /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:1065:5
    #44 0x7f128997d130 in nsAppStartupNotifier::NotifyObservers(char const*) /builds/worker/checkouts/gecko/toolkit/xre/nsAppStartupNotifier.cpp:46:23
    #45 0x7f128996f468 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5093:5
    #46 0x7f1289972706 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5539:8
    #47 0x7f12899734e3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5598:21
    #48 0x55a42e29da12 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:220:22
    #49 0x55a42e29da12 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:347:16
    #50 0x7f129b581b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

==1977476==ABORTING

GDB:

[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x7fff97155000    
$rbx   : 0x00007fffe1ab3020  →  0x00007fffe1a9b220  →  0x0000000000000006
$rcx   : 0x7fff97155000    
$rdx   : 0x7fff97155000    
$rsp   : 0x00007fffdb3c9180  →  0x0000000000000000
$rbp   : 0x00007fffdb3ec8b0  →  0x00007fffdb3ecaf0  →  0x00007fffdb4107b0  →  0x00007fffdb410de0  →  0x00007fffdb410eb0  →  0x00007fffdb574770  →  0x00007fffdb574b40  →  0x00007fffdb574c60
$rsi   : 0x7fff97155000    
$rdi   : 0x632eae28f270f100
$rip   : 0x00007ffff2ab481b  →  <unsigned+0> movups xmm0, XMMWORD PTR [rsi]
$r8    : 0x0
$r9    : 0x00007fff9e168000  →  0xffffffffffffffff
$r10   : 0x632eae28f270f100
$r11   : 0x00007fffdb3c9840  →  0x0000000000000000
$r12   : 0x00007fffe1ab30a8  →  0x0000000000000001
$r13   : 0x00007fffe1ab3020  →  0x00007fffe1a9b220  →  0x0000000000000006
$r14   : 0x1               
$r15   : 0x6               
$eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffdb3c9180│+0x0000: 0x0000000000000000   ← $rsp
0x00007fffdb3c9188│+0x0008: 0x0000000000000000
0x00007fffdb3c9190│+0x0010: 0x0000000000000000
0x00007fffdb3c9198│+0x0018: 0x0000000000000000
0x00007fffdb3c91a0│+0x0020: 0x0000000000000000
0x00007fffdb3c91a8│+0x0028: 0x0000000000000000
0x00007fffdb3c91b0│+0x0030: 0x0000000000000000
0x00007fffdb3c91b8│+0x0038: 0x0000000000000000
─────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
   0x7ffff2ab4803 <unsigned+0>     mov    rsi, QWORD PTR [rsp+0x1ed0]
   0x7ffff2ab480b <unsigned+0>     mov    QWORD PTR [rsp+0x1ed8], rsi
   0x7ffff2ab4813 <unsigned+0>     mov    rsi, QWORD PTR [rsp+0x1ed8]
 → 0x7ffff2ab481b <unsigned+0>     movups xmm0, XMMWORD PTR [rsi]
   0x7ffff2ab481e <unsigned+0>     movaps XMMWORD PTR [rsp+0x16370], xmm0
   0x7ffff2ab4826 <unsigned+0>     movaps xmm0, XMMWORD PTR [rsp+0x16370]
   0x7ffff2ab482e <unsigned+0>     movaps xmm1, XMMWORD PTR [rsp+0x1ea0]
   0x7ffff2ab4836 <unsigned+0>     movaps xmm2, XMMWORD PTR [rsp+0x1eb0]
   0x7ffff2ab483e <unsigned+0>     movaps XMMWORD PTR [rsp+0x16350], xmm2
────────────────────────────────────────────────────────────────────────────────────────── source:src/vector_type.h+503 ────
    498  template <typename T>
    499  struct Unaligned {
    500    template <typename P>
    501    SI T load(const P* p) {
    502      T v;
             // p=0x00007fffdb3cb058  →  0x00007fff97155000, v=0x00007fffdb3df4f0  →  0x0000000000000000
 →  503      memcpy(&v, p, sizeof(v));
    504      return v;
    505    }
    506  
    507    template <typename P>
    508    SI void store(P* p, T v) {
─────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "firefox", stopped 0x7fffe8911874 in std::__atomic_base<unsigned long>::load (), reason: SIGSEGV
[#1] Id 3, Name: "gmain", stopped 0x7ffff7b8737f in poll (), reason: SIGSEGV
[#2] Id 4, Name: "IPC I/O Parent", stopped 0x7ffff7b8ca9d in syscall (), reason: SIGSEGV
[#3] Id 5, Name: "Timer", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#4] Id 6, Name: "Netlink Monitor", stopped 0x7ffff7b8737f in poll (), reason: SIGSEGV
[#5] Id 7, Name: "Socket Thread", stopped 0x7ffff7b8737f in poll (), reason: SIGSEGV
[#6] Id 8, Name: "Permission", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#7] Id 9, Name: "BHMgr Monitor", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#8] Id 10, Name: "BHMgr Processor", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#9] Id 12, Name: "JS Watchdog", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#10] Id 13, Name: "JS Helper", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#11] Id 14, Name: "JS Helper", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#12] Id 15, Name: "JS Helper", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#13] Id 16, Name: "JS Helper", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#14] Id 17, Name: "JS Helper", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#15] Id 18, Name: "JS Helper", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#16] Id 19, Name: "JS Helper", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#17] Id 20, Name: "JS Helper", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#18] Id 22, Name: "Softwar~cThread", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#19] Id 23, Name: "Renderer", stopped 0x7ffff2ab481b in glsl::Unaligned<unsigned char __vector(16)>::load<unsigned int>(unsigned int const*) (), reason: SIGSEGV
[#20] Id 24, Name: "WRWorker#0", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#21] Id 25, Name: "WRWorker#1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#22] Id 26, Name: "WRWorker#2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#23] Id 27, Name: "WRWorker#3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#24] Id 28, Name: "WRWorker#4", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#25] Id 29, Name: "WRWorker#5", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#26] Id 30, Name: "WRWorker#6", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#27] Id 31, Name: "WRWorker#7", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#28] Id 32, Name: "WRWorkerLP#0", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#29] Id 33, Name: "WRWorkerLP#1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#30] Id 34, Name: "WRWorkerLP#2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#31] Id 35, Name: "WRWorkerLP#3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#32] Id 36, Name: "WRWorkerLP#4", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#33] Id 37, Name: "WRWorkerLP#5", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#34] Id 38, Name: "WRWorkerLP#6", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#35] Id 39, Name: "WRWorkerLP#7", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#36] Id 40, Name: "Compositor", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#37] Id 41, Name: "ImageIO", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#38] Id 45, Name: "IPDL Background", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#39] Id 46, Name: "firefox", stopped 0x7ffff7fb65ad in recvmsg (), reason: SIGSEGV
[#40] Id 47, Name: "IPC Launch", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#41] Id 48, Name: "TRR Background", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#42] Id 49, Name: "StreamTrans #1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#43] Id 50, Name: "Cache2 I/O", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#44] Id 51, Name: "Cookie", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#45] Id 52, Name: "threaded-ml", stopped 0x7ffff7b8737f in poll (), reason: SIGSEGV
[#46] Id 53, Name: "ImageBridgeChld", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#47] Id 54, Name: "SwComposite", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#48] Id 55, Name: "WRScene~ilder#1", stopped 0x7ffff7b8ca9d in syscall (), reason: SIGSEGV
[#49] Id 56, Name: "WRScene~derLP#1", stopped 0x7ffff7b8ca9d in syscall (), reason: SIGSEGV
[#50] Id 57, Name: "WRRende~ckend#1", stopped 0x7ffff7b8ca9d in syscall (), reason: SIGSEGV
[#51] Id 58, Name: "FS Broker 26874", stopped 0x7ffff7fb65ad in recvmsg (), reason: SIGSEGV
[#52] Id 59, Name: "DOM Worker", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#53] Id 60, Name: "StreamTrans #2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#54] Id 62, Name: "BgIOThr~Pool #1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#55] Id 63, Name: "Worker Launcher", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#56] Id 64, Name: "QuotaManager IO", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#57] Id 65, Name: "IndexedDB #1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#58] Id 66, Name: "DOM Worker", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#59] Id 67, Name: "StyleThread#0", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#60] Id 68, Name: "StyleThread#1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#61] Id 69, Name: "StyleThread#2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#62] Id 70, Name: "StyleThread#3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#63] Id 71, Name: "StyleThread#4", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#64] Id 72, Name: "StyleThread#5", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#65] Id 73, Name: "GMPThread", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#66] Id 76, Name: "StreamTrans #3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#67] Id 77, Name: "AudioIPC Callba", stopped 0x7ffff7b8ca9d in syscall (), reason: SIGSEGV
[#68] Id 78, Name: "AudioIPC Server", stopped 0x7ffff7b8ca9d in syscall (), reason: SIGSEGV
[#69] Id 79, Name: "TaskCon~read #0", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#70] Id 80, Name: "TaskCon~read #1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#71] Id 81, Name: "TaskCon~read #2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#72] Id 82, Name: "TaskCon~read #3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#73] Id 83, Name: "TaskCon~read #4", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#74] Id 84, Name: "TaskCon~read #5", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#75] Id 85, Name: "TaskCon~read #6", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#76] Id 86, Name: "TaskCon~read #7", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#77] Id 87, Name: "Backgro~Pool #2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#78] Id 88, Name: "dconf worker", stopped 0x7ffff7b8737f in poll (), reason: SIGSEGV
[#79] Id 89, Name: "DNS Resolver #1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#80] Id 90, Name: "gdbus", stopped 0x7ffff7b8737f in poll (), reason: SIGSEGV
[#81] Id 91, Name: "Cache I/O", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#82] Id 92, Name: "DNS Resolver #2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#83] Id 93, Name: "DNS Resolver #3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#84] Id 94, Name: "IndexedDB #2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#85] Id 95, Name: "IndexedDB #3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#86] Id 96, Name: "HTML5 Parser", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#87] Id 97, Name: "mozStorage #1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#88] Id 98, Name: "mozStorage #2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#89] Id 99, Name: "SwComposite", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#90] Id 100, Name: "WRScene~ilder#2", stopped 0x7ffff7b8ca9d in syscall (), reason: SIGSEGV
[#91] Id 101, Name: "WRScene~derLP#2", stopped 0x7ffff7b8ca9d in syscall (), reason: SIGSEGV
[#92] Id 102, Name: "WRRende~ckend#2", stopped 0x7ffff7b8ca9d in syscall (), reason: SIGSEGV
[#93] Id 103, Name: "mozStorage #3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#94] Id 104, Name: "DOM Worker", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#95] Id 105, Name: "IndexedDB #4", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#96] Id 106, Name: "IndexedDB #5", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#97] Id 107, Name: "SSL Cert #1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#98] Id 108, Name: "URL Classifier", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#99] Id 109, Name: "IndexedDB #6", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#100] Id 110, Name: "DOM Worker", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#101] Id 111, Name: "glean.dispatche", stopped 0x7ffff7b8ca9d in syscall (), reason: SIGSEGV
[#102] Id 114, Name: "StreamTrans #4", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#103] Id 115, Name: "SaveScripts", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#104] Id 116, Name: "mozStorage #4", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#105] Id 117, Name: "StreamTrans #5", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x7ffff2ab481b → glsl::Unaligned<unsigned char __vector(16)>::load<unsigned int>(unsigned int const*)(p=0x7fff97155000)
[#1] 0x7ffff2ab481b → glsl::unaligned_load<unsigned char __vector(16), unsigned int>(unsigned int const*)(p=0x7fff97155000)
[#2] 0x7ffff2ab481b → blend_span(unsigned int*, unsigned short __vector(16))(buf=0x7fff97155000, r={0x0 <repeats 16 times>})
[#3] 0x7ffff2ab481b → commit_blend_span<true, unsigned int, unsigned short __vector(16)>(unsigned int*, unsigned short __vector(16))(buf=0x7fff97155000, r={0x0 <repeats 16 times>})
[#4] 0x7ffff2ab481b → blendTextureLinearFallback<true, glsl::sampler2D_impl*, NoColor, unsigned int>(sampler=0x7fff9eb8c9f8, uv={
  x = {-511.99234, -511.99231, -511.992279, -511.992249},
  y = {10.4877853, 10.4877853, 10.4877853, 10.4877853}
}, span=0x1c05000, uv_step={
  x = 0.000122070312,
  y = 0
}, min_uv={
  x = 0.5,
  y = 0.5
}, max_uv={
  x = 262016.5,
  y = 0.5
}, color={<No data fields>}, buf=0x7fff97155000)
[#5] 0x7ffff2ab4273 → blendTextureLinearDispatch<true, glsl::sampler2D_impl*, NoColor, unsigned int>(sampler=0x7fff9eb8c9f8, uv={
  x = {-511.99234, -511.99231, -511.992279, -511.992249},
  y = {10.4877853, 10.4877853, 10.4877853, 10.4877853}
}, span=0x400, uv_step={
  x = 0.000122070312,
  y = 0
}, min_uv={
  x = 0.5,
  y = 0.5
}, max_uv={
  x = 262016.5,
  y = 0.5
}, color={<No data fields>}, buf=0x7fff97155000, filter=LINEAR_FILTER_UPSCALE)
[#6] 0x7ffff28f3c17 → blendTextureLinearRepeat<true, glsl::sampler2D_impl*, NoColor, unsigned int>(sampler=0x7fff9eb8c9f8, uv={
  x = {0.00170937122, 0.00170937134, 0.00170937146, 0.00170937157},
  y = {0.578029573, 0.578029573, 0.578029573, 0.578029573}
}, span=0x400, tile_repeat=@0x7fff9eb8cb10, uv_repeat=@0x7fff9eb8cb18, uv_rect=@0x7fff9eb8cb28, color={<No data fields>}, buf=0x7fff9e168000)
[#7] 0x7ffff30d7c81 → brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D_frag::swgl_drawSpanRGBA8(this=0x7fff9eb8c810)
[#8] 0x7ffff30ccd35 → brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D_frag::draw_span_RGBA8(self=0x7fff9eb8c810)
[#9] 0x7ffff3710b2d → glsl::FragmentShaderImpl::draw_span(this=0x7fff9eb8c810, buf=0x7fff9e168000, len=0x400)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤  bt
#0  0x00007ffff2ab481b in glsl::Unaligned<unsigned char __vector(16)>::load<unsigned int>(unsigned int const*) (p=0x7fff97155000) at src/vector_type.h:503
#1  glsl::unaligned_load<unsigned char __vector(16), unsigned int>(unsigned int const*) (p=0x7fff97155000) at src/vector_type.h:532
#2  blend_span(unsigned int*, unsigned short __vector(16)) (buf=0x7fff97155000, r=...) at src/blend.h:732
#3  commit_blend_span<true, unsigned int, unsigned short __vector(16)>(unsigned int*, unsigned short __vector(16)) (buf=0x7fff97155000, r=...) at src/blend.h:776
#4  blendTextureLinearFallback<true, glsl::sampler2D_impl*, NoColor, unsigned int>(glsl::sampler2D_impl*, glsl::vec2, int, glsl::vec2_scalar, glsl::vec2_scalar, glsl::vec2_scalar, NoColor, unsigned int*) (sampler=0x7fff9eb8c9f8, uv=..., span=0x1c05000, uv_step=..., min_uv=..., max_uv=..., color=..., buf=0x7fff97155000) at src/swgl_ext.h:177
#5  0x00007ffff2ab4273 in blendTextureLinearDispatch<true, glsl::sampler2D_impl*, NoColor, unsigned int>(glsl::sampler2D_impl*, glsl::vec2, int, glsl::vec2_scalar, glsl::vec2_scalar, glsl::vec2_scalar, NoColor, unsigned int*, LinearFilter) (sampler=0x7fff9eb8c9f8, uv=..., span=0x400, uv_step=..., min_uv=..., max_uv=..., color=..., buf=0x7fff97155000, filter=LINEAR_FILTER_UPSCALE) at src/swgl_ext.h:441
#6  0x00007ffff28f3c17 in blendTextureLinearRepeat<true, glsl::sampler2D_impl*, NoColor, unsigned int>(glsl::sampler2D_impl*, glsl::vec2, int, glsl::vec2_scalar const&, glsl::vec4_scalar const&, glsl::vec4_scalar const&, NoColor, unsigned int*) (sampler=0x7fff9eb8c9f8, uv=..., span=0x400, tile_repeat=..., uv_repeat=..., uv_rect=..., color=..., buf=0x7fff9e168000) at src/swgl_ext.h:673
#7  0x00007ffff30d7c81 in brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D_frag::swgl_drawSpanRGBA8() (this=0x7fff9eb8c810) at /home/sourc7/git/gecko-dev-desktop/obj-x86_64-pc-linux-gnu/x86_64-unknown-linux-gnu/release/build/swgl-c0a134755c64a46a/out/brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D.h:969
#8  0x00007ffff30ccd35 in brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D_frag::draw_span_RGBA8(brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D_frag*) (self=0x7fff9eb8c810) at /home/sourc7/git/gecko-dev-desktop/obj-x86_64-pc-linux-gnu/x86_64-unknown-linux-gnu/release/build/swgl-c0a134755c64a46a/out/brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D.h:1012
#9  0x00007ffff3710b2d in glsl::FragmentShaderImpl::draw_span(unsigned int*, int) (this=0x7fff9eb8c810, buf=0x7fff9e168000, len=0x400) at src/program.h:149
#10 draw_depth_span<unsigned int>(unsigned int, unsigned int*, DepthCursor&) (z=0x7ffff0, buf=0x7fff9e168000, cursor=...) at src/rasterize.h:597
#11 draw_quad_spans<unsigned int>(int, glsl::vec2_scalar*, unsigned int, glsl::vec3*, Texture&, Texture&, ClipRect const&) (nump=0x4, p=0x7fffdb574a50, z=0x7ffff0, interp_outs=0x7fffdb574a70, colortex=..., depthtex=..., clipRect=...) at src/rasterize.h:999
#12 0x00007ffff2815bde in draw_quad(int, Texture&, Texture&) (nump=0x4, colortex=..., depthtex=...) at src/rasterize.h:1592
#13 0x00007ffff2814be2 in draw_elements<unsigned short>(int, int, unsigned long, VertexArray&, Texture&, Texture&) (count=0x6, instancecount=0x1, offset=0x0, v=..., colortex=..., depthtex=...) at src/rasterize.h:1622
#14 0x00007ffff2814799 in DrawElementsInstanced(GLenum, GLsizei, GLenum, GLintptr, GLsizei) (mode=0x4, count=0x6, type=0x1403, offset=0x0, instancecount=0x1) at src/gl.cc:2699
#15 0x00007ffff2749d2f in webrender::device::gl::Device::draw_indexed_triangles_instanced_u16 (self=0x7fffe1ab3020, index_count=0x97155000, instance_count=0x9e168000) at /home/sourc7/git/gecko-dev-desktop/gfx/wr/webrender/src/device/gl.rs:3522
#16 0x00007ffff276c40b in webrender::renderer::Renderer::draw_instanced_batch (self=0x7fffe1ab3000, data=..., vertex_array_kind=webrender::renderer::vertex::VertexArrayKind::Primitive, textures=<optimized out>, stats=0x7fffdb575580) at /home/sourc7/git/gecko-dev-desktop/gfx/wr/webrender/src/renderer/mod.rs:2557
#17 0x00007ffff276d785 in webrender::renderer::Renderer::draw_alpha_batch_container (self=<optimized out>, alpha_batch_container=<optimized out>, draw_target=..., framebuffer_kind=<optimized out>, projection=0x7fffdb575310, render_tasks=0x7fffdb5758c8, stats=0x7fffdb575580) at /home/sourc7/git/gecko-dev-desktop/gfx/wr/webrender/src/renderer/mod.rs:3041
#18 0x00007ffff2772b34 in webrender::renderer::Renderer::draw_picture_cache_target (self=0x7fffe1ab3000, target=<optimized out>, draw_target=..., projection=0x7fffdb575310, render_tasks=0x7fffdb5758c8, stats=0x7fffdb575580) at /home/sourc7/git/gecko-dev-desktop/gfx/wr/webrender/src/renderer/mod.rs:2864
#19 webrender::renderer::Renderer::draw_frame (self=<optimized out>, frame=<optimized out>, device_size=<error reading variable: access outside bounds of object referenced via synthetic pointer>, buffer_age=<optimized out>, results=<optimized out>) at /home/sourc7/git/gecko-dev-desktop/gfx/wr/webrender/src/renderer/mod.rs:4607
#20 0x00007ffff27662a2 in webrender::renderer::Renderer::render_impl (self=0x7fffe1ab3000, doc_id=..., active_doc=0x7fffdb575898, device_size=..., buffer_age=0x0) at /home/sourc7/git/gecko-dev-desktop/gfx/wr/webrender/src/renderer/mod.rs:2155
#21 0x00007ffff276562b in webrender::renderer::Renderer::render (self=0x7fffe1ab3000, device_size=..., buffer_age=0x0) at /home/sourc7/git/gecko-dev-desktop/gfx/wr/webrender/src/renderer/mod.rs:1890
#22 0x00007ffff2452541 in webrender_bindings::bindings::wr_renderer_render (renderer=0x7fff97155000, width=0x97155000, height=0x97155000, buffer_age=0x0, out_stats=0x7fffdb576528, out_dirty_rects=0x7fffdb5763b8) at /home/sourc7/git/gecko-dev-desktop/gfx/webrender_bindings/src/bindings.rs:637
#23 0x00007fffeab36263 in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) (this=0x7fffe1489460, aReadbackSize=..., aReadbackFormat=..., aReadbackBuffer=..., aNeedsYFlip=0x0, aOutStats=0x7fffdb576528) at /home/sourc7/git/gecko-dev-desktop/gfx/webrender_bindings/RendererOGL.cpp:186
#24 0x00007fffeab357d8 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) (this=0x7ffff7876bc0, aWindowId=..., aStartId=..., aStartTime=..., aRender=0x1, aReadbackSize=..., aReadbackFormat=..., aReadbackBuffer=..., aNeedsYFlip=0x0) at /home/sourc7/git/gecko-dev-desktop/gfx/webrender_bindings/RenderThread.cpp:486
#25 0x00007fffeab35171 in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) (this=0x7ffff7876bc0, aWindowId=..., aRender=0x1) at /home/sourc7/git/gecko-dev-desktop/gfx/webrender_bindings/RenderThread.cpp:341
#26 0x00007fffeab5819e in mozilla::detail::RunnableMethodArguments<mozilla::wr::WrWindowId, bool>::applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool>, 0ul, 1ul>(mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), mozilla::Tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> >&, std::integer_sequence<unsigned long, 0ul, 1ul>) (o=0x7ffff7876bc0, m=(void (mozilla::wr::RenderThread::*)(mozilla::wr::RenderThread * const, mozilla::wr::WrWindowId, bool)) 0x7fffeab34e20 <mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool)>, args=...) at /home/sourc7/git/gecko-dev-desktop/obj-x86_64-pc-linux-gnu/dist/include/nsThreadUtils.h:1148
#27 0x00007fffeab580bd in mozilla::detail::RunnableMethodArguments<mozilla::wr::WrWindowId, bool>::apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)>(mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)) (this=0x7fffa0c876d8, o=0x7ffff7876bc0, m=(void (mozilla::wr::RenderThread::*)(mozilla::wr::RenderThread * const, mozilla::wr::WrWindowId, bool)) 0x7fffeab34e20 <mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool)>) at /home/sourc7/git/gecko-dev-desktop/obj-x86_64-pc-linux-gnu/dist/include/nsThreadUtils.h:1154
#28 0x00007fffeab57e80 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() (this=0x7fffa0c876a0) at /home/sourc7/git/gecko-dev-desktop/obj-x86_64-pc-linux-gnu/dist/include/nsThreadUtils.h:1201
#29 0x00007fffe967c94e in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) (this=0x7fffdb576c28, aTask=...) at /home/sourc7/git/gecko-dev-desktop/ipc/chromium/src/base/message_loop.cc:468
#30 0x00007fffe967cf49 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) (this=0x7fffdb576c28, pending_task=...) at /home/sourc7/git/gecko-dev-desktop/ipc/chromium/src/base/message_loop.cc:477
#31 0x00007fffe967d18b in MessageLoop::DoWork() (this=0x7fffdb576c28) at /home/sourc7/git/gecko-dev-desktop/ipc/chromium/src/base/message_loop.cc:552
#32 0x00007fffe967dd90 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) (this=0x7fffe231f280, delegate=0x7fffdb576c28) at /home/sourc7/git/gecko-dev-desktop/ipc/chromium/src/base/message_pump_default.cc:35
#33 0x00007fffe967c779 in MessageLoop::RunInternal() (this=0x7fffdb576c28) at /home/sourc7/git/gecko-dev-desktop/ipc/chromium/src/base/message_loop.cc:335
#34 0x00007fffe967c725 in MessageLoop::RunHandler() (this=0x7fffdb576c28) at /home/sourc7/git/gecko-dev-desktop/ipc/chromium/src/base/message_loop.cc:328
#35 0x00007fffe967c6dd in MessageLoop::Run() (this=0x7fffdb576c28) at /home/sourc7/git/gecko-dev-desktop/ipc/chromium/src/base/message_loop.cc:310
#36 0x00007fffe969b2e9 in base::Thread::ThreadMain() (this=0x7fffe283dbf0) at /home/sourc7/git/gecko-dev-desktop/ipc/chromium/src/base/thread.cc:191
#37 0x00007fffe9683de1 in ThreadFunc(void*) (closure=0x7fffe283dbf0) at /home/sourc7/git/gecko-dev-desktop/ipc/chromium/src/base/platform_thread_posix.cc:40
#38 0x00007ffff7fac299 in start_thread () at /usr/lib/libpthread.so.0
#39 0x00007ffff7b92053 in clone () at /usr/lib/libc.so.6
gef➤  p $_siginfo._sifields._sigfault.si_addr
$1 = (void *) 0x7fff97155000
Flags: sec-bounty?
Attached file asan.txt
Attached file gdb.txt
Group: firefox-core-security → gfx-core-security
Component: Security → Graphics: WebRender
Product: Firefox → Core

Just looking at the stack in comment 0, this might be a dupe of bug 1704319, which was marked as a regression from bug 1703893. (fixed in this commit: https://hg.mozilla.org/mozilla-central/rev/16765e5aef99 )

(In reply to Andrew McCreight [:mccr8] from comment #3)

> Just looking at the stack in comment 0, this might be a dupe of bug 1704319, which was marked as a regression from bug 1703893. (fixed in this commit: https://hg.mozilla.org/mozilla-central/rev/16765e5aef99 )

Looks like a dup to me.

I can't reproduce this anymore on the latest Firefox ASan 89.0a1 (2021-04-15) (64-bit). I also believe that commit https://hg.mozilla.org/mozilla-central/rev/16765e5aef99 fixed this.

Thanks for confirming.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
Flags: sec-bounty? → sec-bounty-
Group: gfx-core-security