Closed Bug 1779776 Opened 2 years ago Closed 2 years ago

Crash [@ operator!=<mozilla::ipc::SharedMemory>]

Categories

(Core :: Graphics: Canvas2D, defect)

x86_64
Linux
defect

Tracking

RESOLVED DUPLICATE of bug 1779804
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox102 --- unaffected
firefox103 --- unaffected
firefox104 --- fixed

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev 59134b451eec (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 59134b451eec --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
[@ operator!=<mozilla::ipc::SharedMemory>]

    =================================================================
    ==2705080==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7fdf9ddbb961 bp 0x7ffe33b92610 sp 0x7ffe33b924c0 T0)
    ==2705080==The signal is caused by a READ memory access.
    ==2705080==Hint: address points to the zero page.
        #0 0x7fdf9ddbb961 in operator!=<mozilla::ipc::SharedMemory> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:537:21
        #1 0x7fdf9ddbb961 in IsWritable /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/Shmem.h:101:45
        #2 0x7fdf9ddbb961 in mozilla::gfx::DrawTargetWebgl::SharedContext::ReadInto(unsigned char*, int, mozilla::gfx::SurfaceFormat, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::TextureHandle*) /dom/canvas/DrawTargetWebgl.cpp:699:30
        #3 0x7fdf9ddbc27a in mozilla::gfx::DrawTargetWebgl::SharedContext::ReadSnapshot(mozilla::gfx::TextureHandle*) /dom/canvas/DrawTargetWebgl.cpp:734:30
        #4 0x7fdf9ddeb3e9 in mozilla::gfx::SourceSurfaceWebgl::OnUnlinkTexture(mozilla::gfx::DrawTargetWebgl::SharedContext*) /dom/canvas/SourceSurfaceWebgl.cpp:128:23
        #5 0x7fdf9ddb28e9 in mozilla::gfx::DrawTargetWebgl::SharedContext::UnlinkSurfaceTexture(RefPtr<mozilla::gfx::TextureHandle> const&) /dom/canvas/DrawTargetWebgl.cpp:253:50
        #6 0x7fdf9ddb2c4b in mozilla::gfx::DrawTargetWebgl::SharedContext::PruneTextureHandle(RefPtr<mozilla::gfx::TextureHandle> const&) /dom/canvas/DrawTargetWebgl.cpp:1787:3
        #7 0x7fdf9ddb1852 in ClearAllTextures /dom/canvas/DrawTargetWebgl.cpp:287:5
        #8 0x7fdf9ddb1852 in mozilla::gfx::DrawTargetWebgl::SharedContext::~SharedContext() /dom/canvas/DrawTargetWebgl.cpp:242:3
        #9 0x7fdf9ddb0e01 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefCounted.h:255:7
        #10 0x7fdf9ddb0e01 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
        #11 0x7fdf9ddb0e01 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
        #12 0x7fdf9ddb0e01 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
        #13 0x7fdf9ddb0e01 in mozilla::gfx::DrawTargetWebgl::~DrawTargetWebgl() /dom/canvas/DrawTargetWebgl.cpp:234:1
        #14 0x7fdf9ddb11c8 in mozilla::gfx::DrawTargetWebgl::~DrawTargetWebgl() /dom/canvas/DrawTargetWebgl.cpp:216:37
        #15 0x7fdf9ddf6d65 in mozilla::dom::CanvasRenderingContext2D::OnShutdown() /dom/canvas/CanvasRenderingContext2D.cpp:1168:15
        #16 0x7fdf9ddf0bc2 in mozilla::dom::CanvasShutdownObserver::Observe(nsISupports*, char const*, char16_t const*) /dom/canvas/CanvasRenderingContext2D.cpp:898:14
        #17 0x7fdf989c313e in nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) /xpcom/ds/nsObserverList.cpp:70:19
        #18 0x7fdf989cc721 in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) /xpcom/ds/nsObserverService.cpp:291:19
        #19 0x7fdf988cfb0d in mozilla::AppShutdown::AdvanceShutdownPhaseInternal(mozilla::ShutdownPhase, bool, char16_t const*, nsCOMPtr<nsISupports> const&) /xpcom/base/AppShutdown.cpp:372:21
        #20 0x7fdf98b98699 in mozilla::ShutdownXPCOM(nsIServiceManager*) /xpcom/build/XPCOMInit.cpp:592:5
        #21 0x7fdfa62c2094 in XRE_TermEmbedding() /toolkit/xre/nsEmbedFunctions.cpp:224:3
        #22 0x7fdf9a2d4a75 in mozilla::ipc::ScopedXREEmbed::Stop() /ipc/glue/ScopedXREEmbed.cpp:90:5
        #23 0x7fdfa62c2a2d in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:738:16
        #24 0x56501ed26775 in content_process_main(mozilla::Bootstrap*, int, char**) /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #25 0x56501ed26b26 in main /browser/app/nsBrowserApp.cpp:338:18
        #26 0x7fdfc0590082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #27 0x56501ec66bb9 in _start (/home/jkratzer/builds/mc-asan/firefox+0x78bb9) (BuildId: 5d6a11aff11971313d23f5a38d51b8f544c536f5)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:537:21 in operator!=<mozilla::ipc::SharedMemory>
    ==2705080==ABORTING
Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220715095545-59134b451eec.
The bug appears to have been introduced in the following build range:

Start: 26d422c0f19648d56e3310bb1aedb8ed1bbe6c09 (20220712074830)
End: 43b78654c3afde1e601c8b0ba1794b85954249fe (20220712094112)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=26d422c0f19648d56e3310bb1aedb8ed1bbe6c09&tochange=43b78654c3afde1e601c8b0ba1794b85954249fe

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Regressed by: 1777872

Set release status flags based on info from the regressing bug 1777872

:lsalzman, since you are the author of the regressor, bug 1777872, could you take a look?
For more information, please visit auto_nag documentation.

Flags: needinfo?(lsalzman)
Flags: needinfo?(lsalzman)
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon