Crash [@ operator!=<mozilla::ipc::SharedMemory>]
Categories
(Core :: Graphics: Canvas2D, defect)
Tracking

Version | Tracking | Status
---|---|---
firefox-esr91 | --- | unaffected
firefox-esr102 | --- | unaffected
firefox102 | --- | unaffected
firefox103 | --- | unaffected
firefox104 | --- | fixed
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file: 724 bytes, text/plain)
Testcase found while fuzzing mozilla-central rev 59134b451eec (built with: --enable-address-sanitizer --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 59134b451eec --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
[@ operator!=<mozilla::ipc::SharedMemory>]
=================================================================
==2705080==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7fdf9ddbb961 bp 0x7ffe33b92610 sp 0x7ffe33b924c0 T0)
==2705080==The signal is caused by a READ memory access.
==2705080==Hint: address points to the zero page.
#0 0x7fdf9ddbb961 in operator!=<mozilla::ipc::SharedMemory> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:537:21
#1 0x7fdf9ddbb961 in IsWritable /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/Shmem.h:101:45
#2 0x7fdf9ddbb961 in mozilla::gfx::DrawTargetWebgl::SharedContext::ReadInto(unsigned char*, int, mozilla::gfx::SurfaceFormat, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::TextureHandle*) /dom/canvas/DrawTargetWebgl.cpp:699:30
#3 0x7fdf9ddbc27a in mozilla::gfx::DrawTargetWebgl::SharedContext::ReadSnapshot(mozilla::gfx::TextureHandle*) /dom/canvas/DrawTargetWebgl.cpp:734:30
#4 0x7fdf9ddeb3e9 in mozilla::gfx::SourceSurfaceWebgl::OnUnlinkTexture(mozilla::gfx::DrawTargetWebgl::SharedContext*) /dom/canvas/SourceSurfaceWebgl.cpp:128:23
#5 0x7fdf9ddb28e9 in mozilla::gfx::DrawTargetWebgl::SharedContext::UnlinkSurfaceTexture(RefPtr<mozilla::gfx::TextureHandle> const&) /dom/canvas/DrawTargetWebgl.cpp:253:50
#6 0x7fdf9ddb2c4b in mozilla::gfx::DrawTargetWebgl::SharedContext::PruneTextureHandle(RefPtr<mozilla::gfx::TextureHandle> const&) /dom/canvas/DrawTargetWebgl.cpp:1787:3
#7 0x7fdf9ddb1852 in ClearAllTextures /dom/canvas/DrawTargetWebgl.cpp:287:5
#8 0x7fdf9ddb1852 in mozilla::gfx::DrawTargetWebgl::SharedContext::~SharedContext() /dom/canvas/DrawTargetWebgl.cpp:242:3
#9 0x7fdf9ddb0e01 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefCounted.h:255:7
#10 0x7fdf9ddb0e01 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
#11 0x7fdf9ddb0e01 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
#12 0x7fdf9ddb0e01 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
#13 0x7fdf9ddb0e01 in mozilla::gfx::DrawTargetWebgl::~DrawTargetWebgl() /dom/canvas/DrawTargetWebgl.cpp:234:1
#14 0x7fdf9ddb11c8 in mozilla::gfx::DrawTargetWebgl::~DrawTargetWebgl() /dom/canvas/DrawTargetWebgl.cpp:216:37
#15 0x7fdf9ddf6d65 in mozilla::dom::CanvasRenderingContext2D::OnShutdown() /dom/canvas/CanvasRenderingContext2D.cpp:1168:15
#16 0x7fdf9ddf0bc2 in mozilla::dom::CanvasShutdownObserver::Observe(nsISupports*, char const*, char16_t const*) /dom/canvas/CanvasRenderingContext2D.cpp:898:14
#17 0x7fdf989c313e in nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) /xpcom/ds/nsObserverList.cpp:70:19
#18 0x7fdf989cc721 in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) /xpcom/ds/nsObserverService.cpp:291:19
#19 0x7fdf988cfb0d in mozilla::AppShutdown::AdvanceShutdownPhaseInternal(mozilla::ShutdownPhase, bool, char16_t const*, nsCOMPtr<nsISupports> const&) /xpcom/base/AppShutdown.cpp:372:21
#20 0x7fdf98b98699 in mozilla::ShutdownXPCOM(nsIServiceManager*) /xpcom/build/XPCOMInit.cpp:592:5
#21 0x7fdfa62c2094 in XRE_TermEmbedding() /toolkit/xre/nsEmbedFunctions.cpp:224:3
#22 0x7fdf9a2d4a75 in mozilla::ipc::ScopedXREEmbed::Stop() /ipc/glue/ScopedXREEmbed.cpp:90:5
#23 0x7fdfa62c2a2d in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:738:16
#24 0x56501ed26775 in content_process_main(mozilla::Bootstrap*, int, char**) /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#25 0x56501ed26b26 in main /browser/app/nsBrowserApp.cpp:338:18
#26 0x7fdfc0590082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#27 0x56501ec66bb9 in _start (/home/jkratzer/builds/mc-asan/firefox+0x78bb9) (BuildId: 5d6a11aff11971313d23f5a38d51b8f544c536f5)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:537:21 in operator!=<mozilla::ipc::SharedMemory>
==2705080==ABORTING
Comment 1 • 2 years ago

Comment 2 • 2 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220715095545-59134b451eec.
The bug appears to have been introduced in the following build range:
Start: 26d422c0f19648d56e3310bb1aedb8ed1bbe6c09 (20220712074830)
End: 43b78654c3afde1e601c8b0ba1794b85954249fe (20220712094112)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=26d422c0f19648d56e3310bb1aedb8ed1bbe6c09&tochange=43b78654c3afde1e601c8b0ba1794b85954249fe
Comment 3 • 2 years ago
Set release status flags based on info from the regressing bug 1777872
Comment 4 • 2 years ago
:lsalzman, since you are the author of the regressor, bug 1777872, could you take a look?
For more information, please visit auto_nag documentation.
Comment 6 • 2 years ago
No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.