Closed
Bug 1782242
Opened 8 months ago
Closed 8 months ago
Assertion failure: cm, at /dom/canvas/ClientWebGLContext.cpp:750
Categories
(Core :: Graphics: Canvas2D, defect, P5)
Tracking
()
VERIFIED
FIXED
105 Branch
| Tracking | Status | |
|---|---|---|
| firefox105 | --- | verified |
People
(Reporter: jkratzer, Assigned: aosmond)
References
(Blocks 1 open bug)
Details
(Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev e0beaa7b6605 (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build e0beaa7b6605 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --repeat 10 --relaunch 1
Assertion failure: cm, at /dom/canvas/ClientWebGLContext.cpp:750
==1063179==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9d4d431cd3 bp 0x7f9d40f70a50 sp 0x7f9d40f70960 T1063313)
==1063179==The signal is caused by a WRITE memory access.
==1063179==Hint: address points to the zero page.
#0 0x7f9d4d431cd3 in operator() /dom/canvas/ClientWebGLContext.cpp:750:5
#1 0x7f9d4d431cd3 in mozilla::ClientWebGLContext::CreateHostContext(mozilla::avec2<unsigned int> const&) /dom/canvas/ClientWebGLContext.cpp:708:14
#2 0x7f9d4d4358e6 in mozilla::ClientWebGLContext::SetDimensions(int, int) /dom/canvas/ClientWebGLContext.cpp:680:8
#3 0x7f9d4d42d034 in mozilla::dom::CanvasRenderingContextHelper::UpdateContext(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/canvas/CanvasRenderingContextHelper.cpp:267:24
#4 0x7f9d4d42cb50 in mozilla::dom::CanvasRenderingContextHelper::GetOrCreateContext(JSContext*, mozilla::dom::CanvasContextType, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/canvas/CanvasRenderingContextHelper.cpp:219:19
#5 0x7f9d4d49c7e6 in mozilla::dom::OffscreenCanvas::GetContext(JSContext*, mozilla::dom::OffscreenRenderingContextId const&, JS::Handle<JS::Value>, mozilla::dom::Nullable<mozilla::dom::OwningOffscreenCanvasRenderingContext2DOrImageBitmapRenderingContextOrWebGLRenderingContextOrWebGL2RenderingContextOrGPUCanvasContext>&, mozilla::ErrorResult&) /dom/canvas/OffscreenCanvas.cpp:139:62
#6 0x7f9d4c514612 in mozilla::dom::OffscreenCanvas_Binding::getContext(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/OffscreenCanvasBinding.cpp:917:24
#7 0x7f9d4d334b2c in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3287:13
#8 0x7f9d52839720 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:417:13
#9 0x7f9d52838f7a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:505:12
#10 0x7f9d52830437 in CallFromStack /js/src/vm/Interpreter.cpp:577:10
#11 0x7f9d52830437 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3325:16
#12 0x7f9d528278c2 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:389:13
#13 0x7f9d52838e76 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:537:13
#14 0x7f9d5283a448 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:604:8
#15 0x7f9d514fa031 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
#16 0x7f9d4d04d2f3 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:299:37
#17 0x7f9d4d8cae29 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:367:12
#18 0x7f9d4d8ca003 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /dom/events/JSEventHandler.cpp:201:12
#19 0x7f9d4d8ab23e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1316:22
#20 0x7f9d4d8abea7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1506:17
#21 0x7f9d4d8a0de4 in HandleEvent /dom/events/EventListenerManager.h:395:5
#22 0x7f9d4d8a0de4 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:348:17
#23 0x7f9d4d8a0332 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:550:16
#24 0x7f9d4d8a2bd1 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1119:11
#25 0x7f9d4d8a5646 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp
#26 0x7f9d4d87d26b in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/events/DOMEventTargetHelper.cpp:180:17
#27 0x7f9d4d8b2872 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /dom/events/EventTarget.cpp:180:13
#28 0x7f9d4ebeae41 in mozilla::dom::MessageEventRunnable::DispatchDOMEvent(JSContext*, mozilla::dom::WorkerPrivate*, mozilla::DOMEventTargetHelper*, bool) /dom/workers/MessageEventRunnable.cpp:104:12
#29 0x7f9d4ec2c1f3 in mozilla::dom::WorkerRunnable::Run() /dom/workers/WorkerRunnable.cpp:377:12
#30 0x7f9d4a3529c7 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16
#31 0x7f9d4a358f0d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
#32 0x7f9d4ec1af94 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /dom/workers/WorkerPrivate.cpp:3205:7
#33 0x7f9d4ec048cb in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /dom/workers/RuntimeService.cpp:2038:42
#34 0x7f9d4a3529c7 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16
#35 0x7f9d4a358f0d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
#36 0x7f9d4af2b1db in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
#37 0x7f9d4ae4f237 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
#38 0x7f9d4ae4f142 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
#39 0x7f9d4ae4f142 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
#40 0x7f9d4a34dcf6 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:384:10
#41 0x7f9d60266557 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
#42 0x7f9d60fd8608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
#43 0x7f9d60b9f132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/canvas/ClientWebGLContext.cpp:750:5 in operator()
==1063179==ABORTING
|
Reporter | |
Comment 1•8 months ago
|
||
|
||
Comment 2•8 months ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220729151635-62ef66035be0.
Unable to bisect testcase (Testcase reproduces on start build!):
Start: d7b25de9e7393bba933d6c0cf77fc60c771c1abe (20210730033817)
End: e0beaa7b6605aebd3e6fdf7f9826d26fc959ed4e (20220729093410)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
Assignee | |
Comment 3•8 months ago
|
||
If I understand the test case properly, the random reload causes us to shutdown and restart the worker constantly. The CanvasManagerChild instance is tied to the worker's lifetime, and we may have gotten signaled to shutdown whilst executing the JS code. The log probably shows warnings failing to reinitialize the CanvasManagerChild due to the shutdown as well.
We can just remove the assert to fix this. In a non-debug build, it should fail gracefully.
Severity: -- → S4
Priority: -- → P5
|
|
Assignee | |
Updated•8 months ago
|
Assignee: nobody → aosmond
|
|
Assignee | |
Comment 4•8 months ago
|
||
Pushed by aosmond@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/97e91d0ee7c6 Remove assert for CanvasManagerChild::Get that we handle gracefully anyways. r=gfx-reviewers,bradwerth
|
||
Comment 6•8 months ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 8 months ago
status-firefox105:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch
|
|
||
Comment 7•8 months ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220730092553-656a6bc2f82d.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
You need to log in
before you can comment on or make changes to this bug.
Description
•