Closed Bug 1789658 Opened 2 years ago Closed 2 years ago

AddressSanitizer: heap-use-after-free [@ load<unsigned int>] with READ of size 16

Categories

(Core :: Graphics: Canvas2D, defect)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
106 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox104 --- unaffected
firefox105 --- unaffected
firefox106 --- fixed

People

(Reporter: jkratzer, Assigned: sotaro)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed][fuzzblocker])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev 663615ef7a19 (built with: --enable-address-sanitizer --enable-fuzzing).

This is a recent regression. Due to the simple testcase, this issue has been seen hundreds of times in the past few hours. Marking as a fuzzblocker. Please prioritize accordingly.

Testcase can be reproduced using the following commands:

    $ pip install fuzzfetch grizzly-framework
    $ python -m fuzzfetch --build 663615ef7a19 --asan --fuzzing -n firefox
    $ python -m grizzly.replay ./firefox/firefox testcase.html

AddressSanitizer: heap-use-after-free [@ load<unsigned int>] with READ of size 16

    =================================================================
    ==36465==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fe57ee7a800 at pc 0x7fe5e1c5de6a bp 0x7fe59bc1a550 sp 0x7fe59bc1a548
    READ of size 16 at 0x7fe57ee7a800 thread T73 (SwComposite)
        #0 0x7fe5e1c5de69 in load<unsigned int> /gfx/wr/swgl/src/vector_type.h:503:5
        #1 0x7fe5e1c5de69 in unaligned_load<unsigned char __attribute__((ext_vector_type(16))), unsigned int> /gfx/wr/swgl/src/vector_type.h:532:10
        #2 0x7fe5e1c5de69 in void copy_row<true, unsigned int>(unsigned int*, unsigned int const*, int) /gfx/wr/swgl/src/composite.h:85:30
        #3 0x7fe5e16c97fb in void scale_blit<true>(Texture&, IntRect const&, Texture&, IntRect const&, bool, IntRect const&) /gfx/wr/swgl/src/composite.h:265:15
        #4 0x7fe5e16c7563 in Composite /gfx/wr/swgl/src/composite.h:586:7
        #5 0x7fe5e0aa64fc in webrender::compositor::sw_compositor::SwCompositeJob::process::h3b1f8248387fe610 /gfx/wr/webrender/src/compositor/sw_compositor.rs:231:17
        #6 0x7fe5e0aa64fc in webrender::compositor::sw_compositor::SwCompositeGraphNode::process_job::h07f68a8d82ba2621 /gfx/wr/webrender/src/compositor/sw_compositor.rs:408:13
        #7 0x7fe5e0aa64fc in webrender::compositor::sw_compositor::SwCompositeThread::process_job::h5aa22ed5e17d60bd /gfx/wr/webrender/src/compositor/sw_compositor.rs:517:9
        #8 0x7fe5e04d974a in webrender::compositor::sw_compositor::SwCompositeThread::new::_$u7b$$u7b$closure$u7d$$u7d$::hc0535107a98c6810 /gfx/wr/webrender/src/compositor/sw_compositor.rs:497:21
        #9 0x7fe5e04d974a in std::sys_common::backtrace::__rust_begin_short_backtrace::habe7778631fb9beb /builds/worker/fetches/rust/library/std/src/sys_common/backtrace.rs:122:18
        #10 0x7fe5e054f4bb in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hb67221ce840f74b1 /builds/worker/fetches/rust/library/std/src/thread/mod.rs:505:17
        #11 0x7fe5e054f4bb in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hbc3d44eb6dce0d75 /builds/worker/fetches/rust/library/core/src/panic/unwind_safe.rs:271:9
        #12 0x7fe5e054f4bb in std::panicking::try::do_call::h531e56ebdfc308fe /builds/worker/fetches/rust/library/std/src/panicking.rs:492:40
        #13 0x7fe5e054f4bb in std::panicking::try::hb49f18820e9a09e1 /builds/worker/fetches/rust/library/std/src/panicking.rs:456:19
        #14 0x7fe5e054f4bb in std::panic::catch_unwind::h29e39dc6ba93900b /builds/worker/fetches/rust/library/std/src/panic.rs:137:14
        #15 0x7fe5e054f4bb in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::he041c4e3cb3ccc18 /builds/worker/fetches/rust/library/std/src/thread/mod.rs:504:30
        #16 0x7fe5e054f4bb in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h271a5c7525c77f4c /builds/worker/fetches/rust/library/core/src/ops/function.rs:248:5
        #17 0x7fe5e584d6d2 in std::sys::unix::thread::Thread::new::thread_start::h756fd4eb0235e719 std.b8e27468-cgu.4
        #18 0x7fe5f6999b42 in start_thread nptl/./nptl/pthread_create.c:442:8
        #19 0x7fe5f6a2b9ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    
    0x7fe57ee7a800 is located 0 bytes inside of 180000-byte region [0x7fe57ee7a800,0x7fe57eea6720)
    freed by thread T40 here:
        #0 0x555e3df4ab62 in __interceptor_free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
        #1 0x7fe5d0bdf5e6 in operator delete[] /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:60:10
        #2 0x7fe5d0bdf5e6 in mozilla::layers::MemoryTextureData::Deallocate(mozilla::layers::LayersIPCChannel*) /gfx/layers/BufferTexture.cpp:455:3
        #3 0x7fe5d0bfe4c4 in ~MemoryTextureData /gfx/layers/BufferTexture.cpp:63:7
        #4 0x7fe5d0bfe4c4 in mozilla::layers::MemoryTextureData::~MemoryTextureData() /gfx/layers/BufferTexture.cpp:61:41
        #5 0x7fe5d0c59833 in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:459:5
        #6 0x7fe5d0c59833 in reset /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:301:7
        #7 0x7fe5d0c59833 in ~UniquePtr /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:249:18
        #8 0x7fe5d0c59833 in mozilla::layers::RemoteTextureMap::TextureDataHolder::~TextureDataHolder() /builds/worker/workspace/obj-build/dist/include/mozilla/layers/RemoteTextureMap.h:129:10
        #9 0x7fe5d0c5d94d in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:459:5
        #10 0x7fe5d0c5d94d in reset /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:301:7
        #11 0x7fe5d0c5d94d in ~UniquePtr /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:249:18
        #12 0x7fe5d0c5d94d in _Destroy<mozilla::UniquePtr<mozilla::layers::RemoteTextureMap::TextureDataHolder, mozilla::DefaultDelete<mozilla::layers::RemoteTextureMap::TextureDataHolder> > > /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_construct.h:98:19
        #13 0x7fe5d0c5d94d in void std::_Destroy_aux<false>::__destroy<mozilla::UniquePtr<mozilla::layers::RemoteTextureMap::TextureDataHolder, mozilla::DefaultDelete<mozilla::layers::RemoteTextureMap::TextureDataHolder> >*>(mozilla::UniquePtr<mozilla::layers::RemoteTextureMap::TextureDataHolder, mozilla::DefaultDelete<mozilla::layers::RemoteTextureMap::TextureDataHolder> >*, mozilla::UniquePtr<mozilla::layers::RemoteTextureMap::TextureDataHolder, mozilla::DefaultDelete<mozilla::layers::RemoteTextureMap::TextureDataHolder> >*) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_construct.h:108:6
        #14 0x7fe5d0c5d30f in std::deque<mozilla::UniquePtr<mozilla::layers::RemoteTextureMap::TextureDataHolder, mozilla::DefaultDelete<mozilla::layers::RemoteTextureMap::TextureDataHolder> >, std::allocator<mozilla::UniquePtr<mozilla::layers::RemoteTextureMap::TextureDataHolder, mozilla::DefaultDelete<mozilla::layers::RemoteTextureMap::TextureDataHolder> > > >::_M_destroy_data(std::_Deque_iterator<mozilla::UniquePtr<mozilla::layers::RemoteTextureMap::TextureDataHolder, mozilla::DefaultDelete<mozilla::layers::RemoteTextureMap::TextureDataHolder> >, mozilla::UniquePtr<mozilla::layers::RemoteTextureMap::TextureDataHolder, mozilla::DefaultDelete<mozilla::layers::RemoteTextureMap::TextureDataHolder> >&, mozilla::UniquePtr<mozilla::layers::RemoteTextureMap::TextureDataHolder, mozilla::DefaultDelete<mozilla::layers::RemoteTextureMap::TextureDataHolder> >*>, std::_Deque_iterator<mozilla::UniquePtr<mozilla::layers::RemoteTextureMap::TextureDataHolder, mozilla::DefaultDelete<mozilla::layers::RemoteTextureMap::TextureDataHolder> >, mozilla::UniquePtr<mozilla::layers::RemoteTextureMap::TextureDataHolder, mozilla::DefaultDelete<mozilla::layers::RemoteTextureMap::TextureDataHolder> >&, mozilla::UniquePtr<mozilla::layers::RemoteTextureMap::TextureDataHolder, mozilla::DefaultDelete<mozilla::layers::RemoteTextureMap::TextureDataHolder> >*>, std::allocator<mozilla::UniquePtr<mozilla::layers::RemoteTextureMap::TextureDataHolder, mozilla::DefaultDelete<mozilla::layers::RemoteTextureMap::TextureDataHolder> > > const&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_deque.h:2072:4
        #15 0x7fe5d0c5cea2 in ~deque /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_deque.h:1045:9
        #16 0x7fe5d0c5cea2 in ~queue /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_queue.h:96:11
        #17 0x7fe5d0c5cea2 in mozilla::layers::RemoteTextureMap::TextureOwner::~TextureOwner() /builds/worker/workspace/obj-build/dist/include/mozilla/layers/RemoteTextureMap.h:147:10
        #18 0x7fe5d0c5e14d in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:459:5
        #19 0x7fe5d0c5e14d in reset /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:301:7
        #20 0x7fe5d0c5e14d in ~UniquePtr /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:249:18
        #21 0x7fe5d0c5e14d in _Destroy<mozilla::UniquePtr<mozilla::layers::RemoteTextureMap::TextureOwner, mozilla::DefaultDelete<mozilla::layers::RemoteTextureMap::TextureOwner> > > /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_construct.h:98:19
        #22 0x7fe5d0c5e14d in void std::_Destroy_aux<false>::__destroy<mozilla::UniquePtr<mozilla::layers::RemoteTextureMap::TextureOwner, mozilla::DefaultDelete<mozilla::layers::RemoteTextureMap::TextureOwner> >*>(mozilla::UniquePtr<mozilla::layers::RemoteTextureMap::TextureOwner, mozilla::DefaultDelete<mozilla::layers::RemoteTextureMap::TextureOwner> >*, mozilla::UniquePtr<mozilla::layers::RemoteTextureMap::TextureOwner, mozilla::DefaultDelete<mozilla::layers::RemoteTextureMap::TextureOwner> >*) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_construct.h:108:6
        #23 0x7fe5d0c309d6 in _Destroy<mozilla::UniquePtr<mozilla::layers::RemoteTextureMap::TextureOwner, mozilla::DefaultDelete<mozilla::layers::RemoteTextureMap::TextureOwner> > *> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_construct.h:136:7
        #24 0x7fe5d0c309d6 in _Destroy<mozilla::UniquePtr<mozilla::layers::RemoteTextureMap::TextureOwner, mozilla::DefaultDelete<mozilla::layers::RemoteTextureMap::TextureOwner> > *, mozilla::UniquePtr<mozilla::layers::RemoteTextureMap::TextureOwner, mozilla::DefaultDelete<mozilla::layers::RemoteTextureMap::TextureOwner> > > /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_construct.h:206:7
        #25 0x7fe5d0c309d6 in ~vector /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:434:9
        #26 0x7fe5d0c309d6 in mozilla::layers::RemoteTextureMap::UnregisterTextureOwners(std::unordered_set<mozilla::layers::RemoteTextureOwnerId, mozilla::layers::RemoteTextureOwnerId::HashFn, std::equal_to<mozilla::layers::RemoteTextureOwnerId>, std::allocator<mozilla::layers::RemoteTextureOwnerId> > const&, int) /gfx/layers/RemoteTextureMap.cpp:221:1
        #27 0x7fe5d0c306e8 in mozilla::layers::RemoteTextureOwnerClient::UnregisterAllTextureOwners() /gfx/layers/RemoteTextureMap.cpp:55:30
        #28 0x7fe5d3e4a1f4 in mozilla::WebGLContext::DestroyResourcesAndContext() /dom/canvas/WebGLContext.cpp:169:26
        #29 0x7fe5d3e7735f in mozilla::WebGLContext::~WebGLContext() /dom/canvas/WebGLContext.cpp:164:33
        #30 0x7fe5d3e77a48 in mozilla::WebGL2Context::~WebGL2Context() /dom/canvas/WebGL2Context.h:24:7
        #31 0x7fe5d3d4b1d1 in mozilla::HostWebGLContext::~HostWebGLContext() /dom/canvas/HostWebGLContext.cpp:74:1
        #32 0x7fe5d3ef6c5f in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:459:5
        #33 0x7fe5d3ef6c5f in reset /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:301:7
        #34 0x7fe5d3ef6c5f in operator= /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:271:5
        #35 0x7fe5d3ef6c5f in mozilla::dom::WebGLParent::Recv__delete__() /dom/canvas/WebGLParent.cpp:95:9
        #36 0x7fe5d40423f9 in mozilla::dom::PWebGLParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGLParent.cpp:191:79
        #37 0x7fe5d135a4ac in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:214:32
        #38 0x7fe5d00a1429 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1755:25
        #39 0x7fe5d009e497 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /ipc/glue/MessageChannel.cpp:1680:9
        #40 0x7fe5d009f0e4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1480:3
        #41 0x7fe5d00a0372 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1578:14
        #42 0x7fe5ce90fe3e in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16
        #43 0x7fe5ce919a94 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #44 0x7fe5d00aa4e1 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:330:5
        #45 0x7fe5cff27da1 in RunInternal /ipc/chromium/src/base/message_loop.cc:381:10
        #46 0x7fe5cff27da1 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #47 0x7fe5cff27da1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #48 0x7fe5ce906f88 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:384:10
        #49 0x7fe5f61d8b7e in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #50 0x7fe5f6999b42 in start_thread nptl/./nptl/pthread_create.c:442:8
    
    previously allocated by thread T40 here:
        #0 0x555e3df4ae0e in __interceptor_malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
        #1 0x7fe5d0bd7c0d in operator new[] /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:47:10
        #2 0x7fe5d0bd7c0d in mozilla::layers::MemoryTextureData::Create(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, mozilla::gfx::SurfaceFormat, mozilla::gfx::BackendType, mozilla::layers::LayersBackend, mozilla::layers::TextureFlags, mozilla::layers::TextureAllocationFlags, mozilla::ipc::IShmemAllocator*) /gfx/layers/BufferTexture.cpp:436:18
        #3 0x7fe5d0bd7a4f in mozilla::layers::BufferTextureData::Create(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, mozilla::gfx::SurfaceFormat, mozilla::gfx::BackendType, mozilla::layers::LayersBackend, mozilla::layers::TextureFlags, mozilla::layers::TextureAllocationFlags, mozilla::ipc::IShmemAllocator*, bool) /gfx/layers/BufferTexture.cpp:116:12
        #4 0x7fe5d0c31458 in Create<std::nullptr_t> /builds/worker/workspace/obj-build/dist/include/mozilla/layers/BufferTexture.h:122:10
        #5 0x7fe5d0c31458 in mozilla::layers::RemoteTextureOwnerClient::CreateOrRecycleBufferTextureData(mozilla::layers::RemoteTextureOwnerId, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, mozilla::gfx::SurfaceFormat) /gfx/layers/RemoteTextureMap.cpp:80:16
        #6 0x7fe5d3e54805 in mozilla::WebGLContext::PushRemoteTexture(mozilla::WebGLFramebuffer*, mozilla::gl::SwapChain&, std::shared_ptr<mozilla::gl::SharedSurface>, mozilla::webgl::SwapChainOptions const&) /dom/canvas/WebGLContext.cpp:1144:38
        #7 0x7fe5d3e561bc in mozilla::WebGLContext::CopyToSwapChain(mozilla::WebGLFramebuffer*, mozilla::layers::TextureType, mozilla::webgl::SwapChainOptions const&) /dom/canvas/WebGLContext.cpp:1063:5
        #8 0x7fe5d3dbd704 in mozilla::HostWebGLContext::CopyToSwapChain(unsigned long, mozilla::layers::TextureType, mozilla::webgl::SwapChainOptions const&) const /dom/canvas/HostWebGLContext.h:177:28
        #9 0x7fe5d3f5cbd3 in auto bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 106ul, void (mozilla::HostWebGLContext::*)(unsigned long, mozilla::layers::TextureType, mozilla::webgl::SwapChainOptions const&) const, &(mozilla::HostWebGLContext::CopyToSwapChain(unsigned long, mozilla::layers::TextureType, mozilla::webgl::SwapChainOptions const&) const)>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&)::'lambda'(auto&...)::operator()<unsigned long, mozilla::layers::TextureType, mozilla::webgl::SwapChainOptions>(auto&...) const /dom/canvas/WebGLCommandQueue.h:246:13
        #10 0x7fe5d3ef4e9e in __invoke_impl<bool, (lambda at /dom/canvas/WebGLCommandQueue.h:238:11), unsigned long &, mozilla::layers::TextureType &, mozilla::webgl::SwapChainOptions &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/invoke.h:60:14
        #11 0x7fe5d3ef4e9e in __invoke<(lambda at /dom/canvas/WebGLCommandQueue.h:238:11), unsigned long &, mozilla::layers::TextureType &, mozilla::webgl::SwapChainOptions &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/invoke.h:95:14
        #12 0x7fe5d3ef4e9e in __apply_impl<(lambda at /dom/canvas/WebGLCommandQueue.h:238:11), std::tuple<unsigned long, mozilla::layers::TextureType, mozilla::webgl::SwapChainOptions> &, 0UL, 1UL, 2UL> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/tuple:1662:14
        #13 0x7fe5d3ef4e9e in apply<(lambda at /dom/canvas/WebGLCommandQueue.h:238:11), std::tuple<unsigned long, mozilla::layers::TextureType, mozilla::webgl::SwapChainOptions> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/tuple:1671:14
        #14 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:237:14
        #15 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #16 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #17 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #18 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #19 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #20 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #21 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #22 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #23 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #24 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #25 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #26 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #27 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #28 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #29 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #30 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #31 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #32 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #33 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #34 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #35 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #36 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #37 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #38 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #39 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #40 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #41 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #42 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #43 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #44 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #45 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #46 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #47 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #48 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #49 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #50 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #51 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #52 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #53 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #54 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #55 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #56 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #57 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #58 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #59 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #60 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #61 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #62 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #63 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #64 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #65 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #66 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #67 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #68 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #69 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #70 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #71 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #72 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #73 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #74 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #75 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #76 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #77 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #78 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #79 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #80 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #81 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #82 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #83 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #84 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #85 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #86 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #87 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #88 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #89 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #90 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #91 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #92 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #93 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #94 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #95 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #96 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #97 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #98 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #99 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #100 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #101 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #102 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #103 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #104 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #105 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #106 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #107 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #108 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #109 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #110 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #111 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #112 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #113 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #114 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #115 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #116 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #117 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #118 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #119 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #120 0x7fe5d3ef4e9e in DispatchCommand<mozilla::HostWebGLContext> /dom/canvas/WebGLCommandQueue.h:251:12
        #121 0x7fe5d3ef4e9e in mozilla::dom::WebGLParent::RecvDispatchCommands(mozilla::ipc::Shmem&&, unsigned long) /dom/canvas/WebGLParent.cpp:64:21
        #122 0x7fe5d404260f in mozilla::dom::PWebGLParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGLParent.cpp:243:79
        #123 0x7fe5d135a4ac in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:214:32
        #124 0x7fe5d00a1429 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1755:25
        #125 0x7fe5d009e497 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /ipc/glue/MessageChannel.cpp:1680:9
        #126 0x7fe5d009f0e4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1480:3
        #127 0x7fe5d00a0372 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1578:14
        #128 0x7fe5ce90fe3e in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16
        #129 0x7fe5ce919a94 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #130 0x7fe5d00aa4e1 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:330:5
        #131 0x7fe5cff27da1 in RunInternal /ipc/chromium/src/base/message_loop.cc:381:10
        #132 0x7fe5cff27da1 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #133 0x7fe5cff27da1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #134 0x7fe5ce906f88 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:384:10
        #135 0x7fe5f61d8b7e in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #136 0x7fe5f6999b42 in start_thread nptl/./nptl/pthread_create.c:442:8
    
    Thread T73 (SwComposite) created by T41 here:
        #0 0x555e3df3436c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
        #1 0x7fe5e584d541 in std::sys::unix::thread::Thread::new::h586fddc512552f6b (/home/jkratzer/builds/mc-asan/libxul.so+0x2187c541) (BuildId: 87a8b4a93a4d5ab45ce1749eba5e8cee71469e2a)
        #2 0x7fe5e02bf52a in wr_window_new /gfx/webrender_bindings/src/bindings.rs:1594:34
        #3 0x7fe5d14ac6f1 in mozilla::wr::NewRenderer::Run(mozilla::wr::RenderThread&, mozilla::wr::WrWindowId) /gfx/webrender_bindings/WebRenderAPI.cpp:133:10
        #4 0x7fe5d14746dd in mozilla::wr::RenderThread::RunEvent(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >) /gfx/webrender_bindings/RenderThread.cpp:488:11
        #5 0x7fe5d14904ae in decltype(*(fp).*fp0(Get<0ul>(fp1).PassAsParameter(), Get<1ul>(fp1).PassAsParameter())) mozilla::detail::RunnableMethodArguments<mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >&&>::applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > >, 0ul, 1ul>(mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), mozilla::Tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > > >&, std::integer_sequence<unsigned long, 0ul, 1ul>) /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
        #6 0x7fe5d149022b in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
        #7 0x7fe5d149022b in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >&&>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
        #8 0x7fe5ce90fe3e in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16
        #9 0x7fe5ce919a94 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #10 0x7fe5d00aa4e1 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:330:5
        #11 0x7fe5cff27da1 in RunInternal /ipc/chromium/src/base/message_loop.cc:381:10
        #12 0x7fe5cff27da1 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #13 0x7fe5cff27da1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #14 0x7fe5ce906f88 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:384:10
        #15 0x7fe5f61d8b7e in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #16 0x7fe5f6999b42 in start_thread nptl/./nptl/pthread_create.c:442:8
    
    Thread T41 created by T0 here:
        #0 0x555e3df3436c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
        #1 0x7fe5f61c8c2c in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:458:14
        #2 0x7fe5f61b9fce in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:533:12
        #3 0x7fe5ce909f05 in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:618:18
        #4 0x7fe5ce917338 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /xpcom/threads/nsThreadManager.cpp:534:12
        #5 0x7fe5ce923799 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /xpcom/threads/nsThreadUtils.cpp:161:57
        #6 0x7fe5d146e211 in NS_NewNamedThread<9UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74:10
        #7 0x7fe5d146e211 in mozilla::wr::RenderThread::Start(unsigned int) /gfx/webrender_bindings/RenderThread.cpp:96:17
        #8 0x7fe5d11883fc in gfxPlatform::InitLayersIPC() /gfx/thebes/gfxPlatform.cpp:1316:7
        #9 0x7fe5d1184942 in gfxPlatform::Init() /gfx/thebes/gfxPlatform.cpp:974:3
        #10 0x7fe5d1187f8e in GetPlatform /gfx/thebes/gfxPlatform.cpp:460:5
        #11 0x7fe5d1187f8e in gfxPlatform::InitializeCMS() /gfx/thebes/gfxPlatform.cpp:2111:9
        #12 0x7fe5d723718c in EnsureCMSInitialized /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:966:7
        #13 0x7fe5d723718c in gfxPlatform::GetCMSMode() /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:528:5
        #14 0x7fe5d723672e in nsXPLookAndFeel::GetUncachedColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /widget/nsXPLookAndFeel.cpp:963:9
        #15 0x7fe5d72362c5 in nsXPLookAndFeel::GetColorValue(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins, unsigned int&) /widget/nsXPLookAndFeel.cpp:943:17
        #16 0x7fe5d723a5f6 in mozilla::LookAndFeel::GetColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /widget/nsXPLookAndFeel.cpp:1362:47
        #17 0x7fe5d719dd51 in Color /builds/worker/workspace/obj-build/dist/include/mozilla/LookAndFeel.h:444:12
        #18 0x7fe5d719dd51 in GetAccentColor /widget/ThemeColors.cpp:91:7
        #19 0x7fe5d719dd51 in mozilla::widget::ThemeColors::RecomputeAccentColors() /widget/ThemeColors.cpp:195:20
        #20 0x7fe5d719d98d in mozilla::widget::Theme::LookAndFeelChanged() /widget/Theme.cpp:180:3
        #21 0x7fe5d723456e in nsXPLookAndFeel::GetInstance() /widget/nsXPLookAndFeel.cpp:385:3
        #22 0x7fe5d723b0c5 in mozilla::LookAndFeel::GetThemeInfo(nsTSubstring<char>&) /widget/nsXPLookAndFeel.cpp:1475:3
        #23 0x7fe5ce767dca in nsSystemInfo::Init() /xpcom/base/nsSystemInfo.cpp:1047:5
        #24 0x7fe5ce8832b0 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:9485:7
        #25 0x7fe5ce8bc32e in CreateInstance /xpcom/components/nsComponentManager.cpp:184:46
        #26 0x7fe5ce8bc32e in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::detail::BaseMonitorAutoLock<mozilla::Monitor> >&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:975:17
        #27 0x7fe5ce8bcdf8 in nsComponentManagerImpl::GetService(mozilla::xpcom::ModuleID, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:1065:10
        #28 0x7fe5ce8a2ccd in mozilla::xpcom::GetServiceHelper::operator()(nsID const&, void**) const /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:12865:50
        #29 0x7fe5ce71e231 in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) /xpcom/base/nsCOMPtr.cpp:109:7
        #30 0x7fe5d03b6791 in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:999:5
        #31 0x7fe5d03b6791 in xpc::GetServiceImpl(JSContext*, mozilla::xpcom::JSServiceEntry const&, JS::MutableHandle<JSObject*>, mozilla::ErrorResult&) /js/xpconnect/src/JSServices.cpp:83:32
        #32 0x7fe5d03b6218 in xpc::GetService(JSContext*, mozilla::xpcom::JSServiceEntry const&, mozilla::ErrorResult&) /js/xpconnect/src/JSServices.cpp:130:8
        #33 0x7fe5d03b5141 in xpc::Services_Resolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) /js/xpconnect/src/JSServices.cpp:153:25
        #34 0x7fe5dc979ef8 in CallResolveOp /js/src/vm/NativeObject-inl.h:639:8
        #35 0x7fe5dc979ef8 in NativeLookupOwnPropertyInline<js::CanGC, js::LookupResolveMode::CheckResolve> /js/src/vm/NativeObject-inl.h:751:14
        #36 0x7fe5dc979ef8 in NativeGetPropertyInline<js::CanGC> /js/src/vm/NativeObject.cpp:2169:10
        #37 0x7fe5dc979ef8 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2217:10
        #38 0x7fe5dc5edd94 in GetProperty /js/src/vm/ObjectOperations-inl.h:118:10
        #39 0x7fe5dc5edd94 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) /js/src/vm/ObjectOperations-inl.h:125:10
        #40 0x7fe5de0faf13 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:4719:10
        #41 0x7fe5de0ccffc in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3029:12
        #42 0x7fe5de0c7b0e in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:430:13
        #43 0x7fe5de0f3ca5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:578:13
        #44 0x7fe5de0f574e in InternalCall /js/src/vm/Interpreter.cpp:613:10
        #45 0x7fe5de0f574e in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:645:8
        #46 0x7fe5dc763de4 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:53:10
        #47 0x7fe5d03fc255 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /js/xpconnect/src/XPCWrappedJSClass.cpp:981:17
        #48 0x7fe5ce968012 in PrepareAndDispatch /xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
        #49 0x7fe5ce966d62 in SharedStub xptcstubs_x86_64_linux.cpp
        #50 0x7fe5ce8b5bbd in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /xpcom/components/nsCategoryManager.cpp:682:19
        #51 0x7fe5dc2ac529 in nsXREDirProvider::DoStartup() /toolkit/xre/nsXREDirProvider.cpp:958:11
        #52 0x7fe5dc283380 in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:5468:18
        #53 0x7fe5dc285c4e in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5919:8
        #54 0x7fe5dc2869cb in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5975:21
        #55 0x555e3df89736 in do_main(int, char**, char**) /browser/app/nsBrowserApp.cpp:229:22
        #56 0x555e3df889d7 in main /browser/app/nsBrowserApp.cpp:433:16
        #57 0x7fe5f692ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    
    Thread T40 created by T0 here:
        #0 0x555e3df3436c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
        #1 0x7fe5f61c8c2c in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:458:14
        #2 0x7fe5f61b9fce in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:533:12
        #3 0x7fe5ce909f05 in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:618:18
        #4 0x7fe5ce917338 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /xpcom/threads/nsThreadManager.cpp:534:12
        #5 0x7fe5ce923799 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /xpcom/threads/nsThreadUtils.cpp:161:57
        #6 0x7fe5d1326f6a in NS_NewNamedThread<15UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74:10
        #7 0x7fe5d1326f6a in mozilla::gfx::CanvasRenderThread::Start() /gfx/ipc/CanvasRenderThread.cpp:41:17
        #8 0x7fe5d11883e8 in gfxPlatform::InitLayersIPC() /gfx/thebes/gfxPlatform.cpp:1314:9
        #9 0x7fe5d1184942 in gfxPlatform::Init() /gfx/thebes/gfxPlatform.cpp:974:3
        #10 0x7fe5d1187f8e in GetPlatform /gfx/thebes/gfxPlatform.cpp:460:5
        #11 0x7fe5d1187f8e in gfxPlatform::InitializeCMS() /gfx/thebes/gfxPlatform.cpp:2111:9
        #12 0x7fe5d723718c in EnsureCMSInitialized /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:966:7
        #13 0x7fe5d723718c in gfxPlatform::GetCMSMode() /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:528:5
        #14 0x7fe5d723672e in nsXPLookAndFeel::GetUncachedColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /widget/nsXPLookAndFeel.cpp:963:9
        #15 0x7fe5d72362c5 in nsXPLookAndFeel::GetColorValue(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins, unsigned int&) /widget/nsXPLookAndFeel.cpp:943:17
        #16 0x7fe5d723a5f6 in mozilla::LookAndFeel::GetColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /widget/nsXPLookAndFeel.cpp:1362:47
        #17 0x7fe5d719dd51 in Color /builds/worker/workspace/obj-build/dist/include/mozilla/LookAndFeel.h:444:12
        #18 0x7fe5d719dd51 in GetAccentColor /widget/ThemeColors.cpp:91:7
        #19 0x7fe5d719dd51 in mozilla::widget::ThemeColors::RecomputeAccentColors() /widget/ThemeColors.cpp:195:20
        #20 0x7fe5d719d98d in mozilla::widget::Theme::LookAndFeelChanged() /widget/Theme.cpp:180:3
        #21 0x7fe5d723456e in nsXPLookAndFeel::GetInstance() /widget/nsXPLookAndFeel.cpp:385:3
        #22 0x7fe5d723b0c5 in mozilla::LookAndFeel::GetThemeInfo(nsTSubstring<char>&) /widget/nsXPLookAndFeel.cpp:1475:3
        #23 0x7fe5ce767dca in nsSystemInfo::Init() /xpcom/base/nsSystemInfo.cpp:1047:5
        #24 0x7fe5ce8832b0 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:9485:7
        #25 0x7fe5ce8bc32e in CreateInstance /xpcom/components/nsComponentManager.cpp:184:46
        #26 0x7fe5ce8bc32e in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::detail::BaseMonitorAutoLock<mozilla::Monitor> >&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:975:17
        #27 0x7fe5ce8bcdf8 in nsComponentManagerImpl::GetService(mozilla::xpcom::ModuleID, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:1065:10
        #28 0x7fe5ce8a2ccd in mozilla::xpcom::GetServiceHelper::operator()(nsID const&, void**) const /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:12865:50
        #29 0x7fe5ce71e231 in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) /xpcom/base/nsCOMPtr.cpp:109:7
        #30 0x7fe5d03b6791 in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:999:5
        #31 0x7fe5d03b6791 in xpc::GetServiceImpl(JSContext*, mozilla::xpcom::JSServiceEntry const&, JS::MutableHandle<JSObject*>, mozilla::ErrorResult&) /js/xpconnect/src/JSServices.cpp:83:32
        #32 0x7fe5d03b6218 in xpc::GetService(JSContext*, mozilla::xpcom::JSServiceEntry const&, mozilla::ErrorResult&) /js/xpconnect/src/JSServices.cpp:130:8
        #33 0x7fe5d03b5141 in xpc::Services_Resolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) /js/xpconnect/src/JSServices.cpp:153:25
        #34 0x7fe5dc979ef8 in CallResolveOp /js/src/vm/NativeObject-inl.h:639:8
        #35 0x7fe5dc979ef8 in NativeLookupOwnPropertyInline<js::CanGC, js::LookupResolveMode::CheckResolve> /js/src/vm/NativeObject-inl.h:751:14
        #36 0x7fe5dc979ef8 in NativeGetPropertyInline<js::CanGC> /js/src/vm/NativeObject.cpp:2169:10
        #37 0x7fe5dc979ef8 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2217:10
        #38 0x7fe5dc5edd94 in GetProperty /js/src/vm/ObjectOperations-inl.h:118:10
        #39 0x7fe5dc5edd94 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) /js/src/vm/ObjectOperations-inl.h:125:10
        #40 0x7fe5de0faf13 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:4719:10
        #41 0x7fe5de0ccffc in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3029:12
        #42 0x7fe5de0c7b0e in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:430:13
        #43 0x7fe5de0f3ca5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:578:13
        #44 0x7fe5de0f574e in InternalCall /js/src/vm/Interpreter.cpp:613:10
        #45 0x7fe5de0f574e in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:645:8
        #46 0x7fe5dc763de4 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:53:10
        #47 0x7fe5d03fc255 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /js/xpconnect/src/XPCWrappedJSClass.cpp:981:17
        #48 0x7fe5ce968012 in PrepareAndDispatch /xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
        #49 0x7fe5ce966d62 in SharedStub xptcstubs_x86_64_linux.cpp
        #50 0x7fe5ce8b5bbd in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /xpcom/components/nsCategoryManager.cpp:682:19
        #51 0x7fe5dc2ac529 in nsXREDirProvider::DoStartup() /toolkit/xre/nsXREDirProvider.cpp:958:11
        #52 0x7fe5dc283380 in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:5468:18
        #53 0x7fe5dc285c4e in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5919:8
        #54 0x7fe5dc2869cb in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5975:21
        #55 0x555e3df89736 in do_main(int, char**, char**) /browser/app/nsBrowserApp.cpp:229:22
        #56 0x555e3df889d7 in main /browser/app/nsBrowserApp.cpp:433:16
        #57 0x7fe5f692ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    
    SUMMARY: AddressSanitizer: heap-use-after-free /gfx/wr/swgl/src/vector_type.h:503:5 in load<unsigned int>
    Shadow bytes around the buggy address:
      0x0ffd2fdc74b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ffd2fdc74c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ffd2fdc74d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ffd2fdc74e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ffd2fdc74f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0ffd2fdc7500:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0ffd2fdc7510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0ffd2fdc7520: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0ffd2fdc7530: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0ffd2fdc7540: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0ffd2fdc7550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==36465==ABORTING
Attached file Testcase
Group: core-security → gfx-core-security
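
A triage check on the report above, as an added example (not part of the original bug or of Mozilla's tooling): it recomputes the shadow address for the faulting address and confirms that every shadow byte covered by the 16-byte READ is marked as freed heap. The shadow offset 0x7fff8000 is an assumption (ASan's default on x86_64 Linux), and the function names are hypothetical; the excerpt lines are copied from this report.

```python
import re

SHADOW_SCALE = 3            # one shadow byte represents 2**3 = 8 application bytes
SHADOW_OFFSET = 0x7FFF8000  # assumption: ASan default shadow offset on x86_64 Linux

# Subset of the shadow byte legend printed in the report.
LEGEND = {0x00: "addressable", 0xFA: "heap left redzone", 0xFD: "freed heap region"}

# Excerpt of the ASan report on this page (header lines plus three shadow rows).
REPORT = """\
==36465==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fe57ee7a800 at pc 0x7fe5e1c5de6a bp 0x7fe59bc1a550 sp 0x7fe59bc1a548
READ of size 16 at 0x7fe57ee7a800 thread T73 (SwComposite)
  0x0ffd2fdc74f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0ffd2fdc7500:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ffd2fdc7510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
"""


def shadow_address(addr):
    """Map an application address to the address of its shadow byte."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET


def parse_shadow(text):
    """Return ({shadow_addr: byte}, shadow address of the [xx]-marked byte)."""
    shadow, marked = {}, None
    rows = re.findall(r"^[ \t]*(?:=>)?(0x[0-9a-f]+):(.*)$", text, re.M)
    for row, rest in rows:
        base = int(row, 16)
        if "[" in rest:
            # Count the shadow bytes that precede the bracket in this row.
            before = rest[:rest.index("[")]
            marked = base + len(re.findall(r"[0-9a-f]{2}", before))
        for i, byte in enumerate(re.findall(r"[0-9a-f]{2}", rest)):
            shadow[base + i] = int(byte, 16)
    return shadow, marked


def triage(text):
    """Cross-check the report header against its own shadow dump."""
    kind = re.search(r"ERROR: AddressSanitizer: (\S+) on address", text).group(1)
    access, size, addr, thread = re.search(
        r"(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (T\d+)", text
    ).groups()
    addr, size = int(addr, 16), int(size)
    shadow, marked = parse_shadow(text)

    # Shadow bytes spanned by the access [addr, addr + size - 1].
    first, last = shadow_address(addr), shadow_address(addr + size - 1)
    states = []
    for s in range(first, last + 1):
        value = shadow.get(s)
        if value is None:
            states.append("not in dump")
        else:
            states.append(LEGEND.get(value, hex(value)))

    return {
        "kind": kind,
        "access": access,
        "size": size,
        "thread": thread,
        "marked_shadow": marked,
        "marker_matches": marked == first,
        "states": states,
    }


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

The whole access falling inside freed heap, with left redzone immediately before it, is consistent with a read from the start of an allocation that had already been released, which matches the lifetime fix described later in this bug.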

Some of the stacks look similar to bug 1789569 but I don't know if it is the same issue or not.

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220907093209-663615ef7a19.
The bug appears to have been introduced in the following build range:

Start: 3028c8c7847cc1be81d4bec6cad0481735610428 (20220906221951)
End: a827c7146c5f6a340d91a1f8763d7f6e0da68269 (20220907010100)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=3028c8c7847cc1be81d4bec6cad0481735610428&tochange=a827c7146c5f6a340d91a1f8763d7f6e0da68269

Keywords: regression
Whiteboard: [bugmon:confirm][fuzzblocker] → [bugmon:bisected,confirmed][fuzzblocker]

Maybe a regression from bug 1781740? That looks the most related.

Flags: needinfo?(sotaro.ikeda.g)
Assignee: nobody → sotaro.ikeda.g
Flags: needinfo?(sotaro.ikeda.g)

Comment on attachment 9293625 [details]
Bug 1789658 - Keep gl::SharedSurface/TextureData alive if remote texture's TextureHost is still in use by WebRender

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Relatively easily, but the actual risk of the exploit is relatively low. And it affects only Nightly on Linux and macOS. GPU-accelerated Canvas2D is enabled only on Nightly on Linux and macOS.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: Only 106 Branch (nightly)
  • If not all supported branches, which bug introduced the flaw?: Bug 1781740
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: It affects only 106 Branch (nightly)
  • How likely is this patch to cause regressions; how much testing does it need?: Unlikely. The patch just extends lifetime of gl::SharedSurface/TextureData.
  • Is Android affected?: No
Attachment #9293625 - Flags: sec-approval?

Based on comment #3, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:sotaro, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit auto_nag documentation.

Flags: needinfo?(sotaro.ikeda.g)
Flags: needinfo?(sotaro.ikeda.g)
Regressed by: 1781740

Comment on attachment 9293625 [details]
Bug 1789658 - Keep gl::SharedSurface/TextureData alive if remote texture's TextureHost is still in use by WebRender

If this is Nightly-only, it doesn't need sec-approval.

Attachment #9293625 - Flags: sec-approval?

Set release status flags based on info from the regressing bug 1781740

Keep gl::SharedSurface/TextureData alive if remote texture's TextureHost is still in use by WebRender r=lsalzman
https://hg.mozilla.org/integration/autoland/rev/fd6f36e1cbe42163a01970de687466ff3a2fb073
https://hg.mozilla.org/mozilla-central/rev/fd6f36e1cbe4

Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220908213354-5caa044a10b8.

Status: RESOLVED → VERIFIED
Blocks: 1781798
Group: core-security-release
Keywords: bugmon