Closed Bug 1818508 Opened 2 years ago Closed 1 year ago

Crash [@ _mesa_readpixels_needs_slow_path]

Categories

(Core :: Graphics: CanvasWebGL, defect)

x86_64
Linux
defect

RESOLVED WORKSFORME

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: testcase, Whiteboard: [bugmon:confirm])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev 5bb3e281dc9e (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 5bb3e281dc9e --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
[@ _mesa_readpixels_needs_slow_path]

    =================================================================
    ==668510==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000026 (pc 0x7ffa790fdfa7 bp 0x7ffa2e1a0800 sp 0x7ffa5c78adf0 T40)
    ==668510==The signal is caused by a READ memory access.
    ==668510==Hint: address points to the zero page.
        #0 0x7ffa790fdfa7 in _mesa_readpixels_needs_slow_path build/../src/mesa/main/readpix.c:184:52
        #1 0x7ffa790fe162 in readpixels_can_use_memcpy build/../src/mesa/main/readpix.c:206:8
        #2 0x7ffa790fe162 in readpixels_memcpy build/../src/mesa/main/readpix.c:239:9
        #3 0x7ffa790fe162 in _mesa_readpixels build/../src/mesa/main/readpix.c:885:11
        #4 0x7ffa7913d21a in st_ReadPixels build/../src/mesa/state_tracker/st_cb_readpixels.c:566:4
        #5 0x7ffa790ff493 in read_pixels build/../src/mesa/main/readpix.c:1178:4
        #6 0x7ffa790ff493 in _mesa_ReadnPixelsARB_no_error build/../src/mesa/main/readpix.c:1187:4
        #7 0x7ffa790ffcc5 in _mesa_ReadPixels_no_error build/../src/mesa/main/readpix.c:1202:4
        #8 0x7ffa8f47d3c4 in mozilla::gl::GLContext::raw_fReadPixels(int, int, int, int, unsigned int, unsigned int, void*) /builds/worker/workspace/obj-build/dist/include/GLContext.h:1556:5
        #9 0x7ffa9296e5a2 in mozilla::WebGLContext::DoReadPixelsAndConvert(mozilla::webgl::FormatInfo const*, mozilla::webgl::ReadPixelsDesc const&, unsigned long, unsigned long, unsigned int) /dom/canvas/WebGLContextGL.cpp
        #10 0x7ffa92970435 in mozilla::WebGLContext::ReadPixelsImpl(mozilla::webgl::ReadPixelsDesc const&, unsigned long, unsigned long) /dom/canvas/WebGLContextGL.cpp:1158:5
        #11 0x7ffa9296eaaf in mozilla::WebGLContext::ReadPixelsInto(mozilla::webgl::ReadPixelsDesc const&, mozilla::Range<unsigned char> const&) /dom/canvas/WebGLContextGL.cpp:920:10
        #12 0x7ffa927ee76e in mozilla::HostWebGLContext::ReadPixelsInto(mozilla::webgl::ReadPixelsDesc const&, mozilla::Range<unsigned char> const&) const /dom/canvas/HostWebGLContext.h:657:22
        #13 0x7ffa929c1bf6 in mozilla::dom::WebGLParent::RecvReadPixels(mozilla::webgl::ReadPixelsDesc const&, mozilla::dom::ReadPixelsBuffer&&, mozilla::webgl::ReadPixelsResultIpc*) /dom/canvas/WebGLParent.cpp:184:29
        #14 0x7ffa92b134f8 in mozilla::dom::PWebGLParent::OnMessageReceived(IPC::Message const&, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGLParent.cpp:650:79
        #15 0x7ffa8fd6c3c3 in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:389:32
        #16 0x7ffa8e9cdccf in mozilla::ipc::MessageChannel::DispatchSyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>&) /ipc/glue/MessageChannel.cpp:1767:25
        #17 0x7ffa8e9cb4c5 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1723:9
        #18 0x7ffa8e9cc0be in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1525:3
        #19 0x7ffa8e9cd2ee in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1623:14
        #20 0x7ffa8d1c6554 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1219:16
        #21 0x7ffa8d1d0204 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:477:10
        #22 0x7ffa8e9d797a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
        #23 0x7ffa8e855047 in RunInternal /ipc/chromium/src/base/message_loop.cc:381:10
        #24 0x7ffa8e855047 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #25 0x7ffa8e855047 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #26 0x7ffa8d1bdea5 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:384:10
        #27 0x7ffab00eb628 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #28 0x7ffaafe94b42 in start_thread nptl/pthread_create.c:442:8
        #29 0x7ffaaff269ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV build/../src/mesa/main/readpix.c:184:52 in _mesa_readpixels_needs_slow_path
    Thread T40 created by T0 here:
        #0 0x559437c5db6c in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
        #1 0x7ffab00db6f9 in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:458:14
        #2 0x7ffab00ccb6e in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:533:12
        #3 0x7ffa8d1c134b in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:619:18
        #4 0x7ffa8d1cdf50 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /xpcom/threads/nsThreadManager.cpp:548:12
        #5 0x7ffa8d1da89c in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /xpcom/threads/nsThreadUtils.cpp:173:57
        #6 0x7ffa8fd3516d in NS_NewNamedThread<15UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74:10
        #7 0x7ffa8fd3516d in mozilla::gfx::CanvasRenderThread::Start() /gfx/ipc/CanvasRenderThread.cpp:55:17
        #8 0x7ffa8fb40d03 in gfxPlatform::InitLayersIPC() /gfx/thebes/gfxPlatform.cpp:1314:9
        #9 0x7ffa8fb3c567 in gfxPlatform::Init() /gfx/thebes/gfxPlatform.cpp:973:3
        #10 0x7ffa8fb407ec in GetPlatform /gfx/thebes/gfxPlatform.cpp:463:5
        #11 0x7ffa8fb407ec in gfxPlatform::InitializeCMS() /gfx/thebes/gfxPlatform.cpp:2111:9
        #12 0x7ffa96076bbe in EnsureCMSInitialized /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:964:7
        #13 0x7ffa96076bbe in gfxPlatform::GetCMSMode() /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:519:5
        #14 0x7ffa96076445 in nsXPLookAndFeel::GetUncachedColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /widget/nsXPLookAndFeel.cpp:1007:9
        #15 0x7ffa96075e23 in nsXPLookAndFeel::GetColorValue(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins, unsigned int&) /widget/nsXPLookAndFeel.cpp:987:17
        #16 0x7ffa9607a9d6 in mozilla::LookAndFeel::GetColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /widget/nsXPLookAndFeel.cpp:1430:47
        #17 0x7ffa95fe093d in Color /builds/worker/workspace/obj-build/dist/include/mozilla/LookAndFeel.h:452:12
        #18 0x7ffa95fe093d in GetAccentColor /widget/ThemeColors.cpp:91:7
        #19 0x7ffa95fe093d in mozilla::widget::ThemeColors::RecomputeAccentColors() /widget/ThemeColors.cpp:195:20
        #20 0x7ffa95fe057d in mozilla::widget::Theme::LookAndFeelChanged() /widget/Theme.cpp:182:3
        #21 0x7ffa96073bc2 in nsXPLookAndFeel::GetInstance() /widget/nsXPLookAndFeel.cpp:407:3
        #22 0x7ffa9607b455 in mozilla::LookAndFeel::GetThemeInfo(nsTSubstring<char>&) /widget/nsXPLookAndFeel.cpp:1543:3
        #23 0x7ffa8d01a1ac in nsSystemInfo::Init() /xpcom/base/nsSystemInfo.cpp:1081:5
        #24 0x7ffa8d133af2 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:11019:7
        #25 0x7ffa8d169e5b in CreateInstance /xpcom/components/nsComponentManager.cpp:184:46
        #26 0x7ffa8d169e5b in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::detail::BaseMonitorAutoLock<mozilla::Monitor>>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:971:17
        #27 0x7ffa8d16a98a in nsComponentManagerImpl::GetService(mozilla::xpcom::ModuleID, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:1061:10
        #28 0x7ffa8d151b8e in mozilla::xpcom::GetServiceHelper::operator()(nsID const&, void**) const /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:13076:50
        #29 0x7ffa8cfd3c71 in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) /xpcom/base/nsCOMPtr.cpp:109:7
        #30 0x7ffa8ed1e3eb in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:999:5
        #31 0x7ffa8ed1e3eb in GetServiceImpl /js/xpconnect/src/JSServices.cpp:83:32
        #32 0x7ffa8ed1e3eb in GetService /js/xpconnect/src/JSServices.cpp:130:8
        #33 0x7ffa8ed1e3eb in xpc::Services_Resolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) /js/xpconnect/src/JSServices.cpp:153:25
        #34 0x7ffa9b753b42 in CallResolveOp /js/src/vm/NativeObject-inl.h:626:8
        #35 0x7ffa9b753b42 in NativeLookupOwnPropertyInline<(js::AllowGC)1, (js::LookupResolveMode)1> /js/src/vm/NativeObject-inl.h:738:14
        #36 0x7ffa9b753b42 in NativeGetPropertyInline<(js::AllowGC)1> /js/src/vm/NativeObject.cpp:2176:10
        #37 0x7ffa9b753b42 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2224:10
        #38 0x7ffa9b3c1091 in GetProperty /js/src/vm/ObjectOperations-inl.h:118:10
        #39 0x7ffa9b3c1091 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) /js/src/vm/ObjectOperations-inl.h:125:10
        #40 0x7ffa9b47fe63 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:4720:10
        #41 0x7ffa9b452010 in GetPropertyOperation /js/src/vm/Interpreter.cpp:245:10
        #42 0x7ffa9b452010 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3017:12
        #43 0x7ffa9b44b48c in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:431:13
        #44 0x7ffa9b4784a0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:579:13
        #45 0x7ffa9b47a15f in InternalCall /js/src/vm/Interpreter.cpp:614:10
        #46 0x7ffa9b47a15f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:646:8
        #47 0x7ffa9b47b726 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:768:10
        #48 0x7ffa9b754428 in CallGetter /js/src/vm/NativeObject.cpp:2017:12
        #49 0x7ffa9b754428 in GetExistingProperty<(js::AllowGC)1> /js/src/vm/NativeObject.cpp:2045:12
        #50 0x7ffa9b754428 in NativeGetPropertyInline<(js::AllowGC)1> /js/src/vm/NativeObject.cpp:2193:14
        #51 0x7ffa9b754428 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2224:10
        #52 0x7ffa9b3c1091 in GetProperty /js/src/vm/ObjectOperations-inl.h:118:10
        #53 0x7ffa9b3c1091 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) /js/src/vm/ObjectOperations-inl.h:125:10
        #54 0x7ffa9b47fe63 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:4720:10
        #55 0x7ffa9b452010 in GetPropertyOperation /js/src/vm/Interpreter.cpp:245:10
        #56 0x7ffa9b452010 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3017:12
        #57 0x7ffa9b44b48c in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:431:13
        #58 0x7ffa9b4784a0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:579:13
        #59 0x7ffa9b47a15f in InternalCall /js/src/vm/Interpreter.cpp:614:10
        #60 0x7ffa9b47a15f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:646:8
        #61 0x7ffa9b581ee2 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:53:10
        #62 0x7ffa8ed60b34 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /js/xpconnect/src/XPCWrappedJSClass.cpp:918:17
        #63 0x7ffa8d215ddc in PrepareAndDispatch /xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
        #64 0x7ffa8d214bda in SharedStub xptcstubs_x86_64_linux.cpp
        #65 0x7ffa8d1632e0 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /xpcom/components/nsCategoryManager.cpp:682:19
        #66 0x7ffa9b073710 in nsXREDirProvider::DoStartup() /toolkit/xre/nsXREDirProvider.cpp:820:11
        #67 0x7ffa9b04f97d in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:5388:18
        #68 0x7ffa9b051ee9 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5843:8
        #69 0x7ffa9b052c7b in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5899:21
        #70 0x559437cb231d in do_main /browser/app/nsBrowserApp.cpp:226:22
        #71 0x559437cb231d in main /browser/app/nsBrowserApp.cpp:423:16
        #72 0x7ffaafe29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    
    ==668510==ABORTING
Attached file Testcase
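As an added triage example (not part of the bug report, of bugmon, or of any Firefox or Mesa code), this script parses the AddressSanitizer output above, derives the [@ ...] crash signature Bugzilla uses, and flags the fault address 0x26 as a near-null read, which is what the "address points to the zero page" hint means in a form a triage pipeline can key on. The embedded report is a constructed excerpt of the trace above with several frames omitted for brevity.

```python
import re

# Constructed excerpt of this bug's AddressSanitizer report (several frames omitted).
ASAN_REPORT = """\
==668510==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000026 (pc 0x7ffa790fdfa7 bp 0x7ffa2e1a0800 sp 0x7ffa5c78adf0 T40)
==668510==The signal is caused by a READ memory access.
==668510==Hint: address points to the zero page.
    #0 0x7ffa790fdfa7 in _mesa_readpixels_needs_slow_path build/../src/mesa/main/readpix.c:184:52
    #1 0x7ffa790fe162 in readpixels_can_use_memcpy build/../src/mesa/main/readpix.c:206:8
    #2 0x7ffa790fe162 in readpixels_memcpy build/../src/mesa/main/readpix.c:239:9
    #3 0x7ffa790fe162 in _mesa_readpixels build/../src/mesa/main/readpix.c:885:11
    #8 0x7ffa8f47d3c4 in mozilla::gl::GLContext::raw_fReadPixels(int, int, int, int, unsigned int, unsigned int, void*) /builds/worker/workspace/obj-build/dist/include/GLContext.h:1556:5
    #9 0x7ffa9296e5a2 in mozilla::WebGLContext::DoReadPixelsAndConvert(mozilla::webgl::FormatInfo const*, mozilla::webgl::ReadPixelsDesc const&, unsigned long, unsigned long, unsigned int) /dom/canvas/WebGLContextGL.cpp
"""

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\w+) on unknown address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
# C++ function names contain spaces, so the source location is the last token on the line.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+) (\S+)$", re.M)
PAGE_SIZE = 0x1000  # the "zero page" ASan refers to on x86_64 Linux

def parse_asan_report(text):
    """Return the fault kind, faulting address, access type and symbolized frames."""
    head = HEADER_RE.search(text)
    if head is None:
        raise ValueError("not an AddressSanitizer unknown-address report")
    access = ACCESS_RE.search(text)
    frames = [(int(i), fn, loc) for i, fn, loc in FRAME_RE.findall(text)]
    return {"kind": head.group(1), "address": int(head.group(2), 16),
            "access": access.group(1) if access else "UNKNOWN", "frames": frames}

def crash_signature(report):
    """Bugzilla-style signature: the top frame's function name without its argument list."""
    return "[@ %s]" % report["frames"][0][1].split("(")[0]

def classify(report):
    """A fault inside the zero page usually means an unchecked NULL pointer plus a field offset."""
    addr, access = report["address"], report["access"].lower()
    if addr < PAGE_SIZE:
        return "near-null %s (probable NULL pointer + field offset 0x%x)" % (access, addr)
    return "wild %s at 0x%x" % (access, addr)

def first_gecko_frame(report):
    """First frame outside the Mesa build tree: the Firefox call that reached the driver."""
    for frame in report["frames"]:
        if not frame[2].startswith("build/../src/mesa"):
            return frame
    return None

if __name__ == "__main__":
    rep = parse_asan_report(ASAN_REPORT)
    print(crash_signature(rep), "-", classify(rep), "- via", first_gecko_frame(rep)[1])
```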

Unable to reproduce bug 1818508 using build mozilla-central 20230222214030-5bb3e281dc9e. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

I'm not sure why bugmon is unable to reproduce this as I can reproduce it reliably locally. I'll work on getting a pernosco session for this bug.

A pernosco session for this bug can be found here.

The severity field is not set for this bug.
:jgilbert, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jgilbert)

This test case is a little surprising - it creates a WebGPU adapter but never uses it. The crash stack is in Mesa code called from WebGL, apparently in response to a canvas2d call. Is the WebGPU adapter really needed to reproduce the bug?

Severity: -- → S3

Does this still reproduce for you? If so, does it crash if the const adapter = line is commented out? The Pernosco session from comment 5 doesn't show Mesa sources, so it's hard to know what part of _mesa_readpixels_needs_slow_path is crashing. The session shows that ctx is non-NULL, but that's about all I can discern from it.

Flags: needinfo?(jgilbert) → needinfo?(jkratzer)

Neither :twsmith nor I can reproduce this anymore on either the original revision or tip. Our best guess is that this was fixed upstream in mesa? I think we can safely close this for now and if it appears again, I'll file a new issue.

Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(jkratzer)
Resolution: --- → WORKSFORME