SEGV on unknown address 0x000000000000 in mozilla::dom::ImageUtils::Impl::GetFormat() in ASAN build
Categories
(Core :: Audio/Video: Playback, defect)
Tracking
()
People
(Reporter: wh0tlif3, Unassigned, NeedInfo)
References
Details
(Keywords: crash, reporter-external, testcase, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Attachments
(1 file)
|
767.17 KB,
text/html
|
Details |
tested on nightly
=================================================================
==2798316==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe1129e2f28 bp 0x7ffee67a3070 sp 0x7ffee67a3030 T0)
==2798316==The signal is caused by a READ memory access.
==2798316==Hint: address points to the zero page.
#0 0x7fe1129e2f28 in Surface /builds/worker/checkouts/gecko/dom/canvas/ImageUtils.cpp:126:27
#1 0x7fe1129e2f28 in mozilla::dom::ImageUtils::Impl::GetFormat() const /builds/worker/checkouts/gecko/dom/canvas/ImageUtils.cpp:108:50
#2 0x7fe11503237d in mozilla::dom::VideoFrame::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::HTMLVideoElement&, mozilla::dom::VideoFrameInit const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/media/webcodecs/VideoFrame.cpp:1362:54
#3 0x7fe111a10fb2 in mozilla::dom::VideoFrame_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/./VideoFrameBinding.cpp:2052:64
#4 0x7fe11cff9f51 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:479:13
#5 0x7fe11cff9f51 in CallJSNativeConstructor /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:495:8
#6 0x7fe11cff9f51 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:720:10
#7 0x7fe11d01bc05 in ConstructFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:748:10
#8 0x7fe11d01bc05 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3045:16
#9 0x7fe11cff5b17 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:393:10
#10 0x7fe11cff5b17 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:451:13
#11 0x7fe11cff6efe in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:13
#12 0x7fe11cff8e86 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:640:10
#13 0x7fe11cff8e86 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:672:8
#14 0x7fe11d16f32b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#15 0x7fe11222b4e2 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
#16 0x7fe11368ff02 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#17 0x7fe11368d955 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
#18 0x7fe113638b29 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1348:22
#19 0x7fe11363b73a in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1663:12
#20 0x7fe11363a176 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1560:35
#21 0x7fe11361d542 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:364:17
#22 0x7fe11361aa48 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:611:18
#23 0x7fe11362250a in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1232:11
#24 0x7fe117fd4d06 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1077:7
#25 0x7fe11b99dc1e in nsDocShell::EndPageLoad(nsIWebProgress, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6329:13
#26 0x7fe11b99c9b7 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5721:7
#27 0x7fe11b99f476 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#28 0x7fe10e50d467 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1372:3
#29 0x7fe10e50bd36 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:978:14
#30 0x7fe10e50728a in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:795:9
#31 0x7fe10e50a4c5 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:678:5
#32 0x7fe11b9f30ba in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13838:23
#33 0x7fe10c63c40b in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:631:22
#34 0x7fe10c63f974 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:535:10
#35 0x7fe1101dc5c5 in DoUnblockOnload /builds/worker/checkouts/gecko/dom/base/Document.cpp:11672:18
#36 0x7fe1101dc5c5 in mozilla::dom::nsUnblockOnloadEvent::Run() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11634:11
#37 0x7fe10c1e331a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:549:16
#38 0x7fe10c1ca44e in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:876:26
#39 0x7fe10c1c7038 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:699:15
#40 0x7fe10c1c7739 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:485:36
#41 0x7fe10c1eb3e4 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:214:37
#42 0x7fe10c1eb3e4 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#43 0x7fe10c212ba4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#44 0x7fe10c22082a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#45 0x7fe10c210fc2 in SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:917:22)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
#46 0x7fe10c210fc2 in nsThread::Shutdown() /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:916:3
#47 0x7fe1143b55ea in mozilla::(anonymous namespace)::MediaTrackGraphShutDownRunnable::Run() /builds/worker/checkouts/gecko/dom/media/MediaTrackGraph.cpp:1810:50
#48 0x7fe10c1e331a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:549:16
#49 0x7fe10c1ca44e in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:876:26
#50 0x7fe10c1c7038 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:699:15
#51 0x7fe10c1c7739 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:485:36
#52 0x7fe10c1eb3b1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:211:37
#53 0x7fe10c1eb3b1 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#54 0x7fe10c212ba4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#55 0x7fe10c22082a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#56 0x7fe10dea319e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#57 0x7fe10dccb57a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#58 0x7fe10dccb57a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#59 0x7fe10dccb57a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#60 0x7fe117552289 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#61 0x7fe117756b42 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#62 0x7fe11cba3cbe in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
#63 0x7fe10dccb57a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#64 0x7fe10dccb57a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#65 0x7fe10dccb57a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#66 0x7fe11cba3263 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
#67 0x563620cf6afc in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#68 0x563620cf6afc in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#69 0x7fe134229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#70 0x7fe134229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#71 0x563620c1ae08 in _start (/home/uuu/dev/FF/browsers/firefox/firefox+0xdbe08) (BuildId: de8b9cbfaeb2b7f91afe1ab81f91a905fa293823)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/dom/canvas/ImageUtils.cpp:126:27 in Surface
==2798316==ABORTING
|
||
Comment 1•1 year ago
|
||
This looks like a null deref on this line:
mSurface = surface->GetDataSurface();
so it probably isn't a security issue but I'll let a video person take a look.
|
||
Comment 2•1 year ago
|
||
I am not able to reproduce the issue. I tested with m-c 20231215-d3a29d02b3dd on Ubuntu 22.04.
|
||
Updated•1 year ago
|
|
||
Comment 3•10 months ago
|
||
wh0tlif3: are you still able to reproduce this?
|
|
||
Updated•8 months ago
|
|
||
Updated•8 months ago
|
|
||
Updated•8 months ago
|
Description
•