Open Bug 1881300 Opened 3 months ago Updated 1 month ago

Crash [@ DoBindFB]

Categories

(Core :: Graphics: CanvasWebGL, defect, P2)

x86_64
Linux
defect

Tracking

Tracking Status
firefox-esr115 --- wontfix
firefox123 --- wontfix
firefox124 --- wontfix
firefox125 --- wontfix

People

(Reporter: jkratzer, Unassigned, NeedInfo)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev 552269a748b3 (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 552269a748b3 --asan --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
[@ DoBindFB]

    =================================================================
    ==139190==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000014 (pc 0x7f03394c4e69 bp 0x7f028953c550 sp 0x7f028953bc60 T57)
    ==139190==The signal is caused by a READ memory access.
    ==139190==Hint: address points to the zero page.
        #0 0x7f03394c4e69 in DoBindFB /dom/canvas/WebGLContext.cpp
        #1 0x7f03394c4e69 in operator() /dom/canvas/WebGLContext.cpp:1405:5
        #2 0x7f03394c4e69 in ~ScopeExit /builds/worker/workspace/obj-build/dist/include/mozilla/ScopeExit.h:106:7
        #3 0x7f03394c4e69 in mozilla::WebGLContext::SnapshotInto(unsigned int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Range<unsigned char> const&, mozilla::Maybe<unsigned long>) /dom/canvas/WebGLContext.cpp:1449:1
        #4 0x7f03394c2d7f in mozilla::WebGLContext::FrontBufferSnapshotInto(std::shared_ptr<mozilla::gl::SharedSurface> const&, mozilla::Maybe<mozilla::Range<unsigned char>>, mozilla::Maybe<unsigned long>) /dom/canvas/WebGLContext.cpp:1368:10
        #5 0x7f03394c663f in mozilla::WebGLContext::FrontBufferSnapshotInto(mozilla::Maybe<mozilla::Range<unsigned char>>, mozilla::Maybe<unsigned long>) /dom/canvas/WebGLContext.cpp:1347:10
        #6 0x7f0339591c02 in FrontBufferSnapshotInto /dom/canvas/HostWebGLContext.h:191:22
        #7 0x7f0339591c02 in operator() /dom/canvas/WebGLParent.cpp:157:19
        #8 0x7f0339591c02 in mozilla::dom::WebGLParent::GetFrontBufferSnapshot(mozilla::webgl::FrontBufferSnapshotIpc*, mozilla::ipc::IProtocol*) /dom/canvas/WebGLParent.cpp:143:19
        #9 0x7f0339713138 in mozilla::dom::PWebGLParent::OnMessageReceived(IPC::Message const&, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGLParent.cpp:647:79
        #10 0x7f0335eb7e25 in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:506:32
        #11 0x7f033462b883 in mozilla::ipc::MessageChannel::DispatchSyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>&) /ipc/glue/MessageChannel.cpp:1780:25
        #12 0x7f0334627ded in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1730:9
        #13 0x7f0334629179 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1525:3
        #14 0x7f033462a6f3 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1623:14
        #15 0x7f033296fbc6 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1193:16
        #16 0x7f033297d51a in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #17 0x7f03346373e3 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
        #18 0x7f03344549aa in RunInternal /ipc/chromium/src/base/message_loop.cc:370:10
        #19 0x7f03344549aa in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #20 0x7f03344549aa in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #21 0x7f03329663e0 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:370:10
        #22 0x7f035abeb11f in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #23 0x562d8d2fdb4a in asan_thread_start(void*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:225:31
        #24 0x7f035b3c2ac2 in start_thread nptl/pthread_create.c:442:8
        #25 0x7f035b45484f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /dom/canvas/WebGLContext.cpp in DoBindFB
    Thread T57 created by T0 here:
        #0 0x562d8d2e72ed in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:237:3
        #1 0x7f035abd9844 in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:458:14
        #2 0x7f035abc743e in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:533:12
        #3 0x7f033296a029 in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:620:20
        #4 0x7f033297b0ce in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /xpcom/threads/nsThreadManager.cpp:598:22
        #5 0x7f0332988cb4 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /xpcom/threads/nsThreadUtils.cpp:176:57
        #6 0x7f0335e68436 in NS_NewNamedThread<15UL> /xpcom/threads/nsThreadUtils.h:76:10
        #7 0x7f0335e68436 in mozilla::gfx::CanvasRenderThread::Start() /gfx/ipc/CanvasRenderThread.cpp:110:17
        #8 0x7f0335bf4fe9 in gfxPlatform::Init() /gfx/thebes/gfxPlatform.cpp:978:3
        #9 0x7f0335bfd0f6 in GetPlatform /gfx/thebes/gfxPlatform.cpp:462:5
        #10 0x7f0335bfd0f6 in gfxPlatform::InitializeCMS() /gfx/thebes/gfxPlatform.cpp:2116:9
        #11 0x7f033dea7b3a in EnsureCMSInitialized /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:977:7
        #12 0x7f033dea7b3a in GetCMSMode /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:519:5
        #13 0x7f033dea7b3a in nsXPLookAndFeel::GetUncachedColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /widget/nsXPLookAndFeel.cpp:1018:9
        #14 0x7f033dea6fee in nsXPLookAndFeel::GetColorValue(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins, unsigned int&) /widget/nsXPLookAndFeel.cpp:998:17
        #15 0x7f033dead486 in mozilla::LookAndFeel::GetColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /widget/nsXPLookAndFeel.cpp:1392:47
        #16 0x7f033ddcfe0e in Color /builds/worker/workspace/obj-build/dist/include/mozilla/LookAndFeel.h:415:12
        #17 0x7f033ddcfe0e in GetAccentColor /widget/ThemeColors.cpp:91:7
        #18 0x7f033ddcfe0e in mozilla::widget::ThemeColors::RecomputeAccentColors() /widget/ThemeColors.cpp:203:20
        #19 0x7f033ddcf8ed in mozilla::widget::Theme::LookAndFeelChanged() /widget/Theme.cpp:183:3
        #20 0x7f033dea4a5f in nsXPLookAndFeel::GetInstance() /widget/nsXPLookAndFeel.cpp:399:3
        #21 0x7f033deadfc5 in mozilla::LookAndFeel::GetThemeInfo(nsTSubstring<char>&) /widget/nsXPLookAndFeel.cpp:1510:3
        #22 0x7f033276ea29 in nsSystemInfo::Init() /xpcom/base/nsSystemInfo.cpp:1096:5
        #23 0x7f03328c3102 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:11005:7
        #24 0x7f03328f7d99 in CreateInstance /xpcom/components/nsComponentManager.cpp:189:46
        #25 0x7f03328f7d99 in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::detail::BaseMonitorAutoLock<mozilla::Monitor>>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:987:17
        #26 0x7f03328f92f3 in nsComponentManagerImpl::GetService(mozilla::xpcom::ModuleID, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:1077:10
        #27 0x7f03328dfc5d in mozilla::xpcom::GetServiceHelper::operator()(nsID const&, void**) const /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:13086:50
        #28 0x7f03349ef5aa in assign_from_helper /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:901:7
        #29 0x7f03349ef5aa in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:537:5
        #30 0x7f03349ef5aa in GetServiceImpl /js/xpconnect/src/JSServices.cpp:83:32
        #31 0x7f03349ef5aa in GetService /js/xpconnect/src/JSServices.cpp:130:8
        #32 0x7f03349ef5aa in xpc::Services_Resolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) /js/xpconnect/src/JSServices.cpp:153:25
        #33 0x7f03436cc8a5 in CallResolveOp /js/src/vm/NativeObject-inl.h:681:8
        #34 0x7f03436cc8a5 in NativeLookupOwnPropertyInline<(js::AllowGC)1, (js::LookupResolveMode)1> /js/src/vm/NativeObject-inl.h:793:14
        #35 0x7f03436cc8a5 in NativeGetPropertyInline<(js::AllowGC)1> /js/src/vm/NativeObject.cpp:2290:10
        #36 0x7f03436cc8a5 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2338:10
        #37 0x7f03432d663f in GetProperty /js/src/vm/ObjectOperations-inl.h:117:10
        #38 0x7f03432d663f in GetProperty /js/src/vm/ObjectOperations-inl.h:124:10
        #39 0x7f03432d663f in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:4511:10
        #40 0x7f034329a8c1 in GetPropertyOperation /js/src/vm/Interpreter.cpp:246:10
        #41 0x7f034329a8c1 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:2716:12
        #42 0x7f034328ceb7 in MaybeEnterInterpreterTrampoline /js/src/vm/Interpreter.cpp:394:10
        #43 0x7f034328ceb7 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:452:13
        #44 0x7f034328e29e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:606:13
        #45 0x7f0343290226 in InternalCall /js/src/vm/Interpreter.cpp:641:10
        #46 0x7f0343290226 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:673:8
        #47 0x7f0343291fb6 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:795:10
        #48 0x7f03436cd33f in CallGetter /js/src/vm/NativeObject.cpp:2131:12
        #49 0x7f03436cd33f in GetExistingProperty<(js::AllowGC)1> /js/src/vm/NativeObject.cpp:2159:12
        #50 0x7f03436cd33f in NativeGetPropertyInline<(js::AllowGC)1> /js/src/vm/NativeObject.cpp:2307:14
        #51 0x7f03436cd33f in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2338:10
        #52 0x7f03432d663f in GetProperty /js/src/vm/ObjectOperations-inl.h:117:10
        #53 0x7f03432d663f in GetProperty /js/src/vm/ObjectOperations-inl.h:124:10
        #54 0x7f03432d663f in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:4511:10
        #55 0x7f034329a8c1 in GetPropertyOperation /js/src/vm/Interpreter.cpp:246:10
        #56 0x7f034329a8c1 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:2716:12
        #57 0x7f034328ceb7 in MaybeEnterInterpreterTrampoline /js/src/vm/Interpreter.cpp:394:10
        #58 0x7f034328ceb7 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:452:13
        #59 0x7f034328e29e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:606:13
        #60 0x7f0343290226 in InternalCall /js/src/vm/Interpreter.cpp:641:10
        #61 0x7f0343290226 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:673:8
        #62 0x7f034344c732 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:55:10
        #63 0x7f0334a33eaf in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /js/xpconnect/src/XPCWrappedJSClass.cpp:918:17
        #64 0x7f03329ca38a in PrepareAndDispatch /xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
        #65 0x7f03329c912a in SharedStub xptcstubs_x86_64_linux.cpp
        #66 0x7f03328f089f in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /xpcom/components/nsCategoryManager.cpp:680:19
        #67 0x7f0342e55947 in nsXREDirProvider::DoStartup() /toolkit/xre/nsXREDirProvider.cpp:830:11
        #68 0x7f0342e311a5 in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:5474:18
        #69 0x7f0342e33e7d in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5940:8
        #70 0x7f0342e35121 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5997:21
        #71 0x562d8d341182 in do_main /browser/app/nsBrowserApp.cpp:227:22
        #72 0x562d8d341182 in main /browser/app/nsBrowserApp.cpp:445:16
        #73 0x7f035b357d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    
    ==139190==ABORTING
Attached file Testcase

Verified bug as reproducible on mozilla-central 20240221213323-f8dd4015fa59.
The bug appears to have been introduced in the following build range:

Start: ec054fe362b6c5391b791840686832dea90688ba (20230723212527)
End: 7e5acc812edd3bcb93cfaf76eaab2c3fd6c4d274 (20230724001900)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ec054fe362b6c5391b791840686832dea90688ba&tochange=7e5acc812edd3bcb93cfaf76eaab2c3fd6c4d274

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Bug 1837070 is the only relevant bug in that regression range.

Regressed by: 1837070

Set release status flags based on info from the regressing bug 1837070

:aosmond, since you are the author of the regressor, bug 1837070, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Lee, can you please add Priority/Severity values here?

Flags: needinfo?(lsalzman)
Component: Graphics: Canvas2D → Graphics: CanvasWebGL
Flags: needinfo?(lsalzman) → needinfo?(jgilbert)
Severity: -- → S3
Flags: needinfo?(jgilbert)
Priority: -- → P2

Testcase crashes using the initial build (mozilla-central 20240221090755-552269a748b3) but not with tip (mozilla-central 20240419213148-291d187ba249).

The bug appears to have been fixed in the following build range:

Start: b453de1f5c2cd5d120f328a7583b5581d98ff545 (20240417115940)
End: 57f6925a520cf97f4af35e42db00435e817475dc (20240417135703)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=b453de1f5c2cd5d120f328a7583b5581d98ff545&tochange=57f6925a520cf97f4af35e42db00435e817475dc

jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(jkratzer)
Keywords: bugmon

:aosmond, was this fixed via bug 1888634?

Flags: needinfo?(jkratzer) → needinfo?(aosmond)