Closed Bug 1402434 Opened 7 years ago Closed 2 years ago

crash near null in [@ mozilla::FrameLayerBuilder::DrawPaintedLayer]

Categories

(Core :: Web Painting, defect, P2)

defect

Tracking

()

RESOLVED WORKSFORME
Tracking Status
firefox-esr52 --- wontfix
firefox55 --- wontfix
firefox56 --- wontfix
firefox57 --- affected
firefox58 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords)

Crash Data

Attachments

(3 files, 1 obsolete file)

Attached file test_case.html (deleted) —
==2286==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7f98f3edf420 bp 0x7ffdb0ec4340 sp 0x7ffdb0ec3d60 T0)
==2286==The signal is caused by a READ memory access.
==2286==Hint: address points to the zero page.
    #0 0x7f98f3edf41f in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /src/layout/painting/FrameLayerBuilder.cpp:6146:15
    #1 0x7f98eeb39c1c in mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) /src/gfx/layers/client/ClientPaintedLayer.cpp:166:5
    #2 0x7f98eeb3b0d9 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) /src/gfx/layers/client/ClientPaintedLayer.cpp:297:3
    #3 0x7f98eeb719cf in mozilla::layers::ClientContainerLayer::RenderLayer() /src/gfx/layers/client/ClientContainerLayer.h:57:29
    #4 0x7f98eeb719cf in mozilla::layers::ClientContainerLayer::RenderLayer() /src/gfx/layers/client/ClientContainerLayer.h:57:29
    #5 0x7f98eeb719cf in mozilla::layers::ClientContainerLayer::RenderLayer() /src/gfx/layers/client/ClientContainerLayer.h:57:29
    #6 0x7f98eeb719cf in mozilla::layers::ClientContainerLayer::RenderLayer() /src/gfx/layers/client/ClientContainerLayer.h:57:29
    #7 0x7f98eeb719cf in mozilla::layers::ClientContainerLayer::RenderLayer() /src/gfx/layers/client/ClientContainerLayer.h:57:29
    #8 0x7f98eeb719cf in mozilla::layers::ClientContainerLayer::RenderLayer() /src/gfx/layers/client/ClientContainerLayer.h:57:29
    #9 0x7f98eeb719cf in mozilla::layers::ClientContainerLayer::RenderLayer() /src/gfx/layers/client/ClientContainerLayer.h:57:29
    #10 0x7f98eeb719cf in mozilla::layers::ClientContainerLayer::RenderLayer() /src/gfx/layers/client/ClientContainerLayer.h:57:29
    #11 0x7f98eeb719cf in mozilla::layers::ClientContainerLayer::RenderLayer() /src/gfx/layers/client/ClientContainerLayer.h:57:29
    #12 0x7f98eeb33eca in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /src/gfx/layers/client/ClientLayerManager.cpp:380:13
    #13 0x7f98eeb34817 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /src/gfx/layers/client/ClientLayerManager.cpp:438:3
    #14 0x7f98f3f56388 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) /src/layout/painting/nsDisplayList.cpp:2347:17
    #15 0x7f98f374d012 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /src/layout/base/nsLayoutUtils.cpp:3772:12
    #16 0x7f98f36428ba in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /src/layout/base/PresShell.cpp:6454:5
    #17 0x7f98f2e3e839 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /src/view/nsViewManager.cpp:480:19
    #18 0x7f98f2e3d59b in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /src/view/nsViewManager.cpp:412:33
    #19 0x7f98f2e40f15 in nsViewManager::ProcessPendingUpdates() /src/view/nsViewManager.cpp:1102:5
    #20 0x7f98f35a44fd in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:2082:11
    #21 0x7f98f35b01eb in TickDriver /src/layout/base/nsRefreshDriver.cpp:337:13
    #22 0x7f98f35b01eb in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /src/layout/base/nsRefreshDriver.cpp:307
    #23 0x7f98f35afee6 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:329:5
    #24 0x7f98f35b243b in RunRefreshDrivers /src/layout/base/nsRefreshDriver.cpp:770:5
    #25 0x7f98f35b243b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:683
    #26 0x7f98f35adb57 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /src/layout/base/nsRefreshDriver.cpp:529:20
    #27 0x7f98eca0033c in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1039:14
    #28 0x7f98eca0615c in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:521:10
    #29 0x7f98ed7ab061 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:97:21
    #30 0x7f98ed70cf2b in RunInternal /src/ipc/chromium/src/base/message_loop.cc:326:10
    #31 0x7f98ed70cf2b in RunHandler /src/ipc/chromium/src/base/message_loop.cc:319
    #32 0x7f98ed70cf2b in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299
    #33 0x7f98f2ebd4df in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:158:27
    #34 0x7f98f701d3c1 in nsAppStartup::Run() /src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #35 0x7f98f71fdf0b in XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4701:22
    #36 0x7f98f71ffb08 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4865:8
    #37 0x7f98f7200f3b in XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4960:21
    #38 0x4ebea3 in do_main /src/browser/app/nsBrowserApp.cpp:236:22
    #39 0x4ebea3 in main /src/browser/app/nsBrowserApp.cpp:309
    #40 0x7f990a3dc82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #41 0x41d9f8 in _start (firefox+0x41d9f8)
Flags: in-testsuite?
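An added triage helper (my example, not code from this bug, from the reporter or from Mozilla) that turns the ASan report above into structured fields: it parses the fault kind, address and access type, extracts the frames, collapses the run of identical recursive ClientContainerLayer::RenderLayer frames, derives the "[@ function]" crash signature that appears in this bug's Crash Signature field, and classifies the fault as a near-null read. The embedded sample is an abridged copy of the report above; the 0x1000 zero-page bound and the verdict wording are my assumptions, not anything the bug states.

```python
"""Classify an AddressSanitizer SEGV report (added triage example, not Mozilla code)."""
import re

# Constructed sample: the report from this bug, abridged (signatures shortened,
# three of the nine repeated RenderLayer frames kept, middle frames dropped).
SAMPLE_REPORT = """\
==2286==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7f98f3edf420 bp 0x7ffdb0ec4340 sp 0x7ffdb0ec3d60 T0)
==2286==The signal is caused by a READ memory access.
==2286==Hint: address points to the zero page.
    #0 0x7f98f3edf41f in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /src/layout/painting/FrameLayerBuilder.cpp:6146:15
    #1 0x7f98eeb39c1c in mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) /src/gfx/layers/client/ClientPaintedLayer.cpp:166:5
    #2 0x7f98eeb3b0d9 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) /src/gfx/layers/client/ClientPaintedLayer.cpp:297:3
    #3 0x7f98eeb719cf in mozilla::layers::ClientContainerLayer::RenderLayer() /src/gfx/layers/client/ClientContainerLayer.h:57:29
    #4 0x7f98eeb719cf in mozilla::layers::ClientContainerLayer::RenderLayer() /src/gfx/layers/client/ClientContainerLayer.h:57:29
    #5 0x7f98eeb719cf in mozilla::layers::ClientContainerLayer::RenderLayer() /src/gfx/layers/client/ClientContainerLayer.h:57:29
    #6 0x7f98eeb33eca in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*), void*) /src/gfx/layers/client/ClientLayerManager.cpp:380:13
    #7 0x41d9f8 in _start (firefox+0x41d9f8)
"""

HEADER_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>\w+) on unknown address 0x(?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"signal is caused by a (?P<access>READ|WRITE) memory access")
# "#N 0xPC in <function signature> [<file>:<line>[:<col>]]"; the signature may contain
# spaces, so it is matched lazily and the source location is the final token.
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+)\s+0x[0-9a-f]+\s+in\s+(?P<func>.+?)"
    r"(?:\s+(?P<file>\S+?):(?P<line>\d+)(?::\d+)?)?\s*$")

# Assumption: the unmapped low page ASan calls the "zero page" is 4 KiB on x86-64 Linux.
ZERO_PAGE = 0x1000


def parse_report(text):
    """Return kind, fault address, access type and the parsed stack frames."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("not an ASan 'on unknown address' report")
    acc = ACCESS_RE.search(text)
    frames = []
    for line in text.splitlines():
        fm = FRAME_RE.match(line)
        if fm:
            frames.append({
                "n": int(fm["n"]),
                "func": fm["func"],
                "file": fm["file"],
                "line": int(fm["line"]) if fm["line"] else None,
            })
    return {"kind": m["kind"], "address": int(m["addr"], 16),
            "access": acc["access"] if acc else None, "frames": frames}


def collapse_repeats(frames):
    """Fold runs of identical consecutive frames into (function, count) pairs, so the
    recursive RenderLayer descent reads as one entry instead of nine."""
    out = []
    for f in frames:
        if out and out[-1][0] == f["func"]:
            out[-1] = (f["func"], out[-1][1] + 1)
        else:
            out.append((f["func"], 1))
    return out


def crash_signature(frames):
    """Socorro-style '[@ function]' signature: top frame with its argument list removed."""
    return "[@ %s]" % frames[0]["func"].split("(", 1)[0]


def triage(text):
    """Classify the fault; small addresses are null-pointer dereferences at a field offset."""
    r = parse_report(text)
    addr = r["address"]
    near_null = r["kind"] == "SEGV" and addr < ZERO_PAGE
    access = (r["access"] or "unknown").lower()
    if near_null:
        verdict = "near-null %s" % access
        note = ("null pointer dereferenced at offset 0x%x; the zero page is unmapped, so "
                "this is a crash (denial of service) rather than controlled memory corruption, "
                "unless the offset turns out to be attacker-influenced" % addr)
    else:
        verdict = "wild %s" % access
        note = "address is not near null; treat as potentially exploitable until shown otherwise"
    top = r["frames"][0] if r["frames"] else None
    return {"verdict": verdict, "near_null": near_null, "address": addr, "note": note,
            "signature": crash_signature(r["frames"]) if top else None,
            "top_frame": ("%s:%s" % (top["file"], top["line"])) if top else None,
            "stack": collapse_repeats(r["frames"])}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for key in ("verdict", "address", "signature", "top_frame", "note"):
        print("%-10s %s" % (key, result[key]))
    for func, count in result["stack"]:
        print("  %s%s" % (func, " x%d" % count if count > 1 else ""))
```

Run it against a full report saved from the fuzzer by replacing SAMPLE_REPORT with the file contents; the same signature and verdict logic is what lets a fuzzing pipeline bucket repeated hits of this crash under one signature and rank it below genuinely wild reads and writes.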
Trying to bisect this has been a complete exercise in futility. It doesn't crash reliably enough in older builds to get a solid sense of whether a build is good or not. On debug builds, I did notice that it also hits the below assertions:

ASSERTION: Layer shouldn't be the child of some other container: 'layer->GetParent() == mContainerLayer', file /builds/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp, line 5346
ASSERTION: aChild not our child: 'Error', file /builds/worker/workspace/build/src/gfx/layers/Layers.cpp, line 982
ASSERTION: aAfter is not our child: 'Error', file /builds/worker/workspace/build/src/gfx/layers/Layers.cpp, line 871
ASSERTION: We shouldn't be drawing into a layer with no items!: 'entry', file /builds/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp, line 6145
Has Regression Range: --- → yes
Keywords: assertion
Priority: -- → P2
Crash Signature: [@ mozilla::FrameLayerBuilder::DrawPaintedLayer]
Attached file test_case_2.html (obsolete) (deleted) —
This testcase requires the fuzzpriv extension.
Attached file prefs.js (deleted) —
Attached file test_case_2.html (deleted) —
Fix a typo
Attachment #8925727 - Attachment is obsolete: true
QA Whiteboard: qa-not-actionable

Since the crash volume is low (less than 5 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

For more information, please visit auto_nag documentation.

Severity: critical → S3

This code is gone. If these testcases still crash they must have a new signature, please update accordingly if that is the case.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME