Closed
Bug 1419609
Opened 7 years ago
Closed 7 years ago
UBSan: load of value which is not a valid value for type 'bool' [@ nsDisplayListBuilder::WrapAGRForFrame]
Categories
(Core :: Web Painting, defect, P2)
Core
Web Painting
Tracking
()
RESOLVED
FIXED
mozilla59
| Tracking | Status | |
|---|---|---|
| firefox59 | --- | fixed |
People
(Reporter: tsmith, Assigned: mattwoodrow)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-undefined, csectype-uninitialized, testcase)
Attachments
(2 files)
|
(deleted),
text/html
|
Details | |
|
(deleted),
patch
|
jwatt
:
review+
|
Details | Diff | Splinter Review |
This was found with a Firefox build built with -fsanitize=bool
/layout/painting/nsDisplayList.cpp:1064:50: runtime error: load of value 208, which is not a valid value for type 'bool'
#0 0x7fe41183880b in nsDisplayListBuilder::WrapAGRForFrame(nsIFrame*, bool, AnimatedGeometryRoot*) /layout/painting/nsDisplayList.cpp:1064:50
#1 0x7fe4117e9651 in nsDisplayListBuilder::FindAnimatedGeometryRootFor(nsIFrame*) /layout/painting/nsDisplayList.cpp:1100:12
#2 0x7fe41117c6af in nsDisplayListBuilder::AutoBuildingDisplayList::AutoBuildingDisplayList(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsRect const&, bool) /layout/painting/nsDisplayList.h:1039:43
#3 0x7fe41122ac2e in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /layout/generic/nsFrame.cpp:3612:5
#4 0x7fe4116262f3 in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsDisplayListSet const&) /layout/xul/nsBoxFrame.cpp:1389:5
#5 0x7fe411625d69 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /layout/xul/nsBoxFrame.cpp:1349:3
#6 0x7fe41122b588 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /layout/generic/nsFrame.cpp:3734:14
#7 0x7fe41162a813 in nsDeckFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsDisplayListSet const&) /layout/xul/nsDeckFrame.cpp:199:3
#8 0x7fe411625d69 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /layout/xul/nsBoxFrame.cpp:1349:3
#9 0x7fe41122b588 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /layout/generic/nsFrame.cpp:3734:14
#10 0x7fe4116262f3 in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsDisplayListSet const&) /layout/xul/nsBoxFrame.cpp:1389:5
#11 0x7fe411625d69 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /layout/xul/nsBoxFrame.cpp:1349:3
#12 0x7fe41122b588 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /layout/generic/nsFrame.cpp:3734:14
#13 0x7fe4116262f3 in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsDisplayListSet const&) /layout/xul/nsBoxFrame.cpp:1389:5
#14 0x7fe41166c5ed in nsRootBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /layout/xul/nsRootBoxFrame.cpp:190:3
#15 0x7fe41122b588 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /layout/generic/nsFrame.cpp:3734:14
#16 0x7fe41122a06b in mozilla::ViewportFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /layout/generic/ViewportFrame.cpp:66:5
#17 0x7fe4112b175b in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) /layout/generic/nsFrame.cpp:2965:5
#18 0x7fe411138ed6 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /layout/base/nsLayoutUtils.cpp:3880:17
#19 0x7fe41105dbe2 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /layout/base/PresShell.cpp:6512:5
#20 0x7fe41093b65b in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /view/nsViewManager.cpp:480:19
#21 0x7fe41093ad3d in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /view/nsViewManager.cpp:412:33
#22 0x7fe41093cfcb in nsViewManager::ProcessPendingUpdates() /view/nsViewManager.cpp:1102:5
#23 0x7fe410fdb3ed in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:2027:11
#24 0x7fe410fe5fc7 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /layout/base/nsRefreshDriver.cpp:306:7
#25 0x7fe410fe5cdc in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:328:5
#26 0x7fe410fea37a in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:769:5
#27 0x7fe410fe8dd0 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:682:35
#28 0x7fe410fe4148 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /layout/base/nsRefreshDriver.cpp:528:20
#29 0x7fe40997fa60 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1037:14
#30 0x7fe4099b91fa in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:513:10
#31 0x7fe40ab02f91 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:97:21
#32 0x7fe40a983990 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:299:3
#33 0x7fe4109caa05 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:159:27
#34 0x7fe415379a57 in nsAppStartup::Run() /toolkit/components/startup/nsAppStartup.cpp:288:30
#35 0x7fe415545f7a in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:4685:22
#36 0x7fe415547a37 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:4847:8
#37 0x7fe415548781 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:4942:21
#38 0x518198 in do_main(int, char**, char**) /browser/app/nsBrowserApp.cpp:231:22
#39 0x517a1a in main /browser/app/nsBrowserApp.cpp:304:16
#40 0x7fe43edff1c0 in __libc_start_main /build/glibc-CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308
#41 0x4204e9 in _start (firefox+0x4204e9)
Flags: in-testsuite?
|
Reporter | |
Updated•7 years ago
|
Summary: UBSan: load of value which is not a valid value for type 'bool' → UBSan: load of value which is not a valid value for type 'bool' [@ nsDisplayListBuilder::WrapAGRForFrame]
|
||
Updated•7 years ago
|
Component: Layout → Layout: Web Painting
|
||
Comment 1•7 years ago
|
||
This doesn't seem to repro on mac FWIW.
|
|
Reporter | |
Comment 2•7 years ago
|
||
(In reply to Jonathan Watt [:jwatt] (needinfo? me) from comment #1)
> This doesn't seem to repro on mac FWIW.
I have seen instances of this type of error where the underlying issue was actually uninitialized memory. That may also make this inconsistently reproducible.
|
|
Reporter | |
Comment 3•7 years ago
|
||
FWIW: I can still repro on m-c changeset 395820:5f52c2488a83
|
Assignee | |
Comment 4•7 years ago
|
||
Pretty sure this is the issue, we call FindAnimatedGeometryRootFor to initialize isAsync, but it's possible for us to leave it uninitialized.
Assignee: nobody → matt.woodrow
Attachment #8935989 -
Flags: review?(jwatt)
|
|
Reporter | |
Comment 5•7 years ago
|
||
Verified the issue is no longer reproducible with the patch applied.
Keywords: csectype-uninitialized
|
|
||
Updated•7 years ago
|
Attachment #8935989 -
Flags: review?(jwatt) → review+
Pushed by mwoodrow@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/969f4ef3c4b2
Always mark the root agr as async. r=jwatt
|
||
Comment 7•7 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
|
|
||
Comment 8•7 years ago
|
||
| bugherder | ||
You need to log in
before you can comment on or make changes to this bug.
Description
•