INFO: This is an IPC crash found by the fuzzer faulty - there is no test-case available which leads to an immediate crash for reproduction. The attached session.txt contains a trace of IPC messages which were sent and received during a session of visiting https://html5test.com *** Possible reproduction scenario: pip install git+https://github.com/mozillasecurity/fuzzfetch fuzzfetch -a --fuzzing -n firefox -o /tmp export FAULTY_PROBABILITY=50000 export FAULTY_LARGE_VALUES=1 export FAULTY_PARENT=1 export FAULTY_ENABLE_LOGGING=1 export FAULTY_PICKLE=1 export MOZ_IPC_MESSAGE_LOG=1 Assertion failure: aApzc, at /builds/worker/workspace/build/src/gfx/layers/apz/src/APZCTreeManager.cpp:3011 ==31403==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5333ad2346 bp 0x7f52d3ae2420 sp 0x7f52d3ae1cc0 T35) ==31403==The signal is caused by a WRITE memory access. ==31403==Hint: address points to the zero page. #0 0x7f5333ad2345 in Matrix4x4Typed /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/gfx/Matrix.h:573:7 #1 0x7f5333ad2345 in FromUnknownMatrix /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/gfx/Matrix.h:1763 #2 0x7f5333ad2345 in ViewAs<mozilla::gfx::Matrix4x4Typed<mozilla::ParentLayerPixel, mozilla::ParentLayerPixel> > /builds/worker/workspace/build/src/layout/base/UnitTransforms.h:168 #3 0x7f5333ad2345 in mozilla::layers::APZCTreeManager::ComputeTransformForScrollThumb(mozilla::gfx::Matrix4x4Typed<mozilla::LayerPixel, mozilla::ParentLayerPixel> const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::layers::AsyncPanZoomController*, mozilla::layers::FrameMetrics const&, mozilla::layers::ScrollThumbData const&, bool, mozilla::gfx::Matrix4x4Typed<mozilla::ParentLayerPixel, mozilla::ParentLayerPixel>*) /builds/worker/workspace/build/src/gfx/layers/apz/src/APZCTreeManager.cpp:3136 #4 0x7f5333ad63e4 in mozilla::layers::APZSampler::ComputeTransformForScrollThumb(mozilla::gfx::Matrix4x4Typed<mozilla::LayerPixel, mozilla::ParentLayerPixel> const&, mozilla::layers::LayerMetricsWrapper const&, mozilla::layers::ScrollThumbData const&, bool, mozilla::gfx::Matrix4x4Typed<mozilla::ParentLayerPixel, mozilla::ParentLayerPixel>*) /builds/worker/workspace/build/src/gfx/layers/apz/src/APZSampler.cpp:160:10 #5 0x7f5333c2e8c7 in ApplyAsyncTransformToScrollbarForContent /builds/worker/workspace/build/src/gfx/layers/composite/AsyncCompositionManager.cpp:1092:17 #6 0x7f5333c2e8c7 in mozilla::layers::AsyncCompositionManager::ApplyAsyncTransformToScrollbar(mozilla::layers::Layer*) /builds/worker/workspace/build/src/gfx/layers/composite/AsyncCompositionManager.cpp:1168 #7 0x7f5333c6bf5c in mozilla::layers::AsyncCompositionManager::ApplyAsyncContentTransformToTree(mozilla::layers::Layer*, bool*)::$_4::operator()(mozilla::layers::Layer*) const /builds/worker/workspace/build/src/gfx/layers/composite/AsyncCompositionManager.cpp:1062:11 #8 0x7f5333c2ddd3 in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_23AsyncCompositionManager32ApplyAsyncContentTransformToTreeES4_PbE3$_3ZNS5_32ApplyAsyncContentTransformToTreeES4_S6_E3$_4EENS_8EnableIfIXaasr6IsSameIDTclfp0_fp_EEvEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeET0_RKT1_RKT2_ /builds/worker/workspace/build/src/gfx/layers/TreeTraversal.h:145:3 #9 0x7f5333c2ddab in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_23AsyncCompositionManager32ApplyAsyncContentTransformToTreeES4_PbE3$_3ZNS5_32ApplyAsyncContentTransformToTreeES4_S6_E3$_4EENS_8EnableIfIXaasr6IsSameIDTclfp0_fp_EEvEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeET0_RKT1_RKT2_ /builds/worker/workspace/build/src/gfx/layers/TreeTraversal.h:142:5 #10 0x7f5333c2ddab in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_23AsyncCompositionManager32ApplyAsyncContentTransformToTreeES4_PbE3$_3ZNS5_32ApplyAsyncContentTransformToTreeES4_S6_E3$_4EENS_8EnableIfIXaasr6IsSameIDTclfp0_fp_EEvEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeET0_RKT1_RKT2_ /builds/worker/workspace/build/src/gfx/layers/TreeTraversal.h:142:5 #11 0x7f5333c2dd57 in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_23AsyncCompositionManager32ApplyAsyncContentTransformToTreeES4_PbE3$_3ZNS5_32ApplyAsyncContentTransformToTreeES4_S6_E3$_4EENS_8EnableIfIXaasr6IsSameIDTclfp0_fp_EEvEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeET0_RKT1_RKT2_ /builds/worker/workspace/build/src/gfx/layers/TreeTraversal.h:142:5 #12 0x7f5333c2ddab in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_23AsyncCompositionManager32ApplyAsyncContentTransformToTreeES4_PbE3$_3ZNS5_32ApplyAsyncContentTransformToTreeES4_S6_E3$_4EENS_8EnableIfIXaasr6IsSameIDTclfp0_fp_EEvEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeET0_RKT1_RKT2_ /builds/worker/workspace/build/src/gfx/layers/TreeTraversal.h:142:5 #13 0x7f5333c2d3a3 in mozilla::layers::AsyncCompositionManager::ApplyAsyncContentTransformToTree(mozilla::layers::Layer*, bool*) /builds/worker/workspace/build/src/gfx/layers/composite/AsyncCompositionManager.cpp:817:3 #14 0x7f5333c2f5f6 in mozilla::layers::AsyncCompositionManager::TransformShadowTree(mozilla::TimeStamp, mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>, mozilla::layers::AsyncCompositionManager::TransformsToSkip) /builds/worker/workspace/build/src/gfx/layers/composite/AsyncCompositionManager.cpp:1255:9 #15 0x7f5333cc9bd5 in mozilla::layers::CompositorBridgeParent::CompositeToTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:990:48 #16 0x7f5333cec435 in mozilla::layers::CompositorVsyncScheduler::Composite(mozilla::TimeStamp) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorVsyncScheduler.cpp:243:27 #17 0x7f5333d3bd20 in applyImpl<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), StoreCopyPassByConstLRef<mozilla::TimeStamp> , 0> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1149:12 #18 0x7f5333d3bd20 in apply<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1155 #19 0x7f5333d3bd20 in mozilla::detail::RunnableMethodImpl<mozilla::layers::CompositorVsyncScheduler*, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), true, (mozilla::RunnableKind)1, mozilla::TimeStamp>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1200 #20 0x7f53323a50e3 in RunTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:452:9 #21 0x7f53323a50e3 in DeferOrRunPendingTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:460 #22 0x7f53323a50e3 in MessageLoop::DoWork() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:535 #23 0x7f53323a7058 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:36:31 #24 0x7f53323a26f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10 #25 0x7f53323a26f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319 #26 0x7f53323a26f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299 #27 0x7f53323c1a1f in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16 #28 0x7f53323b34dc in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:13 #29 0x7f5351d786b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9) #30 0x7f5350e0141c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109 AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/gfx/Matrix.h:573:7 in Matrix4x4Typed Thread T35 (Compositor) created by T0 here: #0 0x4b065d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3 #1 0x7f53323b0e3f in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135:14 #2 0x7f53323b0e3f in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:146 #3 0x7f53323c13bf in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8 #4 0x7f5333cdccaa in CreateCompositorThread /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:102:26 #5 0x7f5333cdccaa in mozilla::layers::CompositorThreadHolder::CompositorThreadHolder() /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:52 #6 0x7f5333cdcec3 in mozilla::layers::CompositorThreadHolder::Start() /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:124:33 #7 0x7f5333dcda32 in gfxPlatform::InitLayersIPC() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:1035:5 #8 0x7f5333dc97ce in gfxPlatform::Init() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:779:5 #9 0x7f5333dc6e2b in gfxPlatform::GetPlatform() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:538:9 #10 0x7f53390ec339 in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/widget/GfxInfoBase.cpp:1518:25 #11 0x7f53315a95e1 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106 #12 0x7f5332eaa020 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1951:12 #13 0x7f5332eaa020 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1267 #14 0x7f5332eaa020 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1234 #15 0x7f5332eb15c9 in GetAttribute /builds/worker/workspace/build/src/js/xpconnect/src/xpcprivate.h:1636:17 #16 0x7f5332eb15c9 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:949 #17 0x7f533d94ed1e in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15 #18 0x7f533d94ed1e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467 #19 0x7f533d950a72 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:516:12 #20 0x7f533d950a72 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535 #21 0x7f533d950a72 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:650 #22 0x7f533eaf12ee in CallGetter /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2155:16 #23 0x7f533eaf12ee in GetExistingProperty<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2208 #24 0x7f533eaf12ee in NativeGetPropertyInline<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2410 #25 0x7f533eaf12ee in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2446 #26 0x7f533d936355 in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1629:12 #27 0x7f533d936355 in GetObjectElementOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:520 #28 0x7f533d936355 in GetElementOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:626 #29 0x7f533d936355 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2923 #30 0x7f533d919904 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12 #31 0x7f533d94eb17 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15 #32 0x7f533d9376f0 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12 #33 0x7f533d9376f0 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3085 #34 0x7f533d919904 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12 #35 0x7f533d94eb17 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15 #36 0x7f533d9376f0 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12 #37 0x7f533d9376f0 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3085 #38 0x7f533d919904 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12 #39 0x7f533d94eb17 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15 #40 0x7f533d9376f0 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12 #41 0x7f533d9376f0 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3085 #42 0x7f533d919904 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12 #43 0x7f533d94eb17 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15 #44 0x7f533d94f883 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10 #45 0x7f533e5aa745 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2970:12 #46 0x7f5332e90f36 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:1257:23 #47 0x7f53315aabbf in PrepareAndDispatch /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:120:28 #48 0x7f53315a9b6a in SharedStub (/home/ubuntu/firefox/libxul.so+0x21dbb6a) #49 0x7f5331523bfd in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/xpcom/components/nsCategoryManager.cpp:810:19 #50 0x7f533d65523c in nsXREDirProvider::DoStartup() /builds/worker/workspace/build/src/toolkit/xre/nsXREDirProvider.cpp:1021:11 #51 0x7f533d631ab8 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4561:16 #52 0x7f533d6350e8 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4869:8 #53 0x7f533d6367c4 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4961:21 #54 0x4f6d45 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22 #55 0x4f6d45 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304 #56 0x7f5350d1a82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 ==31403==ABORTING

Maybe you could take a look, kats? Thanks.

Yup. Might be a regression from bug 1443792.

Both this bug 1446021 seem to be because the LayerMetricsWrapper passed to the APZSampler returns null for GetApzc(). In bug 1443792 I asserted an equivalence between GetApzc() returning non-null and the metrics being scrollable, and presumably that equivalence doesn't hold under all conditions. At least one case I found while looking just now is if there is no GeckoContentController registered for the layers tree, i.e. because of [1]. I suppose we might encounter this case while fuzzing because who knows what kind of junk we're sending over to the parent process. [1] https://searchfox.org/mozilla-central/rev/8976abf9cab8eb4661665cc86bd355cd08238011/gfx/layers/apz/src/APZCTreeManager.cpp#819

(In reply to Christoph Diehl [:posidron] from comment #0) > pip install git+https://github.com/mozillasecurity/fuzzfetch > fuzzfetch -a --fuzzing -n firefox -o /tmp > This seems to download a fuzzing-asan-opt build and run on that. Is there anyway I can run it on a local build?

(In reply to Kartikaya Gupta (email:kats@mozilla.com) from comment #4) > This seems to download a fuzzing-asan-opt build and run on that. Is there > anyway I can run it on a local build? Yes, there are build configurations here which enable a --enable-fuzzing build. You need to source either the debug or release build config. https://github.com/MozillaSecurity/mozilla-build-configs Then: export FAULTY_PROBABILITY=50000 # You can adjust this value to a smaller number. export FAULTY_LARGE_VALUES=1 export FAULTY_PARENT=1 export FAULTY_ENABLE_LOGGING=1 export FAULTY_PICKLE=1 export MOZ_IPC_MESSAGE_LOG=1 and point Firefox to a arbitrary site. Though, this is right now all about probability, it does not mean you will hit exactly this crash during your run and most likely a different one. We are working on providing rr traces to the developers till end of this quarter.

I tried the mozconfig but I might not have the right clang version or something because the build failed during configuration. In the end I guess it doesn't really matter, since I can only think of one real fix, which is to roll back some of the changes I made in bug 1443792 and go back to using GetApzc() checks in some places. I'll do that on Monday.

(4 or 5 should both work, I am personally using 5) https://github.com/MozillaSecurity/mozilla-build-configs/blob/master/mozconfig.fuzzing.common#L2

Comment on attachment 8960273 [details] Bug 1446022 - Guard against dereferencing a null APZC pointer in degenerate cases. https://reviewboard.mozilla.org/r/229040/#review234888 Please add additional verbiage to the comment above Layer::SetAsyncPanZoomController() (the part that starts with "The reverse is also true (that if GetFrameMetrics(aIndex).IsScrollable() is true, then the layer will have an APZC), ..."), as appropriate.

Done, updated patch coming.

Pushed by kgupta@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/abbc5dc0409e Guard against dereferencing a null APZC pointer in degenerate cases. r=botond