Closed Bug 1483619 Opened 6 years ago Closed 5 years ago

crash near null in [@ FinishPaintState]

Categories

(Core :: Graphics, defect, P3)

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox63 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(2 files)

Attached file testcase.html (deleted) —
==101965==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f0c2a7e9c85 bp 0x7ffcd408eb50 sp 0x7ffcd408e8c0 T0)
==101965==The signal is caused by a READ memory access.
==101965==Hint: address points to the zero page.
    #0 0x7f0c2a7e9c84 in FinishPaintState src/gfx/layers/client/ClientPaintedLayer.cpp:96:58
    #1 0x7f0c2a7e9c84 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) src/gfx/layers/client/ClientPaintedLayer.cpp:172
    #2 0x7f0c2a8514bc in mozilla::layers::ClientContainerLayer::RenderLayer() src/gfx/layers/client/ClientContainerLayer.h:58:29
    #3 0x7f0c2a8514bc in mozilla::layers::ClientContainerLayer::RenderLayer() src/gfx/layers/client/ClientContainerLayer.h:58:29
    #4 0x7f0c2a8514bc in mozilla::layers::ClientContainerLayer::RenderLayer() src/gfx/layers/client/ClientContainerLayer.h:58:29
    #5 0x7f0c2a7e0e5d in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/client/ClientLayerManager.cpp:340:13
    #6 0x7f0c2a7e1fb6 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/client/ClientLayerManager.cpp:398:3
    #7 0x7f0c32501a2c in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) src/layout/painting/nsDisplayList.cpp:2759:19
    #8 0x7f0c31a461bb in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3842:12
    #9 0x7f0c318edaa7 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) src/layout/base/PresShell.cpp:6349:5
    #10 0x7f0c3108e747 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:480:19
    #11 0x7f0c3108d57c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:412:33
    #12 0x7f0c310931a6 in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1102:5
    #13 0x7f0c318415ae in nsRefreshDriver::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2042:11
    #14 0x7f0c31851452 in TickDriver src/layout/base/nsRefreshDriver.cpp:324:13
    #15 0x7f0c31851452 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:299
    #16 0x7f0c31850f81 in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:317:5
    #17 0x7f0c31854561 in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:755:5
    #18 0x7f0c31854561 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:671
    #19 0x7f0c3185403b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:571:9
    #20 0x7f0c32310716 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:78:16
    #21 0x7f0c2915e40d in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #22 0x7f0c28f1e480 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2214:28
    #23 0x7f0c28766cae in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2239:25
    #24 0x7f0c287625de in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2166:17
    #25 0x7f0c28764a3d in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:2012:5
    #26 0x7f0c28765797 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:2045:15
    #27 0x7f0c2758e6f0 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1235:14
    #28 0x7f0c27597455 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #29 0x7f0c28770d64 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:125:5
    #30 0x7f0c28672dcc in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #31 0x7f0c28672dcc in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #32 0x7f0c28672dcc in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #33 0x7f0c311775e6 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #34 0x7f0c354eb1fe in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:937:22
    #35 0x7f0c28672dcc in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #36 0x7f0c28672dcc in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #37 0x7f0c28672dcc in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #38 0x7f0c354ea2b2 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:763:34
    #39 0x4f5b11 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #40 0x4f5b11 in main src/browser/app/nsBrowserApp.cpp:287
    #41 0x7f0c4d04482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #42 0x424ee8 in _start (firefox+0x424ee8)
Flags: in-testsuite?
Attached file prefs.js (deleted) —
Required for repro
Component: Layout: Web Painting → Graphics
I was unable to reproduce with the prefs file given (I also had to change it to fix the proxy settings). It looks like either the this pointer or aState.mAsyncTask->mCapture is null in ClientPaintedLayer::FinishPaintState.
Priority: -- → P3

The fuzzers have not reported this since August 2018.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME
