Closed Bug 1741459 Opened 3 years ago Closed 2 years ago

AddressSanitizer: stack-overflow [@ webrender::clip::ClipStore::build_clip_chain_instance]

Categories

(Core :: Graphics: WebRender, defect, P3)

x86_64
Linux
defect


RESOLVED FIXED

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: hang, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev 3890e2f0b025 (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 3890e2f0b025 --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
AddressSanitizer: stack-overflow [@ webrender::clip::ClipStore::build_clip_chain_instance]

    =================================================================
    ==273199==ERROR: AddressSanitizer: stack-overflow on address 0x7fdb8c42cf40 (pc 0x7fdbd5ca0ef6 bp 0x7fdb8c42ddd0 sp 0x7fdb8c42cf40 T107)
        #0 0x7fdbd5ca0ef6 in webrender::clip::ClipStore::build_clip_chain_instance::h6fd821195776b8c7 /gfx/wr/webrender/src/clip.rs:1293
        #1 0x7fdbd60965f2 in webrender::visibility::update_primitive_visibility::h1bfad3f02bfa3ac2 /gfx/wr/webrender/src/visibility.rs:396:34
        #2 0x7fdbd6095d0f in webrender::visibility::update_primitive_visibility::h1bfad3f02bfa3ac2 /gfx/wr/webrender/src/visibility.rs:299:44
        #3 0x7fdbd6095c01 in webrender::visibility::update_primitive_visibility::h1bfad3f02bfa3ac2 /gfx/wr/webrender/src/visibility.rs:299:44
        #4 0x7fdbd6095d0f in webrender::visibility::update_primitive_visibility::h1bfad3f02bfa3ac2 /gfx/wr/webrender/src/visibility.rs:299:44
        #5 0x7fdbd6095d0f in webrender::visibility::update_primitive_visibility::h1bfad3f02bfa3ac2 /gfx/wr/webrender/src/visibility.rs:299:44
        ...truncated...
    
    SUMMARY: AddressSanitizer: stack-overflow /gfx/wr/webrender/src/clip.rs:1293 in webrender::clip::ClipStore::build_clip_chain_instance::h6fd821195776b8c7
    Thread T107 (WRRende~ckend#1) created by T60 (Renderer) here:
        #0 0x55b1a47e5a8c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:207:3
        #1 0x7fdbd8adb384 in std::sys::unix::thread::Thread::new::h6fcfdf86716b7232 (/home/jkratzer/builds/mc-asan/libxul.so+0x183f9384)
        #2 0x7fdbd5981d7c in wr_window_new /gfx/webrender_bindings/src/bindings.rs:1680:36
        #3 0x7fdbc912b939 in mozilla::wr::NewRenderer::Run(mozilla::wr::RenderThread&, mozilla::wr::WrWindowId) /gfx/webrender_bindings/WebRenderAPI.cpp:157:10
        #4 0x7fdbc90f866d in mozilla::wr::RenderThread::RunEvent(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >) /gfx/webrender_bindings/RenderThread.cpp:437:11
        #5 0x7fdbc9111846 in decltype(*(fp).*fp0(Get<0ul>(fp1).PassAsParameter(), Get<1ul>(fp1).PassAsParameter())) mozilla::detail::RunnableMethodArguments<mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >&&>::applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > >, 0ul, 1ul>(mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), mozilla::Tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > > >&, std::integer_sequence<unsigned long, 0ul, 1ul>) /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
        #6 0x7fdbc911158b in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
        #7 0x7fdbc911158b in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >&&>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
        #8 0x7fdbc6019e0b in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1169:16
        #9 0x7fdbc60246fc in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
        #10 0x7fdbc7505061 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:330:5
        #11 0x7fdbc7383111 in RunInternal /ipc/chromium/src/base/message_loop.cc:331:10
        #12 0x7fdbc7383111 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #13 0x7fdbc7383111 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #14 0x7fdbc601239f in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:391:10
        #15 0x7fdbe2c7f09e in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #16 0x7fdbe4595608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    
    Thread T60 (Renderer) created by T0 (GeckoMain) here:
        #0 0x55b1a47e5a8c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:207:3
        #1 0x7fdbe2c6f124 in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:458:14
        #2 0x7fdbe2c603ce in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:533:12
        #3 0x7fdbc6015665 in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:607:18
        #4 0x7fdbc60228af in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /xpcom/threads/nsThreadManager.cpp:581:12
        #5 0x7fdbc602d9e1 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /xpcom/threads/nsThreadUtils.cpp:163:57
        #6 0x7fdbc90f2771 in NS_NewNamedThread<9UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74:10
        #7 0x7fdbc90f2771 in mozilla::wr::RenderThread::Start() /gfx/webrender_bindings/RenderThread.cpp:91:17
        #8 0x7fdbc8e9370e in InitLayersIPC /gfx/thebes/gfxPlatform.cpp:1291:7
        #9 0x7fdbc8e9370e in gfxPlatform::Init() /gfx/thebes/gfxPlatform.cpp:957:3
        #10 0x7fdbc8e96780 in GetPlatform /gfx/thebes/gfxPlatform.cpp:466:5
        #11 0x7fdbc8e96780 in gfxPlatform::InitializeCMS() /gfx/thebes/gfxPlatform.cpp:2084:9
        #12 0x7fdbcdf7e139 in GetCMSMode /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:521:5
        #13 0x7fdbcdf7e139 in nsXPLookAndFeel::GetColorValue(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins, unsigned int&) /widget/nsXPLookAndFeel.cpp:847:9
        #14 0x7fdbcdf81c5e in mozilla::LookAndFeel::GetColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /widget/nsXPLookAndFeel.cpp:1171:47
        #15 0x7fdbcdef8738 in Color /builds/worker/workspace/obj-build/dist/include/mozilla/LookAndFeel.h:449:12
        #16 0x7fdbcdef8738 in ThemedAccentColor /widget/ThemeColors.cpp:89:37
        #17 0x7fdbcdef8738 in mozilla::widget::ThemeColors::RecomputeAccentColors() /widget/ThemeColors.cpp:170:20
        #18 0x7fdbcdf3b5da in nsNativeBasicTheme::LookAndFeelChanged() /widget/nsNativeBasicTheme.cpp:123:3
        #19 0x7fdbcdf7c5e2 in nsXPLookAndFeel::GetInstance() /widget/nsXPLookAndFeel.cpp:358:3
        #20 0x7fdbcdf8265d in mozilla::LookAndFeel::GetThemeInfo(nsTSubstring<char>&) /widget/nsXPLookAndFeel.cpp:1288:3
        #21 0x7fdbc5e71f77 in nsSystemInfo::Init() /xpcom/base/nsSystemInfo.cpp:1003:5
        #22 0x7fdbc5f8223e in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:11955:7
        #23 0x7fdbc5fc7497 in CreateInstance /xpcom/components/nsComponentManager.cpp:177:46
        #24 0x7fdbc5fc7497 in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::MonitorAutoLock>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:1276:17
        #25 0x7fdbc5fc7f48 in nsComponentManagerImpl::GetService(mozilla::xpcom::ModuleID, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:1366:10
        #26 0x7fdbc5f9c26d in mozilla::xpcom::GetServiceHelper::operator()(nsID const&, void**) const /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:12253:50
        #27 0x7fdbc5e2ecc1 in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) /xpcom/base/nsCOMPtr.cpp:109:7
        #28 0x7fdbc837bb6c in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:999:5
        #29 0x7fdbc837bb6c in GetServiceImpl /js/xpconnect/src/JSServices.cpp:84:32
        #30 0x7fdbc837bb6c in GetService /js/xpconnect/src/JSServices.cpp:131:8
        #31 0x7fdbc837bb6c in xpc::Services_Resolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) /js/xpconnect/src/JSServices.cpp:154:25
        #32 0x7fdbd31b8427 in CallResolveOp /js/src/vm/NativeObject-inl.h:634:8
        #33 0x7fdbd31b8427 in NativeLookupOwnPropertyInline<js::CanGC, js::LookupResolveMode::CheckResolve> /js/src/vm/NativeObject-inl.h:751:14
        #34 0x7fdbd31b8427 in NativeGetPropertyInline<js::CanGC> /js/src/vm/NativeObject.cpp:2099:10
        #35 0x7fdbd31b8427 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2147:10
        #36 0x7fdbd2c9dde9 in GetProperty /js/src/vm/ObjectOperations-inl.h:115:10
        #37 0x7fdbd2c9dde9 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) /js/src/vm/ObjectOperations-inl.h:122:10
        #38 0x7fdbd2c9d444 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:4550:10
        #39 0x7fdbd2c6e4a0 in GetPropertyOperation /js/src/vm/Interpreter.cpp:203:10
        #40 0x7fdbd2c6e4a0 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:2906:12
        #41 0x7fdbd2c65de1 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:356:13
        #42 0x7fdbd2c9486c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:506:13
        #43 0x7fdbd2c969bb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:551:8
        #44 0x7fdbd2f08bcc in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:53:10
        #45 0x7fdbc83c2a38 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /js/xpconnect/src/XPCWrappedJSClass.cpp:973:17
        #46 0x7fdbc606c3e2 in PrepareAndDispatch /xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
        #47 0x7fdbc606b16a in SharedStub xptcstubs_x86_64_linux.cpp
        #48 0x7fdbc5fbd882 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /xpcom/components/nsCategoryManager.cpp:687:19
        #49 0x7fdbd29cd289 in nsXREDirProvider::DoStartup() /toolkit/xre/nsXREDirProvider.cpp:976:11
        #50 0x7fdbd29a84f3 in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:5028:18
        #51 0x7fdbd29ab7f9 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5478:8
        #52 0x7fdbd29ac533 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5537:21
        #53 0x55b1a48306d9 in do_main /browser/app/nsBrowserApp.cpp:225:22
        #54 0x55b1a48306d9 in main /browser/app/nsBrowserApp.cpp:395:16
        #55 0x7fdbe40620b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    ==273199==ABORTING
Attached file Detailed Crash Information (deleted)
Attached file Testcase (deleted)
Attachment #9250965 - Attachment mime type: text/plain → text/html
Blocks: 1578503
Keywords: hang

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211116212601-0799fad6d9ec.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 42e7e98c701d3e8c8c66a5acca0f0aeeb5076661 (20201118041908)
End: 3890e2f0b0250c7d13367b969f483996ac1c2e81 (20211116093425)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Severity: -- → S3
Priority: -- → P3

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20211116093425-3890e2f0b025) but not with tip (mozilla-central 20211210215852-9eb74149f75b).
The bug appears to have been fixed in the following build range:

Start: da76ee7195832a71ca2c79fd2474bdae87511316 (20211122010535)
End: ace2f4af2c29de1886e1e627d0fdb583e7573b59 (20211122053815)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=da76ee7195832a71ca2c79fd2474bdae87511316&tochange=ace2f4af2c29de1886e1e627d0fdb583e7573b59
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

No longer reproduces with updated backdrop-filter implementation.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
