Open Bug 1748102 Opened 3 years ago Updated 1 year ago

crash near null in [@ mozilla::layers::ClipManager::PopOverrideForASR]

Categories

(Core :: Graphics: WebRender, defect)

defect


Tracking Status
firefox97 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html (deleted) —

Found while fuzzing m-c 20211229-153a98aa1de7 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --xvfb
==1172568==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x7f29c33ca8af bp 0x7ffc528df4d0 sp 0x7ffc528df4b0 T0)
==1172568==The signal is caused by a READ memory access.
==1172568==Hint: address points to the zero page.
    #0 0x7f29c33ca8af in std::deque<mozilla::wr::WrSpatialId, std::allocator<mozilla::wr::WrSpatialId> >::pop_back() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_deque.h
    #1 0x7f29c33725db in pop /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_stack.h:261:4
    #2 0x7f29c33725db in mozilla::layers::ClipManager::PopOverrideForASR(mozilla::ActiveScrolledRoot const*) src/gfx/layers/wr/ClipManager.cpp:116:14
    #3 0x7f29c33723d5 in mozilla::layers::ClipManager::EndList(mozilla::layers::StackingContextHelper const&) src/gfx/layers/wr/ClipManager.cpp:81:7
    #4 0x7f29c33ff0f7 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1923:18
    #5 0x7f29c95532a2 in mozilla::nsDisplayTransform::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) src/layout/painting/nsDisplayList.cpp:6690:30
    #6 0x7f29c340035c in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1655:41
    #7 0x7f29c33fe349 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1815:7
    #8 0x7f29c9540805 in mozilla::nsDisplayWrapList::CreateWebRenderCommandsNewClipListOption(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*, bool) src/layout/painting/nsDisplayList.cpp:4631:30
    #9 0x7f29c956278c in mozilla::nsDisplayMasksAndClipPaths::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) src/layout/painting/nsDisplayList.cpp:8154:3
    #10 0x7f29c340035c in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1655:41
    #11 0x7f29c33fe349 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1815:7
    #12 0x7f29c9540805 in mozilla::nsDisplayWrapList::CreateWebRenderCommandsNewClipListOption(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*, bool) src/layout/painting/nsDisplayList.cpp:4631:30
    #13 0x7f29c9546451 in CreateWebRenderCommands src/layout/painting/nsDisplayList.h:4861:12
    #14 0x7f29c9546451 in mozilla::nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) src/layout/painting/nsDisplayList.cpp:5260:22
    #15 0x7f29c340035c in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1655:41
    #16 0x7f29c33fe349 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1815:7
    #17 0x7f29c33fca1d in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1576:5
    #18 0x7f29c341ac26 in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) src/gfx/layers/wr/WebRenderLayerManager.cpp:362:30
    #19 0x7f29c952161d in mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) src/layout/painting/nsDisplayList.cpp:2230:18
    #20 0x7f29c8e39f18 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3431:9
    #21 0x7f29c8d59826 in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) src/layout/base/PresShell.cpp:6445:5
    #22 0x7f29c86ac19d in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:440:18
    #23 0x7f29c86ab91f in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:375:22
    #24 0x7f29c86ad8db in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:948:5
    #25 0x7f29c8cd27d4 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) src/layout/base/nsRefreshDriver.cpp:2533:11
    #26 0x7f29c8cdd817 in TickDriver src/layout/base/nsRefreshDriver.cpp:348:13
    #27 0x7f29c8cdd817 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:326:7
    #28 0x7f29c8cdd57d in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:342:5
    #29 0x7f29c8cdd305 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:780:5
    #30 0x7f29c8cdc9e5 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:703:16
    #31 0x7f29c8cdbcf1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() src/layout/base/nsRefreshDriver.cpp:620:7
    #32 0x7f29c8cdb7b1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:541:9
    #33 0x7f29c7e67bfe in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) src/dom/ipc/VsyncMainChild.cpp:68:15
    #34 0x7f29c2434fac in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:208:54
    #35 0x7f29c1ff183b in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6187:32
    #36 0x7f29c19e8799 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2043:25
    #37 0x7f29c19e5698 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:1968:9
    #38 0x7f29c19e6eb2 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1827:3
    #39 0x7f29c19e78c7 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1855:14
    #40 0x7f29c04ecb32 in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:468:16
    #41 0x7f29c04b1d7d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:771:26
    #42 0x7f29c04af2d8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:607:15
    #43 0x7f29c04af9e9 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:391:36
    #44 0x7f29c04f64c1 in operator() src/xpcom/threads/TaskController.cpp:124:37
    #45 0x7f29c04f64c1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() src/xpcom/threads/nsThreadUtils.h:531:5
    #46 0x7f29c04d22a7 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1183:16
    #47 0x7f29c04dd90c in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:467:10
    #48 0x7f29c19f112f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
    #49 0x7f29c1870621 in RunInternal src/ipc/chromium/src/base/message_loop.cc:331:10
    #50 0x7f29c1870621 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
    #51 0x7f29c1870621 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
    #52 0x7f29c8781b27 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #53 0x7f29cd3f24ff in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:864:20
    #54 0x7f29c1870621 in RunInternal src/ipc/chromium/src/base/message_loop.cc:331:10
    #55 0x7f29c1870621 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
    #56 0x7f29c1870621 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
    #57 0x7f29cd3f1732 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:701:34
    #58 0x55ae5327e08d in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #59 0x55ae5327e4b8 in main src/browser/app/nsBrowserApp.cpp:327:18
    #60 0x7f29e488f0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #61 0x55ae531cd159 in _start (/home/user/workspace/browsers/m-c-20211229092739-fuzzing-asan-opt/firefox+0x5d159)
Flags: in-testsuite?
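The crash signature in the bug title is ClipManager::PopOverrideForASR rather than the std::deque::pop_back frame at #0, and the "zero page" hint is what makes this a crash "near null". The following triage helper is an added example, not code from this bug or from Mozilla: it parses the header and frame lines of an AddressSanitizer SEGV report, classifies the faulting address as near-null when it lies on the zero page, and picks the first non-standard-library frame as the signature. The sample report embedded below is constructed from the first four frames of the trace above; the regular expressions assume the ASan line layout shown there.

```python
"""Triage helper for AddressSanitizer SEGV reports (added example, not Mozilla code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

PAGE_SIZE = 0x1000  # addresses below this sit on the zero page: a null-ish dereference

# Header line: "==PID==ERROR: AddressSanitizer: <kind> on [unknown] address 0x<addr> ..."
HEADER_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address 0x(?P<addr>[0-9a-f]+)"
)
ACCESS_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access")
# Frame line: "#N 0x<pc> in <function ...> <file:line:col or (binary+offset)>"
# The function text may contain spaces (template args, "const*"), so it is matched
# greedily and the location is the final whitespace-free token.
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+) 0x(?P<pc>[0-9a-f]+) in (?P<func>.+) (?P<loc>\S+)$")

# Constructed sample: header plus the first four frames of the report in this bug.
SAMPLE_REPORT = """\
==1172568==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x7f29c33ca8af bp 0x7ffc528df4d0 sp 0x7ffc528df4b0 T0)
==1172568==The signal is caused by a READ memory access.
==1172568==Hint: address points to the zero page.
    #0 0x7f29c33ca8af in std::deque<mozilla::wr::WrSpatialId, std::allocator<mozilla::wr::WrSpatialId> >::pop_back() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_deque.h
    #1 0x7f29c33725db in pop /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_stack.h:261:4
    #2 0x7f29c33725db in mozilla::layers::ClipManager::PopOverrideForASR(mozilla::ActiveScrolledRoot const*) src/gfx/layers/wr/ClipManager.cpp:116:14
    #3 0x7f29c33723d5 in mozilla::layers::ClipManager::EndList(mozilla::layers::StackingContextHelper const&) src/gfx/layers/wr/ClipManager.cpp:81:7
"""


@dataclass
class Frame:
    index: int
    func: str
    location: str

    def is_library_frame(self) -> bool:
        # Standard-library frames: std:: symbols, or inlined helpers living under include/c++
        return self.func.startswith("std::") or "/include/c++/" in self.location


@dataclass
class Triage:
    pid: int
    kind: str
    address: int
    access: Optional[str]
    frames: List[Frame] = field(default_factory=list)

    @property
    def near_null(self) -> bool:
        """True when the faulting address lies on the zero page (small offset from NULL)."""
        return self.address < PAGE_SIZE

    @property
    def signature(self) -> str:
        """First frame outside the C++ standard library, with its argument list stripped."""
        for f in self.frames:
            if not f.is_library_frame():
                return f.func.split("(", 1)[0]
        return self.frames[0].func if self.frames else "<no frames>"


def parse_asan_report(text: str) -> Triage:
    header = None
    access = None
    frames: List[Frame] = []
    for line in text.splitlines():
        if header is None:
            m = HEADER_RE.match(line)
            if m:
                header = m
            continue
        m = ACCESS_RE.search(line)
        if m:
            access = m.group("access")
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group("idx")), m.group("func"), m.group("loc")))
    if header is None:
        raise ValueError("no AddressSanitizer error header found")
    return Triage(
        pid=int(header.group("pid")),
        kind=header.group("kind"),
        address=int(header.group("addr"), 16),
        access=access,
        frames=frames,
    )


def summarize(t: Triage) -> str:
    """One-line triage summary suitable for a bug title or dedup key."""
    where = "near null" if t.near_null else "at 0x%x" % t.address
    return "%s %s %s in [@ %s]" % (t.kind, t.access or "UNKNOWN", where, t.signature)


if __name__ == "__main__":
    print(summarize(parse_asan_report(SAMPLE_REPORT)))
```

Run on the sample, summarize() yields "SEGV READ near null in [@ mozilla::layers::ClipManager::PopOverrideForASR]", matching the signature convention used in this bug's title. The near-null classification is the main triage input here: a read a few bytes past NULL from an empty container is a crash, not a controllable write, which is consistent with the S3 severity assigned later in the thread.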

A Pernosco session is available here: https://pernos.co/debug/uYuiv5thSK7ub7CvQqIvmA/index.html

Crash Signature: [@ webrender_api::display_list::DisplayListBuilder::define_clip_rect ]

Probably similar to other existing open clip fuzz bugs.

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211231213203-d0a94b1f309b.
The bug appears to have been introduced in the following build range:

Start: a1a26ba25fbc5ffcfe850e7ead9eada89cfdfa7e (20210809065042)
End: a1a26ba25fbc5ffcfe850e7ead9eada89cfdfa7e (20210809093320)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=a1a26ba25fbc5ffcfe850e7ead9eada89cfdfa7e&tochange=a1a26ba25fbc5ffcfe850e7ead9eada89cfdfa7e

Whiteboard: [bugmon:bisected,confirmed]

Empty pushlog, something wrong with the bisection?

(In reply to Timothy Nikkel (:tnikkel) from comment #5)

Empty pushlog, something wrong with the bisection?

Jason have you seen this before?

Flags: needinfo?(jkratzer)

Hrmm, looks like we don't properly handle bisection ranges where the start and end commit are the same. :tnikkel, could https://hg.mozilla.org/mozilla-central/rev/a1a26ba25fbc5ffcfe850e7ead9eada89cfdfa7e be responsible for this issue?

Flags: needinfo?(jkratzer) → needinfo?(tnikkel)

If the start and end commits are the same that means the same commit was found to be both good and bad, which is not consistent. Having an empty range for that case seems like the right thing to do.

Unless you were hitting the crash that commit fixed, that commit does not seem like it's related to this problem.

Flags: needinfo?(tnikkel)

So I looked into this a bit more and it appears that the testcase varies in reliability based on the build used. I increased the number of times each build is tested and came up with the following bisection range:

https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=89883f516fc901c6fbf4d785815edd783b910ede&tochange=e9573a9c111ad71ed338f278a20dfc50cb6129d5

Could this be a regression from bug 1732829?

(In reply to Jason Kratzer [:jkratzer] from comment #9)

So I looked into this a bit more and it appears that the testcase varies in reliability based on the build used. I increased the number of times each build is tested and came up with the following bisection range:

https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=89883f516fc901c6fbf4d785815edd783b910ede&tochange=e9573a9c111ad71ed338f278a20dfc50cb6129d5

Could this be a regression from bug 1732829?

Hmm, I wouldn't think the code touched by bug 1732829 would get called in this testcase. Nothing else in the range looks likely either.

Severity: S2 → S3

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

