Closed Bug 1754543 Opened 3 years ago Closed 3 years ago

use-after-poison in [@ mozilla::layout::FindScrollAnchoringBoundingRect]

Categories

(Core :: Layout: Scrolling and Overflow, defect)

defect


RESOLVED DUPLICATE of bug 1733232
Tracking Status
firefox99 --- wontfix
firefox100 --- fixed

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(1 file)

Attached file testcase.html (deleted) —

Found while fuzzing m-c 20220208-bad861b89142 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

==418850==ERROR: AddressSanitizer: use-after-poison on address 0x625000289088 at pc 0x7ff9146814ea bp 0x7fffd0f256f0 sp 0x7fffd0f256e8
READ of size 8 at 0x625000289088 thread T0 (Isolated Web Co)
    #0 0x7ff9146814e9 in get /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:851:48
    #1 0x7ff9146814e9 in operator nsIContent * /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:859:33
    #2 0x7ff9146814e9 in GetContent /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:764:43
    #3 0x7ff9146814e9 in mozilla::layout::FindScrollAnchoringBoundingRect(nsIFrame const*, nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/ScrollAnchorContainer.cpp:129:42
    #4 0x7ff91467f372 in mozilla::layout::FindScrollAnchoringBoundingOffset(mozilla::ScrollFrameHelper const*, nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/ScrollAnchorContainer.cpp:203:7
    #5 0x7ff914680153 in mozilla::layout::ScrollAnchorContainer::ApplyAdjustments() /builds/worker/checkouts/gecko/layout/generic/ScrollAnchorContainer.cpp:447:7
    #6 0x7ff9144e324b in mozilla::PresShell::FlushPendingScrollAnchorAdjustments() /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:2671:23
    #7 0x7ff9144ef744 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9821:9
    #8 0x7ff9144edbab in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4299:11
    #9 0x7ff914477e2a in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1448:5
    #10 0x7ff914477e2a in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2426:20
    #11 0x7ff914484c47 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:348:13
    #12 0x7ff914484c47 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:326:7
    #13 0x7ff9144849ad in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:342:5
    #14 0x7ff914484735 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:780:5
    #15 0x7ff914483e15 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:703:16
    #16 0x7ff914483121 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:620:7
    #17 0x7ff914482be1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:541:9
    #18 0x7ff913610dee in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:68:15
    #19 0x7ff90daf02be in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:208:54
    #20 0x7ff90d693aca in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6167:32
    #21 0x7ff90d0792d9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1658:25
    #22 0x7ff90d076ed9 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1583:9
    #23 0x7ff90d078417 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1480:14
    #24 0x7ff90bb77952 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:467:16
    #25 0x7ff90bb3d02d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:770:26
    #26 0x7ff90bb3a588 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:606:15
    #27 0x7ff90bb3ac99 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:390:36
    #28 0x7ff90bb7fcd1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:124:37
    #29 0x7ff90bb7fcd1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:531:5
    #30 0x7ff90bb5d547 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1195:16
    #31 0x7ff90bb6872c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10
    #32 0x7ff90d08054f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #33 0x7ff90cf060a1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #34 0x7ff90cf060a1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #35 0x7ff90cf060a1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #36 0x7ff913f4d757 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #37 0x7ff918c7ba6f in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:878:20
    #38 0x7ff90cf060a1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #39 0x7ff90cf060a1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #40 0x7ff90cf060a1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #41 0x7ff918c7aca3 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:715:34
    #42 0x55855612b67d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #43 0x55855612bab0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327:18
    #44 0x7ff9304be0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #45 0x55855607a749 in _start (/home/user/workspace/browsers/m-c-20220208215108-fuzzing-asan-opt/firefox+0x5d749)

0x625000289088 is located 6024 bytes inside of 8192-byte region [0x625000287900,0x625000289900)
allocated by thread T0 (Isolated Web Co) here:
    #0 0x5585560f6d1d in __interceptor_malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
    #1 0x7ff90bb14ba0 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:170:15
    #2 0x7ff91462ee0d in InternalAllocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:204:25
    #3 0x7ff91462ee0d in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:66:12
    #4 0x7ff91462ee0d in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:70:15
    #5 0x7ff914940255 in AllocateByObjectID /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:280:32
    #6 0x7ff914940255 in AllocateFrame /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:272:12
    #7 0x7ff914940255 in operator new /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:4725:1
    #8 0x7ff914940255 in NS_NewTextFrame(mozilla::PresShell*, mozilla::ComputedStyle*) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:4722:10
    #9 0x7ff91457da06 in nsCSSFrameConstructor::ConstructTextFrame(nsCSSFrameConstructor::FrameConstructionData const*, nsFrameConstructorState&, nsIContent*, nsContainerFrame*, mozilla::ComputedStyle*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3250:7
    #10 0x7ff914586108 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5595:5
    #11 0x7ff914570255 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9468:5
    #12 0x7ff9145815dc in nsCSSFrameConstructor::ConstructInline(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10915:3
    #13 0x7ff91457ed7b in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3643:16
    #14 0x7ff914585ed8 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5608:3
    #15 0x7ff914570255 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9468:5
    #16 0x7ff914570e46 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9628:3
    #17 0x7ff914576be5 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10517:3
    #18 0x7ff91457d6a0 in nsCSSFrameConstructor::ConstructScrollableBlockWithConstructor(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&, nsBlockFrame* (*)(mozilla::PresShell*, mozilla::ComputedStyle*)) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4527:3
    #19 0x7ff914581b77 in nsCSSFrameConstructor::ConstructScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4500:10
    #20 0x7ff91457ed7b in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3643:16
    #21 0x7ff914585ed8 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5608:3
    #22 0x7ff914570255 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9468:5
    #23 0x7ff914570e46 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9628:3
    #24 0x7ff91457f372 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3783:9
    #25 0x7ff914585ed8 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5608:3
    #26 0x7ff914570255 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9468:5
    #27 0x7ff914570e46 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9628:3
    #28 0x7ff91457f372 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3783:9
    #29 0x7ff914585ed8 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5608:3
    #30 0x7ff914570255 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9468:5
    #31 0x7ff914570e46 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9628:3
    #32 0x7ff91457f372 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3783:9
    #33 0x7ff914585ed8 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5608:3
    #34 0x7ff914570255 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9468:5
Flags: in-testsuite?
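The report above was closed as a duplicate, which is the everyday fate of fuzzer findings: the same faulting function shows up under many testcases, and triage keys on a crash signature rather than on the raw trace. The following script is an added example of that triage step, not the reporter's tooling and not part of Grizzly or Bugmon. It parses an AddressSanitizer report into its header (bug class, access kind and size, thread), the faulting stack and the allocation stack, and derives a Bugzilla-style `[@ function]` signature. The regular expressions are my own assumptions about the text layout of ASan reports; the "consecutive frames with one pc are inlined callees" rule is a heuristic (it is why the signature lands on `FindScrollAnchoringBoundingRect` rather than on the inlined `nsCOMPtr::get` accessor at frame #0). The embedded report is a shortened copy of the one in this bug.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a shortened copy of the ASan report from this bug,
# keeping the header, the first five faulting frames and the allocation site.
SAMPLE_REPORT = """\
==418850==ERROR: AddressSanitizer: use-after-poison on address 0x625000289088 at pc 0x7ff9146814ea bp 0x7fffd0f256f0 sp 0x7fffd0f256e8
READ of size 8 at 0x625000289088 thread T0 (Isolated Web Co)
    #0 0x7ff9146814e9 in get /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:851:48
    #1 0x7ff9146814e9 in operator nsIContent * /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:859:33
    #2 0x7ff9146814e9 in GetContent /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:764:43
    #3 0x7ff9146814e9 in mozilla::layout::FindScrollAnchoringBoundingRect(nsIFrame const*, nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/ScrollAnchorContainer.cpp:129:42
    #4 0x7ff91467f372 in mozilla::layout::FindScrollAnchoringBoundingOffset(mozilla::ScrollFrameHelper const*, nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/ScrollAnchorContainer.cpp:203:7

0x625000289088 is located 6024 bytes inside of 8192-byte region [0x625000287900,0x625000289900)
allocated by thread T0 (Isolated Web Co) here:
    #0 0x5585560f6d1d in __interceptor_malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
    #1 0x7ff90bb14ba0 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:170:15
"""

# Assumed ASan text layout (heuristic regexes, not an official grammar).
HEADER_RE = re.compile(r"ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes (?:inside of|to the (?:left|right) of) (\d+)-byte region")
SECTION_RE = re.compile(r"^(allocated|freed|previously allocated) by thread")
# "#N 0xPC in <function ...> <location>": the function may contain spaces, so
# take everything up to the last whitespace-free token as the function.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+(0x[0-9a-f]+)\s+in\s+(.+?)\s+(\S+)$")
NAME_RE = re.compile(r"operator\(\)|[^(]+")


@dataclass
class Frame:
    index: int
    pc: str
    function: str
    location: str


@dataclass
class Triage:
    bug_type: str = ""
    access: str = ""
    size: int = 0
    thread: str = ""
    region_offset: int = -1
    region_size: int = -1
    stacks: dict = field(default_factory=dict)  # section name -> list[Frame]

    @property
    def signature(self) -> str:
        return f"[@ {crash_function(self.stacks.get('crash', []))}]"


def short_name(function: str) -> str:
    """Strip the parameter list ASan appends to a symbolized name."""
    m = NAME_RE.match(function)
    return m.group(0).strip() if m else function


def crash_function(frames: list) -> str:
    """Outermost frame of the inlining chain at frame #0 (heuristic):
    ASan symbolizes inlined callees as consecutive frames sharing one pc,
    so the last of them is the function whose code actually faulted."""
    if not frames:
        return ""
    outer = frames[0]
    for f in frames:
        if f.pc != frames[0].pc:
            break
        outer = f
    return short_name(outer.function)


def allocation_site(t: Triage) -> str:
    """First non-interceptor frame of the allocation stack, if any."""
    for f in t.stacks.get("allocated", []):
        if not f.function.startswith("__interceptor_"):
            return short_name(f.function)
    return ""


def parse_report(text: str) -> Triage:
    t = Triage()
    section = "crash"
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            t.bug_type = m.group(1)
        elif m := ACCESS_RE.match(line):
            t.access, t.size, t.thread = m.group(1), int(m.group(2)), m.group(3)
        elif m := REGION_RE.search(line):
            t.region_offset, t.region_size = int(m.group(1)), int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := FRAME_RE.match(line):
            t.stacks.setdefault(section, []).append(
                Frame(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return t


if __name__ == "__main__":
    t = parse_report(SAMPLE_REPORT)
    print(t.bug_type, t.access, t.size, t.thread, t.signature)
    print("allocated in:", allocation_site(t))
```

Two signatures that agree on bug class and faulting function are the first hint that two testcases exercise one defect, which is exactly how this report ends up as a duplicate; the allocation site (an 8192-byte `ArenaAllocator` chunk here, with the poisoned frame 6024 bytes into it) is the second thing to compare, because arena-backed objects that ASan can only poison rather than free are where use-after-poison, as opposed to use-after-free, reports come from.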

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220209161007-4937cd54a336.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 5cbcb80f72bd7606c8572aa89247235ddcbd7762 (20210211050245)
End: bad861b891423d17bc93922efdbc5f55588f5e5b (20220208215108)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:bisected,confirmed]

The attached testcase triggered the following assertion when run via rr and during reduction.

Assertion failure: !mScrollFrame->mScrolledFrame->IsInScrollAnchorChain() (Our scrolled frame can't serve as or contain an anchor for an ancestor if it can maintain its own anchor), at src/layout/generic/ScrollAnchorContainer.cpp:261

#0 0x7f8d9eb6eab7 in mozilla::layout::ScrollAnchorContainer::SelectAnchor() src/layout/generic/ScrollAnchorContainer.cpp:258:5
#1 0x7f8d9ea84a95 in mozilla::PresShell::FlushPendingScrollAnchorSelections() src/layout/base/PresShell.cpp:2659:23
#2 0x7f8d9eab21d0 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:3053:31
#3 0x7f8d9ea8a8fd in ProcessPendingRestyles src/layout/base/RestyleManager.cpp:3177:3
#4 0x7f8d9ea8a8fd in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4258:39
#5 0x7f8d9ea51210 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) src/layout/base/nsRefreshDriver.cpp:2393:22
#6 0x7f8d9ea59870 in TickDriver src/layout/base/nsRefreshDriver.cpp:348:13
#7 0x7f8d9ea59870 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:326:7
#8 0x7f8d9ea59773 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:342:5
#9 0x7f8d9ea59640 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:780:5
#10 0x7f8d9ea58e6a in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:703:16
#11 0x7f8d9ea586c3 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() src/layout/base/nsRefreshDriver.cpp:620:7
#12 0x7f8d9ea58299 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:541:9
#13 0x7f8d9e1fa36a in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) src/dom/ipc/VsyncMainChild.cpp:68:15
#14 0x7f8d9aae4135 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:208:54
#15 0x7f8d9a87bedc in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6167:32
#16 0x7f8d9a4f2e61 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:1658:25
#17 0x7f8d9a4f02a2 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:1583:9
#18 0x7f8d9a4f0ded in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1452:3
#19 0x7f8d9a4f18cd in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1480:14
#20 0x7f8d99a5face in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:467:16
#21 0x7f8d99a39846 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:770:26
#22 0x7f8d99a38508 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:606:15
#23 0x7f8d99a38783 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:390:36
#24 0x7f8d99a62b79 in operator() src/xpcom/threads/TaskController.cpp:127:37
#25 0x7f8d99a62b79 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#26 0x7f8d99a4e223 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1195:16
#27 0x7f8d99a5530a in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:467:10
#28 0x7f8d9a4f8124 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:107:5
#29 0x7f8d9a41ce97 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:331:10
#30 0x7f8d9a41cda2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
#31 0x7f8d9a41cda2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
#32 0x7f8d9e75b808 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#33 0x7f8da07b8303 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:878:20
#34 0x7f8d9a4f906a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#35 0x7f8d9a41ce97 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:331:10
#36 0x7f8d9a41cda2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
#37 0x7f8d9a41cda2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
#38 0x7f8da07b793c in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:715:34
#39 0x5606c836ec77 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#40 0x5606c836ec77 in main src/browser/app/nsBrowserApp.cpp:327:18
#41 0x7f8dafe790b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#42 0x5606c834a3fc in _start (/home/user/workspace/browsers/m-c-20220208215108-fuzzing-debug/firefox-bin+0x153fc)

A Pernosco session is available here: https://pernos.co/debug/DH3c5sOmCCccsXQ-BeV8Gw/index.html

emilio's going to look at this, I think; otherwise I can!

Flags: needinfo?(emilio)

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220208215108-bad861b89142) but not with tip (mozilla-central 20220408214449-0671f5ff7249).
The bug appears to have been fixed in the following build range:

Start: c712ec8864e2ebd4d363fefab6980ab68bff83fd (20220407213814)
End: 6a588f6d08f795ffc8594a01250e3ae3307bde92 (20220407220844)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c712ec8864e2ebd4d363fefab6980ab68bff83fd&tochange=6a588f6d08f795ffc8594a01250e3ae3307bde92
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Flags: needinfo?(dholbert)
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(emilio)
Flags: needinfo?(dholbert)
Resolution: --- → DUPLICATE