Closed Bug 1598255 Opened 5 years ago Closed 4 years ago

Receive IPC close with reason=AbnormalShutdown

Categories

(Core :: Graphics: WebRender, defect, P3)

70 Branch
defect


RESOLVED INCOMPLETE
Tracking Status
firefox70 --- wontfix
firefox71 --- fix-optional
firefox72 --- affected

People

(Reporter: tejasajaynaik1996, Unassigned, NeedInfo)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, testcase-wanted)

Attachments

(6 files, 1 obsolete file)

Attached file grizzly_fuzz_harness.html (obsolete)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0

Steps to reproduce:

I did fuzzing with the Grizzly harness and found a segmentation fault at unknown address 0x60f000080049 if I enable the popup blocker.

Actual results:

I will try to close the child tab but it is not closing.

Expected results:

After running Firefox, it should not show any error messages, and if I close the child tab it should not open again.

=================================================================
==32432==ERROR: AddressSanitizer: SEGV on unknown address 0x60f000080049 (pc 0x7fffc233659c bp 0x000040086f04 sp 0x7fffc6dc31c0 T6)
==32432==The signal is caused by a READ memory access.
#0 0x7fffc233659b (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x30159b)
#1 0x7fffc2336f3d (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x301f3d)
#2 0x7fffc237feab (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x34aeab)
#3 0x7fffc2380026 (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x34b026)
#4 0x7fffc238148d (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x34c48d)
#5 0x7fffc212eb96 (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0xf9b96)
#6 0x7fffc250117b (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x4cc17b)
#7 0x7fffc24f32bd (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x4be2bd)
#8 0x7fffc24f84f3 (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x4c34f3)
#9 0x7fffc24b9994 (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x484994)
#10 0x7fffc24bc54f (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x48754f)
#11 0x7fffc24bfa81 (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x48aa81)
#12 0x7fffe32ba5af in gleam::ffi_gl::Gl::TexSubImage3D::h9a1dd61d37856cb3 /builds/worker/workspace/build/src/obj-firefox/x86_64-unknown-linux-gnu/release/build/gleam-dc054688264c4906/out/gl_bindings.rs:4662:335
#13 0x7fffe32ba5af in _$LT$gleam..gl..GlFns$u20$as$u20$gleam..gl..Gl$GT$::tex_sub_image_3d_pbo::h3bf31ca94b755621 /builds/worker/workspace/build/src/third_party/rust/gleam/src/gl_fns.rs:780:12
#14 0x7fffe30d0bbf in webrender::device::gl::UploadTarget::update_impl::h0d724e7242dab590 /builds/worker/workspace/build/src/gfx/wr/webrender/src/device/gl.rs:3684:16
#15 0x7fffe30df916 in _$LT$webrender..device..gl..TextureUploader$LT$T$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::h2502535b793eb09f /builds/worker/workspace/build/src/gfx/wr/webrender/src/device/gl.rs:3523:16
#16 0x7fffe30df916 in core::ptr::real_drop_in_place::hce0b3ad19b17900a /rustc/625451e376bb2e5283fc4741caa0a3e8a2ca4d54/src/libcore/ptr/mod.rs:175
#17 0x7fffe30dd350 in webrender::renderer::Renderer::update_texture_cache::_$u7b$$u7b$closure$u7d$$u7d$::hae989bf4e9d2063e /builds/worker/workspace/build/src/gfx/wr/webrender/src/renderer.rs:3473:24
#18 0x7fffe30dd350 in webrender::profiler::TimeProfileCounter::profile::h5e2deb21899e88e8 /builds/worker/workspace/build/src/gfx/wr/webrender/src/profiler.rs:454:18
#19 0x7fffe30dd350 in webrender::renderer::Renderer::update_texture_cache::he53fbfcca74deed0 /builds/worker/workspace/build/src/gfx/wr/webrender/src/renderer.rs:3390:8
#20 0x7fffe30e36b1 in webrender::renderer::Renderer::render_impl::_$u7b$$u7b$closure$u7d$$u7d$::h9bbef7d3391d5aba /builds/worker/workspace/build/src/gfx/wr/webrender/src/renderer.rs:3074:12
#21 0x7fffe30e36b1 in webrender::profiler::TimeProfileCounter::profile::ha42b2d3b5621cd68 /builds/worker/workspace/build/src/gfx/wr/webrender/src/profiler.rs:454:18
#22 0x7fffe30e36b1 in webrender::renderer::Renderer::render_impl::hff4b7f662250e181 /builds/worker/workspace/build/src/gfx/wr/webrender/src/renderer.rs:3064:27
#23 0x7fffe30f4cac in webrender::renderer::Renderer::render::he37aadcc133ce92e /builds/worker/workspace/build/src/gfx/wr/webrender/src/renderer.rs:2909:21
#24 0x7fffe2f4028e in wr_renderer_render /builds/worker/workspace/build/src/gfx/webrender_bindings/src/bindings.rs:639:10
#25 0x7fffd7215f7d in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool, mozilla::wr::RendererStats*) /builds/worker/workspace/build/src/gfx/webrender_bindings/RendererOGL.cpp:154:29
#26 0x7fffd7214555 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool) /builds/worker/workspace/build/src/gfx/webrender_bindings/RenderThread.cpp:474:31
#27 0x7fffd721318b in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /builds/worker/workspace/build/src/gfx/webrender_bindings/RenderThread.cpp:350:3
#28 0x7fffd723e3e7 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
#29 0x7fffd723e3e7 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1130:12
#30 0x7fffd723e3e7 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1176:13
#31 0x7fffd48adc20 in RunTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:442:9
#32 0x7fffd48adc20 in DeferOrRunPendingTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:450:5
#33 0x7fffd48adc20 in MessageLoop::DoWork() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:523:13
#34 0x7fffd48af909 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:35:31
#35 0x7fffd48ab6a2 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#36 0x7fffd48ab6a2 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
#37 0x7fffd48ab6a2 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
#38 0x7fffd48cab21 in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:192:16
#39 0x7fffd48c03cc in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:40:13
#40 0x7ffff7bbd6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#41 0x7ffff6b9b88e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x30159b)
Thread T6 (Renderer) created by T0 (GPU Process) here:
#0 0x55555560b6da in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
#1 0x7fffd48ba66c in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:123:14
#2 0x7fffd48ba66c in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:134:10
#3 0x7fffd48ca220 in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:97:8
#4 0x7fffd720f59a in mozilla::wr::RenderThread::Start() /builds/worker/workspace/build/src/gfx/webrender_bindings/RenderThread.cpp:72:16
#5 0x7fffd7153b5d in mozilla::gfx::GPUParent::RecvInit(nsTArray<mozilla::gfx::GfxVarUpdate>&&, mozilla::gfx::DevicePrefs const&, nsTArray<mozilla::gfx::LayerTreeIdMapping>&&) /builds/worker/workspace/build/src/gfx/ipc/GPUParent.cpp:261:5
#6 0x7fffd4fd5900 in mozilla::gfx::PGPUParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PGPUParent.cpp:770:53
#7 0x7fffd499a876 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2208:25
#8 0x7fffd4995891 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2130:9
#9 0x7fffd4997e01 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1972:3
#10 0x7fffd4998cc7 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2003:13
#11 0x7fffd378a06a in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1250:14
#12 0x7fffd3791511 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#13 0x7fffd49a3a24 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:110:5
#14 0x7fffd48ab6a2 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#15 0x7fffd48ab6a2 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
#16 0x7fffd48ab6a2 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
#17 0x7fffdc520a48 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#18 0x7fffe056e336 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:934:20
#19 0x7fffd48ab6a2 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#20 0x7fffd48ab6a2 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
#21 0x7fffd48ab6a2 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
#22 0x7fffe056db9a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:769:34
#23 0x555555653bec in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#24 0x555555653bec in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:272:18
#25 0x7ffff6a9bb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

==32432==ABORTING
Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: Receive IPC close with reason=AbnormalShutdown (t=1.13095) [GFX1-]: Receive IPC close with reason=AbnormalShutdown
Crash Annotation GraphicsCriticalError: |[0]CP+[GFX1-]: Receive IPC close with reason=AbnormalShutdown (t=9.63077) |[1][GFX1-]: Receive IPC close with reason=AbnormalShutdown (t=9.64976) [GFX1-]: Receive IPC close with reason=AbnormalShutdown

###!!! [Parent][MessageChannel] Error: (msgtype=0x52001B,name=PGPU::Msg_ShutdownVR) Channel error: cannot send/recv

###!!! [Child][MessageChannel::SendAndWait] Error: (msgtype=0x34001A,name=PCompositorBridge::Msg_WillClose) Channel error: cannot send/recv

Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: Receive IPC close with reason=AbnormalShutdown (t=0.591207) [GFX1-]: Receive IPC close with reason=AbnormalShutdown
[grz harness][Thu, 21 Nov 2019 09:21:01 GMT] No valid time limit given, using default of 15000
[grz harness][Thu, 21 Nov 2019 09:21:04 GMT] Cleaning up
JavaScript error: file:///home/esecurity/code/browsers/firefox/grizzly_fuzz_harness.html, line 65: NS_ERROR_FAILURE:
JavaScript error: resource://services-settings/RemoteSettingsClient.jsm, line 149: Error: Unknown callback

Blocks: grizzly
Group: firefox-core-security → gfx-core-security
Component: Untriaged → Graphics: WebRender
Flags: needinfo?(twsmith)
Product: Firefox → Core
Type: enhancement → defect

Hi Tejas and thank you for the bug report. The attached file is actually one of the built-in[1] parts for Grizzly and is not what we require to reproduce the issue. Can you please review the reporting instructions[2] and repackage the test case?

[1] https://github.com/MozillaSecurity/grizzly/blob/master/grizzly/common/harness.html
[2] https://github.com/MozillaSecurity/grizzly/wiki/Managing-Results

Flags: needinfo?(twsmith) → needinfo?(tejasajaynaik1996)
Attached file grizzly-20.zip
Flags: needinfo?(tejasajaynaik1996)
Attached file testcase.html

I think this should reproduce the issue when using the attached prefs.js file. I'm not sure how long it will take to reproduce though since I don't have a setup to test this with. Judging by the stack we need a Linux machine with an Nvidia card and nouveau drivers.

Tejas, could you test with the attached testcase.html (and pref.js I will also attach) on your setup? Also could you provide some details about the system? OS version, nouveau driver version (info can be found in about:support).

Attachment #9110483 - Attachment is obsolete: true
Flags: needinfo?(tejasajaynaik1996)
Attached file prefs.js

OS Linux 4.15.0-70-generic (Ubuntu 18.04.3 LTS)
Processor: Intel® Xeon(R) CPU E5-1620 0 @ 3.60GHz × 8
Graphics: NVA8 using NVIDIA binary driver-version 340.107 from nvidia-340
WebGL 1 Driver Renderer nouveau -- NVA8
WebGL 1 Driver Version 3.3 (Compatibility Profile) Mesa 19.0.8

Flags: needinfo?(tejasajaynaik1996)

(In reply to Tyson Smith [:tsmith] from comment #5)

Created attachment 9112610 [details]
testcase.html

I think this should reproduce the issue when using the attached prefs.js file. I'm not sure how long it will take to reproduce though since I don't have a setup to test this with. Judging by the stack we need a Linux machine with an Nvidia card and nouveau drivers.

Tejas, could you test with the attached testcase.html (and pref.js I will also attach) on your setup? Also could you provide some details about the system? OS version, nouveau driver version (info can be found in about:support).

ok, I will do.

Jessie: are there known issues with nouveau drivers that could cause this, or is this something someone on your team could dig deeper into?

Flags: needinfo?(jbonisteel)

Jeff - do you know if there are any issues with these drivers?

Flags: needinfo?(jbonisteel) → needinfo?(jmuizelaar)

There are no known issues with nouveau drivers. Tejas, can you reproduce the problem with llvmpipe? You should be able to enable llvmpipe by running with LIBGL_ALWAYS_SOFTWARE=1

Flags: needinfo?(jmuizelaar) → needinfo?(tejasajaynaik1996)

(In reply to Jeff Muizelaar [:jrmuizel] from comment #12)

There are no known issues with nouveau drivers. Tejas, can you reproduce the problem with llvmpipe? You should be able to enable llvmpipe by running with LIBGL_ALWAYS_SOFTWARE=1

Ok, sure

As per the steps, the following result was found

Flags: needinfo?(tejasajaynaik1996)

Jeff, does this look actionable?

Flags: needinfo?(jmuizelaar)

That looks like a crash elsewhere:

==24970==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f507df0070b bp 0x7f507054c1d0 sp 0x7f507054b820 T6)
==24970==The signal is caused by a WRITE memory access.
==24970==Hint: address points to the zero page.
    #0 0x7f507df0070a in ~nsCOMPtr_base /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:330:9
    #1 0x7f507df0070a in mozilla::net::nsSocketTransport::InitiateSocket() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransport2.cpp:1746:7
    #2 0x7f507df0421d in mozilla::net::nsSocketTransport::OnSocketEvent(unsigned int, nsresult, nsISupports*) /builds/worker/workspace/build/src/netwerk/base/nsSocketTransport2.cpp:2217:22
    #3 0x7f507df4a338 in mozilla::net::nsSocketEvent::Run() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransport2.cpp:93:17
    #4 0x7f507dc07857 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1241:14
    #5 0x7f507dc1205c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #6 0x7f507df154d4 in mozilla::net::nsSocketTransportService::Run() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp:1013:11
    #7 0x7f507df1747c in non-virtual thunk to mozilla::net::nsSocketTransportService::Run() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp
    #8 0x7f507dc07857 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1241:14
    #9 0x7f507dc1205c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #10 0x7f507ee32e42 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:302:20
    #11 0x7f507ed2b637 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #12 0x7f507ed2b637 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #13 0x7f507ed2b637 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #14 0x7f507dc0097a in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:459:11
    #15 0x7f50a155c25e in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #16 0x7f50a11a46da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #17 0x7f50a018288e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: needinfo?(jmuizelaar) → needinfo?(twsmith)

(In reply to Jeff Muizelaar [:jrmuizel] from comment #16)

That looks like a crash elsewhere:

Yeah that is not an issue. It is an unrelated assertion. Hit MOZ_CRASH(Attempting to connect to non-local address!) at /builds/worker/workspace/build/src/netwerk/base/nsSocketTransport2.cpp:1339

Looks like the reporter was running with MOZ_DISABLE_NONLOCAL_CONNECTIONS=1 without the right prefs.js file. My guess is that Grizzly was run without a prefs.js file and it led to that.

Flags: needinfo?(twsmith)
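
The triage reasoning in the comments above (the original trace faults inside nouveau_dri.so, while the later run faults in netwerk code near the zero page) can be checked mechanically. This is an added example, not part of the bug thread and not Grizzly or FFPuppet code; `parse_asan`, `CrashSummary` and the bucket string format are assumptions, and the sample traces are abbreviated, renumbered excerpts of the ones posted in this bug.

```python
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional

HEADER_RE = re.compile(
    r"ERROR: AddressSanitizer: (?P<kind>\S+) on unknown address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access")
# Matches "#N 0xPC in func /src/file:line", "#N 0xPC in func (/lib.so+0xOFF)"
# and the unsymbolized form "#N 0xPC  (/lib.so+0xOFF)".
FRAME_RE = re.compile(
    r"^\s*#(?P<idx>\d+) 0x[0-9a-f]+\s+"
    r"(?:in (?P<func>.+?) )?"
    r"(?:\((?P<module>/[^()]+)\+0x[0-9a-f]+\)|(?P<source>/\S+))\s*$")
# Rust legacy mangling appends a per-build hash; strip it so builds bucket together.
RUST_HASH_RE = re.compile(r"::h[0-9a-f]{16}$")


@dataclass
class Frame:
    index: int
    func: Optional[str]
    module: Optional[str]   # set when ASan printed (module+offset)
    source: Optional[str]   # set when the frame carries file:line info


@dataclass
class CrashSummary:
    kind: str
    address: int
    access: Optional[str]
    frames: List[Frame] = field(default_factory=list)

    @property
    def faulting_module(self) -> Optional[str]:
        """Library holding frame #0 when that frame has no source info."""
        top = self.frames[0] if self.frames else None
        return os.path.basename(top.module) if top and top.module else None

    @property
    def first_symbolized(self) -> Optional[str]:
        """First frame with source info: where Firefox code enters the crash."""
        for frame in self.frames:
            if frame.func and frame.source:
                return RUST_HASH_RE.sub("", frame.func)
        return None

    @property
    def near_null(self) -> bool:
        """True for addresses in the zero page (ASan prints a hint for these)."""
        return self.address < 0x1000

    def bucket(self) -> str:
        return "|".join([self.kind, self.access or "?",
                         self.faulting_module or "-", self.first_symbolized or "?"])


def parse_asan(report: str) -> CrashSummary:
    """Parse the crashing thread's stack only; the 'created by' stack is skipped."""
    summary = None
    for line in report.splitlines():
        if summary is None:
            m = HEADER_RE.search(line)
            if m:
                summary = CrashSummary(m["kind"], int(m["addr"], 16), None)
            continue
        m = ACCESS_RE.search(line)
        if m and not summary.frames:
            summary.access = m["access"]
            continue
        m = FRAME_RE.match(line)
        if m:
            summary.frames.append(
                Frame(int(m["idx"]), m["func"], m["module"], m["source"]))
        elif summary.frames:
            break  # first non-frame line ends the crashing stack
    if summary is None:
        raise ValueError("no AddressSanitizer header found")
    return summary


# Abbreviated, renumbered excerpt of the trace in the original report.
DRIVER_TRACE = """\
==32432==ERROR: AddressSanitizer: SEGV on unknown address 0x60f000080049 (pc 0x7fffc233659c bp 0x000040086f04 sp 0x7fffc6dc31c0 T6)
==32432==The signal is caused by a READ memory access.
    #0 0x7fffc233659b  (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x30159b)
    #1 0x7fffc2336f3d  (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x301f3d)
    #2 0x7fffe32ba5af in gleam::ffi_gl::Gl::TexSubImage3D::h9a1dd61d37856cb3 /builds/worker/workspace/build/src/obj-firefox/x86_64-unknown-linux-gnu/release/build/gleam-dc054688264c4906/out/gl_bindings.rs:4662:335
    #3 0x7fffe30d0bbf in webrender::device::gl::UploadTarget::update_impl::h0d724e7242dab590 /builds/worker/workspace/build/src/gfx/wr/webrender/src/device/gl.rs:3684:16

AddressSanitizer can not provide additional info.
Thread T6 (Renderer) created by T0 (GPU Process) here:
    #0 0x55555560b6da in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
"""

# Abbreviated excerpt of the trace described as "a crash elsewhere".
NETWORK_TRACE = """\
==24970==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f507df0070b bp 0x7f507054c1d0 sp 0x7f507054b820 T6)
==24970==The signal is caused by a WRITE memory access.
==24970==Hint: address points to the zero page.
    #0 0x7f507df0070a in ~nsCOMPtr_base /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:330:9
    #1 0x7f507df0070a in mozilla::net::nsSocketTransport::InitiateSocket() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransport2.cpp:1746:7
"""

if __name__ == "__main__":
    for name, text in (("driver", DRIVER_TRACE), ("network", NETWORK_TRACE)):
        crash = parse_asan(text)
        print(name, crash.bucket(), "near-null" if crash.near_null else "wild address")
```

Two reports with the same bucket are likely the same bug; a differing module or entry frame, as between these two traces, means the second run did not reproduce the first crash.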

(In reply to Tejas Ajay Naik from comment #14)

Created attachment 9116317 [details]
0fca04d7_2019-12-17_12-42-26_logs.zip

As per the steps, the following result was found

The above test in comment 5 and comment 6 needs to be run without Grizzly.

To repro you can use FFPuppet.

  1. Install FFPuppet (It is used with Grizzly so it should already be installed. More info can be found here: https://github.com/MozillaSecurity/ffpuppet)
  2. Download testcase.html and prefs.js
  3. Run python -m ffpuppet -d -p <prefs_file> -u <testcase> <path_to_firefox>

This will run the testcase locally.

Flags: needinfo?(tejasajaynaik1996)
python -m ffpuppet ~/code/browsers/firefox/firefox -p pref.js -d -u testcase.html 
[2019-12-18 10:08:40] Launching Firefox...
[2019-12-18 10:08:50] Running Firefox (pid: 13309)...
[2019-12-18 10:09:02] Shutting down...
[2019-12-18 10:09:02] Firefox process closed
[2019-12-18 10:09:02] Displaying logs...

===
=== Dumping 'log_ffp_asan_13306.log.13363.txt' (10.81KB)
===
=================================================================
==13363==ERROR: AddressSanitizer: SEGV on unknown address 0x60f0002d00c9 (pc 0x7fa40857359c bp 0x000040086f04 sp 0x7fa40e0cc260 T6)
==13363==The signal is caused by a READ memory access.
    #0 0x7fa40857359b  (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x30159b)
    #1 0x7fa408573f3d  (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x301f3d)
    #2 0x7fa4085bceab  (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x34aeab)
    #3 0x7fa4085bd026  (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x34b026)
    #4 0x7fa4085be48d  (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x34c48d)
    #5 0x7fa40836bb96  (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0xf9b96)
    #6 0x7fa40873e17b  (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x4cc17b)
    #7 0x7fa4087302bd  (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x4be2bd)
    #8 0x7fa4087354f3  (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x4c34f3)
    #9 0x7fa4086f6994  (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x484994)
    #10 0x7fa4086f954f  (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x48754f)
    #11 0x7fa4086fc9d7  (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x48a9d7)
    #12 0x7fa4288e7ff7 in gleam::ffi_gl::Gl::TexSubImage2D::h72b10e5895f17a5b /builds/worker/workspace/build/src/obj-firefox/x86_64-unknown-linux-gnu/release/build/gleam-9a4ba89dbedbd1ad/out/gl_bindings.rs:4660:289
    #13 0x7fa4288e7ff7 in _$LT$gleam..gl..GlFns$u20$as$u20$gleam..gl..Gl$GT$::tex_sub_image_2d_pbo::he4d9ebf837a2218e /builds/worker/workspace/build/src/third_party/rust/gleam/src/gl_fns.rs:720:12
    #14 0x7fa42960b52d in webrender::device::gl::UploadTarget::update_impl::hef8c7898691c8e66 /builds/worker/workspace/build/src/gfx/wr/webrender/src/device/gl.rs:3703:16
    #15 0x7fa42961cd01 in _$LT$webrender..device..gl..TextureUploader$LT$T$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::hdffcfd8bd53fabec /builds/worker/workspace/build/src/gfx/wr/webrender/src/device/gl.rs:3527:16
    #16 0x7fa42961cd01 in core::ptr::real_drop_in_place::hffecef07eadf1df1 /rustc/4560ea788cb760f0a34127156c78e2552949f734/src/libcore/ptr/mod.rs:175
    #17 0x7fa42961cd01 in webrender::renderer::GpuCacheTexture::flush::h9a17f37110c4ceef /builds/worker/workspace/build/src/gfx/wr/webrender/src/renderer.rs:1544:12
    #18 0x7fa42961cd01 in webrender::renderer::Renderer::update_gpu_cache::_$u7b$$u7b$closure$u7d$$u7d$::h5e776f06582a2710 /builds/worker/workspace/build/src/gfx/wr/webrender/src/renderer.rs:3356:19
    #19 0x7fa42961cd01 in webrender::profiler::TimeProfileCounter::profile::hecf7cc9e84482912 /builds/worker/workspace/build/src/gfx/wr/webrender/src/profiler.rs:455:18
    #20 0x7fa42961cd01 in webrender::renderer::Renderer::update_gpu_cache::hf2aa23084cf4bdf5 /builds/worker/workspace/build/src/gfx/wr/webrender/src/renderer.rs:3355:27
    #21 0x7fa429620ca9 in webrender::renderer::Renderer::prepare_gpu_cache::h4cddf42befd811a1 /builds/worker/workspace/build/src/gfx/wr/webrender/src/renderer.rs:3378:8
    #22 0x7fa429620ca9 in webrender::renderer::Renderer::render_impl::_$u7b$$u7b$closure$u7d$$u7d$::h95ae999999988323 /builds/worker/workspace/build/src/gfx/wr/webrender/src/renderer.rs:3108:16
    #23 0x7fa429620ca9 in webrender::profiler::TimeProfileCounter::profile::h22ef4317f4772fc0 /builds/worker/workspace/build/src/gfx/wr/webrender/src/profiler.rs:455:18
    #24 0x7fa429620ca9 in webrender::renderer::Renderer::render_impl::h4ac7cffe8fcf31a6 /builds/worker/workspace/build/src/gfx/wr/webrender/src/renderer.rs:3089:8
    #25 0x7fa42962f77c in webrender::renderer::Renderer::render::hef93f1e58d0583b5 /builds/worker/workspace/build/src/gfx/wr/webrender/src/renderer.rs:2911:21
    #26 0x7fa4298409ce in wr_renderer_render /builds/worker/workspace/build/src/gfx/webrender_bindings/src/bindings.rs:659:10
    #27 0x7fa41e36121d in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool, mozilla::wr::RendererStats*) /builds/worker/workspace/build/src/gfx/webrender_bindings/RendererOGL.cpp:151:29
    #28 0x7fa41e35fd39 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool) /builds/worker/workspace/build/src/gfx/webrender_bindings/RenderThread.cpp:477:31
    #29 0x7fa41e35eb7e in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /builds/worker/workspace/build/src/gfx/webrender_bindings/RenderThread.cpp:353:3
    #30 0x7fa41e38dd96 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
    #31 0x7fa41e38dd96 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1130:12
    #32 0x7fa41e38dd96 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1176:13
    #33 0x7fa41bc17a52 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:442:9
    #34 0x7fa41bc18834 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:450:5
    #35 0x7fa41bc1908b in MessageLoop::DoWork() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:523:13
    #36 0x7fa41bc1aa36 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:35:31
    #37 0x7fa41bc17637 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #38 0x7fa41bc17637 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #39 0x7fa41bc17637 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #40 0x7fa41bc360fa in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:192:16
    #41 0x7fa41bc2838c in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #42 0x7fa43e0906da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #43 0x7fa43d06e88e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/dri/nouveau_dri.so+0x30159b) 
Thread T6 (Renderer) created by T0 (GPU Process) here:
    #0 0x55c7e652f26a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
    #1 0x7fa41bc2348c in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:123:14
    #2 0x7fa41bc2348c in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:134:10
    #3 0x7fa41bc358dd in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:97:8
    #4 0x7fa41e35ac86 in mozilla::wr::RenderThread::Start() /builds/worker/workspace/build/src/gfx/webrender_bindings/RenderThread.cpp:74:16
    #5 0x7fa41e2bc60f in mozilla::gfx::GPUParent::RecvInit(nsTArray<mozilla::gfx::GfxVarUpdate>&&, mozilla::gfx::DevicePrefs const&, nsTArray<mozilla::gfx::LayerTreeIdMapping>&&) /builds/worker/workspace/build/src/gfx/ipc/GPUParent.cpp:261:5
    #6 0x7fa41c38db81 in mozilla::gfx::PGPUParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PGPUParent.cpp:770:53
    #7 0x7fa41bd119c2 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2212:25
    #8 0x7fa41bd0c624 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2134:9
    #9 0x7fa41bd0e8ef in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1973:3
    #10 0x7fa41bd0f7f0 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2004:13
    #11 0x7fa41aaf3857 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1241:14
    #12 0x7fa41aafe05c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #13 0x7fa41bd1d344 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:109:5
    #14 0x7fa41bc17637 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #15 0x7fa41bc17637 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #16 0x7fa41bc17637 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #17 0x7fa422a82a48 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #18 0x7fa4265a99c6 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:946:20
    #19 0x7fa41bc17637 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #20 0x7fa41bc17637 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #21 0x7fa41bc17637 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #22 0x7fa4265a906f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:781:34
    #23 0x55c7e65770c1 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #24 0x55c7e65770c1 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:303:18
    #25 0x7fa43cf6eb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

==13363==ABORTING

===
=== Dumping 'log_stdout.txt' (1.33KB)
===
1576643922674	[email protected]	WARN	Loading extension '[email protected]': Reading manifest: Invalid extension permission: networkStatus
1576643926070	[email protected]	WARN	Loading extension '[email protected]': Reading manifest: Invalid extension permission: mozillaAddons
1576643926070	[email protected]	WARN	Loading extension '[email protected]': Reading manifest: Invalid extension permission: telemetry
1576643926071	[email protected]	WARN	Loading extension '[email protected]': Reading manifest: Invalid extension permission: resource://pdf.js/
1576643926071	[email protected]	WARN	Loading extension '[email protected]': Reading manifest: Invalid extension permission: about:reader*
Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: Receive IPC close with reason=AbnormalShutdown (t=14.2702) Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: Receive IPC close with reason=AbnormalShutdown (t=13.8608) Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: Receive IPC close with reason=AbnormalShutdown (t=12.5354) [GFX1-]: Receive IPC close with reason=AbnormalShutdown
[GFX1-]: Receive IPC close with reason=AbnormalShutdown
[GFX1-]: Receive IPC close with reason=AbnormalShutdown
Flags: needinfo?(tejasajaynaik1996)

The priority flag is not set for this bug.
:jbonisteel, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jbonisteel)

Tejas, it looks like you're running with nouveau. Can you reproduce the problem when running with LIBGL_ALWAYS_SOFTWARE=1?

Flags: needinfo?(tejasajaynaik1996)
Blocks: wr-linux
No longer blocks: wr-72
Flags: needinfo?(jbonisteel)
Priority: -- → P3
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → INCOMPLETE
Group: gfx-core-security