heap-buffer-overflow in [@ blendTextureLinearUpscale]
Categories
(Core :: Graphics: WebRender, defect)
Tracking
 | Tracking | Status
---|---|---
firefox-esr78 | --- | unaffected
firefox87 | --- | unaffected
firefox88 | --- | unaffected
firefox89 | --- | verified
People
(Reporter: tsmith, Assigned: lsalzman)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(4 files)
First found while fuzzing m-c 20210416-a00cdb29df1f (--enable-address-sanitizer --enable-fuzzing)
This test case was only consistently reproducible for me when using Xvfb. I was using Grizzly to automate this:
python3 -m grizzly.replay ~/m-c-20210416155149-fuzzing-asan-opt/firefox ~/Desktop/testcase.html --repeat 10 --relaunch 1 --xvfb -p prefs.js
==3356==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc65f2177fc at pc 0x7fc6bf970f06 bp 0x7fc67cfeaed0 sp 0x7fc67cfeaec8
READ of size 16 at 0x7fc65f2177fc thread T66 (Renderer)
#0 0x7fc6bf970f05 in load<unsigned int> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/vector_type.h:503:5
#1 0x7fc6bf970f05 in unaligned_load<unsigned char __attribute__((ext_vector_type(16))), unsigned int> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/vector_type.h:532:10
#2 0x7fc6bf970f05 in void blendTextureLinearUpscale<true, glsl::sampler2D_impl*, NoColor, unsigned int>(glsl::sampler2D_impl*, glsl::vec2, int, glsl::vec2_scalar, glsl::vec2_scalar, glsl::vec2_scalar, NoColor, unsigned int*) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/swgl_ext.h:219:7
#3 0x7fc6bf95d0ee in unsigned int* blendTextureLinearDispatch<true, glsl::sampler2D_impl*, NoColor, unsigned int>(glsl::sampler2D_impl*, glsl::vec2, int, glsl::vec2_scalar, glsl::vec2_scalar, glsl::vec2_scalar, NoColor, unsigned int*, LinearFilter) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/swgl_ext.h:425:9
#4 0x7fc6bf919fdb in int blendTextureLinearRepeat<true, glsl::sampler2D_impl*, NoColor, unsigned int>(glsl::sampler2D_impl*, glsl::vec2, int, glsl::vec2_scalar const&, glsl::vec4_scalar const&, glsl::vec4_scalar const&, NoColor, unsigned int*) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/swgl_ext.h:675:15
#5 0x7fc6bfa840bc in brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D_frag::swgl_drawSpanRGBA8() /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/swgl-51db388d6c37570b/out/brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D.h:969:2
#6 0x7fc6bfa7a7e9 in brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D_frag::draw_span_RGBA8(brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D_frag*) /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/swgl-51db388d6c37570b/out/brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D.h:1012:42
#7 0x7fc6bfd6567f in draw_span /builds/worker/checkouts/gecko/gfx/wr/swgl/src/program.h:149:12
#8 0x7fc6bfd6567f in void draw_quad_spans<unsigned int>(int, glsl::vec2_scalar*, unsigned int, glsl::vec3*, Texture&, Texture&, ClipRect const&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1008:42
#9 0x7fc6bf8c6953 in draw_quad(int, Texture&, Texture&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1592:5
#10 0x7fc6bf8c2313 in void draw_elements<unsigned short>(int, int, unsigned long, VertexArray&, Texture&, Texture&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1622:5
#11 0x7fc6bf8c1fb9 in DrawElementsInstanced /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:2699:7
#12 0x7fc6bed27956 in webrender::device::gl::Device::draw_indexed_triangles_instanced_u16::h5eda64c2d50e77be /builds/worker/checkouts/gecko/gfx/wr/webrender/src/device/gl.rs:3556:9
#13 0x7fc6bed27956 in webrender::renderer::Renderer::draw_instanced_batch::he82cf5f9df3fb284 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2561:17
#14 0x7fc6bed1355d in webrender::renderer::Renderer::draw_alpha_batch_container::h759cbbb5db45fa8c /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:3045:17
#15 0x7fc6bece743d in webrender::renderer::Renderer::draw_picture_cache_target::h134498a9cc4a253a /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2868:9
#16 0x7fc6bece743d in webrender::renderer::Renderer::draw_frame::h20341baafbe8ca20 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:4683:21
#17 0x7fc6bed4d2bf in webrender::renderer::Renderer::render_impl::h05e0a812274e4fa6 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2159:17
#18 0x7fc6bed6de79 in webrender::renderer::Renderer::render::h510b6ab158a5e145 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1894:30
#19 0x7fc6befe3eef in wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:636:11
#20 0x7fc6b0513c7e in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:186:8
#21 0x7fc6b05123af in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:486:31
#22 0x7fc6b0511531 in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:341:3
#23 0x7fc6b05298c6 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#24 0x7fc6b05298c6 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#25 0x7fc6b05298c6 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#26 0x7fc6ae7c7dd7 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:468:11
#27 0x7fc6ae7c8b3e in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:477:5
#28 0x7fc6ae7c93db in MessageLoop::DoWork() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:552:13
#29 0x7fc6ae7ca6d6 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
#30 0x7fc6ae7c7981 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
#31 0x7fc6ae7c7981 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
#32 0x7fc6ae7c7981 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
#33 0x7fc6ae7e5008 in base::Thread::ThreadMain() /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:191:16
#34 0x7fc6ae7d8bfc in ThreadFunc(void*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
#35 0x7fc6d5bd86da in start_thread /build/glibc-S9d2JN/glibc-2.27/nptl/pthread_create.c:463
#36 0x7fc6d4bb671e in clone /build/glibc-S9d2JN/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
0x7fc65f2177fc is located 4 bytes to the left of 16777216-byte region [0x7fc65f217800,0x7fc660217800)
allocated by thread T66 (Renderer) here:
#0 0x55cd33839a69 in realloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164:3
#1 0x7fc6bf8c8683 in Texture::allocate(bool, int, int) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:492:32
#2 0x7fc6bf8b16bf in set_tex_storage(Texture&, unsigned int, int, int, void*, int, int, int) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:1678:5
#3 0x7fc6bf8b117e in TexStorage2D /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:1692:3
#4 0x7fc6bf8b2339 in TexImage2D /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:1780:3
#5 0x7fc6bdde961a in _$LT$swgl..swgl_fns..Context$u20$as$u20$gleam..gl..Gl$GT$::tex_image_2d::h3675c9495034dfdf /builds/worker/checkouts/gecko/gfx/wr/swgl/src/swgl_fns.rs:995:13
#6 0x7fc6bec5d5e6 in webrender::device::gl::Device::create_texture::he80222307edf0435 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/device/gl.rs:2482:13
#7 0x7fc6bed30e24 in webrender::renderer::Renderer::update_texture_cache::_$u7b$$u7b$closure$u7d$$u7d$::hf5224d28cb3e3a4f /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2443:29
#8 0x7fc6bed30e24 in core::option::Option$LT$T$GT$::unwrap_or_else::hbf783190e9605207 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/option.rs:427:21
#9 0x7fc6bed30e24 in webrender::renderer::Renderer::update_texture_cache::h1a73318d9702f9fc /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2442:43
#10 0x7fc6bed4c505 in webrender::renderer::Renderer::render_impl::h05e0a812274e4fa6 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2119:13
#11 0x7fc6bed6de79 in webrender::renderer::Renderer::render::h510b6ab158a5e145 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1894:30
#12 0x7fc6befe3eef in wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:636:11
#13 0x7fc6b0513c7e in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:186:8
#14 0x7fc6b05123af in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:486:31
#15 0x7fc6b0511531 in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:341:3
#16 0x7fc6b05298c6 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#17 0x7fc6b05298c6 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#18 0x7fc6b05298c6 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#19 0x7fc6ae7c7dd7 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:468:11
#20 0x7fc6ae7c8b3e in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:477:5
#21 0x7fc6ae7c93db in MessageLoop::DoWork() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:552:13
#22 0x7fc6ae7ca6d6 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
#23 0x7fc6ae7c7981 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
#24 0x7fc6ae7c7981 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
#25 0x7fc6ae7c7981 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
Thread T66 (Renderer) created by T0 here:
#0 0x55cd338241ba in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#1 0x7fc6ae7d30ec in CreateThread /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:123:14
#2 0x7fc6ae7d30ec in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:134:10
#3 0x7fc6ae7e482d in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:97:8
#4 0x7fc6b050e181 in mozilla::wr::RenderThread::Start() /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:92:16
#5 0x7fc6b027d8e9 in gfxPlatform::InitLayersIPC() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:1324:7
#6 0x7fc6b0278ee6 in gfxPlatform::Init() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:964:3
#7 0x7fc6b027783b in gfxPlatform::GetPlatform() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:480:5
#8 0x7fc6b4eca5bc in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /builds/worker/checkouts/gecko/widget/GfxInfoBase.cpp:1781:25
#9 0x7fc6ad6b9591 in NS_InvokeByIndex /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
#10 0x7fc6af5ed2ea in Invoke /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1623:10
#11 0x7fc6af5ed2ea in Call /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1176:19
#12 0x7fc6af5ed2ea in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1142:23
#13 0x7fc6af5f2cd3 in GetAttribute /builds/worker/checkouts/gecko/js/xpconnect/src/xpcprivate.h:1460:12
#14 0x7fc6af5f2cd3 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965:10
#15 0x7fc6b8c745f4 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:437:13
#16 0x7fc6b8c745f4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:522:12
#17 0x7fc6b8c76419 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:582:10
#18 0x7fc6b8c7669b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:599:8
#19 0x7fc6b8c77c7b in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:724:10
#20 0x7fc6b9173acd in CallGetter /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2174:12
#21 0x7fc6b9173acd in GetExistingProperty<js::CanGC> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2202:12
#22 0x7fc6b9173acd in NativeGetPropertyInline<js::CanGC> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2348:14
#23 0x7fc6b9173acd in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2379:10
#24 0x7fc6b8c62589 in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:116:10
#25 0x7fc6b8c62589 in GetObjectElementOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter-inl.h:453:10
#26 0x7fc6b8c62589 in GetElementOperationWithStackIndex /builds/worker/checkouts/gecko/js/src/vm/Interpreter-inl.h:560:10
#27 0x7fc6b8c62589 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3055:14
#28 0x7fc6b8c4422e in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:406:13
#29 0x7fc6b8c74733 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:554:13
#30 0x7fc6b8c76419 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:582:10
#31 0x7fc6b8c7669b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:599:8
#32 0x7fc6b94e3a30 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2767:10
#33 0x7fc6af5e0011 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:971:17
#34 0x7fc6ad6baee0 in PrepareAndDispatch /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
#35 0x7fc6ad6b9c7a in SharedStub (/home/twsmith/workspace/browsers/m-c-20210416155149-fuzzing-asan-opt/libxul.so+0x509ac7a)
#36 0x7fc6ad61a3a8 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /builds/worker/checkouts/gecko/xpcom/components/nsCategoryManager.cpp:687:19
#37 0x7fc6b8a3c8b2 in nsXREDirProvider::DoStartup() /builds/worker/checkouts/gecko/toolkit/xre/nsXREDirProvider.cpp:977:11
#38 0x7fc6b8a18169 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5098:18
#39 0x7fc6b8a1b346 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5539:8
#40 0x7fc6b8a1c123 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5598:21
#41 0x55cd3386c902 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:220:22
#42 0x55cd3386c902 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:347:16
#43 0x7fc6d4ab6bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
Reporter
Comment 1•3 years ago
Reporter
Comment 2•3 years ago
A Pernosco session is available here: https://pernos.co/debug/hH_FkZiAIWsukwA4iTKraA/index.html
Assignee
Comment 3•3 years ago
Assignee
Comment 4•3 years ago
Depends on D112444
Updated•3 years ago
Assignee
Comment 5•3 years ago
This is just another expression of bug 1701975. It can only at best cause it to sample a couple bytes in front of the allocated texture's heap memory, but no further than that, and was regressed by bug 1678783.
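An added illustration, not SWGL's code, of the failure pattern this comment describes and of the check named in the landed patch title: with a linear filter, a source coordinate less than half a texel from the left edge yields a start texel of -1, and an unchecked vector load from there reads just before the allocation, which is what the ASan report shows. The model below computes a span's sample bounds first and takes the unchecked path only when they lie inside the row; the TextureRow type, the function names and the texel values are constructed for this example.

```cpp
#include <cmath>
#include <cstdint>
#include <vector>

// Constructed stand-in for one row of RGBA8 texels (not SWGL's Texture).
struct TextureRow {
    std::vector<uint32_t> texels;
    int width() const { return (int)texels.size(); }
};

// Texel range a linear filter touches for source coordinates u0..u1 (in
// texels, centres at .5): each sample blends floor(u - 0.5) and its neighbour.
struct SampleBounds { int lo; int hi; };
SampleBounds linearSampleBounds(float u0, float u1) {
    int lo = (int)std::floor(u0 - 0.5f);
    int hi = (int)std::floor(u1 - 0.5f) + 1;
    return {lo, hi};
}

// The precondition an unchecked fast path must establish. A negative lo
// is what produced the read 4 bytes before the allocation in this bug.
bool sampleBoundsInRange(SampleBounds b, int width) {
    return b.lo >= 0 && b.hi < width;
}

// Per-channel blend of two RGBA8 texels; t is the weight of b.
uint32_t blendRGBA8(uint32_t a, uint32_t b, float t) {
    uint32_t out = 0;
    for (int shift = 0; shift < 32; shift += 8) {
        unsigned ca = (a >> shift) & 0xFF, cb = (b >> shift) & 0xFF;
        unsigned c = (unsigned)std::lround(ca + (float)((int)cb - (int)ca) * t);
        out |= (c & 0xFF) << shift;
    }
    return out;
}

// Safe path: texel indices are clamped to the row.
uint32_t sampleLinearClamped(const TextureRow& row, float u) {
    float pos = u - 0.5f;
    int x0 = (int)std::floor(pos), w = row.width();
    auto clamp = [w](int x) { return x < 0 ? 0 : (x >= w ? w - 1 : x); };
    return blendRGBA8(row.texels[clamp(x0)], row.texels[clamp(x0 + 1)], pos - (float)x0);
}

// Fast path: indexes without clamping, valid only after the span's bounds
// were checked. Reaching this with x0 == -1 is this bug's read.
uint32_t sampleLinearUnchecked(const TextureRow& row, float u) {
    float pos = u - 0.5f;
    int x0 = (int)std::floor(pos);
    return blendRGBA8(row.texels[x0], row.texels[x0 + 1], pos - (float)x0);
}

// Samples `count` coordinates from u0 with the given step; returns how many
// took the clamped path (0 means the fast path was valid for the whole span).
int sampleSpan(const TextureRow& row, float u0, float step, int count,
               std::vector<uint32_t>& out) {
    out.clear();
    SampleBounds b = linearSampleBounds(u0, u0 + step * (float)(count - 1));
    bool fast = sampleBoundsInRange(b, row.width());
    for (int i = 0; i < count; ++i) {
        float u = u0 + step * (float)i;
        out.push_back(fast ? sampleLinearUnchecked(row, u) : sampleLinearClamped(row, u));
    }
    return fast ? 0 : count;
}
```

A 2x upscale of a 4-texel row starting at u = 0.25 produces bounds of -1..4, so every sample is routed through the clamped path instead of reading before texel 0.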
Assignee
Updated•3 years ago
Assignee
Comment 6•3 years ago
Regression only affects nightly, and fix is confirmed by Tyson.
Comment 7•3 years ago
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210416155149-a62c94365ebb.
The bug appears to have been introduced in the following build range:
Start: 7552f5acc03b5fd126d584a4fa8b324afbf1a471 (20210406094706)
End: dcc9ca0ad46eea95eacc9071ba55015a8803e224 (20210406075638)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=7552f5acc03b5fd126d584a4fa8b324afbf1a471&tochange=dcc9ca0ad46eea95eacc9071ba55015a8803e224
Comment 8•3 years ago
Check for negative sample bounds r=tsmith,kvark
https://hg.mozilla.org/integration/autoland/rev/3c2dc2a4800277b5af54b1bca558fd486a01c828
https://hg.mozilla.org/mozilla-central/rev/3c2dc2a48002
Comment 9•3 years ago
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210417214426-60929718b9c0.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Comment 10•3 years ago
:lsalzman, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Assignee
Updated•3 years ago
Updated•3 years ago
Updated•3 years ago