Report from m-c 20200807-5860b7b7c7a4

==38558==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001a (pc 0x7f0a57e79b6f bp 0x7ffd7c680fd0 sp 0x7ffd7c680dc0 T0)
==38558==The signal is caused by a READ memory access.
==38558==Hint: address points to the zero page.
    #0 0x7f0a57e79b6e in GetPerFrameKey /gecko/layout/painting/nsDisplayList.h
    #1 0x7f0a57e79b6e in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) /gecko/layout/painting/RetainedDisplayListBuilder.cpp:453:7
    #2 0x7f0a57e792a8 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, nsDisplayItem*) /gecko/layout/painting/RetainedDisplayListBuilder.cpp:838:31
    #3 0x7f0a57f47561 in MergeState::MergeChildLists(nsDisplayItem*, nsDisplayItem*, nsDisplayItem*) /gecko/layout/painting/RetainedDisplayListBuilder.cpp:515:37
    #4 0x7f0a57e7a035 in MergeState::ProcessItemFromNewList(nsDisplayItem*, mozilla::Maybe<Index<MergedListUnits> > const&) /gecko/layout/painting/RetainedDisplayListBuilder.cpp:484:9
    #5 0x7f0a57e792a8 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&, nsDisplayItem*) /gecko/layout/painting/RetainedDisplayListBuilder.cpp:838:31
    #6 0x7f0a57e7e7bb in RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int, mozilla::DisplayListChecker*) /gecko/layout/painting/RetainedDisplayListBuilder.cpp:1498:7
    #7 0x7f0a57777fc9 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /gecko/layout/base/nsLayoutUtils.cpp:4183:40
    #8 0x7f0a5768ea7b in mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags) /gecko/layout/base/PresShell.cpp:6370:5
    #9 0x7f0a5708e60e in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /gecko/view/nsViewManager.cpp:460:18
    #10 0x7f0a5708dccd in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /gecko/view/nsViewManager.cpp:395:22
    #11 0x7f0a5709059d in nsViewManager::ProcessPendingUpdates() /gecko/view/nsViewManager.cpp:1018:5
    #12 0x7f0a57609aea in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:2280:11
    #13 0x7f0a576158a9 in TickDriver /gecko/layout/base/nsRefreshDriver.cpp:373:13
    #14 0x7f0a576158a9 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /gecko/layout/base/nsRefreshDriver.cpp:352:7
    #15 0x7f0a57615521 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:367:5
    #16 0x7f0a57624582 in RunRefreshDrivers /gecko/layout/base/nsRefreshDriver.cpp:819:5
    #17 0x7f0a57624582 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:737:16
    #18 0x7f0a57623b60 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /gecko/layout/base/nsRefreshDriver.cpp:639:7
    #19 0x7f0a57612a62 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /gecko/layout/base/nsRefreshDriver.cpp:538:20
    #20 0x7f0a4eab6ac9 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:242:16
    #21 0x7f0a4eab2fb5 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:512:26
    #22 0x7f0a4eab0e72 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:371:15
    #23 0x7f0a4eab12af in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:168:36
    #24 0x7f0a4eac28d1 in operator() /gecko/xpcom/threads/TaskController.cpp:83:37
    #25 0x7f0a4eac28d1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #26 0x7f0a4eae798c in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1234:14
    #27 0x7f0a4eaf287c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #28 0x7f0a4fec89ef in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:87:21
    #29 0x7f0a4fda9257 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #30 0x7f0a4fda9257 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #31 0x7f0a4fda9257 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #32 0x7f0a57139278 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #33 0x7f0a5ad24fb6 in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #34 0x7f0a4fda9257 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #35 0x7f0a4fda9257 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #36 0x7f0a4fda9257 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #37 0x7f0a5ad2459f in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #38 0x562d2a6cbca3 in content_process_main /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #39 0x562d2a6cbca3 in main /gecko/browser/app/nsBrowserApp.cpp:303:18
    #40 0x7f0a6bd6d0b2 in __libc_start_main /build/glibc-YYA7BZ/glibc-2.31/csu/../csu/libc-start.c:308:16
    #41 0x562d2a620609 in _start (/home/worker/builds/m-c-20200807152823-fuzzing-asan-opt/firefox+0xa5609)

Bugmon Analysis:
Unable to reproduce bug using the following builds:

mozilla-central 20200925214743-b7717ee20ba9
mozilla-central 20200807152823-5860b7b7c7a4
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Couldn't reproduce with the latest Nightly on Mac/Win/Linux.

I can still reproduce this with m-c 20210329-098c3172afae, the test is not 100% reliable. I will get a Pernosco session.

(In reply to Tyson Smith [:tsmith] from comment #3)

I can still reproduce this with m-c 20210329-098c3172afae, the test is not 100% reliable. I will get a Pernosco session.

Thank you. I actually managed to reproduce this locally as well, this only triggers with WebRender disabled (but the crash is in display list merging code).

Is this still to be considered S2 given that it only triggers with WebRender disabled?

Can you reproduce this anymore?

No I cannot reproduce the issue. It was last reported by fuzzers targeting m-c 20220619-31a47343b91e.

Is it worth landing the crash test?

Sure.

https://hg.mozilla.org/mozilla-central/rev/9c8659b7682c