Closed Bug 1820903 Opened 1 year ago Closed 1 year ago

src/gl.cc:562:16: runtime error: pointer index expression with base 0x92cfa800 overflowed to 0x51606d58

Categories

(Core :: Graphics: WebRender, defect)

Tracking

RESOLVED FIXED
114 Branch
Tracking Status
firefox-esr102 - wontfix
firefox112 --- wontfix
firefox113 - wontfix
firefox114 + fixed

People

(Reporter: tsmith, Assigned: lsalzman)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined, sec-moderate, testcase, Whiteboard: [adv-main114+r])

Attachments

(3 files)

Attached file testcase.html

Found while fuzzing m-c 20230305-c8b5160f1983 (--enable-undefined-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --cpu x86 --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --headless

This test case requires a 32-bit build.

src/gl.cc:562:16: runtime error: pointer index expression with base 0x92cfa800 overflowed to 0x51606d58
    #0 0xece1c635 in Texture::sample_ptr(int, int) const /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc
    #1 0xed344879 in void draw_quad_spans<unsigned int>(int, glsl::vec2_scalar*, unsigned int, glsl::vec3*, Texture&, Texture&, ClipRect const&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:901:26
    #2 0xece36cc5 in draw_quad(int, Texture&, Texture&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1625:5
    #3 0xece32a9e in void draw_elements<unsigned short>(int, int, unsigned int, VertexArray&, Texture&, Texture&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1655:5
    #4 0xece326ac in DrawElementsInstanced /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:2748:7
    #5 0xecdf4ad6 in _$LT$swgl..swgl_fns..Context$u20$as$u20$gleam..gl..Gl$GT$::draw_elements_instanced::hf5395df85753afd9 /builds/worker/checkouts/gecko/gfx/wr/swgl/src/swgl_fns.rs:1551:13
    #6 0xecc395cb in webrender::device::gl::Device::draw_indexed_triangles_instanced_u16::h85fc3030ed110cfc /builds/worker/checkouts/gecko/gfx/wr/webrender/src/device/gl.rs:3720:9
    #7 0xecc395cb in webrender::renderer::Renderer::draw_instanced_batch::h26bdcc9cfaa2bc13 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1984:17
    #8 0xecc3ef65 in webrender::renderer::Renderer::draw_alpha_batch_container::h640ed9f439c2fe42 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2639:17
    #9 0xecc51fee in webrender::renderer::Renderer::draw_picture_cache_target::h25b885a41d215cbc /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2429:17
    #10 0xecc51fee in webrender::renderer::Renderer::draw_frame::h48a4e7321220bf34 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:4399:21
    #11 0xecc287f6 in webrender::renderer::Renderer::render_impl::h848a85004bd694db /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1480:17
    #12 0xecc2652c in webrender::renderer::Renderer::render::hd308f74651d91b9d /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1197:30
    #13 0xec93438c in wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:614:11
    #14 0xdaf0f5d2 in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>> const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char>> const&, bool*, mozilla::wr::RendererStats*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:186:19
    #15 0xdaf0c33d in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>> const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char>> const&, bool*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:600:31
    #16 0xdaf0ad6c in mozilla::wr::RenderThread::HandleFrameOneDocInner(mozilla::wr::WrWindowId, bool, bool) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:459:3
    #17 0xdaf0a1be in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool, bool) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:411:3
    #18 0xdaf3498c in decltype(*fp.*fp0(Get<0u>(fp1).PassAsParameter(), Get<1u>(fp1).PassAsParameter(), Get<2u>(fp1).PassAsParameter())) mozilla::detail::RunnableMethodArguments<mozilla::wr::WrWindowId, bool, bool>::applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool>, StoreCopyPassByConstLRef<bool>, 0u, 1u, 2u>(mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool, bool), mozilla::Tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool>, StoreCopyPassByConstLRef<bool>>&, std::integer_sequence<unsigned int, 0u, 1u, 2u>) /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:12
    #19 0xdaf344e2 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1169:12
    #20 0xdaf344e2 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1216:13
    #21 0xd75b1222 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1233:16
    #22 0xd75c048a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
    #23 0xd940339c in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330:5
    #24 0xd9205ad7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #25 0xd9205ad7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #26 0xd9205ad7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #27 0xd75a5e9c in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
    #28 0xf75e612f in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #29 0x566f6d79 in __asan::AsanThread::ThreadStart(unsigned long long) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_thread.cpp:277:25
    #30 0x566d208e in asan_thread_start(void*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:199:13
    #31 0xf79beb90  (/lib/i386-linux-gnu/libc.so.6+0x86b90) (BuildId: 0494f075afbcfa9004eaaedccbea53807b7bf669)
    #32 0xf7a5b64b  (/lib/i386-linux-gnu/libc.so.6+0x12364b) (BuildId: 0494f075afbcfa9004eaaedccbea53807b7bf669)
Flags: in-testsuite?
Attached file prefs.js

prefs.js file for bugmon

Severity: -- → S2
Flags: needinfo?(lsalzman)

(In reply to Bugmon [:jkratzer for issues] from comment #2)

Unable to reproduce bug 1820903 using build mozilla-central 20230305091344-c8b5160f1983.

Right, bugmon does not support 32-bit builds atm.

Keywords: sec-high
Assignee: nobody → lsalzman

Pernosco possible?

Flags: needinfo?(twsmith)

Not with 32 bit builds, but I can get an rr trace and share it. Does that work?

Flags: needinfo?(twsmith)
Flags: needinfo?(jmuizelaar)

The grizzly-framework does not accept the --headless argument at all, and I can't seem to repro at all if I omit it?

Just running the testcase with an ASan 32-bit build doesn't seem to repro either?

Flags: needinfo?(lsalzman)

So, I've had zero luck in getting grizzly to cooperate on this, on multiple Linux installs. Firefox (whether from fuzzfetch or my own builds) always just fails to launch as a 32-bit ASan build within grizzly, i.e. I just get the following:

[2023-04-07 00:30:20] Starting Grizzly Replay
[2023-04-07 00:30:20] Running browser headless (default)
[2023-04-07 00:30:20] Ignoring: log-limit, timeout
[2023-04-07 00:30:20] Using time limit: 30s, timeout: 45s
[2023-04-07 00:30:20] Repeat: 1, Minimum crashes: 1, Relaunch 1
[2023-04-07 00:30:22] Failure during launch (retries 2)
[2023-04-07 00:30:23] Failure during launch (retries 1)
[2023-04-07 00:30:24] Launch failed, please verify browser build works as expected
[2023-04-07 00:30:24] === BEGIN REPORT ===
==3693417==WARNING: AddressSanitizer failed to allocate 0x4c bytes
==3693417==WARNING: AddressSanitizer failed to allocate 0x41 bytes
==3693417==WARNING: AddressSanitizer failed to allocate 0x4a00 bytes
==3693417==WARNING: AddressSanitizer failed to allocate 0x98 bytes
==3693417==WARNING: AddressSanitizer failed to allocate 0x4 bytes
=================================================================
==3693417==ERROR: AddressSanitizer: SEGV on unknown address 0x00000001 (pc 0x56788435 bp 0xff9ce248 sp 0xff9cdf20 T0)
==3693417==The signal is caused by a WRITE memory access.
==3693417==Hint: address points to the zero page.
    #0 0x56788435 in mozilla::baseprofiler::profiler_init(void*) /builds/worker/checkouts/gecko/mozglue/baseprofiler/core/platform.cpp:2644:3
    #1 0x56746b96 in AutoProfilerInit /builds/worker/workspace/obj-build/dist/include/BaseProfiler.h:439:33
    #2 0x56746b96 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:290:3
    #3 0xf7966904 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1b904) (BuildId: 06f1a99b8165a296e9a13f9e7ce42732abaf77f1)
    #4 0x56684570 in _start (/home/lee/grizz/firefox/firefox-bin+0xf5570) (BuildId: 5ad240e05e1376f8ae43ff26884300d85a620c3f)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/mozglue/baseprofiler/core/platform.cpp:2644:3 in mozilla::baseprofiler::profiler_init(void*)
==3693417==ABORTING

The best I can do is make an educated guess then. If what I think is going on is going on, then this is pretty much harmless. It is most likely calculating a pointer to a row that will never actually be sampled from. Pixel coordinates are still used to guide whether any sampling will take place, and it will detect that the pixel coordinates of the row are outside the clip rect and exit the loop. Simply as an optimization, it calculates a pointer to the start of the row and steps this pointer at every iteration to avoid extra branching or row math, but sampling is always guarded by the check if the coordinates are inside the clipping rectangle. I have not found any way to coax the coordinates to be outside of the clip rect or do anything I would consider 'wild', so this is the only way I can see this warning being triggered. Based on that, this would not be exploitable and is just a warning.

Tyson, any help you could provide to Lee on this Grizzly issue?

Flags: needinfo?(twsmith)

(In reply to Lee Salzman [:lsalzman] from comment #6)

The grizzly-framework does not accept the --headless argument at all, and I can't seem to repro at all if I omit it?

Sounds like you are running an old version. pip install --upgrade grizzly-framework should do what you need.

Just running the testcase with an asan 32 bit build doesn't seem to repro either?

This looks like a browser start-up OOM, not sure why it's happening.

Either way I've created an rr recording and shared it via google drive. Hopefully this provides the information required to diagnose the issue.

Flags: needinfo?(twsmith)

How do I use the rr trace?

What I really need is a mozconfig by which I can make an independent build that works that I can actually introspect or modify the code, rather than a trace. And then I need the testcase to be reproducible with that build outside of grizzly.

After struggling a bit trying to figure out how the rr trace is supposed to be loaded, the best I can get is this:

rr: Tracees had XSAVEC but XSAVEC is not available now; Replay will probably fail because glibc dynamic loader uses XSAVEC

Trace XCR0 value 0x2ff != our XCR0 value 0x7; Replay will probably fail because glibc dynamic loader examines XCR0

"environ":[[ERROR /home/lee/rr/src/ExtraRegisters.cc:479:set_to_raw_data()] Unsupported CPU features found: got 0x201 (x87 PKRU), supported: 0x7 (x87 SSE AVX); Consider using rr cpufeatures and rr record --disable-cpuid-features-(ext)
[FATAL /home/lee/rr/src/TraceStream.cc:574:read_frame()] Invalid extended register data in trace

(In reply to Lee Salzman [:lsalzman] from comment #10)

How do I use the rr trace?

The docs can be found here:
https://rr-project.org/
https://github.com/rr-debugger/rr/wiki/Usage

Sorry, Pernosco doesn't support 32-bit recording, so we need to run rr locally.

What I really need is a mozconfig by which I can make an independent build that works that I can actually introspect or modify the code, rather than a trace. And then I need the testcase to be reproducible with that build outside of grizzly.

Here is the mozconfig I use (change the LLVM_HOME). ASan is not required since this issue is detected via UBSan. Omitting ASan might speed things up.

mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/objdir-ff-ubsan

# Adjust this to the number of CPU cores + 2
mk_add_options MOZ_MAKE_FLAGS=-j30

ac_add_options --target=i686-pc-linux

#ac_add_options --enable-address-sanitizer
ac_add_options --enable-undefined-sanitizer
ac_add_options --enable-fuzzing

#export ASAN_OPTIONS="detect_leaks=0"
#export RUSTFLAGS="$RUSTFLAGS -Zsanitizer=address"

# Ensure you set this to your LLVM_HOME path
export LLVM_HOME="/home/twsmith/.mozbuild/clang"

# Set CC/CXX based on LLVM_HOME
export CC="$LLVM_HOME/bin/clang"
export CXX="$LLVM_HOME/bin/clang++"

# This will ensure the symbolizer is packaged with the binary
export LLVM_SYMBOLIZER="$LLVM_HOME/bin/llvm-symbolizer"

ac_add_options --disable-elf-hack
ac_add_options --disable-jemalloc
ac_add_options --disable-crashreporter

# Keep symbols to symbolize ASan traces later
export MOZ_DEBUG_SYMBOLS=1
ac_add_options --enable-debug-symbols
ac_add_options --disable-install-strip
ac_add_options --enable-valgrind
ac_add_options --enable-optimize="-O1 -g"
ac_add_options --disable-debug

As an environment sanity check you can try the TC builds found here: https://firefox-ci-tc.services.mozilla.com/tasks/index/gecko.v2.mozilla-central.latest.firefox/linux-fuzzing-asan-opt

If one of those builds doesn't launch properly, something else is blocking.

And then I need the testcase to be reproducible with that build outside of grizzly.

There is nothing Grizzly specific about this test case.

What's the command-line to launch the test and reproduce out of Grizzly, please?

I finally managed to get a build that would work with Grizzly. This is pretty much what I suspected. This is just a warning about a code cleanliness issue, but it does not represent an actual security vulnerability at all. The pointer will never be used in this case.
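The mechanism described in the two comments above (the span loop forms a row pointer from the unclamped start row and steps it every iteration, while actual sampling is guarded by the clip-rect test) and the landed patch's title, "Clamp initial y inside clip rect", illustrated with an added C example. This is not SWGL's code and not from anyone on this bug: Texture, ClipRect, sample_offset and the two draw_spans_* functions are constructed stand-ins, and the row position is kept as a signed integer offset rather than a pointer so that the example itself performs no out-of-bounds pointer arithmetic. The point it shows is that the pre-fix shape forms an address for a row that is never read; forming such a pointer is undefined behaviour in C/C++ regardless of whether it is dereferenced, and on the 32-bit build the computation wrapped the address space (the base and result addresses in the report are about 1.1 GB apart), which is what UBSan's pointer-overflow check prints. Both versions read exactly the same pixels.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for SWGL's Texture: one byte per pixel, tightly packed.
 * Not SWGL's real struct; it only carries what sample_ptr()-style row math needs. */
typedef struct {
    uint8_t *buf;
    int width, height;
    int stride;                /* bytes per row */
} Texture;

/* Half-open clip rectangle [x0, x1) x [y0, y1), assumed to lie inside the texture. */
typedef struct { int x0, y0, x1, y1; } ClipRect;

typedef struct {
    ptrdiff_t initial_row_off; /* byte offset formed before the span loop runs */
    int rows_sampled;          /* rows that passed the clip test and were read */
    uint32_t checksum;         /* sum of the bytes read, to compare both versions */
} SpanResult;

/* The offset sample_ptr(x, y) would add to buf, kept as an integer so this
 * example never forms an out-of-bounds pointer itself. */
static ptrdiff_t sample_offset(const Texture *t, int x, int y) {
    return (ptrdiff_t)y * t->stride + x;
}

static bool offset_in_bounds(const Texture *t, ptrdiff_t off) {
    return off >= 0 && off < (ptrdiff_t)t->height * t->stride;
}

/* Pre-fix shape: the row offset is derived from the unclamped start row and
 * stepped per iteration. The clip guard means an out-of-clip row is never read,
 * but its offset is still formed. Done with a real pointer, that formation is
 * undefined behaviour, and a large negative row index wraps a 32-bit address. */
static SpanResult draw_spans_unclamped(const Texture *t, const ClipRect *clip,
                                       int x, int y_start, int y_end) {
    SpanResult r = {0, 0, 0};
    ptrdiff_t row = sample_offset(t, x, y_start);   /* may be far out of bounds */
    r.initial_row_off = row;
    for (int y = y_start; y < y_end; y++, row += t->stride) {
        if (y < clip->y0 || y >= clip->y1 || x < clip->x0 || x >= clip->x1)
            continue;                               /* guard: never sample here */
        r.checksum += t->buf[row];
        r.rows_sampled++;
    }
    return r;
}

/* Post-fix shape, following the patch title: clamp the row range into the clip
 * rect first, so every offset the loop forms belongs to a row that is read. */
static SpanResult draw_spans_clamped(const Texture *t, const ClipRect *clip,
                                     int x, int y_start, int y_end) {
    SpanResult r = {0, 0, 0};
    if (y_start < clip->y0) y_start = clip->y0;
    if (y_end > clip->y1) y_end = clip->y1;
    if (y_start >= y_end || x < clip->x0 || x >= clip->x1)
        return r;                                   /* nothing inside the clip */
    ptrdiff_t row = sample_offset(t, x, y_start);   /* now inside the texture */
    r.initial_row_off = row;
    for (int y = y_start; y < y_end; y++, row += t->stride) {
        r.checksum += t->buf[row];
        r.rows_sampled++;
    }
    return r;
}

/* Constructed 8x8 texture whose pixel value equals its byte index. */
#define DEMO_W 8
#define DEMO_H 8
static uint8_t demo_pixels[DEMO_W * DEMO_H];

static Texture demo_texture(void) {
    for (int i = 0; i < DEMO_W * DEMO_H; i++) demo_pixels[i] = (uint8_t)i;
    Texture t = { demo_pixels, DEMO_W, DEMO_H, DEMO_W };
    return t;
}

/* Scenario: column x = 3, a span whose top edge is a million rows above the
 * texture (a quad extending far outside the clip rect), ending at row 4. */
static SpanResult run_demo(bool clamped) {
    Texture t = demo_texture();
    ClipRect clip = { 0, 0, DEMO_W, DEMO_H };
    return clamped ? draw_spans_clamped(&t, &clip, 3, -1000000, 4)
                   : draw_spans_unclamped(&t, &clip, 3, -1000000, 4);
}

static bool demo_initial_offset_in_bounds(bool clamped) {
    Texture t = demo_texture();
    return offset_in_bounds(&t, run_demo(clamped).initial_row_off);
}

int main(void) {
    for (int clamped = 0; clamped <= 1; clamped++) {
        SpanResult r = run_demo(clamped);
        printf("%-9s initial offset %td (%s), %d rows read, checksum %u\n",
               clamped ? "clamped:" : "unclamped:", r.initial_row_off,
               demo_initial_offset_in_bounds(clamped) ? "in bounds" : "OUT OF BOUNDS",
               r.rows_sampled, (unsigned)r.checksum);
    }
    return 0;
}
```

The unclamped version reports an initial offset of -7999997 bytes while reading the same four pixels (3, 11, 19, 27) as the clamped version; that out-of-bounds offset, never dereferenced, is the "pointer index expression ... overflowed" report. Building the real thing with --enable-undefined-sanitizer (as in the mozconfig above) is what turns that silent formation into the diagnostic.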

Comment on attachment 9327593 [details]
Bug 1820903 - Clamp initial y inside clip rect. r?aosmond

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: It can't. This is just an ubsan warning that doesn't lead to a threat that could be exploited.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?:
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: Unlikely.
  • Is Android affected?: Yes
Attachment #9327593 - Flags: sec-approval?

Comment on attachment 9327593 [details]
Bug 1820903 - Clamp initial y inside clip rect. r?aosmond

Approved to land and uplift

Attachment #9327593 - Flags: sec-approval? → sec-approval+

Landed: https://hg.mozilla.org/integration/autoland/rev/1381726e6d29ada0be914784b73fea114cf7338a

Backed out for causing asan mochitest failures:
https://hg.mozilla.org/integration/autoland/rev/ae6f2fb7248827b1b4bd0d80d6958cf1a1f960ac

Push with failure
Failure log

[task 2023-04-11T17:46:53.525Z] 17:46:53     INFO - GECKO(1595) | src/gl.cc:562:16: runtime error: addition of unsigned offset to 0x7faffb710800 overflowed to 0x7faffb68d800
[task 2023-04-11T17:46:55.083Z] 17:46:55     INFO - GECKO(1595) |     #0 0x7fb059887008 in sample_ptr /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:562:16
[task 2023-04-11T17:46:55.083Z] 17:46:55     INFO - GECKO(1595) |     #1 0x7fb059887008 in void draw_quad_spans<unsigned int>(int, glsl::vec2_scalar*, unsigned int, glsl::vec3*, Texture&, Texture&, ClipRect const&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:901:26
[task 2023-04-11T17:46:55.085Z] 17:46:55     INFO - GECKO(1595) |     #2 0x7fb059371a73 in draw_quad(int, Texture&, Texture&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1625:5
[task 2023-04-11T17:46:55.086Z] 17:46:55     INFO - GECKO(1595) |     #3 0x7fb05936d27b in void draw_elements<unsigned short>(int, int, unsigned long, VertexArray&, Texture&, Texture&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1655:5
[task 2023-04-11T17:46:55.087Z] 17:46:55     INFO - GECKO(1595) |     #4 0x7fb05936cb9d in DrawElementsInstanced /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:2748:7
[task 2023-04-11T17:46:55.088Z] 17:46:55     INFO - GECKO(1595) |     #5 0x7fb058bb023b in webrender::device::gl::Device::draw_indexed_triangles_instanced_u16::hbad93f51dbf0e657 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/device/gl.rs:3723:9
[task 2023-04-11T17:46:55.089Z] 17:46:55     INFO - GECKO(1595) |     #6 0x7fb058bb023b in webrender::renderer::Renderer::draw_instanced_batch::hbc7db5b58bf17bd7 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2018:17
[task 2023-04-11T17:46:55.089Z] 17:46:55     INFO - GECKO(1595) |     #7 0x7fb058b9a869 in webrender::renderer::Renderer::draw_alpha_batch_container::h15d61c1f6a1bd80e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2673:17
[task 2023-04-11T17:46:55.090Z] 17:46:55     INFO - GECKO(1595) |     #8 0x7fb058b71c76 in webrender::renderer::Renderer::draw_picture_cache_target::h93c974177ba40002 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2463:17
[task 2023-04-11T17:46:55.091Z] 17:46:55     INFO - GECKO(1595) |     #9 0x7fb058b71c76 in webrender::renderer::Renderer::draw_frame::hc06fd927699f4fff /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:4433:21
[task 2023-04-11T17:46:55.092Z] 17:46:55     INFO - GECKO(1595) |     #10 0x7fb058b1e329 in webrender::renderer::Renderer::render_impl::h9593e87977ebeccb /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1514:17
[task 2023-04-11T17:46:55.093Z] 17:46:55     INFO - GECKO(1595) |     #11 0x7fb058bbc054 in webrender::renderer::Renderer::render::he6edbb5e898fd9bb /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1231:30
[task 2023-04-11T17:46:55.094Z] 17:46:55     INFO - GECKO(1595) |     #12 0x7fb058cada34 in wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:619:11
[task 2023-04-11T17:46:55.095Z] 17:46:55     INFO - GECKO(1595) |     #13 0x7fb04626b591 in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>> const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char>> const&, bool*, mozilla::wr::RendererStats*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:190:19
[task 2023-04-11T17:46:55.096Z] 17:46:55     INFO - GECKO(1595) |     #14 0x7fb046269290 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>> const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char>> const&, bool*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:849:31
[task 2023-04-11T17:46:55.097Z] 17:46:55     INFO - GECKO(1595) |     #15 0x7fb046267d7e in mozilla::wr::RenderThread::HandleFrameOneDocInner(mozilla::wr::WrWindowId, bool, bool, mozilla::Maybe<mozilla::wr::FramePublishId>) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:692:3
[task 2023-04-11T17:46:55.098Z] 17:46:55     INFO - GECKO(1595) |     #16 0x7fb0462666b0 in HandleFrameOneDoc /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:639:3
[task 2023-04-11T17:46:55.098Z] 17:46:55     INFO - GECKO(1595) |     #17 0x7fb0462666b0 in WrNotifierEvent_HandleNewFrameReady /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:600:3
[task 2023-04-11T17:46:55.099Z] 17:46:55     INFO - GECKO(1595) |     #18 0x7fb0462666b0 in mozilla::wr::RenderThread::HandleWrNotifierEvents(mozilla::wr::WrWindowId) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:555:9
[task 2023-04-11T17:46:55.107Z] 17:46:55     INFO - GECKO(1595) |     #19 0x7fb0462871f7 in operator()<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> &> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
[task 2023-04-11T17:46:55.107Z] 17:46:55     INFO - GECKO(1595) |     #20 0x7fb0462871f7 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/bits/invoke.h:60:14
[task 2023-04-11T17:46:55.108Z] 17:46:55     INFO - GECKO(1595) |     #21 0x7fb0462871f7 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/bits/invoke.h:95:14
[task 2023-04-11T17:46:55.109Z] 17:46:55     INFO - GECKO(1595) |     #22 0x7fb0462871f7 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> > &, 0UL> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/tuple:1662:14
[task 2023-04-11T17:46:55.114Z] 17:46:55     INFO - GECKO(1595) |     #23 0x7fb0462871f7 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId> > &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/tuple:1671:14
[task 2023-04-11T17:46:55.115Z] 17:46:55     INFO - GECKO(1595) |     #24 0x7fb0462871f7 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
[task 2023-04-11T17:46:55.115Z] 17:46:55     INFO - GECKO(1595) |     #25 0x7fb0462871f7 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
[task 2023-04-11T17:46:55.116Z] 17:46:55     INFO - GECKO(1595) |     #26 0x7fb04322d7fb in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1233:16
[task 2023-04-11T17:46:55.116Z] 17:46:55     INFO - GECKO(1595) |     #27 0x7fb04323a714 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
[task 2023-04-11T17:46:55.117Z] 17:46:55     INFO - GECKO(1595) |     #28 0x7fb044c5043a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330:5
[task 2023-04-11T17:46:55.117Z] 17:46:55     INFO - GECKO(1595) |     #29 0x7fb044a9f9ba in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
[task 2023-04-11T17:46:55.118Z] 17:46:55     INFO - GECKO(1595) |     #30 0x7fb044a9f9ba in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
[task 2023-04-11T17:46:55.118Z] 17:46:55     INFO - GECKO(1595) |     #31 0x7fb044a9f9ba in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
[task 2023-04-11T17:46:55.119Z] 17:46:55     INFO - GECKO(1595) |     #32 0x7fb043223aa8 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
[task 2023-04-11T17:46:55.119Z] 17:46:55     INFO - GECKO(1595) |     #33 0x7fb069d00b5f in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
[task 2023-04-11T17:46:55.120Z] 17:46:55     INFO - GECKO(1595) |     #34 0x7fb069a196da in start_thread /tmp/glibc/nptl/pthread_create.c:463
[task 2023-04-11T17:46:55.120Z] 17:46:55     INFO - GECKO(1595) |     #35 0x7fb0687dca3e in __clone /tmp/glibc/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
[task 2023-04-11T17:46:55.121Z] 17:46:55     INFO - GECKO(1595) | SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/gl.cc:562:16 in
Flags: needinfo?(lsalzman)
Flags: needinfo?(lsalzman)
Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 114 Branch

Since nightly and release are affected, beta will likely be affected too.
For more information, please visit auto_nag documentation.

(In reply to Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout) from comment #20)

Fragment navigation may change document URI scheme from https to http. r=ckerschb,nika,smaug
https://hg.mozilla.org/integration/autoland/rev/d841063b73d7d850d864f72123420931c602b9ee
https://hg.mozilla.org/mozilla-central/rev/d841063b73d7

I think this is for bug 1804684.

Flags: needinfo?(aryx.bugmail)

The patch landed in nightly and beta is affected.
:lsalzman, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox113 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(lsalzman)
Flags: needinfo?(lsalzman)

Lee, this is rated S2 & sec-high. Why are we wontfixing this for backport?

Flags: needinfo?(lsalzman)

This is just a warning that has no security implications. It should not be sec-high or S2.

Flags: needinfo?(lsalzman)
Severity: S2 → S3
Keywords: sec-high → sec-moderate
Whiteboard: [adv-main114+r]
Group: core-security-release