Closed Bug 1715915 Opened 4 years ago Closed 3 years ago

crash at null in [@ mozilla::gfx::FilterNodeSoftware::GetInputRectInRect]

Categories: Core :: Graphics, defect
Status: RESOLVED WORKSFORME
Tracking Status: firefox91 --- affected
People: Reporter tsmith, Unassigned
References: Blocks 1 open bug
Keywords: crash, testcase
Whiteboard: [bugmon:bisected,confirmed]
Attachments: 1 file

Attached file testcase.html

Found while fuzzing m-c 20210610-fc6124f09abd (--enable-address-sanitizer --enable-fuzzing)

==14760==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fbe6640542e bp 0x7fffd79cf370 sp 0x7fffd79cf0a0 T0)
==14760==The signal is caused by a READ memory access.
==14760==Hint: address points to the zero page.
    #0 0x7fbe6640542e in mozilla::gfx::FilterNodeSoftware::GetInputRectInRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:873:18
    #1 0x7fbe664078d4 in mozilla::gfx::FilterNodeTransformSoftware::SourceRectForOutputRect(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:1146:10
    #2 0x7fbe664091e6 in mozilla::gfx::FilterNodeTransformSoftware::GetOutputRectInRect(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:1226:21
    #3 0x7fbe66405449 in mozilla::gfx::FilterNodeSoftware::GetInputRectInRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:873:18
    #4 0x7fbe66405449 in mozilla::gfx::FilterNodeSoftware::GetInputRectInRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:873:18
    #5 0x7fbe6640bb1c in mozilla::gfx::FilterNodeColorMatrixSoftware::GetOutputRectInRect(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:1536:10
    #6 0x7fbe66405449 in mozilla::gfx::FilterNodeSoftware::GetInputRectInRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:873:18
    #7 0x7fbe6641ec2a in mozilla::gfx::FilterNodeCropSoftware::GetOutputRectInRect(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:3190:10
    #8 0x7fbe66405449 in mozilla::gfx::FilterNodeSoftware::GetInputRectInRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:873:18
    #9 0x7fbe6640bb1c in mozilla::gfx::FilterNodeColorMatrixSoftware::GetOutputRectInRect(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:1536:10
    #10 0x7fbe66405449 in mozilla::gfx::FilterNodeSoftware::GetInputRectInRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:873:18
    #11 0x7fbe6641ec2a in mozilla::gfx::FilterNodeCropSoftware::GetOutputRectInRect(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:3190:10
    #12 0x7fbe66405449 in mozilla::gfx::FilterNodeSoftware::GetInputRectInRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:873:18
    #13 0x7fbe664016b1 in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:561:24
    #14 0x7fbe662fd21c in mozilla::gfx::RecordedDrawFilter::PlayEvent(mozilla::gfx::Translator*) const /gecko/gfx/2d/RecordedEventImpl.h:2876:7
    #15 0x7fbe66488361 in std::function<bool (mozilla::gfx::RecordedEvent*)>::operator()(mozilla::gfx::RecordedEvent*) const /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:706:14
    #16 0x7fbe664457bb in bool mozilla::gfx::RecordedEvent::DoWithEvent<mozilla::gfx::EventStream>(mozilla::gfx::EventStream&, mozilla::gfx::RecordedEvent::EventType, std::function<bool (mozilla::gfx::RecordedEvent*)> const&) /gecko/gfx/2d/RecordedEventImpl.h:3989:5
    #17 0x7fbe6c6ce7db in mozilla::layout::PrintTranslator::TranslateRecording(mozilla::layout::PRFileDescStream&) /gecko/layout/printing/PrintTranslator.cpp:50:20
    #18 0x7fbe6c6d1f26 in mozilla::layout::RemotePrintJobParent::PrintPage(mozilla::layout::PRFileDescStream&, nsRefCountedHashtable<nsUint64HashKey, RefPtr<mozilla::gfx::RecordedDependentSurface> >*) /gecko/layout/printing/ipc/RemotePrintJobParent.cpp:167:26
    #19 0x7fbe6c6d1e4b in mozilla::layout::RemotePrintJobParent::FinishProcessingPage(nsRefCountedHashtable<nsUint64HashKey, RefPtr<mozilla::gfx::RecordedDependentSurface> >*) /gecko/layout/printing/ipc/RemotePrintJobParent.cpp:146:17
    #20 0x7fbe6c6d1ccb in mozilla::layout::RemotePrintJobParent::RecvProcessPage(nsTArray<unsigned long>&&) /gecko/layout/printing/ipc/RemotePrintJobParent.cpp:121:5
    #21 0x7fbe658ebe4b in mozilla::layout::PRemotePrintJobParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PRemotePrintJobParent.cpp:301:28
    #22 0x7fbe653f113e in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:6652:32
    #23 0x7fbe6511d81a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2155:25
    #24 0x7fbe65119f48 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:2079:9
    #25 0x7fbe6511b8a5 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1924:3
    #26 0x7fbe6511c40b in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1955:13
    #27 0x7fbe63f42a62 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:479:16
    #28 0x7fbe63f0f6d0 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:782:26
    #29 0x7fbe63f0cf18 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:618:15
    #30 0x7fbe63f0d62d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:402:36
    #31 0x7fbe63f4caa1 in operator() /gecko/xpcom/threads/TaskController.cpp:135:37
    #32 0x7fbe63f4caa1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:534:5
    #33 0x7fbe63f29e48 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1159:16
    #34 0x7fbe63f34b8c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #35 0x7fbe65124f9f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
    #36 0x7fbe6502c421 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #37 0x7fbe6502c421 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #38 0x7fbe6502c421 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #39 0x7fbe6b8ced17 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #40 0x7fbe6f906527 in nsAppStartup::Run() /gecko/toolkit/components/startup/nsAppStartup.cpp:273:30
    #41 0x7fbe6fb0ae67 in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:5239:22
    #42 0x7fbe6fb0cebe in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5437:8
    #43 0x7fbe6fb0dc13 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5496:21
    #44 0x563af742715a in do_main /gecko/browser/app/nsBrowserApp.cpp:224:22
    #45 0x563af742715a in main /gecko/browser/app/nsBrowserApp.cpp:351:16
    #46 0x7fbe858e30b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #47 0x563af7377a49 in _start (/home/worker/builds/m-c-20210610154745-fuzzing-asan-opt/firefox+0x5ba49)
Severity: -- → S2
Flags: in-testsuite?
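The following is an added example, not part of this bug or of Mozilla's fuzzing tooling: a small Python triage script run over the report in comment 0 (frames trimmed to the ones it needs). It shows what a fuzzing pipeline would derive from that report before filing: a READ from the zero page is a null dereference; a crash signature is built from the first in-tree frames rather than raw pc values; the repeated GetInputRectInRect frames are the software filter graph being walked recursively; and the PContentParent::OnMessageReceived frame places the crash in the parent process while it replays a print recording received over IPC from a content process, which is why a "mere" null deref here is not a sandboxed-tab crash. The `/gecko/` tree root and the three-frame signature depth are assumptions of this script.

```python
"""Triage an AddressSanitizer SEGV report of the shape shown in comment 0."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lines copied verbatim from the report in comment 0. Only the frames the
# classification needs are kept; the omitted frames do not change the result.
ASAN_REPORT = """\
==14760==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fbe6640542e bp 0x7fffd79cf370 sp 0x7fffd79cf0a0 T0)
==14760==The signal is caused by a READ memory access.
==14760==Hint: address points to the zero page.
    #0 0x7fbe6640542e in mozilla::gfx::FilterNodeSoftware::GetInputRectInRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:873:18
    #1 0x7fbe664078d4 in mozilla::gfx::FilterNodeTransformSoftware::SourceRectForOutputRect(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:1146:10
    #2 0x7fbe664091e6 in mozilla::gfx::FilterNodeTransformSoftware::GetOutputRectInRect(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:1226:21
    #3 0x7fbe66405449 in mozilla::gfx::FilterNodeSoftware::GetInputRectInRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:873:18
    #4 0x7fbe66405449 in mozilla::gfx::FilterNodeSoftware::GetInputRectInRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:873:18
    #13 0x7fbe664016b1 in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:561:24
    #20 0x7fbe6c6d1ccb in mozilla::layout::RemotePrintJobParent::RecvProcessPage(nsTArray<unsigned long>&&) /gecko/layout/printing/ipc/RemotePrintJobParent.cpp:121:5
    #22 0x7fbe653f113e in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:6652:32
"""

HEADER_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\w+) on unknown address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"signal is caused by a (READ|WRITE) memory access")
# "#N 0xPC in <function> <file>:<line>:<col>". The function text contains spaces
# (template arguments, trailing "const"), so the source location is recognised
# as the absolute path that is followed by ":line:col" at end of line.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x([0-9a-f]+)\s+in\s+(.*?)\s+(/\S+?):(\d+):(\d+)\s*$")


@dataclass
class Frame:
    index: int
    pc: int
    function: str  # full symbol as printed by ASan, argument list included
    file: str
    line: int

    @property
    def short_name(self) -> str:
        """Qualified name without the argument list, e.g. 'ns::Class::Method'."""
        return self.function.split("(", 1)[0]


@dataclass
class Triage:
    access: str            # READ or WRITE
    address: int
    null_deref: bool
    signature: str         # first in-tree frames, used for deduplication
    crashing_frame: Frame
    max_repeat: int        # most occurrences of one function in the stack
    ipc_entry: Optional[str]
    process: str           # parent, child or unknown


def parse_report(text: str) -> Tuple[str, int, str, List[Frame]]:
    error, address, access, frames = "", -1, "", []
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            error, address = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.search(line):
            access = m.group(1)
        elif m := FRAME_RE.match(line):
            frames.append(Frame(int(m.group(1)), int(m.group(2), 16),
                                m.group(3), m.group(4), int(m.group(5))))
    return error, address, access, frames


def triage(text: str, tree_root: str = "/gecko/", depth: int = 3) -> Triage:
    """tree_root and depth are assumptions of this script (Mozilla's ASan
    builds check the tree out at /gecko; three frames is an arbitrary depth)."""
    error, address, access, frames = parse_report(text)
    if not frames:
        raise ValueError("no symbolized frames in report")
    # ASan's "zero page" hint means the fault address is below 0x1000: a NULL
    # (or NULL-plus-field-offset) dereference rather than a wild or freed pointer.
    null_deref = error == "SEGV" and 0 <= address < 0x1000
    in_tree = [f for f in frames if f.file.startswith(tree_root)]
    signature = " | ".join(f.short_name for f in in_tree[:depth])
    # One function repeated down the stack is the filter graph being walked
    # recursively (GetInputRectInRect -> child's GetOutputRectInRect -> ...).
    max_repeat = max(Counter(f.short_name for f in frames).values())
    # IPDL actors are named <Protocol>Parent / <Protocol>Child; the outermost
    # OnMessageReceived frame says which side dispatched the work. PContentParent
    # runs in the browser's parent process, so this crash takes down the whole
    # browser rather than one sandboxed content process.
    ipc = [f.short_name for f in frames if f.short_name.endswith("::OnMessageReceived")]
    ipc_entry = ipc[-1] if ipc else None
    if ipc_entry is None:
        process = "unknown"
    elif ipc_entry.split("::")[-2].endswith("Parent"):
        process = "parent"
    else:
        process = "child"
    return Triage(access, address, null_deref, signature, frames[0],
                  max_repeat, ipc_entry, process)


if __name__ == "__main__":
    t = triage(ASAN_REPORT)
    print(f"{t.access} of {t.address:#x} null_deref={t.null_deref} process={t.process}")
    print(f"{t.signature}  (max_repeat={t.max_repeat}, via {t.ipc_entry})")
```

Run as a script it prints the classification for the embedded report; `triage()` can be pointed at any symbolized ASan SEGV report with the same line format. The process attribution only looks at the outermost IPDL actor frame, so a report with no `OnMessageReceived` frame is reported as "unknown" rather than guessed.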

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210610215038-8508c35e4979.
The bug appears to have been introduced in the following build range:

Start: 3009bdef939c0786c38c376de07ba615cbca0d8b (20210427221830)
End: cd81489560e48d19e43f8438c0c939fb58023648 (20210501093251)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3009bdef939c0786c38c376de07ba615cbca0d8b&tochange=cd81489560e48d19e43f8438c0c939fb58023648

Whiteboard: [bugmon:bisected,confirmed]

Bugmon Analysis:
Testcase crashes using the initial build (mozilla-central 20210610154745-fc6124f09abd) but not with tip (mozilla-central 20211203213802-92df9c655be5).
The bug appears to have been fixed in the following build range:

Start: f5cb6b2465f3042f3ec5bb096a75fbe24f71465e (20211116073345)
End: 5d32dbafda59a62fba936250375782a4cc9c6300 (20211116082732)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f5cb6b2465f3042f3ec5bb096a75fbe24f71465e&tochange=5d32dbafda59a62fba936250375782a4cc9c6300
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME