Found while fuzzing m-c 20230829-490db6af9df7 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --cpu x86 --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

==16873==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0xd486866c bp 0x9c1f8f28 sp 0x9c1f8e00 T44)
==16873==The signal is caused by a READ memory access.
==16873==Hint: address points to the zero page.
    #0 0xd486866c in Init /builds/worker/checkouts/gecko/gfx/2d/DrawTargetOffset.cpp:19:16
    #1 0xd486866c in mozilla::gfx::Factory::CreateOffsetDrawTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits>) /builds/worker/checkouts/gecko/gfx/2d/Factory.cpp:497:12
    #2 0xd4794f39 in mozilla::gfx::RecordedCreateDrawTargetForFilter::PlayEvent(mozilla::gfx::Translator*) const /builds/worker/checkouts/gecko/gfx/2d/RecordedEventImpl.h:2136:7
    #3 0xd4812866 in operator() /builds/worker/checkouts/gecko/gfx/2d/InlineTranslator.cpp:78:31
    #4 0xd4812866 in std::_Function_handler<bool (mozilla::gfx::RecordedEvent*), mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned int)::$_0>::_M_invoke(std::_Any_data const&, mozilla::gfx::RecordedEvent*&&) /builds/worker/fetches/sysroot-i686-linux-gnu/usr/lib/gcc/i586-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:282:9
    #5 0xd47b6940 in operator() /builds/worker/fetches/sysroot-i686-linux-gnu/usr/lib/gcc/i586-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:687:14
    #6 0xd47b6940 in DoWithEvent<MemReader> /builds/worker/checkouts/gecko/gfx/2d/RecordedEventImpl.h:4198:5
    #7 0xd47b6940 in mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned int) /builds/worker/checkouts/gecko/gfx/2d/InlineTranslator.cpp:68:20
    #8 0xd5b66443 in Moz2DRenderCallback /builds/worker/checkouts/gecko/gfx/webrender_bindings/Moz2DImageRenderer.cpp:427:20
    #9 0xd5b66443 in wr_moz2d_render_cb /builds/worker/checkouts/gecko/gfx/webrender_bindings/Moz2DImageRenderer.cpp:471:10
    #10 0xebb390be in webrender_bindings::moz2d_renderer::rasterize_blob::_$u7b$$u7b$closure$u7d$$u7d$::h67631506e575930d /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/moz2d_renderer.rs:615:16
    #11 0xebb390be in webrender_bindings::moz2d_renderer::autoreleasepool::h626b055418332c28 /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/moz2d_renderer.rs:596:9
    #12 0xebb390be in webrender_bindings::moz2d_renderer::rasterize_blob::he20705a7157dc3ec /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/moz2d_renderer.rs:613:18
    #13 0xebb1e5fb in core::ops::function::Fn::call::he60173dd348fd3c7 /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/core/src/ops/function.rs:79:5
    #14 0xebb1e5fb in core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnMut$LT$A$GT$$u20$for$u20$$RF$F$GT$::call_mut::hea71384858e5fd90 /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/core/src/ops/function.rs:272:13
    #15 0xebb1e5fb in core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnOnce$LT$A$GT$$u20$for$u20$$RF$mut$u20$F$GT$::call_once::hf3441d5cba915f60 /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/core/src/ops/function.rs:305:13
    #16 0xebb1e5fb in core::option::Option$LT$T$GT$::map::hfc6977191036d31b /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/core/src/option.rs:1075:29
    #17 0xebb1e5fb in _$LT$core..iter..adapters..map..Map$LT$I$C$F$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::next::h17f8df3243725863 /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/core/src/iter/adapters/map.rs:103:26
    #18 0xebb1e5fb in rayon::iter::plumbing::Folder::consume_iter::hf2611faed4ec7995 /builds/worker/checkouts/gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:178:21
    #19 0xebb1e5fb in _$LT$rayon..iter..map..MapFolder$LT$C$C$F$GT$$u20$as$u20$rayon..iter..plumbing..Folder$LT$T$GT$$GT$::consume_iter::hc6f58341e4cf3d17 /builds/worker/checkouts/gecko/third_party/rust/rayon/src/iter/map.rs:248:21
    #20 0xebb1e5fb in rayon::iter::plumbing::Producer::fold_with::hea2ce5270316e0dc /builds/worker/checkouts/gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:110:9
    #21 0xebb1e5fb in rayon::iter::plumbing::bridge_producer_consumer::helper::h2fa83641ce6192b9 /builds/worker/checkouts/gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:438:13
    #22 0xebada8aa in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::h77798440c63a0f10 /builds/worker/checkouts/gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:418:21
    #23 0xebada8aa in rayon_core::join::join_context::call_a::_$u7b$$u7b$closure$u7d$$u7d$::h0efb8d9cda06dd1e /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/join/mod.rs:124:17
    #24 0xebada8aa in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h6f89745bf2f8827d /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/core/src/panic/unwind_safe.rs:271:9
    #25 0xebada8aa in std::panicking::try::do_call::h187ca3ddeaaa3b2f /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/std/src/panicking.rs:500:40
    #26 0xebada8aa in std::panicking::try::h6e99667fc6c4b153 /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/std/src/panicking.rs:464:19
    #27 0xebada8aa in std::panic::catch_unwind::h2abc22b9126dc200 /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/std/src/panic.rs:142:14
    #28 0xebada8aa in rayon_core::unwind::halt_unwinding::h189c2a6e2b4d4ec2 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/unwind.rs:17:5
    #29 0xebada8aa in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::h6183b1efb142c0ef /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/join/mod.rs:142:24
    #30 0xebb1e8bd in rayon_core::registry::in_worker::h52d3e773f363dcd6 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs
    #31 0xebb1e8bd in rayon_core::join::join_context::h8565585ce9f4bce4 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/join/mod.rs:132:5
    #32 0xebb1e8bd in rayon::iter::plumbing::bridge_producer_consumer::helper::h2fa83641ce6192b9 /builds/worker/checkouts/gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:416:47
    #33 0xebadaa2c in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::hc3a1d90507871eca /builds/worker/checkouts/gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:427:21
    #34 0xebadaa2c in rayon_core::join::join_context::call_b::_$u7b$$u7b$closure$u7d$$u7d$::h7dbb4bb9dc2645c0 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/join/mod.rs:129:25
    #35 0xebadaa2c in rayon_core::job::StackJob$LT$L$C$F$C$R$GT$::run_inline::hf191168588a48889 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/job.rs:102:9
    #36 0xebadaa2c in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::h6183b1efb142c0ef /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/join/mod.rs:159:36
    #37 0xebb1e8bd in rayon_core::registry::in_worker::h52d3e773f363dcd6 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs
    #38 0xebb1e8bd in rayon_core::join::join_context::h8565585ce9f4bce4 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/join/mod.rs:132:5
    #39 0xebb1e8bd in rayon::iter::plumbing::bridge_producer_consumer::helper::h2fa83641ce6192b9 /builds/worker/checkouts/gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:416:47
    #40 0xebada8aa in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::h77798440c63a0f10 /builds/worker/checkouts/gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:418:21
    #41 0xebada8aa in rayon_core::join::join_context::call_a::_$u7b$$u7b$closure$u7d$$u7d$::h0efb8d9cda06dd1e /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/join/mod.rs:124:17
    #42 0xebada8aa in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h6f89745bf2f8827d /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/core/src/panic/unwind_safe.rs:271:9
    #43 0xebada8aa in std::panicking::try::do_call::h187ca3ddeaaa3b2f /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/std/src/panicking.rs:500:40
    #44 0xebada8aa in std::panicking::try::h6e99667fc6c4b153 /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/std/src/panicking.rs:464:19
    #45 0xebada8aa in std::panic::catch_unwind::h2abc22b9126dc200 /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/std/src/panic.rs:142:14
    #46 0xebada8aa in rayon_core::unwind::halt_unwinding::h189c2a6e2b4d4ec2 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/unwind.rs:17:5
    #47 0xebada8aa in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::h6183b1efb142c0ef /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/join/mod.rs:142:24
    #48 0xebb1e8bd in rayon_core::registry::in_worker::h52d3e773f363dcd6 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs
    #49 0xebb1e8bd in rayon_core::join::join_context::h8565585ce9f4bce4 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/join/mod.rs:132:5
    #50 0xebb1e8bd in rayon::iter::plumbing::bridge_producer_consumer::helper::h2fa83641ce6192b9 /builds/worker/checkouts/gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:416:47
    #51 0xebb20d9f in rayon::iter::plumbing::bridge_producer_consumer::helper::_$u7b$$u7b$closure$u7d$$u7d$::hc3a1d90507871eca /builds/worker/checkouts/gecko/third_party/rust/rayon/src/iter/plumbing/mod.rs:427:21
    #52 0xebb20d9f in rayon_core::join::join_context::call_b::_$u7b$$u7b$closure$u7d$$u7d$::h7dbb4bb9dc2645c0 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/join/mod.rs:129:25
    #53 0xebb20d9f in rayon_core::job::JobResult$LT$T$GT$::call::_$u7b$$u7b$closure$u7d$$u7d$::h67a820a0f4c0e4ba /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/job.rs:218:41
    #54 0xebb20d9f in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h4ea5c50cf90088c9 /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/core/src/panic/unwind_safe.rs:271:9
    #55 0xebb20d9f in std::panicking::try::do_call::h74d997907327a9e8 /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/std/src/panicking.rs:500:40
    #56 0xebb20d9f in std::panicking::try::h807ed9634dc5a1e0 /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/std/src/panicking.rs:464:19
    #57 0xebb20d9f in std::panic::catch_unwind::h568f51a9d6984860 /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/std/src/panic.rs:142:14
    #58 0xebb20d9f in rayon_core::unwind::halt_unwinding::hd1a0410e06cf5ccd /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/unwind.rs:17:5
    #59 0xebb20d9f in rayon_core::job::JobResult$LT$T$GT$::call::h24218defe57f0d7d /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/job.rs:218:15
    #60 0xebb20d9f in _$LT$rayon_core..job..StackJob$LT$L$C$F$C$R$GT$$u20$as$u20$rayon_core..job..Job$GT$::execute::h4649e919991c5f0c /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/job.rs:120:32
    #61 0xed675f4e in rayon_core::job::JobRef::execute::hf8de6f43f49047d1 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/job.rs:64:9
    #62 0xed675f4e in rayon_core::registry::WorkerThread::execute::h041c8f34c38b063a /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:880:13
    #63 0xed675f4e in rayon_core::registry::WorkerThread::wait_until_cold::haa52aae007ae8f62 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:826:22
    #64 0xed67653a in rayon_core::registry::WorkerThread::wait_until::h1b40755981767422 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:809:13
    #65 0xed67653a in rayon_core::registry::wait_until_out_of_work::hdfcb3adbd4687389 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:975:5
    #66 0xed672bbf in rayon_core::registry::main_loop::h8526c4300c716222 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:955:5
    #67 0xed672bbf in rayon_core::registry::ThreadBuilder::run::hd4178a8bd8b51ea4 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:54:18
    #68 0xed66ed04 in _$LT$rayon_core..registry..DefaultSpawn$u20$as$u20$rayon_core..registry..ThreadSpawn$GT$::spawn::_$u7b$$u7b$closure$u7d$$u7d$::hc686fff17194c16f /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:99:20
    #69 0xed66ed04 in std::sys_common::backtrace::__rust_begin_short_backtrace::h015223e80ecc2dc1 /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/std/src/sys_common/backtrace.rs:135:18
    #70 0xed66f647 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h3fea5796c4d64744 /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/std/src/thread/mod.rs:529:17
    #71 0xed66f647 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hb383af4b089baecc /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/core/src/panic/unwind_safe.rs:271:9
    #72 0xed66f647 in std::panicking::try::do_call::hdb9155f3ce022eda /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/std/src/panicking.rs:500:40
    #73 0xed66f647 in std::panicking::try::h04eb2d910b04ac65 /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/std/src/panicking.rs:464:19
    #74 0xed66f647 in std::panic::catch_unwind::h4739ab8822910e36 /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/std/src/panic.rs:142:14
    #75 0xed66f647 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::h068f3022c3c4e89b /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/std/src/thread/mod.rs:528:30
    #76 0xed66f647 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::hb880b897b6adf942 /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/core/src/ops/function.rs:250:5
    #77 0xed77b4ea in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h3b648595c157383b /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/alloc/src/boxed.rs:1993:9
    #78 0xed77b4ea in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::he4fd5407a55440e4 /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/alloc/src/boxed.rs:1993:9
    #79 0xed77b4ea in std::sys::unix::thread::Thread::new::thread_start::h83939deda7afa123 /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library/std/src/sys/unix/thread.rs:108:17
    #80 0x56772cc9 in __asan::AsanThread::ThreadStart(unsigned long long) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_thread.cpp:277:25
    #81 0x5674bb1e in asan_thread_start(void*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:199:13
    #82 0xf7886b90  (/lib/i386-linux-gnu/libc.so.6+0x86b90) (BuildId: 0494f075afbcfa9004eaaedccbea53807b7bf669)
    #83 0xf792364b  (/lib/i386-linux-gnu/libc.so.6+0x12364b) (BuildId: 0494f075afbcfa9004eaaedccbea53807b7bf669)

Looks like we could be passing through a null DrawTarget in a WebRender callback or in our 2D drawing or in our Cairo usage. I'll clean up those callsites.

Most of our calls that create a DrawTarget are null-checked. This patch
fixes up the few that were not already checked.

Verified bug as reproducible on mozilla-central 20230906214643-360d86fdb97b.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: f7eac47f5daa86a7f28257322b36cf85ae49c7f6 (20221119085828)
End: 490db6af9df770b2ccc4bba6b10d0ce9ead57034 (20230829110923)
BuildFlags: BuildFlags(asan=True, tsan=None, debug=None, fuzzing=True, coverage=None, valgrind=None, no_opt=None, fuzzilli=None, nyx=None)

https://hg.mozilla.org/mozilla-central/rev/0600aa34323a

Bug marked as FIXED but still reproduces on mozilla-central 20230907040951-f829a45e2207. If you believe this to be incorrect, please remove the bugmon keyword to prevent further analysis.

I confirmed this is still reproducible.

Sorry for the mishandling of this. I'll check against the testcase and be sure I can reproduce before offering another "fix".

I can't replicate on macOS with the directions in comment 0. But I did find one more unprotected call which I will patch.

Tyson, can you confirm that a build with attachment 9352123 [details] applied fixes the Bug?

Thanks for the patch, it does indeed resolve this issue. However the attached test case triggers bug 1711602 when the patch is applied.

(In reply to Tyson Smith [:tsmith] from comment #12)

Thanks for the patch, it does indeed resolve this issue. However the attached test case triggers bug 1711602 when the patch is applied.

Hmmm.. but we should land this patch and close this Bug?

I think so.

https://hg.mozilla.org/mozilla-central/rev/b921c18fb4cf

Bug marked as FIXED but still reproduces on mozilla-central 20230908211202-eb062b89c03a. If you believe this to be incorrect, please remove the bugmon keyword to prevent further analysis.

Confirmed this is fixed. Bugmon is now hitting bug 1711602. Thank you.