Closed Bug 1278305 Opened 8 years ago Closed 7 years ago

NULL deref crash [@ gfxContext::ChangeTransform]

Categories

(Core :: Graphics: Layers, defect, P3)

x86_64
macOS
defect

RESOLVED WORKSFORME

People

(Reporter: truber, Unassigned)

Details

(4 keywords, Whiteboard: [sg:dos][gfx-noted])

Attachments

(3 files)

The attached testcase crashes on mozilla-central revision e27fe24a746f. Not sure if this is graphics or layout but doesn't reproduce on Linux.

Backtrace (m-c-e27fe24a746f-opt-asan)
Crash Annotation GraphicsCriticalError: |[0][GFX1-]: Invalid target in gfxContext::ForDrawTarget 0x0 (t=7.88986) [GFX1-]: Invalid target in gfxContext::ForDrawTarget 0x0
ASAN:DEADLYSIGNAL
=================================================================
==14290==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000068 (pc 0x000110acb97f bp 0x7fff5584ca90 sp 0x7fff5584c840 T0)
    #0 0x110acb97e in gfxContext::ChangeTransform(mozilla::gfx::Matrix const&, bool) (/Users/truber/src/m/c/ff64-asan-release/dist/Nightly.app/Contents/MacOS/XUL+0x28cc97e)
    #1 0x110abd9e9 in gfxContext::SetMatrix(gfxMatrix const&) (/Users/truber/src/m/c/ff64-asan-release/dist/Nightly.app/Contents/MacOS/XUL+0x28be9e9)
    #2 0x116d0de2b in nsSVGIntegrationUtils::PaintFramesWithEffects(nsSVGIntegrationUtils::PaintFramesParams const&) (/Users/truber/src/m/c/ff64-asan-release/dist/Nightly.app/Contents/MacOS/XUL+0x8b0ee2b)
    #3 0x116749f93 in nsDisplaySVGEffects::PaintAsLayer(nsDisplayListBuilder*, nsRenderingContext*, mozilla::layers::LayerManager*) (/Users/truber/src/m/c/ff64-asan-release/dist/Nightly.app/Contents/MacOS/XUL+0x854af93)
    #4 0x1165d41f0 in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) (/Users/truber/src/m/c/ff64-asan-release/dist/Nightly.app/Contents/MacOS/XUL+0x83d51f0)


Backtrace (tinderbox debug build m-c-1465207052-dbg)
[GFX1-]: Invalid target in gfxContext::ForDrawTarget 0x0
Assertion failure: mRawPtr != 0 (You can't dereference a NULL RefPtr with operator->().), at /builds/slave/m-cen-m64-d-000000000000000000/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:297
#01: mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) [gfx/layers/basic/BasicLayers.h:127]
#02: mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) [layout/base/FrameLayerBuilder.cpp:5851]
#03: mozilla::layers::ClientMultiTiledLayerBuffer::Update(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&) [gfx/src/nsRegion.h:75]
Attached file Testcase
Group: core-security → gfx-core-security
regression from when or what?
Flags: needinfo?(jschwartzentruber)
Flags: needinfo?(jschwartzentruber)
Keywords: regression
(In reply to Daniel Veditz [:dveditz] from comment #4)
> regression from when or what?

By accident. The keyword is in the template I used and I didn't catch it.
Group: gfx-core-security
Whiteboard: [sg:dos]
Flags: needinfo?(milan)
Priority: -- → P3
Whiteboard: [sg:dos] → [sg:dos][gfx-noted]
Does this still reproduce for you?
Flags: needinfo?(jschwartzentruber)
No, I can't reproduce this with/without stylo or e10s on OSX m-c rev e897e367d3bd489422d86fbdfac54925c18329d2.
Flags: needinfo?(jschwartzentruber)
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(ryanvm)
Flags: needinfo?(milan)
Flags: in-testsuite?
Resolution: --- → WORKSFORME
Flags: needinfo?(ryanvm)
Flags: in-testsuite?
Flags: in-testsuite+