Closed Bug 1278305 Opened 9 years ago Closed 8 years ago

NULL deref crash [@ gfxContext::ChangeTransform]

Categories

(Core :: Graphics: Layers, defect, P3)

Product:
Core
Component:
Graphics: Layers
Platform:
x86_64
macOS
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: truber, Unassigned)

Details

(4 keywords, Whiteboard: [sg:dos][gfx-noted])

Crash Data

Attachments

(3 files)

Testcase
382 bytes, text/plain
Details
m-c-1465207052-dbg.txt
115.21 KB, text/plain
Details
m-c-e27fe24a746f-opt-asan.txt
14.53 KB, text/plain
Details
The attached testcase crashes on mozilla-central revision e27fe24a746f. Not sure if this is graphics or layout but doesn't reproduce on Linux. Backtrace (m-c-e27fe24a746f-opt-asan) Crash Annotation GraphicsCriticalError: |[0][GFX1-]: Invalid target in gfxContext::ForDrawTarget 0x0 (t=7.88986) [GFX1-]: Invalid target in gfxContext::ForDrawTarget 0x0 ASAN:DEADLYSIGNAL ================================================================= ==14290==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000068 (pc 0x000110acb97f bp 0x7fff5584ca90 sp 0x7fff5584c840 T0) #0 0x110acb97e in gfxContext::ChangeTransform(mozilla::gfx::Matrix const&, bool) (/Users/truber/src/m/c/ff64-asan-release/dist/Nightly.app/Contents/MacOS/XUL+0x28cc97e) #1 0x110abd9e9 in gfxContext::SetMatrix(gfxMatrix const&) (/Users/truber/src/m/c/ff64-asan-release/dist/Nightly.app/Contents/MacOS/XUL+0x28be9e9) #2 0x116d0de2b in nsSVGIntegrationUtils::PaintFramesWithEffects(nsSVGIntegrationUtils::PaintFramesParams const&) (/Users/truber/src/m/c/ff64-asan-release/dist/Nightly.app/Contents/MacOS/XUL+0x8b0ee2b) #3 0x116749f93 in nsDisplaySVGEffects::PaintAsLayer(nsDisplayListBuilder*, nsRenderingContext*, mozilla::layers::LayerManager*) (/Users/truber/src/m/c/ff64-asan-release/dist/Nightly.app/Contents/MacOS/XUL+0x854af93) #4 0x1165d41f0 in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) (/Users/truber/src/m/c/ff64-asan-release/dist/Nightly.app/Contents/MacOS/XUL+0x83d51f0) Backtrace (tinderbox debug build m-c-1465207052-dbg) [GFX1-]: Invalid target in gfxContext::ForDrawTarget 0x0 Assertion failure: mRawPtr != 0 (You can't dereference a NULL RefPtr with operator->().), at /builds/slave/m-cen-m64-d-000000000000000000/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:297 #01: mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) [gfx/layers/basic/BasicLayers.h:127] #02: mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) [layout/base/FrameLayerBuilder.cpp:5851] #03: mozilla::layers::ClientMultiTiledLayerBuffer::Update(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&) [gfx/src/nsRegion.h:75]
Attached file Testcase
Group: core-security → gfx-core-security
regression from when or what?
Flags: needinfo?(jschwartzentruber)
Flags: needinfo?(jschwartzentruber)
Keywords: regression
(In reply to Daniel Veditz [:dveditz] from comment #4) > regression from when or what? By accident. The keyword is in the template I used and I didn't catch it.
Group: gfx-core-security
Keywords: csectype-nullptr
Whiteboard: [sg:dos]
Flags: needinfo?(milan)
Priority: -- → P3
Whiteboard: [sg:dos] → [sg:dos][gfx-noted]
Does this still reproduce for you?
Flags: needinfo?(jschwartzentruber)
No, I can't reproduce this with/without stylo or e10s on OSX m-c rev e897e367d3bd489422d86fbdfac54925c18329d2.
Flags: needinfo?(jschwartzentruber)
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(ryanvm)
Flags: needinfo?(milan)
Flags: in-testsuite?
Resolution: --- → WORKSFORME
Flags: needinfo?(ryanvm)
Flags: in-testsuite?
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: