Closed
Bug 1284578
Opened 8 years ago
Closed 8 years ago
MOZ_CRASH "SkCubicClipper::ChopMonoAtY(c, y, &t)" in [@tangent_cubic]
Categories
(Core :: Graphics: Canvas2D, defect)
Tracking
()
RESOLVED
FIXED
mozilla50
| Tracking | Status | |
|---|---|---|
| firefox50 | --- | fixed |
People
(Reporter: tsmith, Assigned: lsalzman)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(2 files)
|
252 bytes,
text/html
|
Details | |
|
1.79 KB,
patch
|
jrmuizel
:
review+
|
Details | Diff | Splinter Review |
Found with debug build.
/builds/slave/m-cen-l64-asan-d-0000000000000/build/src/gfx/skia/skia/src/core/SkPath.cpp:3042: fatal error: ""SkCubicClipper::ChopMonoAtY(c, y, &t)""
Abort from sk_abort
Hit MOZ_CRASH() at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/memory/mozalloc/mozalloc_abort.cpp:33
ASAN:DEADLYSIGNAL
=================================================================
==16483==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004e19d3 bp 0x7ffd569c8a20 sp 0x7ffd569c8a10 T0)
#0 0x4e19d2 in mozalloc_abort(char const*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/memory/mozalloc/mozalloc_abort.cpp:33:5
#1 0x7f278de67644 in sk_abort_no_print() /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/gfx/skia/skia/src/ports/SkMemory_mozalloc.cpp:16:5
#2 0x7f278df4823d in tangent_cubic(SkPoint const*, float, float, SkTDArray<SkPoint>*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/gfx/skia/skia/src/core/SkPath.cpp:3042:9
#3 0x7f278df46364 in SkPath::contains(float, float) const /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/gfx/skia/skia/src/core/SkPath.cpp:3205:17
#4 0x7f2787f84b2a in mozilla::gfx::SkPathContainsPoint(SkPath const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::Matrix const&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/gfx/2d/PathSkia.cpp:138:10
#5 0x7f2787f84a20 in mozilla::gfx::PathSkia::ContainsPoint(mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::Matrix const&) const /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/gfx/2d/PathSkia.cpp:148:10
#6 0x7f278a22c176 in mozilla::dom::CanvasRenderingContext2D::IsPointInPath(double, double, mozilla::dom::CanvasWindingRule const&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/canvas/CanvasRenderingContext2D.cpp:4445:10
#7 0x7f2789628fed in mozilla::dom::CanvasRenderingContext2DBinding::isPointInPath(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:3737:19
#8 0x7f278a175d5d in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/bindings/BindingUtils.cpp:2784:13
#9 0x7f278eaa4afa in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jscntxtinlines.h:232:15
#10 0x7f278eaa469f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/Interpreter.cpp:441:16
#11 0x7f278eaa4f79 in InternalCall(JSContext*, js::AnyInvokeArgs const&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/Interpreter.cpp:498:12
#12 0x7f278ea9ae31 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/Interpreter.cpp:2873:18
#13 0x7f278ea89802 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/Interpreter.cpp:399:12
#14 0x7f278eaa6c06 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/Interpreter.cpp:679:15
#15 0x7f278eaa750c in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/Interpreter.cpp:711:12
#16 0x7f278e6a610c in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::StaticScope*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jsapi.cpp:4406:19
#17 0x7f278e6a6a63 in Evaluate(JSContext*, JS::AutoVectorRooter<JSObject*>&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jsapi.cpp:4433:12
#18 0x7f2788a9403f in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/base/nsJSUtils.cpp:206:12
#19 0x7f2788a94b93 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/base/nsJSUtils.cpp:266:10
#20 0x7f2788b022f1 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/base/nsScriptLoader.cpp:2010:12
#21 0x7f2788affdf7 in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/base/nsScriptLoader.cpp:1808:10
#22 0x7f2788af2686 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/base/nsScriptLoader.cpp:1546:10
#23 0x7f2788af10f3 in nsScriptElement::MaybeProcessScript() /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/base/nsScriptElement.cpp:141:10
#24 0x7f2787f2e0de in nsIScriptElement::AttemptToExecute() /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/base/nsIScriptElement.h:221:18
#25 0x7f2787f2d4d3 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:664:16
#26 0x7f2787f2c758 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:488:7
#27 0x7f2787f2ffd4 in nsHtml5ExecutorFlusher::Run() /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/parser/html/nsHtml5StreamParser.cpp:128:9
#28 0x7f278672e864 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/xpcom/threads/nsThread.cpp:1073:7
#29 0x7f27867b64a0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290:10
#30 0x7f2787221f59 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/ipc/glue/MessagePump.cpp:100:21
#31 0x7f2787192e67 in MessageLoop::RunInternal() /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/ipc/chromium/src/base/message_loop.cc:235:3
#32 0x7f2787192cf9 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/ipc/chromium/src/base/message_loop.cc:208:3
#33 0x7f278b6e27ca in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/widget/nsBaseAppShell.cpp:156:3
#34 0x7f278cde976c in nsAppStartup::Run() /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:284:19
#35 0x7f278cedf616 in XREMain::XRE_mainRun() /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4390:10
#36 0x7f278cee0c37 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4513:8
#37 0x7f278cee1893 in XRE_main /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4608:16
#38 0x4dffe9 in do_main(int, char**, char**, nsIFile*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/browser/app/nsBrowserApp.cpp:254:10
#39 0x4df74d in main /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/browser/app/nsBrowserApp.cpp:390:16
#40 0x7f27a1a4f82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
#41 0x41c134 in _start (/home/user/workspace/browsers/firefox_dbg/firefox+0x41c134)
|
Assignee | |
Comment 1•8 years ago
|
||
This is just a straight backport of an upstream fix: https://skia.googlesource.com/skia/+/276e63361c73fed6c6528b322400ece81fd1d067
|
||
Updated•8 years ago
|
Attachment #8768158 -
Flags: review?(jmuizelaar) → review+
Pushed by lsalzman@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/85a0402746aa backport of Skia fix for SkCubicClipper::ChopMonoAtY. r=jrmuizel
|
||
Comment 3•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/85a0402746aa
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
|
||
Comment 4•8 years ago
|
||
Is there a reason the testcase wasn't landed as a crashtest?
Flags: needinfo?(lsalzman)
Flags: in-testsuite?
Pushed by lsalzman@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/ef71d77aca9f add crashtest. r=me
|
|
Assignee | |
Comment 6•8 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #4) > Is there a reason the testcase wasn't landed as a crashtest? Fixed.
Flags: needinfo?(lsalzman)
|
|
||
Updated•8 years ago
|
Flags: in-testsuite? → in-testsuite+
|
|
||
Comment 7•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/ef71d77aca9f
You need to log in
before you can comment on or make changes to this bug.
Description
•