Closed
Bug 1287652
Opened 9 years ago
Closed 9 years ago
SEGV on unknown address 0x44 in [@mozilla::gfx::SetPaintPattern]
Categories
(Core :: Graphics: Canvas2D, defect)
Tracking
()
RESOLVED
FIXED
mozilla50
| Tracking | Status | |
|---|---|---|
| firefox50 | --- | fixed |
People
(Reporter: tsmith, Assigned: ethlin)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase, Whiteboard: [fuzzblocker])
Attachments
(4 files)
|
9.35 KB,
text/plain
|
Details | |
|
207 bytes,
text/html
|
Details | |
|
3.08 KB,
patch
|
mchang
:
review+
|
Details | Diff | Splinter Review |
|
1.17 KB,
patch
|
mchang
:
review+
|
Details | Diff | Splinter Review |
This is a fuzz blocker. It is triggered every 5 or so iterations. Please fix ASAP.
Repros on non ASan and non debug builds.
Log from an ASan build:
==60217==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000044 (pc 0x7fa8351d91aa bp 0x7ffe09054b30 sp 0x7ffe090547e0 T0)
#0 0x7fa8351d91a9 in mozilla::gfx::SetPaintPattern(SkPaint&, mozilla::gfx::Pattern const&, float) /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/2d/DrawTargetSkia.cpp:229:61
#1 0x7fa8351d7f18 in AutoPaintSetup /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/2d/DrawTargetSkia.cpp:319:5
#2 0x7fa8351d7f18 in mozilla::gfx::DrawTargetSkia::FillGlyphs(mozilla::gfx::ScaledFont*, mozilla::gfx::GlyphBuffer const&, mozilla::gfx::Pattern const&, mozilla::gfx::DrawOptions const&, mozilla::gfx::GlyphRenderingOptions const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/2d/DrawTargetSkia.cpp:1029
#3 0x7fa8358a4863 in GlyphBufferAzure::Flush(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/thebes/gfxFont.cpp:1667:21
#4 0x7fa83586efa3 in ~GlyphBufferAzure /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/thebes/gfxFont.cpp:1570:9
#5 0x7fa83586efa3 in gfxFont::DrawGlyphs(gfxShapedText const*, unsigned int, unsigned int, gfxPoint*, TextRunDrawParams const&, FontDrawParams const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/thebes/gfxFont.cpp:1968
#6 0x7fa835872bc8 in gfxFont::Draw(gfxTextRun const*, unsigned int, unsigned int, gfxPoint*, TextRunDrawParams const&, unsigned short) /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/thebes/gfxFont.cpp:2152:9
#7 0x7fa8358e0a4d in gfxTextRun::DrawGlyphs(gfxFont*, gfxTextRun::Range, gfxPoint*, gfxTextRun::PropertyProvider*, gfxTextRun::Range, TextRunDrawParams&, unsigned short) const /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/thebes/gfxTextRun.cpp:412:5
...
see log.txt for full log.
|
Reporter | |
Comment 1•9 years ago
|
||
|
|
Reporter | |
Updated•9 years ago
|
Whiteboard: [fuzzblocker]
|
Assignee | |
Comment 2•9 years ago
|
||
We should have some error handling for the CanvasGradient which has no ColorStop. D2D1 has handled it[1]. Skia and Cairo should do this as well.
[1] https://dxr.mozilla.org/mozilla-central/source/gfx/2d/DrawTargetD2D1.cpp#1634
Assignee: nobody → ethlin
|
|
Assignee | |
Comment 3•9 years ago
|
||
Check if the 'stops' is nullptr. After study, I think cairo works well in this case.
Attachment #8772321 -
Flags: review?(mchang)
|
||
Updated•9 years ago
|
Attachment #8772321 -
Flags: review?(mchang) → review+
|
|
Assignee | |
Comment 4•9 years ago
|
||
|
|
Assignee | |
Updated•9 years ago
|
Keywords: checkin-needed
|
||
Comment 5•9 years ago
|
||
Any particular reason we aren't landing the testcase as a crashtest?
Flags: needinfo?(ethlin)
Flags: in-testsuite?
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1afe2708eef5
Add error handling while colorstop is empty. r=mchang
Keywords: checkin-needed
|
|
||
Comment 7•9 years ago
|
||
Yes sorry my mistake, can we also please check in the testcase as a crash test.
|
|
Assignee | |
Comment 8•9 years ago
|
||
I should add the crash testcase for this bug.
Flags: needinfo?(ethlin)
Attachment #8773117 -
Flags: review?(mchang)
|
|
||
Comment 9•9 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
|
|
||
Comment 10•9 years ago
|
||
Comment on attachment 8773117 [details] [diff] [review]
crash testcase
Review of attachment 8773117 [details] [diff] [review]:
-----------------------------------------------------------------
Thanks!
Attachment #8773117 -
Flags: review?(mchang) → review+
|
|
||
Updated•9 years ago
|
Flags: in-testsuite? → in-testsuite+
Keywords: checkin-needed
|
||
Comment 11•9 years ago
|
||
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d300e4be79b7
Add crash test case. r=mchang
Keywords: checkin-needed
|
|
||
Comment 12•9 years ago
|
||
| bugherder | ||
You need to log in
before you can comment on or make changes to this bug.
Description
•