Closed
Bug 1287652
Opened 8 years ago
Closed 8 years ago
SEGV on unknown address 0x44 in [@mozilla::gfx::SetPaintPattern]
Categories
(Core :: Graphics: Canvas2D, defect)
Tracking
()
RESOLVED
FIXED
mozilla50
Tracking | Status | |
---|---|---|
firefox50 | --- | fixed |
People
(Reporter: tsmith, Assigned: ethlin)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase, Whiteboard: [fuzzblocker])
Attachments
(4 files)
- 9.35 KB, text/plain
- 207 bytes, text/html
- 3.08 KB, patch (mchang: review+)
- 1.17 KB, patch (mchang: review+)
This is a fuzz blocker. It is triggered every 5 or so iterations. Please fix ASAP. Repros on non ASan and non debug builds.

Log from an ASan build:

    ==60217==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000044 (pc 0x7fa8351d91aa bp 0x7ffe09054b30 sp 0x7ffe090547e0 T0)
        #0 0x7fa8351d91a9 in mozilla::gfx::SetPaintPattern(SkPaint&, mozilla::gfx::Pattern const&, float) /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/2d/DrawTargetSkia.cpp:229:61
        #1 0x7fa8351d7f18 in AutoPaintSetup /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/2d/DrawTargetSkia.cpp:319:5
        #2 0x7fa8351d7f18 in mozilla::gfx::DrawTargetSkia::FillGlyphs(mozilla::gfx::ScaledFont*, mozilla::gfx::GlyphBuffer const&, mozilla::gfx::Pattern const&, mozilla::gfx::DrawOptions const&, mozilla::gfx::GlyphRenderingOptions const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/2d/DrawTargetSkia.cpp:1029
        #3 0x7fa8358a4863 in GlyphBufferAzure::Flush(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/thebes/gfxFont.cpp:1667:21
        #4 0x7fa83586efa3 in ~GlyphBufferAzure /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/thebes/gfxFont.cpp:1570:9
        #5 0x7fa83586efa3 in gfxFont::DrawGlyphs(gfxShapedText const*, unsigned int, unsigned int, gfxPoint*, TextRunDrawParams const&, FontDrawParams const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/thebes/gfxFont.cpp:1968
        #6 0x7fa835872bc8 in gfxFont::Draw(gfxTextRun const*, unsigned int, unsigned int, gfxPoint*, TextRunDrawParams const&, unsigned short) /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/thebes/gfxFont.cpp:2152:9
        #7 0x7fa8358e0a4d in gfxTextRun::DrawGlyphs(gfxFont*, gfxTextRun::Range, gfxPoint*, gfxTextRun::PropertyProvider*, gfxTextRun::Range, TextRunDrawParams&, unsigned short) const /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/thebes/gfxTextRun.cpp:412:5

... see log.txt for full log.
Reporter
Comment 1•8 years ago
Reporter
Updated•8 years ago
Whiteboard: [fuzzblocker]
Assignee
Comment 2•8 years ago
We should have some error handling for the CanvasGradient which has no ColorStop. D2D1 has handled it[1]. Skia and Cairo should do this as well.
[1] https://dxr.mozilla.org/mozilla-central/source/gfx/2d/DrawTargetD2D1.cpp#1634
Assignee: nobody → ethlin
Assignee
Comment 3•8 years ago
Check if the 'stops' is nullptr. After study, I think cairo works well in this case.
Attachment #8772321 -
Flags: review?(mchang)
Updated•8 years ago
Attachment #8772321 -
Flags: review?(mchang) → review+
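The guard described in comments 2 and 3, as an added example that is not the patch attached to this bug: the types and `SampleGradient` are hypothetical stand-ins for the gfx classes in the trace, and returning transparent black for a gradient without stops is this example's assumed fallback.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical stand-ins for the gfx types named in the trace; not Mozilla's code.
struct Color { float r, g, b, a; };
struct GradientStop { float offset; Color color; };
struct GradientStops { std::vector<GradientStop> stops; };  // sorted by offset
struct LinearGradientPattern {
  const GradientStops* mStops;  // stays null when no color stop was ever added
};

static const Color kTransparentBlack{0.f, 0.f, 0.f, 0.f};

static float Lerp(float a, float b, float k) { return a + (b - a) * k; }

// Resolve the paint color at position t in [0, 1] along the gradient.
Color SampleGradient(const LinearGradientPattern& pattern, float t) {
  // Validate before any dereference: reading a member through a null
  // mStops faults at a small address (null base plus the member's offset).
  if (!pattern.mStops || pattern.mStops->stops.empty()) {
    return kTransparentBlack;  // assumed fallback: draw nothing visible
  }
  const std::vector<GradientStop>& s = pattern.mStops->stops;
  if (t <= s.front().offset) return s.front().color;
  if (t >= s.back().offset) return s.back().color;
  for (std::size_t i = 1; i < s.size(); ++i) {
    if (t <= s[i].offset) {
      const GradientStop& lo = s[i - 1];
      const GradientStop& hi = s[i];
      float span = hi.offset - lo.offset;
      float k = span > 0.f ? (t - lo.offset) / span : 1.f;  // coincident stops
      return {Lerp(lo.color.r, hi.color.r, k), Lerp(lo.color.g, hi.color.g, k),
              Lerp(lo.color.b, hi.color.b, k), Lerp(lo.color.a, hi.color.a, k)};
    }
  }
  return s.back().color;  // not reached for sorted stops; keeps all paths defined
}
```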
Assignee
Comment 4•8 years ago
try server: https://treeherder.mozilla.org/#/jobs?repo=try&revision=2d3af9d63646
Assignee
Updated•8 years ago
Keywords: checkin-needed
Comment 5•8 years ago
Any particular reason we aren't landing the testcase as a crashtest?
Flags: needinfo?(ethlin)
Flags: in-testsuite?
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1afe2708eef5
Add error handling while colorstop is empty. r=mchang
Keywords: checkin-needed
Comment 7•8 years ago
Yes sorry my mistake, can we also please check in the testcase as a crash test.
Assignee
Comment 8•8 years ago
I should add the crash testcase for this bug.
Flags: needinfo?(ethlin)
Attachment #8773117 -
Flags: review?(mchang)
Comment 9•8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/1afe2708eef5
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Comment 10•8 years ago
Comment on attachment 8773117
crash testcase

Review of attachment 8773117:
-----------------------------------------------------------------

Thanks!
Attachment #8773117 -
Flags: review?(mchang) → review+
Updated•8 years ago
Flags: in-testsuite? → in-testsuite+
Keywords: checkin-needed
Comment 11•8 years ago
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d300e4be79b7
Add crash test case. r=mchang
Keywords: checkin-needed
Comment 12•8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/d300e4be79b7