1287652 - SEGV on unknown address 0x44 in [@mozilla::gfx::SetPaintPattern]

Status: RESOLVED FIXED

(Core :: Graphics: Canvas2D, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: log.txt

This is a fuzz blocker. It is triggered every 5 or so iterations. Please fix ASAP.

Repros on non ASan and non debug builds.

Log from an ASan build:
==60217==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000044 (pc 0x7fa8351d91aa bp 0x7ffe09054b30 sp 0x7ffe090547e0 T0)
    #0 0x7fa8351d91a9 in mozilla::gfx::SetPaintPattern(SkPaint&, mozilla::gfx::Pattern const&, float) /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/2d/DrawTargetSkia.cpp:229:61
    #1 0x7fa8351d7f18 in AutoPaintSetup /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/2d/DrawTargetSkia.cpp:319:5
    #2 0x7fa8351d7f18 in mozilla::gfx::DrawTargetSkia::FillGlyphs(mozilla::gfx::ScaledFont*, mozilla::gfx::GlyphBuffer const&, mozilla::gfx::Pattern const&, mozilla::gfx::DrawOptions const&, mozilla::gfx::GlyphRenderingOptions const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/2d/DrawTargetSkia.cpp:1029
    #3 0x7fa8358a4863 in GlyphBufferAzure::Flush(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/thebes/gfxFont.cpp:1667:21
    #4 0x7fa83586efa3 in ~GlyphBufferAzure /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/thebes/gfxFont.cpp:1570:9
    #5 0x7fa83586efa3 in gfxFont::DrawGlyphs(gfxShapedText const*, unsigned int, unsigned int, gfxPoint*, TextRunDrawParams const&, FontDrawParams const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/thebes/gfxFont.cpp:1968
    #6 0x7fa835872bc8 in gfxFont::Draw(gfxTextRun const*, unsigned int, unsigned int, gfxPoint*, TextRunDrawParams const&, unsigned short) /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/thebes/gfxFont.cpp:2152:9
    #7 0x7fa8358e0a4d in gfxTextRun::DrawGlyphs(gfxFont*, gfxTextRun::Range, gfxPoint*, gfxTextRun::PropertyProvider*, gfxTextRun::Range, TextRunDrawParams&, unsigned short) const /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/thebes/gfxTextRun.cpp:412:5
...
see log.txt for full log.

Comment 1

[Tyson Smith [:tsmith]]

Attachment: test_case.html

Comment 2

[Ethan Lin[:ethlin]]

We should have some error handling for the CanvasGradient which has no ColorStop. D2D1 has handled it[1]. Skia and Cairo should do this as well.

[1] https://dxr.mozilla.org/mozilla-central/source/gfx/2d/DrawTargetD2D1.cpp#1634

Comment 3

[Ethan Lin[:ethlin]]

Attachment: error handling

Check if the 'stops' is nullptr. After study, I think cairo works well in this case.

Comment 4

[Ethan Lin[:ethlin]]

try server:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=2d3af9d63646

Comment 5

[Ryan VanderMeulen [:RyanVM]]

Any particular reason we aren't landing the testcase as a crashtest?

Comment 6

[Pulsebot]

Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1afe2708eef5
Add error handling while colorstop is empty. r=mchang

Comment 7

[Mason Chang [Inactive] [:mchang]]

Yes sorry my mistake, can we also please check in the testcase as a crash test.

Comment 8

[Ethan Lin[:ethlin]]

Attachment: crash testcase

I should add the crash testcase for this bug.

Comment 9

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/1afe2708eef5

Comment 10

[Mason Chang [Inactive] [:mchang]]

Comment on attachment 8773117 [details] [diff] [review]
crash testcase

Review of attachment 8773117 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!

Comment 11

[Pulsebot]

Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d300e4be79b7
Add crash test case. r=mchang

Comment 12

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/d300e4be79b7