Closed Bug 1302186 Opened 8 years ago Closed 7 years ago

AddressSanitizer: memcpy-param-overlap: memory ranges overlap in [@ S32_Opaque_BlitRow32]

Categories

(Core :: Graphics, defect, P3)

Product:
Core
Component:
Graphics
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox51 --- affected

People

(Reporter: truber, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-undefined, testcase, Whiteboard: [gfx-noted])

Attachments

(2 files)

testcase
286 bytes, text/html
Details
log.txt
24.91 KB, text/plain
Details
Attached file testcase 
The attached testcase crashes on mozilla-central revision 20160912-1851b78b5a96

Backtrace:
==7983==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x7fba1e6e38c4,0x7fba1e6e7398) and [0x7fba1e6e3800, 0x7fba1e6e72d4) overlap
    #0 0x49ad76 in __asan_memcpy /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393:3
    #1 0x7fba59be291e in S32_Opaque_BlitRow32(unsigned int*, unsigned int const*, int, unsigned int) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkBlitRow_D32.cpp:20:5
    #2 0x7fba5a0c2cf8 in Sprite_D32_S32::blitRect(int, int, int, int) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkSpriteBlitter_ARGB32.cpp:45:13
    #3 0x7fba5a07b097 in blitrect /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan.cpp:14:5
    #4 0x7fba5a07b097 in SkScan::FillIRect(SkIRect const&, SkRegion const*, SkBlitter*) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan.cpp:29
    #5 0x7fba5a07b5ac in SkScan::FillIRect(SkIRect const&, SkRasterClip const&, SkBlitter*) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan.cpp:72:9
    #6 0x7fba59e83785 in SkDraw::drawBitmap(SkBitmap const&, SkMatrix const&, SkRect const*, SkPaint const&) const /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.cpp:1310:17
    #7 0x7fba59bc94b8 in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkCanvas.cpp:2367:13
    #8 0x7fba5226d379 in mozilla::gfx::DrawTargetSkia::CopySurface(mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/DrawTargetSkia.cpp:1657:3
    #9 0x7fba52270ba3 in mozilla::gfx::DrawTarget::CopyRect(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/2D.h:889:5
    #10 0x7fba5254d3b2 in mozilla::layers::RotatedContentBuffer::BeginPaint(mozilla::layers::PaintedLayer*, unsigned int) /home/worker/workspace/build/src/gfx/layers/RotatedBuffer.cpp:600:11
Attached file log.txt 
Flags: in-testsuite?
Whiteboard: [gfx-noted]

    
    

    
  
This should already be fixed by bug 1301920. RotatedBuffer calls CopyRect, which draws from a snapshot of the draw target back onto itself. Bug 1301920 fixed the copy-on-write handling of snapshots, so that the snapshot should now be an actual copy by the time it gets to Skia in this case.

Can you confirm it is fixed?
Flags: needinfo?(jschwartzentruber)

    
    

    
  
Confirmed, this is fixed in the m-c nightlies around that commit.
Flags: needinfo?(jschwartzentruber)

    
  
Severity: normal → critical
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: