Bug 1306890 (CVE-2017-5406)

SEGV in SkBlitLCD16OpaqueRow_SSE2

RESOLVED FIXED

Status

RESOLVED FIXED
2 years ago
10 months ago

People

(Reporter: attekett, Assigned: vliu)

Tracking

({csectype-bounds, sec-high})

unspecified
csectype-bounds, sec-high
Points:
---
Bug Flags:
sec-bounty +
qe-verify +

Firefox Tracking Flags

(firefox-esr45 unaffected, firefox51+ wontfix, firefox52 fixed)

Details

(Whiteboard: [post-critsmash-triage][adv-main52+])

Attachments

(4 attachments)

(Reporter)

Description

2 years ago
Created attachment 8796864 [details]
firefox-SEGV-20f-20f-20f-0f3-2e50-min.html

Tested on:

OS: Ubuntu 16.04.1 LTS

Firefox: ASAN-build moz_source_stamp: f713114b8c8d352b668b3e8052bc51ece4df34e0

prefs.js from https://github.com/MozillaSecurity/fuzzdata/blob/master/settings/firefox/prefs.js

ASAN-trace:

ASAN:DEADLYSIGNAL
=================================================================
==2203==ERROR: AddressSanitizer: SEGV on unknown address 0x11dfdd40f2ff (pc 0x7ffb1f2b6e47 bp 0x7fffa27f3960 sp 0x7fffa27f3930 T0)
    #0 0x7ffb1f2b6e46 in SkBlitLCD16OpaqueRow_SSE2(unsigned int*, unsigned short const*, unsigned int, int, unsigned int) /home/worker/workspace/build/src/gfx/skia/skia/src/opts/SkBlitRow_opts_SSE2.cpp:459:57
    #1 0x7ffb1f356e51 in D32_LCD16_Proc /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkBlitMask_D32.cpp:46:9
    #2 0x7ffb1f356e51 in SkBlitMask::BlitColor(SkPixmap const&, SkMask const&, SkIRect const&, unsigned int) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkBlitMask_D32.cpp:67
    #3 0x7ffb1f14be95 in SkARGB32_Opaque_Blitter::blitMask(SkMask const&, SkIRect const&) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkBlitter_ARGB32.cpp:188:9
    #4 0x7ffb1f64ede2 in DrawOneGlyph::blitMask(SkMask const&, SkIRect const&) const /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.cpp:1551:13
    #5 0x7ffb1f64e540 in DrawOneGlyph::operator()(SkGlyph const&, SkPoint, SkPoint) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.cpp:1511:17
    #6 0x7ffb1f6512dd in SkFindAndPlaceGlyph::GlyphFindAndPlaceFullPixel<DrawOneGlyph&, (SkPaint::Align)0, (SkFindAndPlaceGlyph::SelectKerning)0>::findAndPositionGlyph(char const**, SkPoint, DrawOneGlyph&) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkFindAndPlaceGlyph.h:504:17
    #7 0x7ffb1f6479bb in void SkFindAndPlaceGlyph::ProcessPosText<DrawOneGlyph&>(SkPaint::TextEncoding, char const*, unsigned long, SkPoint, SkMatrix const&, float const*, int, SkPaint::Align, SkGlyphCache*, DrawOneGlyph&) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkFindAndPlaceGlyph.h:685:9
    #8 0x7ffb1f646906 in SkDraw::drawPosText(char const*, unsigned long, float const*, int, SkPoint const&, SkPaint const&) const /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.cpp:1676:5
    #9 0x7ffb1f3351ba in SkBitmapDevice::drawPosText(SkDraw const&, void const*, unsigned long, float const*, int, SkPoint const&, SkPaint const&) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkBitmapDevice.cpp:345:5
    #10 0x7ffb1f38c0b0 in SkCanvas::onDrawPosText(void const*, unsigned long, SkPoint const*, SkPaint const&) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkCanvas.cpp:2576:9
    #11 0x7ffb1f38e33f in SkCanvas::drawPosText(void const*, unsigned long, SkPoint const*, SkPaint const&) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkCanvas.cpp:2651:5
    #12 0x7ffb17965856 in mozilla::gfx::DrawTargetSkia::FillGlyphs(mozilla::gfx::ScaledFont*, mozilla::gfx::GlyphBuffer const&, mozilla::gfx::Pattern const&, mozilla::gfx::DrawOptions const&, mozilla::gfx::GlyphRenderingOptions const*) /home/worker/workspace/build/src/gfx/2d/DrawTargetSkia.cpp:1328:3
    #13 0x7ffb18032bed in GlyphBufferAzure::Flush(bool) /home/worker/workspace/build/src/gfx/thebes/gfxFont.cpp:1666:21
    #14 0x7ffb17ffd9e3 in ~GlyphBufferAzure /home/worker/workspace/build/src/gfx/thebes/gfxFont.cpp:1569:9
    #15 0x7ffb17ffd9e3 in gfxFont::DrawGlyphs(gfxShapedText const*, unsigned int, unsigned int, gfxPoint*, TextRunDrawParams const&, FontDrawParams const&) /home/worker/workspace/build/src/gfx/thebes/gfxFont.cpp:1968
    #16 0x7ffb1800156b in gfxFont::Draw(gfxTextRun const*, unsigned int, unsigned int, gfxPoint*, TextRunDrawParams const&, unsigned short) /home/worker/workspace/build/src/gfx/thebes/gfxFont.cpp:2156:9
    #17 0x7ffb18070b4d in gfxTextRun::DrawGlyphs(gfxFont*, gfxTextRun::Range, gfxPoint*, gfxTextRun::PropertyProvider*, gfxTextRun::Range, TextRunDrawParams&, unsigned short) const /home/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:413:5
    #18 0x7ffb18073617 in gfxTextRun::Draw(gfxTextRun::Range, gfxPoint, gfxTextRun::DrawParams const&) const /home/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:667:9
    #19 0x7ffb1cf2e581 in DrawTextRun(gfxTextRun const*, gfxPoint const&, gfxTextRun::Range, nsTextFrame::DrawTextRunParams const&) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:6835:7
    #20 0x7ffb1cf2da56 in nsTextFrame::DrawTextRun(gfxTextRun::Range, gfxPoint const&, nsTextFrame::DrawTextRunParams const&) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:6845:3
    #21 0x7ffb1cf231f8 in nsTextFrame::DrawText(gfxTextRun::Range, gfxPoint const&, nsTextFrame::DrawTextParams const&) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:7028:5
    #22 0x7ffb1cf16139 in nsTextFrame::PaintText(nsTextFrame::PaintTextParams const&, nsCharClipDisplayItem const&, float) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:6799:3
    #23 0x7ffb1d0967b2 in SVGTextFrame::PaintSVG(gfxContext&, gfxMatrix const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:3691:9
    #24 0x7ffb1d095043 in nsDisplaySVGText::Paint(nsDisplayListBuilder*, nsRenderingContext*) /home/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:3122:23
.
.
.
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/worker/workspace/build/src/gfx/skia/skia/src/opts/SkBlitRow_opts_SSE2.cpp:459:57 in SkBlitLCD16OpaqueRow_SSE2(unsigned int*, unsigned short const*, unsigned int, int, unsigned int)
==2203==ABORTING
(Reporter)

Updated

2 years ago
Component: General → Graphics
Group: core-security → gfx-core-security
Component: Graphics → Canvas: 2D
(Assignee)

Comment 1

2 years ago
Created attachment 8798700 [details]
backtrace-of-crash.txt

I can reproduce this test case in my local gecko-dev build on Mac. The attached file is the backtrace I saw. I am not sure whether it hit the same issue, because the backtrace was not exactly the same as this one.
(Reporter)

Comment 2

2 years ago
That trace looks like OOM to me.

On Ubuntu I don't see that: 
/Volumes/firefoxos/gecko-dev/gfx/skia/skia/include/core/SkRect.h:269: fatal error: ""left < right && top < bottom""
Abort from sk_abort
Hit MOZ_CRASH() at /Volumes/firefoxos/gecko-dev/memory/mozalloc/mozalloc_abort.cpp:33


With build from: https://public-artifacts.taskcluster.net/UXfrLXB1T5OS0Pa7sizXng/0/public/build/target.tar.bz2

We crash directly with SIGSEGV:

.
.
.
ATTENTION: default value of option force_s3tc_enable overridden by environment.
ATTENTION: default value of option force_s3tc_enable overridden by environment.
[New Thread 0x7fffb09ff700 (LWP 12988)]
[New Thread 0x7fffaff8f700 (LWP 12989)]
[New Thread 0x7fffaf753700 (LWP 12990)]
[New Thread 0x7fffaf687700 (LWP 12991)]
[New Thread 0x7fffaecff700 (LWP 12992)]
[New Thread 0x7fffae196700 (LWP 12993)]
JavaScript error: file:///home/attekett/results/attachment.cgi.html, line 1: ReferenceError: init is not defined

Thread 1 "firefox" received signal SIGSEGV, Segmentation fault.
0x00007fffe4db8ec7 in SkBlitLCD16OpaqueRow_SSE2 () at /home/worker/workspace/build/src/gfx/skia/skia/src/opts/SkBlitRow_opts_SSE2.cpp:459
459	/home/worker/workspace/build/src/gfx/skia/skia/src/opts/SkBlitRow_opts_SSE2.cpp: No such file or directory.
(gdb) bt
#0  0x00007fffe4db8ec7 in SkBlitLCD16OpaqueRow_SSE2 () at /home/worker/workspace/build/src/gfx/skia/skia/src/opts/SkBlitRow_opts_SSE2.cpp:459
#1  0x00007fffe4e58ed2 in D32_LCD16_Proc () at /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkBlitMask_D32.cpp:46
#2  BlitColor () at /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkBlitMask_D32.cpp:67
#3  0x00007fffe4c4df16 in blitMask () at /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkBlitter_ARGB32.cpp:188
#4  0x00007fffe5150e63 in blitMask () at /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.cpp:1551
#5  0x00007fffe51505c1 in operator() () at /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.cpp:1511
#6  0x00007fffe515335e in findAndPositionGlyph () at /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkFindAndPlaceGlyph.h:504
#7  0x00007fffe5149a3c in ProcessPosText<DrawOneGlyph&> () at /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkFindAndPlaceGlyph.h:685
#8  0x00007fffe5148987 in drawPosText () at /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.cpp:1676
#9  0x00007fffe4e3723b in SkBitmapDevice::drawPosText(SkDraw const&, void const*, unsigned long, float const*, int, SkPoint const&, SkPaint const&) ()
    at /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkBitmapDevice.cpp:345
#10 0x00007fffe4e8e131 in onDrawPosText () at /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkCanvas.cpp:2576
#11 0x00007fffe4e903c0 in drawPosText () at /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkCanvas.cpp:2651
.
.
.
(Assignee)

Comment 3

2 years ago
Ok, I will file a new bug if they are different. Another thing: why is this bug set as Security-Sensitive? Should I also do that for the newly filed bug? Thanks
Flags: needinfo?(attekett)

Comment 4

2 years ago
Vincent Liu, also make sure you are using an ASan build and the same prefs.js as Atte did.
(Reporter)

Comment 5

2 years ago
From my point-of-view, that crash is OOM, so we can wait until this issue is fixed and see if it still reproduces. 

It might be that it is the same underlying issue, but because of different prefs or lack of ASAN it is not triggered in the same place.
Flags: needinfo?(attekett)
(Assignee)

Comment 6

2 years ago
Created attachment 8800492 [details]
crash-report-on-ASAN-build.log

(In reply to Christoph Diehl [:posidron] from comment #4)
> Vincent Liu, also make sure you are using an ASan build and the same
> prefs.js as Atte did.

I've established an ASAN build on my Ubuntu 14.04 LTS. I also put prefs.js into "gecko-dev/browser/app/profile/" in the latest central. After that, I still see the attached crash information.


JavaScript error: file:///home/vliu-pc/proj/gecko-dev/firefox-SEGV-20f-20f-20f-0f3-2e50-min.html, line 1: ReferenceError: init is not defined
/home/vliu-pc/proj/gecko-dev-asan/gfx/skia/skia/include/core/SkRect.h:269: fatal error: ""left < right && top < bottom""
Abort from sk_abort
Hit MOZ_CRASH() at /home/vliu-pc/proj/gecko-dev-asan/memory/mozalloc/mozalloc_abort.cpp:33

Program /home/vliu-pc/proj/gecko-dev-asan/objdir-ff-asan/dist/bin/firefox (pid = 1248) received signal 11.
Stack:
#01: ???[/home/vliu-pc/proj/gecko-dev-asan/objdir-ff-asan/dist/bin/libxul.so +0xd1825bc]
#02: ???[/lib/x86_64-linux-gnu/libpthread.so.0 +0x10330]
#03: mozalloc_abort(char const*)[/home/vliu-pc/proj/gecko-dev-asan/objdir-ff-asan/dist/bin/firefox +0xfd9f5]
#04: ???[/home/vliu-pc/proj/gecko-dev-asan/objdir-ff-asan/dist/bin/libxul.so +0xc618900]
#05: ???[/home/vliu-pc/proj/gecko-dev-asan/objdir-ff-asan/dist/bin/libxul.so +0xc57ab22]
#06: ???[/home/vliu-pc/proj/gecko-dev-asan/objdir-ff-asan/dist/bin/libxul.so +0xc579c23]
#07: ???[/home/vliu-pc/proj/gecko-dev-asan/objdir-ff-asan/dist/bin/libxul.so +0xc57d142]
#08: ???[/home/vliu-pc/proj/gecko-dev-asan/objdir-ff-asan/dist/bin/libxul.so +0xc577f07]
#09: ???[/home/vliu-pc/proj/gecko-dev-asan/objdir-ff-asan/dist/bin/libxul.so +0xc571963]

Comment 7

2 years ago
I was able to reproduce both the issue Atte initially reported using an optimized ASan build and the issue noted in comment #6 using an ASan debug build. In both cases I used the prefs.js file from the report. It seems that the test case triggers a skia assertion before hitting the SEGV Atte reported.

Vincent, please retry with a non debug ASan build and that *should* allow you to reproduce the issue.
Flags: sec-bounty?
(Assignee)

Comment 8

2 years ago
Created attachment 8802375 [details] [diff] [review]
WIP.patch

(In reply to Tyson Smith [:tsmith] from comment #7)
> I was able to reproduce both the issue Atte initially reported using an
> optimized ASan build and the issue noted in comment #6 using an ASan debug
> build. In both cases I used the prefs.js file from the report. It seems that
> the test case triggers a skia assertion before hitting the SEGV Atte
> reported.
> 
> Vincent, please retry with a non debug ASan build and that *should* allow
> you to reproduce the issue.

Thanks for your information; my optimized ASan build had a SEGV crash in SkBlitLCD16OpaqueRow_SSE2.
I took time to look into this and found it crashed in the same function as when I saw it on the debug ASan build, or even on my Mac.
The attached patch fixes this issue as I saw it under the debug build. It also works on the ASan release build. Maybe you can also try this WIP. But a better solution would be applied to central by the next Skia upstream update, updating Skia to the milestone 55 branch in [1].

[1]: https://skia.googlesource.com/skia/+/875e13ca0990e32da9db639743a913efe77f7e89
(Assignee)

Updated

2 years ago
Assignee: nobody → vliu
Depends on: 1299435
Attachment #8800492 - Attachment mime type: text/x-log → text/plain
Keywords: csectype-bounds, sec-high

Comment 9

2 years ago
Vincent, can you work on getting this bug fixed? Thanks.
Flags: needinfo?(vliu)
(Assignee)

Comment 10

2 years ago
(In reply to Andrew McCreight [:mccr8] from comment #9)
> Vincent, can you work on getting this bug fixed? Thanks

As comment 8 said, the Skia upstream update to milestone 55 would fix this issue. The details about the Skia upstream update are in bug 1299435. I've also tried the latest ASan build and confirmed this bug has been fixed. You can also get the latest build to make sure of it. I will close this bug. Reopen if someone can still reproduce it.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(vliu)
Resolution: --- → DUPLICATE
Duplicate of bug: 1299435
Better to make this "FIXED, depends on" rather than a dupe so we don't lose track of the fact that a security bug was fixed, and may need backporting.

Does this affect ESR-45? Or did that build not use Skia in the same ways?
status-firefox51: --- → affected
status-firefox52: --- → fixed
status-firefox-esr45: --- → ?
tracking-firefox51: --- → +
Flags: sec-bounty? → sec-bounty+
Resolution: DUPLICATE → FIXED
Group: gfx-core-security → core-security-release
Per bug 1299435, let updating Skia to m55 branch ride the train. Mark 51 as fix-optional.
status-firefox51: affected → fix-optional
WTH is "fix-optional"? Isn't that just "not tracking"? This new state in the status will mess up queries.
Flags: needinfo?(vliu)
(Assignee)

Comment 14

2 years ago
"fix-optional" may refer to the status of bug 1299435.
Flags: needinfo?(vliu)

Comment 15

2 years ago
Vincent: what's the status of this bug on ESR-45? If I'm reading it right, bug 1299435 comment 0 implies Skia is not used by default on ESR-45.
status-firefox51: fix-optional → wontfix
Flags: needinfo?(vliu)
(In reply to Daniel Veditz [:dveditz] from comment #15)
> Vincent: what's the status of this bug on ESR-45? If I'm reading it right,
> bug 1299435 comment 0 implies Skia is not used by default on ESR-45.

We only started using Skia for content rendering in 51, so ESR-45 is unaffected.
status-firefox-esr45: ? → unaffected
Flags: needinfo?(vliu)
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main52+]
Alias: CVE-2017-5406
Group: core-security-release

Comment 17

10 months ago