Closed Bug 1323837 Opened 8 years ago Closed 8 years ago

Crash at null [@mozilla::gfx::DrawTargetD2D1::FinalizeDrawing]

Categories

(Core :: Graphics: Canvas2D, defect)

All
Windows
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla53
Tracking Status
firefox51 --- fixed
firefox52 --- fixed
firefox53 --- fixed

People

(Reporter: tsmith, Assigned: pchang)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-nullptr, testcase, Whiteboard: [gfx-noted][fuzzblocker])

Attachments

(3 files)

Attached file test_case.html
==10324==ERROR: AddressSanitizer: access-violation on unknown address 0x00000000 0010 (pc 0x7ff810193764 bp 0x000000000000 sp 0x00e8269f7fb0 T0)
==10324==The signal is caused by a READ memory access.
==10324==Hint: address points to the zero page.
    #0 0x7ff810193763 in ⌂gdiplus_NULL_THUNK_DATA_DLA (C:\windows\SYSTEM32\d2d1.dll+0x180043763)
    #1 0x7fffd3021bc5 in mozilla::gfx::DrawTargetD2D1::FinalizeDrawing(enum mozilla::gfx::CompositionOp,class mozilla::gfx::Pattern const &) c:\m-c\gfx\2d\DrawTargetD2D1.cpp:1392
    #2 0x7fffd304197d in mozilla::gfx::DrawTargetD2D1::Fill(class mozilla::gfx::Path const *,class mozilla::gfx::Pattern const &,struct mozilla::gfx::DrawOptions const &) c:\m-c\gfx\2d\DrawTargetD2D1.cpp:529
    #3 0x7fffd8a77671 in mozilla::dom::CanvasRenderingContext2D::Fill(class mozilla::dom::CanvasPath const &,enum mozilla::dom::CanvasWindingRule const &) c:\m-c\dom\canvas\CanvasRenderingContext2D.cpp:3195
    #4 0x7fffd6c883e8 in mozilla::dom::CanvasRenderingContext2DBinding::fill C:\m-c\obj64-clang-cl-optimized\dom\bindings\CanvasRenderingContext2DBinding.cpp:3451
    #5 0x7fffd88b76c6 in mozilla::dom::GenericBindingMethod(struct JSContext *,unsigned int,class JS::Value *) c:\m-c\dom\bindings\BindingUtils.cpp:2886
...
see log.txt
Attached file log.txt
Whiteboard: [fuzzblocker]
Assignee: nobody → howareyou322
Whiteboard: [fuzzblocker] → [gfx-noted][fuzzblocker]
Comment on attachment 8819183 [details] Bug 1323837 - Draw nothing if there are no color stops for gradient effect, https://reviewboard.mozilla.org/r/99038/#review99286 ::: gfx/2d/DrawTargetD2D1.cpp:1387 (Diff revision 1) > > + if (!pat->mStops.get()) { > + // Draw nothing because of no stops > + return; > + } > + I guess early return here is fine because there is another StopCollection validation before rendering. http://searchfox.org/mozilla-central/source/gfx/2d/RadialGradientEffectD2D1.cpp#115
Comment on attachment 8819183 [details] Bug 1323837 - Draw nothing if there are no color stops for gradient effect, https://reviewboard.mozilla.org/r/99038/#review99798 ::: gfx/2d/DrawTargetD2D1.cpp:1383 (Diff revision 1) > if (pat->mCenter1 == pat->mCenter2 && pat->mRadius1 == pat->mRadius2) { > // Draw nothing! > return; > } > > + if (!pat->mStops.get()) { nit: I don't think the .get() is required, is it?
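Review bot: The new early return at "if (!pat->mStops.get())" silently drops the fill, and its comment ("Draw nothing because of no stops") does not say how a gradient pattern reaches FinalizeDrawing with a null stop collection. Consider expanding the comment to name that condition, so the check is not later mistaken for dead code and removed. The bug already carries test_case.html and the approval request answers "no" to automated test coverage, so landing that testcase as a crashtest together with this check would keep the null dereference from regressing.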
Attachment #8819183 - Flags: review+
Comment on attachment 8819183 [details] Bug 1323837 - Draw nothing if there are no color stops for gradient effect, https://reviewboard.mozilla.org/r/99038/#review99798 > nit: I don't think the .get() is required, is it? yes, I just updated the patch
Pushed by pchang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/981f3d75def4 Draw nothing if there are no color stops for gradient effect, r=bas
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Comment on attachment 8819183 [details]
Bug 1323837 - Draw nothing if there are no color stops for gradient effect,

Approval Request Comment
[Feature/Bug causing the regression]:None
[User impact if declined]: might have chance to hit crash for windows user
[Is this code covered by automated tests?]:no
[Has the fix been verified in Nightly?]: It was landed for two weeks without problem
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]:no
[Is the change risky?]:no
[Why is the change risky/not risky?]: it's a pointer checking
[String changes made/needed]:none
Attachment #8819183 - Flags: approval-mozilla-beta?
Attachment #8819183 - Flags: approval-mozilla-aurora?
Comment on attachment 8819183 [details] Bug 1323837 - Draw nothing if there are no color stops for gradient effect, Fix a crash. Beta51+ & Aurora52+. Should be in 51 RC.
Attachment #8819183 - Flags: approval-mozilla-beta?
Attachment #8819183 - Flags: approval-mozilla-beta+
Attachment #8819183 - Flags: approval-mozilla-aurora?
Attachment #8819183 - Flags: approval-mozilla-aurora+