Closed Bug 1330012 Opened 4 years ago Closed 4 years ago

Assertion failure: cachedInt < (1 << (sizeof(mPowTable[i]) * 8)) (mPowCache integer type too small)

Categories

(Core :: Graphics, defect, P3)

defect

Tracking


RESOLVED FIXED
mozilla54
Tracking Status
firefox51 --- wontfix
firefox52 --- wontfix
firefox-esr52 --- fixed
firefox53 --- fixed
firefox54 --- fixed

People

(Reporter: tsmith, Assigned: milan)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [gfx-noted])

Attachments

(2 files)

Attached file test_case.html
Assertion failure: cachedInt < (1 << (sizeof(mPowTable[i]) * 8)) (mPowCache integer type too small), at /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:59

==3273==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc13bcf8fe6 bp 0x7ffe171a86d0 sp 0x7ffe171a8690 T0)
    #0 0x7fc13bcf8fe5 in mozilla::gfx::(anonymous namespace)::PowCache::CacheForExponent(float) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:53:7
    #1 0x7fc13bcfd9aa in mozilla::gfx::(anonymous namespace)::SpotLightSoftware::Prepare() /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3374:3
    #2 0x7fc13bcfc279 in already_AddRefed<mozilla::gfx::DataSourceSurface> mozilla::gfx::FilterNodeLightingSoftware<mozilla::gfx::(anonymous namespace)::SpotLightSoftware, mozilla::gfx::(anonymous namespace)::DiffuseLightingSoftware>::DoRender<int>(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, int, int) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3529:3
    #3 0x7fc13bcfba9f in mozilla::gfx::FilterNodeLightingSoftware<mozilla::gfx::(anonymous namespace)::SpotLightSoftware, mozilla::gfx::(anonymous namespace)::DiffuseLightingSoftware>::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3464:12
    #4 0x7fc13bcaa851 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:613:21
    #5 0x7fc13bcac0e0 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:714:17
    #6 0x7fc13bcc2dbf in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3126:10
    #7 0x7fc13bcaa851 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:613:21
    #8 0x7fc13bc8531c in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:566:14
    #9 0x7fc13bd66700 in mozilla::gfx::FilterSupport::RenderFilterDescription(mozilla::gfx::DrawTarget*, mozilla::gfx::FilterDescription const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsTArray<RefPtr<mozilla::gfx::SourceSurface> >&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/src/FilterSupport.cpp:1360:3
    #10 0x7fc13fe5aa35 in nsFilterInstance::Render(mozilla::gfx::DrawTarget*) /home/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:510:3
    #11 0x7fc13fe5a2aa in nsFilterInstance::PaintFilteredFrame(nsIFrame*, mozilla::gfx::DrawTarget*, gfxMatrix const&, nsSVGFilterPaintCallback*, nsRegion const*) /home/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:79:10
    #12 0x7fc13fe8a5db in nsSVGIntegrationUtils::PaintFilter(nsSVGIntegrationUtils::PaintFramesParams const&) /home/worker/workspace/build/src/layout/svg/nsSVGIntegrationUtils.cpp:1107:3
    #13 0x7fc14009d460 in nsDisplayFilter::PaintAsLayer(nsDisplayListBuilder*, nsRenderingContext*, mozilla::layers::LayerManager*) /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:7625:30
    #14 0x7fc140028785 in mozilla::PaintInactiveLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsDisplayItem*, gfxContext*, nsRenderingContext*) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:3714:5
    #15 0x7fc140028077 in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:5908:7
    #16 0x7fc14002a075 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6097:5
    #17 0x7fc13bfe562d in mozilla::layers::ClientPaintedLayer::PaintThebes() /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:83:5
    #18 0x7fc13bfe5f91 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:137:3
    #19 0x7fc13c00d781 in mozilla::layers::ClientContainerLayer::RenderLayer() /home/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:60:7
    #20 0x7fc13c00d781 in mozilla::layers::ClientContainerLayer::RenderLayer() /home/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:60:7
    #21 0x7fc13bfe11e2 in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /home/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:324:7
    #22 0x7fc13bfe188d in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /home/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:377:3
    #23 0x7fc140078603 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2066:3
    #24 0x7fc13faa04b8 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /home/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3674:7
    #25 0x7fc13f9cffa3 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /home/worker/workspace/build/src/layout/base/PresShell.cpp:6357:5
    #26 0x7fc13f44b960 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /home/worker/workspace/build/src/view/nsViewManager.cpp:483:7
    #27 0x7fc13f44b315 in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /home/worker/workspace/build/src/view/nsViewManager.cpp:415:9
    #28 0x7fc13f44da99 in nsViewManager::ProcessPendingUpdates() /home/worker/workspace/build/src/view/nsViewManager.cpp:1113:5
    #29 0x7fc13f9712ab in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1999:7
    #30 0x7fc13f978e7e in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:295:7
    #31 0x7fc13f978c5f in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:317:5
    #32 0x7fc13f97be05 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:668:5
    #33 0x7fc13f97aec5 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:588:9
    #34 0x7fc13f97b664 in mozilla::detail::RunnableMethodImpl<void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), true, false, mozilla::TimeStamp>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:803:7
    #35 0x7fc13a696732 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1240:7
    #36 0x7fc13a724330 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:390:10
    #37 0x7fc13b1dfad9 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #38 0x7fc13b14b097 in MessageLoop::RunInternal() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:3
    #39 0x7fc13b14af29 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211:3
    #40 0x7fc13f4b211a in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
    #41 0x7fc140ce0acc in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19
    #42 0x7fc140e05c69 in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4494:10
    #43 0x7fc140e07363 in XREMain::XRE_main(int, char**, mozilla::XREAppData const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4623:8
    #44 0x7fc140e07fe2 in XRE_main /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4714:16
    #45 0x4e041e in do_main(int, char**, char**, nsIFile*) /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:319:10
    #46 0x4df9eb in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:452:16
    #47 0x7fc156b3682f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
    #48 0x41c164 in _start (/home/user/workspace/browsers/firefox_dbg/firefox+0x41c164)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:53:7 in mozilla::gfx::(anonymous namespace)::PowCache::CacheForExponent(float)
==3273==ABORTING
I can reproduce this.
Assignee: nobody → milan
Priority: -- → P3
Whiteboard: [gfx-noted]
While the spec sets the valid range for specularExponent on the feSpecularLighting to [1,128], it is silent for the acceptable range of values for the same attribute on feSpotLight.  Setting a negative value breaks the assumptions we have when caching the power table results.
Attachment #8825559 - Flags: review?(bas) → review?(mstange)
Comment on attachment 8825559 [details]
Bug 1330012: When caching power table for filters, avoid and optimize out the degenerate cases. r=mstange

https://reviewboard.mozilla.org/r/103682/#review105420

Looks good to me, but I'd really like Markus to have a look at this as I believe he wrote this code.
Attachment #8825559 - Flags: review+
Comment on attachment 8825559 [details]
Bug 1330012: When caching power table for filters, avoid and optimize out the degenerate cases. r=mstange

https://reviewboard.mozilla.org/r/103682/#review106292

That's some gnarly code that I wrote there. Thank you for fixing the comment and the unused member variable.

Unfortunately, we can't put the "if" into the render code, because it means that rendering can take varying amounts of time depending on the color of the input pixel, which would leak information. We need to make sure that the processor executes the same code for all input values.
Attachment #8825559 - Flags: review?(mstange) → review-
(In reply to Markus Stange [:mstange] from comment #5)
> ...
> 
> Unfortunately, we can't put the "if" into the render code, because it means
> that rendering can take varying amounts of time depending on the color of
> the input pixel, which would leak information. We need to make sure that the
> processor executes the same code for all input values.

Good point.  Made the change.  There is one "if" left in the render code, but it is specific to the exponent value on the filter, not the value of the pixel, which should be OK.  If we do find the extra test is impacting performance, we may want to pull that out of the loop and have a concept of a "returns black" quick path.  Not sure it's worth it.
Attachment #8825559 - Attachment description: Bug 1330012: When caching power table for filters, avoid and optimize out the degenerate cases. .schouten → Bug 1330012: When caching power table for filters, avoid and optimize out the degenerate cases. r=mstange
Attachment #8825559 - Flags: review+ → review?(mstange)
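An added illustration of the two points made in the comments above (this is example code, not Firefox's FilterNodeSoftware.cpp and not the patch attached to this bug): why a non-positive exponent breaks a uint16 power table built for bases in [0,1], which is what the assertion at the top of this bug checks, and how the only branch in the render path can be made to depend on the exponent chosen once per filter rather than on any pixel value. The fixed-point widths, the `TableFits`/`RenderRow`/`Render` helpers and the zero output for a degenerate exponent are assumptions of this example.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Fixed-point layout assumed by this example (not taken from Firefox):
// bases and results are 0..(1 << 15); the table is indexed by the top 7 bits.
constexpr int kInputBits  = 15;
constexpr int kOutputBits = 15;
constexpr int kIndexBits  = 7;
constexpr std::size_t kCacheSize = (std::size_t(1) << kIndexBits) + 1;  // includes base 1.0

// The check behind the assertion on this page: does every scaled pow() value
// fit a uint16_t table entry?  For exponent > 0 and a in [0,1], pow(a, e) is
// in [0,1] and fits.  For a negative exponent, pow(a, e) > 1 when a < 1 and is
// infinite at a == 0, so the scaled value overflows (inf fails the < test too).
bool TableFits(float exponent) {
  for (std::size_t i = 0; i < kCacheSize; ++i) {
    float a = float(i) / float(1 << kIndexBits);
    double v = std::pow(a, exponent) * double(1 << kOutputBits);
    if (!(v < 65536.0)) return false;
  }
  return true;
}

class PowCache {
 public:
  // Runs once per filter (the equivalent of Prepare()), never per pixel.
  // Non-positive exponents are degenerate for bases in [0,1]: flag them and
  // leave the table unused instead of overflowing it.
  void CacheForExponent(float exponent) {
    mHasTable = exponent > 0.0f;
    if (!mHasTable) return;
    for (std::size_t i = 0; i < kCacheSize; ++i) {
      float a = float(i) / float(1 << kIndexBits);
      double v = std::pow(a, exponent) * double(1 << kOutputBits);
      mTable[i] = static_cast<uint16_t>(v);  // v <= 1 << kOutputBits here
    }
  }
  bool HasTable() const { return mHasTable; }

  // Per-pixel path: an index computation and one load, no branch on the base.
  uint16_t Pow(uint16_t base) const {
    uint32_t i = uint32_t(base) >> (kInputBits - kIndexBits);
    return mTable[i];
  }

 private:
  uint16_t mTable[kCacheSize] = {};
  bool mHasTable = false;
};

// The single remaining "if" depends only on the exponent, i.e. on the filter
// description, not on any pixel, so every pixel in a row takes the same path.
// Emitting zero for a degenerate exponent is this example's choice.
void RenderRow(const PowCache& cache, const uint16_t* bases, uint16_t* out, std::size_t n) {
  if (!cache.HasTable()) {
    for (std::size_t k = 0; k < n; ++k) out[k] = 0;
    return;
  }
  for (std::size_t k = 0; k < n; ++k) out[k] = cache.Pow(bases[k]);
}

// Helper: prepare a cache for `exponent` and render `bases` through it.
std::vector<uint16_t> Render(float exponent, const std::vector<uint16_t>& bases) {
  PowCache cache;
  cache.CacheForExponent(exponent);
  std::vector<uint16_t> out(bases.size());
  RenderRow(cache, bases.data(), out.data(), bases.size());
  return out;
}

int main() {
  std::printf("exponent 20: table fits = %d\n", TableFits(20.0f));
  std::printf("exponent -1: table fits = %d\n", TableFits(-1.0f));
  std::vector<uint16_t> in = {1 << 15, 1 << 14, 0};  // bases 1.0, 0.5, 0.0
  for (uint16_t v : Render(2.0f, in))  std::printf("x^2  -> %u\n", v);
  for (uint16_t v : Render(-1.0f, in)) std::printf("x^-1 -> %u\n", v);
  return 0;
}
```

Build with any C++11 compiler (for example `c++ -std=c++11 powcache.cpp`). Note that the per-pixel path still performs a data-dependent table load, as any lookup table does; what the review asked for, and what the example enforces, is that no conditional branch in the inner loop depends on the input pixel.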
Comment on attachment 8825559 [details]
Bug 1330012: When caching power table for filters, avoid and optimize out the degenerate cases. r=mstange

https://reviewboard.mozilla.org/r/103682/#review109432

Thanks, sorry for the review delay.
Attachment #8825559 - Flags: review?(mstange) → review+
Pushed by msreckovic@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/664cd8b23a38
When caching power table for filters, avoid and optimize out the degenerate cases. r=bas,mstange.schouten
https://hg.mozilla.org/mozilla-central/rev/664cd8b23a38
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Discussing this with mstange on IRC, this looks worth backporting. Please request Beta/esr52 approval on this when you get a chance.
Flags: needinfo?(milan)
Comment on attachment 8825559 [details]
Bug 1330012: When caching power table for filters, avoid and optimize out the degenerate cases. r=mstange

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: Ryan and Markus thought it was a good idea :)  Null pointer SEGV.
User impact if declined: Bad things happen with invalid exponents in filters.
Fix Landed on Version: 54
Risk to taking this patch (and alternatives if risky): Has been on 54 for a while, without a problem. We do have a test that is fixed by it.

Let me know if this doesn't apply cleanly to 53 or 52
Flags: needinfo?(milan)
Attachment #8825559 - Flags: approval-mozilla-esr52?
Attachment #8825559 - Flags: approval-mozilla-beta?
Comment on attachment 8825559 [details]
Bug 1330012: When caching power table for filters, avoid and optimize out the degenerate cases. r=mstange

Sounds like maybe performance is a concern but let's fix this for the test failure. Should land for beta 2.
Attachment #8825559 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Setting qe-verify- since this seems to have automated coverage. Milan, if you think manual QA should instead be looking at this, please feel free to flip the flag.
Flags: qe-verify-
Comment on attachment 8825559 [details]
Bug 1330012: When caching power table for filters, avoid and optimize out the degenerate cases. r=mstange

crash fix for 52.1.0esr
Attachment #8825559 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+