Assertion failure: firstStop >= 0.0 (Failed to fix stop offsets), at /home/worker/workspace/build/src/layout/painting/nsCSSRenderingGradients.cpp:758

NEW
Unassigned

Status


critical
2 years ago
9 months ago

People

(Reporter: jkratzer, Unassigned)

Tracking

(Blocks: 1 bug, {assertion, crash, testcase})

unspecified
assertion, crash, testcase
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox55 wontfix, firefox56 wontfix, firefox57 wontfix, firefox58 wontfix, firefox59 ?)

Details

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
Created attachment 8856562 [details]
Testcase

Testcase found while fuzzing mozilla-central asan-debug rev 20170410-b1364675bdf5.

Assertion failure: firstStop >= 0.0 (Failed to fix stop offsets), at /home/worker/workspace/build/src/layout/painting/nsCSSRenderingGradients.cpp:758

ASAN:DEADLYSIGNAL
=================================================================
==26434==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fded7be29f7 bp 0x7ffdaf11e060 sp 0x7ffdaf11daa0 T0)
==26434==The signal is caused by a WRITE memory access.
==26434==Hint: address points to the zero page.
    #0 0x7fded7be29f6 in mozilla::nsCSSGradientRenderer::Create(nsPresContext*, nsStyleGradient*, nsRect const&, nsRect const&, nsSize const&, mozilla::gfx::IntRectTyped<mozilla::CSSPixel> const&, nsSize const&) /home/worker/workspace/build/src/layout/painting/nsCSSRenderingGradients.cpp:656:59
    #1 0x7fded7c239f4 in mozilla::nsImageRenderer::Draw(nsPresContext*, nsRenderingContext&, nsRect const&, nsRect const&, nsRect const&, nsPoint const&, nsSize const&, mozilla::gfx::IntRectTyped<mozilla::CSSPixel> const&, float) /home/worker/workspace/build/src/layout/painting/nsImageRenderer.cpp:529:9
    #2 0x7fded7bbd30a in mozilla::nsImageRenderer::DrawLayer(nsPresContext*, nsRenderingContext&, nsRect const&, nsRect const&, nsPoint const&, nsRect const&, nsSize const&, float) /home/worker/workspace/build/src/layout/painting/nsImageRenderer.cpp:673:10
    #3 0x7fded7bb876b in nsCSSRendering::PaintStyleImageLayerWithSC(nsCSSRendering::PaintBGParams const&, nsRenderingContext&, nsStyleContext*, nsStyleBorder const&) /home/worker/workspace/build/src/layout/painting/nsCSSRendering.cpp:2693:30
    #4 0x7fded7bb767c in nsCSSRendering::PaintStyleImageLayer(nsCSSRendering::PaintBGParams const&, nsRenderingContext&) /home/worker/workspace/build/src/layout/painting/nsCSSRendering.cpp:1938:10
    #5 0x7fded7bfdcb3 in nsDisplayBackgroundImage::PaintInternal(nsDisplayListBuilder*, nsRenderingContext*, nsRect const&, nsRect*) /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:3593:5
    #6 0x7fded7719531 in nsDisplayCanvasBackgroundImage::Paint(nsDisplayListBuilder*, nsRenderingContext*) /home/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:390:3
    #7 0x7fded7ba4c09 in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6077:21
    #8 0x7fded7ba6a11 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6252:19
    #9 0x7fded3a590da in mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:86:5
    #10 0x7fded3a599a0 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:140:3
    #11 0x7fded3a7b730 in mozilla::layers::ClientContainerLayer::RenderLayer() /home/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:57:29
    #12 0x7fded3a7b730 in mozilla::layers::ClientContainerLayer::RenderLayer() /home/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:57:29
    #13 0x7fded3a55653 in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /home/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:358:13
    #14 0x7fded3a55c6d in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /home/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:411:3
    #15 0x7fded7bf4633 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2246:17
Flags: in-testsuite?
Regression from bug 1352380, as confirmed by mozregression. The assertion still reproduces on trunk.
Blocks: 1352380
Has Regression Range: --- → yes
status-firefox55: --- → wontfix
status-firefox56: --- → wontfix
status-firefox57: --- → wontfix
status-firefox58: --- → fix-optional
status-firefox-esr52: --- → unaffected