Closed Bug 1355130 Opened 4 years ago Closed 2 months ago

Assertion failure: firstStop >= 0.0 (Failed to fix stop offsets), at /home/worker/workspace/build/src/layout/painting/nsCSSRenderingGradients.cpp:758

Categories: Core :: Web Painting, defect
Type: defect
Priority: Not set
Severity: critical

Status: RESOLVED WORKSFORME

Tracking Status:
firefox-esr52 --- unaffected
firefox55 --- wontfix
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- ?

People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug
Details: 4 keywords
Attachments: 1 file

Attached file Testcase
Testcase found while fuzzing mozilla-central asan-debug rev 20170410-b1364675bdf5.

Assertion failure: firstStop >= 0.0 (Failed to fix stop offsets), at /home/worker/workspace/build/src/layout/painting/nsCSSRenderingGradients.cpp:758

ASAN:DEADLYSIGNAL
=================================================================
==26434==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fded7be29f7 bp 0x7ffdaf11e060 sp 0x7ffdaf11daa0 T0)
==26434==The signal is caused by a WRITE memory access.
==26434==Hint: address points to the zero page.
    #0 0x7fded7be29f6 in mozilla::nsCSSGradientRenderer::Create(nsPresContext*, nsStyleGradient*, nsRect const&, nsRect const&, nsSize const&, mozilla::gfx::IntRectTyped<mozilla::CSSPixel> const&, nsSize const&) /home/worker/workspace/build/src/layout/painting/nsCSSRenderingGradients.cpp:656:59
    #1 0x7fded7c239f4 in mozilla::nsImageRenderer::Draw(nsPresContext*, nsRenderingContext&, nsRect const&, nsRect const&, nsRect const&, nsPoint const&, nsSize const&, mozilla::gfx::IntRectTyped<mozilla::CSSPixel> const&, float) /home/worker/workspace/build/src/layout/painting/nsImageRenderer.cpp:529:9
    #2 0x7fded7bbd30a in mozilla::nsImageRenderer::DrawLayer(nsPresContext*, nsRenderingContext&, nsRect const&, nsRect const&, nsPoint const&, nsRect const&, nsSize const&, float) /home/worker/workspace/build/src/layout/painting/nsImageRenderer.cpp:673:10
    #3 0x7fded7bb876b in nsCSSRendering::PaintStyleImageLayerWithSC(nsCSSRendering::PaintBGParams const&, nsRenderingContext&, nsStyleContext*, nsStyleBorder const&) /home/worker/workspace/build/src/layout/painting/nsCSSRendering.cpp:2693:30
    #4 0x7fded7bb767c in nsCSSRendering::PaintStyleImageLayer(nsCSSRendering::PaintBGParams const&, nsRenderingContext&) /home/worker/workspace/build/src/layout/painting/nsCSSRendering.cpp:1938:10
    #5 0x7fded7bfdcb3 in nsDisplayBackgroundImage::PaintInternal(nsDisplayListBuilder*, nsRenderingContext*, nsRect const&, nsRect*) /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:3593:5
    #6 0x7fded7719531 in nsDisplayCanvasBackgroundImage::Paint(nsDisplayListBuilder*, nsRenderingContext*) /home/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:390:3
    #7 0x7fded7ba4c09 in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6077:21
    #8 0x7fded7ba6a11 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6252:19
    #9 0x7fded3a590da in mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:86:5
    #10 0x7fded3a599a0 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:140:3
    #11 0x7fded3a7b730 in mozilla::layers::ClientContainerLayer::RenderLayer() /home/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:57:29
    #12 0x7fded3a7b730 in mozilla::layers::ClientContainerLayer::RenderLayer() /home/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:57:29
    #13 0x7fded3a55653 in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /home/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:358:13
    #14 0x7fded3a55c6d in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /home/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:411:3
    #15 0x7fded7bf4633 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2246:17
Flags: in-testsuite?
Regression from bug 1352380 as confirmed by mozregression. Still reproduces on trunk.
Blocks: 1352380
Has Regression Range: --- → yes

I have attempted reproducing this assertion failure on Ubuntu 20 with build Release v85.0.1 asan debug and Nightly v87.0a1 asan debug using the test case in comment 0, but the assertion could not be reproduced.

Could this issue have been fixed in the meantime? (or have I tested incorrectly?)
Can you confirm this? I could not find the originally reported revision to confirm my steps to reproduce.

Flags: needinfo?(jkratzer)

(In reply to Bodea Daniel [:danibodea] from comment #3)
> I have attempted reproducing this assertion failure on Ubuntu 20 with build Release v85.0.1 asan debug and Nightly v87.0a1 asan debug using the test case in comment 0, but the assertion could not be reproduced.
>
> Could this issue have been fixed in the meantime? (or have I tested incorrectly?)
> Can you confirm this? I could not find the originally reported revision to confirm my steps to reproduce.

I am unable to repeat this as well. I attempted to bisect the original testcase; however, the oldest available build on taskcluster did not trigger the assertion above. I think we can safely close this as WFM.

Flags: needinfo?(jkratzer)

Resolving as Worksforme based on the comment above.

Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → WORKSFORME