Closed Bug 1356062 Opened 3 years ago Closed 3 years ago

libcairo: crash at null in [ @active_edges]

Category: Core :: Graphics (defect)

Tracking: RESOLVED WORKSFORME; firefox55: affected

People: Reporter tsmith; Unassigned

References: Blocks 1 open bug

Details: Keywords: crash, testcase

Attachments: 1 file

Attached file test_case.html
This was found while fuzzing mozilla-central on Ubuntu 16.04.

#0  active_edges (polygon=0x7fffffff9750, top=0, left=0x51e1400) at ../../../../src/cairo-polygon-intersect.c:1170
#1  intersection_sweep (polygon=0x7fffffff9750, num_events=<optimized out>, start_events=<optimized out>) at ../../../../src/cairo-polygon-intersect.c:1206
#2  _cairo_polygon_intersect (a=a@entry=0x7fffffff9750, winding_a=<optimized out>, b=b@entry=0x7fffffff8eb0, winding_b=winding_b@entry=0) at ../../../../src/cairo-polygon-intersect.c:1405
#3  0x00007ffff368754a in _cairo_polygon_intersect_with_boxes (polygon=polygon@entry=0x7fffffff9750, winding=winding@entry=0x7fffffff9710, boxes=<optimized out>, num_boxes=<optimized out>) at ../../../../src/cairo-polygon-intersect.c:1465
#4  0x00007ffff3650aa4 in _cairo_clip_get_polygon (clip=clip@entry=0x51142a0, polygon=polygon@entry=0x7fffffff9750, fill_rule=fill_rule@entry=0x7fffffff9710, antialias=antialias@entry=0x7fffffff9720) at ../../../../src/cairo-clip-polygon.c:108
#5  0x00007ffff3697897 in clip_and_composite_boxes (compositor=compositor@entry=0x7ffff393f040 <spans>, extents=extents@entry=0x7fffffff9ff0, boxes=boxes@entry=0x7fffffff9bd0) at ../../../../src/cairo-spans-compositor.c:859
#6  0x00007ffff36980ae in clip_and_composite_boxes (compositor=0x7ffff393f040 <spans>, extents=0x7fffffff9ff0, boxes=0x7fffffff9bd0) at ../../../../src/cairo-spans-compositor.c:901
#7  0x00007ffff36984bc in _cairo_spans_compositor_fill (_compositor=0x7ffff393f040 <spans>, extents=0x7fffffff9ff0, path=0x1de5b48, fill_rule=CAIRO_FILL_RULE_WINDING, tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT) at ../../../../src/cairo-spans-compositor.c:1126
#8  0x00007ffff3652a90 in _cairo_compositor_fill (compositor=0x7ffff393f040 <spans>, surface=0x5229dc0, op=<optimized out>, source=<optimized out>, path=0x1de5b48, fill_rule=CAIRO_FILL_RULE_WINDING, tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0x5114520) at ../../../../src/cairo-compositor.c:203
#9  0x00007ffff3664127 in _cairo_image_surface_fill (abstract_surface=<optimized out>, op=<optimized out>, source=<optimized out>, path=<optimized out>, fill_rule=<optimized out>, tolerance=<optimized out>, antialias=<optimized out>, clip=0x5114520) at ../../../../src/cairo-image-surface.c:985
#10 0x00007ffff369b7d7 in _cairo_surface_fill (surface=0x5229dc0, op=CAIRO_OPERATOR_OVER, source=0x7fffffffa3c0, path=0x1de5b48, fill_rule=CAIRO_FILL_RULE_WINDING, tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0x5114520) at ../../../../src/cairo-surface.c:2341
#11 0x00007ffff365b14c in _cairo_gstate_fill (gstate=0x50cd840, path=0x1de5b48) at ../../../../src/cairo-gstate.c:1317
#12 0x00007ffff3654279 in _cairo_default_context_fill (abstract_cr=0x1de57e0) at ../../../../src/cairo-default-context.c:1055
#13 0x00007ffff364d2b5 in cairo_fill (cr=0x1de57e0) at ../../../../src/cairo.c:2205
#14 0x00007ffff4aeb861 in gtk_css_image_gradient_draw (image=0x50aee10, cr=0x1de57e0, width=348, height=14754944) at /build/gtk+3.0-PCLr8A/gtk+3.0-3.18.9/./gtk/gtkcssimagegradient.c:252
#15 0x00007ffff4ae87b9 in _gtk_css_image_draw (image=0x50aee10, cr=0x1de57e0, width=348, height=14754944) at /build/gtk+3.0-PCLr8A/gtk+3.0-3.18.9/./gtk/gtkcssimage.c:236
#16 0x00007ffff4c0f792 in _gtk_theming_background_paint_layer (cr=0x1de57e0, idx=0, bg=0x7fffffffa6d0) at /build/gtk+3.0-PCLr8A/gtk+3.0-3.18.9/./gtk/gtkrenderbackground.c:142
#17 gtk_css_style_render_background (style=<optimized out>, cr=cr@entry=0x1de57e0, x=x@entry=0, y=y@entry=-7377478, width=width@entry=348, height=height@entry=14754944, junction=junction@entry=GTK_JUNCTION_NONE) at /build/gtk+3.0-PCLr8A/gtk+3.0-3.18.9/./gtk/gtkrenderbackground.c:336
#18 0x00007ffff4c0d200 in gtk_render_background (context=0x5060d20, cr=0x1de57e0, x=0, y=-7377478, width=348, height=14754944) at /build/gtk+3.0-PCLr8A/gtk+3.0-3.18.9/./gtk/gtkrender.c:283
#19 0x00007fffe9aa68ce in moz_gtk_entry_paint (cr=cr@entry=0x1de57e0, rect=rect@entry=0x7fffffffaaf0, style=style@entry=0x5060d20, state=0x7fffffffab00) at /home/worker/workspace/build/src/widget/gtk/gtk3drawing.cpp:918
#20 0x00007fffe9aabab1 in moz_gtk_widget_paint (widget=widget@entry=MOZ_GTK_ENTRY, cr=cr@entry=0x1de57e0, rect=rect@entry=0x7fffffffaaf0, state=state@entry=0x7fffffffab00, flags=flags@entry=-21016, direction=direction@entry=GTK_TEXT_DIR_LTR) at /home/worker/workspace/build/src/widget/gtk/gtk3drawing.cpp:2871
#21 0x00007fffe9ac55bf in DrawThemeWithCairo (aTransparency=nsITheme::eUnknownTransparency, aGDKRect=..., aDrawSize=..., aDrawOrigin=..., aSnapped=true, aScaleFactor=<optimized out>, aDirection=GTK_TEXT_DIR_LTR, aFlags=-21016, aGTKWidgetType=MOZ_GTK_ENTRY, aState=..., aDrawTarget=0x50e7250, aContext=0x52299f0) at /home/worker/workspace/build/src/widget/gtk/nsNativeThemeGTK.cpp:954
#22 nsNativeThemeGTK::DrawWidgetBackground (this=0x29bf900, aContext=<optimized out>, aFrame=0x50b4f80, aWidgetType=<optimized out>, aRect=..., aDirtyRect=...) at /home/worker/workspace/build/src/widget/gtk/nsNativeThemeGTK.cpp:1211
#23 0x00007fffe9dab2d9 in nsDisplayThemedBackground::PaintInternal (this=0x50cbdc8, aBuilder=<optimized out>, aCtx=0x7fffffffade8, aBounds=..., aClipRect=<optimized out>) at /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:3791
#24 0x00007fffe9ddc318 in mozilla::FrameLayerBuilder::PaintItems (this=this@entry=0x5157f70, aItems=..., aRect=..., aContext=aContext@entry=0x52299f0, aRC=aRC@entry=0x7fffffffade8, aBuilder=aBuilder@entry=0x7fffffffb828, aPresContext=0x5174560, aOffset=..., aXScale=aXScale@entry=1, aYScale=aYScale@entry=1, aCommonClipCount=0) at /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6077
#25 0x00007fffe9ddc894 in mozilla::FrameLayerBuilder::DrawPaintedLayer (aLayer=0x50d1140, aContext=0x52299f0, aRegionToDraw=..., aDirtyRegion=..., aClip=<optimized out>, aRegionToInvalidate=..., aCallbackData=0x7fffffffb828) at /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6255
#26 0x00007fffe8e3c1ca in mozilla::layers::ClientPaintedLayer::PaintThebes (this=this@entry=0x50d1140, aReadbackUpdates=aReadbackUpdates@entry=0x7fffffffb020) at /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:92
#27 0x00007fffe8e3fbdd in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback (this=0x50d1140, aReadback=0x7fffffffb070) at /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:140
#28 0x00007fffe8e3ddb4 in mozilla::layers::ClientContainerLayer::RenderLayer (this=0x50cec90) at /home/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:57
#29 0x00007fffe8e3ddb4 in mozilla::layers::ClientContainerLayer::RenderLayer (this=0x4316a90) at /home/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:57
Neither Tyson nor I can reproduce.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME