Closed
Bug 1358795
Opened 8 years ago
Closed 8 years ago
crash at null [@DataAtOffset] in gfx/2d/DataSurfaceHelpers.cpp:92
Categories
(Core :: Graphics, defect)
Core
Graphics
Tracking
()
RESOLVED
DUPLICATE
of bug 1332980
| Tracking | Status | |
|---|---|---|
| firefox55 | --- | affected |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, csectype-nullptr, testcase)
Attachments
(2 files)
This bug looks a lot like bug 1329849
==25378==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6ba94afbe6 bp 0x7ffc2dd0adb0 sp 0x7ffc2dd0ad70 T0)
==25378==The signal is caused by a WRITE memory access.
==25378==Hint: address points to the zero page.
#0 0x7f6ba94afbe5 in AnnotateMozCrashReason /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Assertions.h:40:19
#1 0x7f6ba94afbe5 in mozilla::gfx::DataAtOffset(mozilla::gfx::DataSourceSurface*, mozilla::gfx::DataSourceSurface::MappedSurface const*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits>) /home/worker/workspace/build/src/gfx/2d/DataSurfaceHelpers.cpp:92
#2 0x7f6ba954a41a in DoRender<int> /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3549:25
#3 0x7f6ba954a41a in mozilla::gfx::FilterNodeLightingSoftware<mozilla::gfx::(anonymous namespace)::PointLightSoftware, mozilla::gfx::(anonymous namespace)::SpecularLightingSoftware>::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3487
#4 0x7f6ba94ebcf2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21
#5 0x7f6ba94f36e9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25
#6 0x7f6ba951f145 in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3140:10
#7 0x7f6ba94ebcf2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21
...
see log.txt
Flags: in-testsuite?
|
Reporter | |
Comment 1•8 years ago
|
||
|
||
Updated•8 years ago
|
Assignee: nobody → kechen
|
|
||
Comment 2•8 years ago
|
||
The reason of the crash is that the value we set to kernelUnitLength is 4398046511104 which is bigger than the maximum number that a 32bit integer can present.
So when passing this number to function "Render" in [1] and casting it to a 32bit integer, we will get an assertion in [2].
Not sure why we cast the number to 32bit integer in [1], but perhaps we should check the number range in the if branch.
[1] https://hg.mozilla.org/mozilla-central/annotate/48c0fd9c9ec5d68061ea7b59358874ae8da72572/gfx/2d/FilterNodeSoftware.cpp#l3487
[2] https://dxr.mozilla.org/mozilla-central/rev/48c0fd9c9ec5d68061ea7b59358874ae8da72572/gfx/2d/FilterNodeSoftware.cpp#3509
|
|
||
Comment 3•8 years ago
|
||
Also IntRect in [1] is not enough in this case.
[1] https://dxr.mozilla.org/mozilla-central/rev/48c0fd9c9ec5d68061ea7b59358874ae8da72572/gfx/2d/FilterNodeSoftware.cpp#3513
|
|
||
Comment 4•8 years ago
|
||
Hello Vincent, do you have any idea about this?
Assignee: kechen → nobody
Flags: needinfo?(vliu)
|
|
||
Comment 5•8 years ago
|
||
I think this is duplicate of Bug 1332980.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(vliu)
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•