Crash in sse2::blit_row_s32a_opaque

NEW
Unassigned

Status

()

Core
Graphics
--
critical
a year ago
a year ago

People

(Reporter: mccr8, Unassigned)

Tracking

({crash, steps-wanted, testcase-wanted})

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

(Reporter)

Description

a year ago
This bug was filed from the Socorro interface and is 
report bp-ceb1ffdb-74f9-4ed2-bd85-2a9db0170511.
=============================================================

18 crashes on the 5-10 Nightly, but all from a single installation. There are a few hundred crashes across all branches. Maybe we're running invalid instructions for a particular CPU? Though they are mostly EXCEPTION_ACCESS_VIOLATION_READ so maybe this is just bad memory or the like.

Comment 1

a year ago
At a first look of the minidump, the access violation reading location 0x000000002A8B3000. The source code was shown in [1]. The address value of src seems a non-NULL value which stored in R10(000000002A8B2FF0). But the value it pointed to couldn't be read from mini-dump. Based on this, I can't think of any possible reason to cause the crash.


[1]: https://searchfox.org/mozilla-central/rev/cd8c561106d804e26bc09389f18f361846d005eb/gfx/skia/skia/src/opts/SkBlitRow_opts.h#125

Lee, could you please have a look into this? Really thanks
Flags: needinfo?(lsalzman)
The Skia code where the crash signature is occurring itself is fine. I extensively checked this. It appears something upstream of it is passing in an invalid SourceSurface which is getting read down there. Maybe this is because somehow the memory it points to got freed, or the structure itself was somehow corrupted to point to a garbage address.

I did pretty much a full audit of DrawTargetSkia looking for potential use-after-free cases related to Snapshot() or other possible 
Moz2d-related sources of invalid SourceSurfaceSkias, and I could not find anything that looked causative.

Also, the address of the invalid memory that is being read looks too random right now to judge much about what's going on based on it.

I think we really need to find some way to reliably reproduce to make local investigation feasible before much can be done here.
Flags: needinfo?(lsalzman)
Keywords: steps-wanted, testcase-wanted
You need to log in before you can comment on or make changes to this bug.