Closed
Bug 1364778
Opened 7 years ago
Closed 7 years ago
crash near null in [@ aaa_walk_convex_edges]
Categories
(Core :: Graphics, defect, P1)
Core
Graphics
Tracking
()
RESOLVED
DUPLICATE
of bug 1364691
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, csectype-nullptr, testcase, Whiteboard: [gfx-noted])
Attachments
(1 file)
|
242 bytes,
text/html
|
Details |
Found while fuzzing mozilla-central 20170513-73b3fc64525b
==12988==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7f8463982134 bp 0x7fff9ef93430 sp 0x7fff9ef925a0 T0)
==12988==The signal is caused by a READ memory access.
==12988==Hint: address points to the zero page.
#0 0x7f8463982133 in aaa_walk_convex_edges /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan_AAAPath.cpp:1023:21
#1 0x7f8463982133 in aaa_fill_path /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan_AAAPath.cpp:1676
#2 0x7f8463982133 in SkScan::AAAFillPath(SkPath const&, SkRegion const&, SkBlitter*, bool) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan_AAAPath.cpp:1813
#3 0x7f8463998b44 in SkScan::AAAFillPath(SkPath const&, SkRasterClip const&, SkBlitter*) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan_AAAPath.cpp:1833:9
#4 0x7f84630ed409 in SkScan::AntiFillPath(SkPath const&, SkRasterClip const&, SkBlitter*) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan_AntiPath.cpp:774:9
#5 0x7f84635a8acc in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.cpp:1070:5
#6 0x7f84635a9485 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.cpp:1163:11
#7 0x7f846329c3fc in drawPath /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.h:55:15
#8 0x7f846329c3fc in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkBitmapDevice.cpp:235
#9 0x7f84632c7434 in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkCanvas.cpp:2227:23
#10 0x7f845cca7c09 in mozilla::gfx::DrawTargetSkia::Fill(mozilla::gfx::Path const*, mozilla::gfx::Pattern const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/2d/DrawTargetSkia.cpp:937:12
#11 0x7f8461e94fd9 in mozilla::SVGGeometryFrame::Render(gfxContext*, unsigned int, gfxMatrix const&, unsigned int) /home/worker/workspace/build/src/layout/svg/SVGGeometryFrame.cpp:819:21
#12 0x7f8461e94272 in mozilla::SVGGeometryFrame::PaintSVG(gfxContext&, gfxMatrix const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*, unsigned int) /home/worker/workspace/build/src/layout/svg/SVGGeometryFrame.cpp:300:14
#13 0x7f8461e9263d in nsDisplaySVGGeometry::Paint(nsDisplayListBuilder*, nsRenderingContext*) /home/worker/workspace/build/src/layout/svg/SVGGeometryFrame.cpp:131:45
#14 0x7f84621817c9 in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6036:21
#15 0x7f84621842a4 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6211:19
#16 0x7f845d100b6a in mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:86:5
#17 0x7f845d1017e6 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:140:3
#18 0x7f845d1327ff in mozilla::layers::ClientContainerLayer::RenderLayer() /home/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:57:29
#19 0x7f845d1327ff in mozilla::layers::ClientContainerLayer::RenderLayer() /home/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:57:29
#20 0x7f845d0fc226 in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /home/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:375:13
#21 0x7f845d0fca97 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /home/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:433:3
#22 0x7f84621f80d7 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2292:17
#23 0x7f84619f3bae in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /home/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3721:12
#24 0x7f84618f9986 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /home/worker/workspace/build/src/layout/base/PresShell.cpp:6498:5
#25 0x7f8461159b42 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /home/worker/workspace/build/src/view/nsViewManager.cpp:481:19
#26 0x7f8461158aa5 in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /home/worker/workspace/build/src/view/nsViewManager.cpp:413:33
#27 0x7f846115c445 in nsViewManager::ProcessPendingUpdates() /home/worker/workspace/build/src/view/nsViewManager.cpp:1095:5
#28 0x7f846185a738 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1985:11
#29 0x7f8461865b03 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:300:7
#30 0x7f84618657d4 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:322:5
#31 0x7f8461867e8b in RunRefreshDrivers /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:753:5
#32 0x7f8461867e8b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:666
#33 0x7f84618631d7 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:512:20
#34 0x7f845b1d6a30 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1270:14
#35 0x7f845b1d3478 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:393:10
#36 0x7f845bf7c0a6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:124:5
#37 0x7f845bedade0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
#38 0x7f845bedade0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
#39 0x7f845bedade0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
#40 0x7f84611d4c1f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
#41 0x7f846484de91 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:30
#42 0x7f8464a19784 in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4553:22
#43 0x7f8464a1b1dc in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4733:8
#44 0x7f8464a1c3d1 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4826:21
#45 0x4eb5a3 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22
#46 0x4eb5a3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:309
#47 0x7f847685982f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
#48 0x41d0f8 in _start (/home/user/workspace/browsers/firefox_cnt/firefox+0x41d0f8)Flags: in-testsuite?
|
||
Comment 1•7 years ago
|
||
Hi Vincent, Are you able to reproduce the crash with the test https://bugzilla.mozilla.org/attachment.cgi?id=8867562 ?
Flags: needinfo?(vliu)
Priority: -- → P1
Whiteboard: [gfx-noted]
|
|
||
Updated•7 years ago
|
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
|
|
||
Updated•7 years ago
|
Flags: needinfo?(vliu)
You need to log in
before you can comment on or make changes to this bug.
Description
•