1407470 - crash at null in [@ mozilla::nsImageRenderer::Draw]

Status: RESOLVED FIXED

(Core :: Web Painting, defect)

Description

[Tyson Smith [:tsmith] (PTO until June 5)]

Attachment: test_case.html

==27013==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f296a24de42 bp 0x7fff50515870 sp 0x7fff50515850 T0)
==27013==The signal is caused by a WRITE memory access.
==27013==Hint: address points to the zero page.
    #0 0x7f296a24de41 in CrashTelemetryEvent /src/gfx/thebes/gfxPlatform.cpp:377:3
    #1 0x7f296a24de41 in CrashStatsLogForwarder::CrashAction(mozilla::gfx::LogReason) /src/gfx/thebes/gfxPlatform.cpp:411
    #2 0x7f2969b13c0e in CrashAction /src/gfx/2d/Factory.cpp:1141:33
    #3 0x7f2969b13c0e in WriteLog /src/gfx/2d/Logging.h:525
    #4 0x7f2969b13c0e in mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::Flush() /src/gfx/2d/Logging.h:282
    #5 0x7f296f4df18d in ~Log /src/obj-firefox/dist/include/mozilla/gfx/Logging.h:274:5
    #6 0x7f296f4df18d in mozilla::nsImageRenderer::Draw(nsPresContext*, gfxContext&, nsRect const&, nsRect const&, nsRect const&, nsPoint const&, nsSize const&, mozilla::gfx::IntRectTyped<mozilla::CSSPixel> const&, float) /src/layout/painting/nsImageRenderer.cpp:507
    #7 0x7f296f42607b in mozilla::nsImageRenderer::DrawLayer(nsPresContext*, gfxContext&, nsRect const&, nsRect const&, nsPoint const&, nsRect const&, nsSize const&, float) /src/layout/painting/nsImageRenderer.cpp:728:10
    #8 0x7f296f41e5eb in nsCSSRendering::PaintStyleImageLayerWithSC(nsCSSRendering::PaintBGParams const&, gfxContext&, nsStyleContext*, nsStyleBorder const&) /src/layout/painting/nsCSSRendering.cpp:2727:30
    #9 0x7f296f17aad5 in PaintMaskSurface(nsSVGIntegrationUtils::PaintFramesParams const&, mozilla::gfx::DrawTarget*, float, nsStyleContext*, nsTArray<nsSVGMaskFrame*> const&, mozilla::gfx::BaseMatrix<double> const&, nsPoint const&) /src/layout/svg/nsSVGIntegrationUtils.cpp:503:9
    #10 0x7f296f17c5bf in CreateAndPaintMaskSurface /src/layout/svg/nsSVGIntegrationUtils.cpp:578:3
    #11 0x7f296f17c5bf in nsSVGIntegrationUtils::PaintMaskAndClipPath(nsSVGIntegrationUtils::PaintFramesParams const&) /src/layout/svg/nsSVGIntegrationUtils.cpp:928
    #12 0x7f296f4d54a2 in nsDisplayMask::PaintAsLayer(nsDisplayListBuilder*, gfxContext*, mozilla::layers::LayerManager*) /src/layout/painting/nsDisplayList.cpp:9150:3
    #13 0x7f296f3ff1f3 in PaintInactiveLayer /src/layout/painting/FrameLayerBuilder.cpp:3699:41
    #14 0x7f296f3ff1f3 in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) /src/layout/painting/FrameLayerBuilder.cpp:6042
    #15 0x7f296f401dc8 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /src/layout/painting/FrameLayerBuilder.cpp:6222:19
    #16 0x7f296a07748c in mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) /src/gfx/layers/client/ClientPaintedLayer.cpp:166:5
    #17 0x7f296a078949 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) /src/gfx/layers/client/ClientPaintedLayer.cpp:297:3
    #18 0x7f296a0af32f in mozilla::layers::ClientContainerLayer::RenderLayer() /src/gfx/layers/client/ClientContainerLayer.h:57:29
    #19 0x7f296a0af32f in mozilla::layers::ClientContainerLayer::RenderLayer() /src/gfx/layers/client/ClientContainerLayer.h:57:29
    #20 0x7f296a0af32f in mozilla::layers::ClientContainerLayer::RenderLayer() /src/gfx/layers/client/ClientContainerLayer.h:57:29
    #21 0x7f296a0716fa in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /src/gfx/layers/client/ClientLayerManager.cpp:380:13
    #22 0x7f296a072047 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /src/gfx/layers/client/ClientLayerManager.cpp:438:3
    #23 0x7f296f477533 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) /src/layout/painting/nsDisplayList.cpp:2349:17
    #24 0x7f296ec6c6d4 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /src/layout/base/nsLayoutUtils.cpp:3843:12
    #25 0x7f296eb65dde in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /src/layout/base/PresShell.cpp:6424:5
    #26 0x7f296e367fe9 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /src/view/nsViewManager.cpp:480:19
    #27 0x7f296e366d4b in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /src/view/nsViewManager.cpp:412:33
    #28 0x7f296e36a6c5 in nsViewManager::ProcessPendingUpdates() /src/view/nsViewManager.cpp:1102:5
    #29 0x7f296eac51ad in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:2091:11
    #30 0x7f296eacbe39 in nsRefreshDriver::FinishedWaitingForTransaction() /src/layout/base/nsRefreshDriver.cpp:2199:5
    #31 0x7f296a074130 in mozilla::layers::ClientLayerManager::DidComposite(unsigned long, mozilla::TimeStamp const&, mozilla::TimeStamp const&) /src/gfx/layers/client/ClientLayerManager.cpp:529:32
    #32 0x7f296a15457b in mozilla::layers::CompositorBridgeChild::RecvDidComposite(unsigned long const&, unsigned long const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&) /src/gfx/layers/ipc/CompositorBridgeChild.cpp:536:8
    #33 0x7f2969177de6 in mozilla::layers::PCompositorBridgeChild::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PCompositorBridgeChild.cpp:1441:20
    #34 0x7f2968ad8799 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /src/ipc/glue/MessageChannel.cpp:2119:25
    #35 0x7f2968ad57af in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /src/ipc/glue/MessageChannel.cpp:2049:17
    #36 0x7f2968ad6ee4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /src/ipc/glue/MessageChannel.cpp:1895:5
    #37 0x7f2968ad7538 in mozilla::ipc::MessageChannel::MessageTask::Run() /src/ipc/glue/MessageChannel.cpp:1928:15
    #38 0x7f2967cf3116 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1037:14
    #39 0x7f2967d0cea8 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:524:10
    #40 0x7f2968ae0411 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:97:21
    #41 0x7f2968a426db in RunInternal /src/ipc/chromium/src/base/message_loop.cc:326:10
    #42 0x7f2968a426db in RunHandler /src/ipc/chromium/src/base/message_loop.cc:319
    #43 0x7f2968a426db in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299
    #44 0x7f296e3e6c1f in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:158:27
    #45 0x7f2972530b01 in nsAppStartup::Run() /src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #46 0x7f2972721a1b in XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4694:22
    #47 0x7f29727235e5 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4856:8
    #48 0x7f2972724996 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4951:21
    #49 0x4ec41c in do_main /src/browser/app/nsBrowserApp.cpp:231:22
    #50 0x4ec41c in main /src/browser/app/nsBrowserApp.cpp:304
    #51 0x7f298564f82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #52 0x41daf8 in _start (firefox+0x41daf8)

Comment 1

[Ryan VanderMeulen [:RyanVM]]

INFO: Last good revision: 5697f69b1426ffc358a8b9f7f1b209057a9a7782
INFO: First bad revision: 2948eef417064e0aed75af92c4a5c731c79905f6
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=5697f69b1426ffc358a8b9f7f1b209057a9a7782&tochange=2948eef417064e0aed75af92c4a5c731c79905f6

Comment 2

[Lee Salzman [:lsalzman]]

I can't this testcase to reproduce for me at all on Linux. Any more information about where and how you're getting it to repro?

Comment 3

[Lee Salzman [:lsalzman]]

It should also be noted this is a gfxDevCrash() call. Which means it's basically just an assert getting triggered, but this will not trigger at all in a release. So this is not really a sec bug at all, as the gfxDevCrash() call purposely makes the crash happen via that mechanism.

Comment 4

[Ryan VanderMeulen [:RyanVM]]

Crashes regular Windows nightlies for me on Win10.

Comment 5

[Jesse Schwartzentruber (:truber)]

This reproduces for me with default prefs on linux in m-c rev 20171010-e897e367d3bd both asan-opt and debug from taskcluster.


Assertion failure: [GFX1 28]: ImageRenderer::Draw problem 0, at /builds/worker/workspace/build/src/gfx/2d/Logging.h:520
#0: mozilla::gfx::Log<3, mozilla::gfx::BasicLogger>::WriteLog, at gfx/2d/Logging.h:521
#1: mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::~Log, at gfx/2d/Logging.h:519
#2: mozilla::nsImageRenderer::Draw, at layout/painting/nsImageRenderer.cpp:513
#3: mozilla::nsImageRenderer::DrawLayer, at layout/painting/nsImageRenderer.cpp:733
#4: nsCSSRendering::PaintStyleImageLayerWithSC, at layout/painting/nsCSSRendering.cpp:2732
#5: PaintMaskSurface, at layout/svg/nsSVGIntegrationUtils.cpp:504
#6: nsSVGIntegrationUtils::PaintMaskAndClipPath, at layout/svg/nsSVGIntegrationUtils.cpp:581
#7: nsDisplayMask::PaintAsLayer, at layout/painting/nsDisplayList.cpp:9150
#8: mozilla::FrameLayerBuilder::PaintItems, at layout/painting/FrameLayerBuilder.cpp:3699
#9: mozilla::FrameLayerBuilder::DrawPaintedLayer, at layout/painting/FrameLayerBuilder.cpp:6225
#10: mozilla::layers::ClientPaintedLayer::PaintThebes, at gfx/layers/client/ClientPaintedLayer.cpp:172
#11: mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback, at gfx/layers/client/ClientPaintedLayer.cpp:297
#12: mozilla::layers::ClientContainerLayer::RenderLayer, at gfx/layers/client/ClientContainerLayer.h:57
#13: mozilla::layers::ClientContainerLayer::RenderLayer, at gfx/layers/client/ClientContainerLayer.h:57
#14: mozilla::layers::ClientLayerManager::EndTransactionInternal, at gfx/layers/client/ClientLayerManager.cpp:380
#15: mozilla::layers::ClientLayerManager::EndTransaction, at gfx/layers/client/ClientLayerManager.cpp:438
#16: nsDisplayList::PaintRoot, at layout/painting/nsDisplayList.cpp:2350
#17: nsLayoutUtils::PaintFrame, at layout/base/nsLayoutUtils.cpp:3843
#18: mozilla::PresShell::Paint, at layout/base/PresShell.cpp:6425
#19: nsViewManager::ProcessPendingUpdatesPaint, at view/nsViewManager.cpp:480
#20: nsViewManager::ProcessPendingUpdatesForView, at view/nsViewManager.cpp:412
#21: nsViewManager::ProcessPendingUpdates, at view/nsViewManager.cpp:1102
#22: nsRefreshDriver::Tick, at layout/base/nsRefreshDriver.cpp:2091

Comment 6

[Milan Sreckovic [:milan] (needinfo for best results)]

Comment 5 has a really strange stack as it looks like gfxContext::CreatePreservingTransformOrNull(tempDT) returns null in nsImageRenderer::Draw, which suggests
tempDT->SetTransform makes the draw target invalid.

Comment 0 stack suggests CreateSimilarSoftwareDrawTarget() returns an invalid draw target, I'll take a look at that first.

Comment 7

[Lee Salzman [:lsalzman]]

Attachment: make nsImageRenderer::Draw compute luminance in device space instead of user space

Bug 1383825 did not cause this. It just aggravated due to slightly different scale calculation.

The real source of this issue is bug 1228354. It creates a temporary draw target using the user space clip, which applies an inverse transform to the clip region of the rendering context.

While the rendering context is a valid size, it doesn't guarantee that a region in user space is going to be validly sized, since the transform that gets applied in this case makes the temporary draw target exceed surface size limits.

The safest thing to do here is to allocate the temporary DT in device space, which we know is going to be below surface size limits, since the rendering context was a valid size, and the temporary DT in device space will necessarily be <= this size.

Comment 8

[Pulsebot]

Pushed by lsalzman@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ba805acca4e7
make nsImageRenderer::Draw compute luminance in device space instead of user space. r=mstange

Comment 9

[Pulsebot]

Pushed by lsalzman@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a4cba1dec3a6
follow-up - fix crashtests.list condition. r=me CLOSED TREE

Comment 10

[Pulsebot]

Pushed by lsalzman@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/0160c57b65d9
follow-up - more fixes to crashtests.list condition. r=me

Comment 11

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/ba805acca4e7
https://hg.mozilla.org/mozilla-central/rev/a4cba1dec3a6
https://hg.mozilla.org/mozilla-central/rev/0160c57b65d9

Comment 12

[Ryan VanderMeulen [:RyanVM]]

Not seeing this signature in the wild AFAICT, so calling this wontfix for 57.