Open
Bug 1420505
Opened 7 years ago
Updated 3 years ago
UBSan: null pointer passed as argument which is declared to never be null [@ mozilla::gfx::AttributeMap::Set]
Categories
(Core :: Graphics, defect, P3)
Tracking
()
NEW
People
(Reporter: tsmith, Unassigned)
References
(Blocks 2 open bugs)
Details
(Keywords: csectype-undefined, testcase, Whiteboard: [gfx-noted])
Attachments
(1 file)
108 bytes,
text/html
This was found with a Firefox build compiled with -fsanitize=nonnull-attribute. The report below shows a null pointer reaching the memcpy inside nsTArray::AppendElements (frames #0–#2) via the float-array overload of mozilla::gfx::AttributeMap::Set (frame #3); the length passed alongside it is not visible in the trace, but even a zero-length copy from a null pointer is undefined behavior under the nonnull contract, which is what the sanitizer flags.
/include/nsTArray.h:596:32: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:43:28: note: nonnull attribute specified here
#0 0x7fa87b83637d in implementation<float, float, unsigned long, unsigned long> /dist/include/nsTArray.h:596:5
#1 0x7fa87b83637d in AssignRange<float> /dist/include/nsTArray.h:2037
#2 0x7fa87b83637d in float* nsTArray_Impl<float, nsTArrayInfallibleAllocator>::AppendElements<float, nsTArrayInfallibleAllocator>(float const*, unsigned long) /dist/include/nsTArray.h:2182
#3 0x7fa87b80520e in mozilla::gfx::AttributeMap::Set(mozilla::gfx::AttributeName, float const*, int) /gfx/src/FilterSupport.cpp:2176:23
#4 0x7fa87f6e50b5 in mozilla::dom::SVGComponentTransferFunctionElement::ComputeAttributes() /dom/svg/nsSVGFilters.cpp
#5 0x7fa87f615b30 in mozilla::dom::SVGFEComponentTransferElement::GetPrimitiveDescription(nsSVGFilterInstance*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsTArray<bool> const&, nsTArray<RefPtr<mozilla::gfx::SourceSurface> >&) /dom/svg/SVGFEComponentTransferElement.cpp:85:69
#6 0x7fa880f50ee5 in nsSVGFilterInstance::BuildPrimitives(nsTArray<mozilla::gfx::FilterPrimitiveDescription>&, nsTArray<RefPtr<mozilla::gfx::SourceSurface> >&, bool) /layout/svg/nsSVGFilterInstance.cpp:406:15
#7 0x7fa880f35ab5 in nsFilterInstance::BuildPrimitivesForFilter(nsStyleFilter const&, nsIFrame*, bool) /layout/svg/nsFilterInstance.cpp:345:30
#8 0x7fa880f352ca in nsFilterInstance::BuildPrimitives(nsTArray<nsStyleFilter> const&, nsIFrame*, bool) /layout/svg/nsFilterInstance.cpp:315:19
#9 0x7fa880f34468 in nsFilterInstance::nsFilterInstance(nsIFrame*, nsIContent*, mozilla::dom::UserSpaceMetrics const&, nsTArray<nsStyleFilter> const&, bool, nsSVGFilterPaintCallback*, mozilla::gfx::BaseMatrix<double> const&, nsRegion const*, nsRegion const*, nsRect const*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const*) /layout/svg/nsFilterInstance.cpp:242:7
#10 0x7fa880f33867 in nsFilterInstance::GetPostFilterBounds(nsIFrame*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const*, nsRect const*) /layout/svg/nsFilterInstance.cpp:172:20
#11 0x7fa880f8397b in nsSVGUtils::GetPostFilterVisualOverflowRect(nsIFrame*, nsRect const&) /layout/svg/nsSVGUtils.cpp:164:10
#12 0x7fa880be8b78 in ComputeEffectsRect /layout/generic/nsFrame.cpp:7251:11
#13 0x7fa880be8b78 in nsIFrame::FinishAndStoreOverflow(nsOverflowAreas&, nsSize, nsSize*, nsStyleDisplay const*) /layout/generic/nsFrame.cpp:9504
#14 0x7fa880efa159 in mozilla::SVGGeometryFrame::ReflowSVG() /layout/svg/SVGGeometryFrame.cpp:417:3
#15 0x7fa880f19e81 in nsSVGDisplayContainerFrame::ReflowSVG() /layout/svg/nsSVGContainerFrame.cpp:350:17
#16 0x7fa880f70d60 in nsSVGOuterSVGFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/svg/nsSVGOuterSVGFrame.cpp:455:14
#17 0x7fa880ceb3e4 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /layout/generic/nsLineLayout.cpp:922:13
#18 0x7fa880b5bf35 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /layout/generic/nsBlockFrame.cpp:4173:15
#19 0x7fa880b5aa3c in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /layout/generic/nsBlockFrame.cpp:3969:5
#20 0x7fa880b52d18 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3843:9
#21 0x7fa880b4c918 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:2827:5
#22 0x7fa880b43aee in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /layout/generic/nsBlockFrame.cpp:2363:7
#23 0x7fa880b3ca8f in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1236:3
#24 0x7fa880b580a7 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /layout/generic/nsBlockReflowContext.cpp:306:11
#25 0x7fa880b502fe in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3474:11
#26 0x7fa880b4cc16 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:2824:5
#27 0x7fa880b43aee in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /layout/generic/nsBlockFrame.cpp:2363:7
#28 0x7fa880b3ca8f in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1236:3
#29 0x7fa880b8adf0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:934:14
#30 0x7fa880b89a9c in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:757:5
#31 0x7fa880b8adf0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:934:14
#32 0x7fa880c6a3ec in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /layout/generic/nsGfxScrollFrame.cpp:552:3
#33 0x7fa880c6bf57 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /layout/generic/nsGfxScrollFrame.cpp:664:3
#34 0x7fa880c6f1cb in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsGfxScrollFrame.cpp:1041:3
#35 0x7fa880b2a8c5 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:978:14
#36 0x7fa880b29cdc in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ViewportFrame.cpp:336:7
#37 0x7fa8809061b8 in mozilla::PresShell::DoReflow(nsIFrame*, bool) /layout/base/PresShell.cpp:9025:11
#38 0x7fa880918842 in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9198:24
#39 0x7fa88091773d in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4267:11
#40 0x7fa8809eb29d in FlushPendingNotifications /dist/include/nsIPresShell.h:571:5
#41 0x7fa8809eb29d in nsDocumentViewer::LoadComplete(nsresult) /layout/base/nsDocumentViewer.cpp:980
#42 0x7fa8846a5b79 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /docshell/base/nsDocShell.cpp:7869:21
#43 0x7fa8846a1de3 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:7663:7
#44 0x7fa8846a895f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp
#45 0x7fa87b3f9637 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /uriloader/base/nsDocLoader.cpp:1319:3
#46 0x7fa87b3f8989 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:862:14
#47 0x7fa87b3f60c7 in nsDocLoader::DocLoaderIsEmpty(bool) /uriloader/base/nsDocLoader.cpp:751:9
#48 0x7fa87b3f7a27 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /uriloader/base/nsDocLoader.cpp:633:5
#49 0x7fa87b3f870c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /uriloader/base/nsDocLoader.cpp
#50 0x7fa8790c9436 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:629:28
#51 0x7fa87c80fb7d in nsDocument::DoUnblockOnload() /dom/base/nsDocument.cpp:9388:18
#52 0x7fa87c80f7cd in nsDocument::UnblockOnload(bool) /dom/base/nsDocument.cpp:9310:9
#53 0x7fa87c7f0692 in nsDocument::DispatchContentLoadedEvents() /dom/base/nsDocument.cpp:5677:3
#54 0x7fa87c88672e in applyImpl<nsDocument, void (nsDocument::*)()> /dist/include/nsThreadUtils.h:1142:12
#55 0x7fa87c88672e in apply<nsDocument, void (nsDocument::*)()> /dist/include/nsThreadUtils.h:1148
#56 0x7fa87c88672e in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /dist/include/nsThreadUtils.h:1192
#57 0x7fa878eada8a in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:396:25
#58 0x7fa878ee3d3f in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1037:14
#59 0x7fa878f16f00 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:513:10
#60 0x7fa87a0fca78 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:97:21
#61 0x7fa879f89eb9 in RunHandler /ipc/chromium/src/base/message_loop.cc:319:3
#62 0x7fa879f89eb9 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:299
#63 0x7fa8801ad485 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:159:27
#64 0x7fa8850dbc48 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:877:22
#65 0x7fa879f89eb9 in RunHandler /ipc/chromium/src/base/message_loop.cc:319:3
#66 0x7fa879f89eb9 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:299
#67 0x7fa8850db21e in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:703:34
#68 0x516a18 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
#69 0x516a18 in main /browser/app/nsBrowserApp.cpp:280
#70 0x7fa8a83ed1c0 in __libc_start_main /build/glibc-CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308
#71 0x41efc9 in _start (/dist/bin/firefox+0x41efc9)
Flags: in-testsuite?
Updated•7 years ago
Flags: needinfo?(milan)
Whiteboard: [gfx-noted]
Updated•7 years ago
Flags: needinfo?(milan)
Priority: -- → P3
Updated•7 years ago
status-firefox60:
--- → affected
Updated•3 years ago
Severity: normal → S3