Closed Bug 1463948 Opened 6 years ago Closed 6 years ago

crash at null in [@ ssse3_fetch_bilinear_cover]

Categories

(Core :: Graphics, defect)

Type: defect
Priority: Not set
Severity: normal

Tracking


RESOLVED DUPLICATE of bug 1452375
Tracking Status
firefox61 --- affected
firefox62 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: gfx-noted)

Attachments

(1 file)

Attached file testcase.html
I can only consistently reproduce this issue via the attached testcase under Xvfb for some reason.

==35055==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fcac617df36 bp 0x7fca605d06e0 sp 0x7fca605d0640 T64)
==35055==The signal is caused by a WRITE memory access.
==35055==Hint: address points to the zero page.
    #0 0x7fcac617df35 in ssse3_fetch_bilinear_cover src/gfx/2d/ssse3-scaler.c:312:28
    #1 0x7fcac617df35 in ssse3_scale_data src/gfx/2d/ssse3-scaler.c:556
    #2 0x7fcac6890ed8 in mozilla::layers::AttemptVideoScale(mozilla::layers::TextureSourceBasic*, mozilla::gfx::SourceSurface const*, float, mozilla::gfx::CompositionOp, mozilla::layers::TexturedEffect const*, mozilla::gfx::BaseMatrix<float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawTarget*, mozilla::gfx::DrawTarget const*) src/gfx/layers/basic/BasicCompositor.cpp:560:5
    #3 0x7fcac685da50 in void mozilla::layers::BasicCompositor::DrawGeometry<mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> >(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::EffectChain const&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, bool) src/gfx/layers/basic/BasicCompositor.cpp:773:13
    #4 0x7fcac685c2ce in mozilla::layers::BasicCompositor::DrawQuad(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::EffectChain const&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&) src/gfx/layers/basic/BasicCompositor.cpp:644:3
    #5 0x7fcac6592398 in mozilla::layers::Compositor::DrawGeometry(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::EffectChain const&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) src/gfx/layers/Compositor.cpp:227:5
    #6 0x7fcac697144d in DrawGeometry src/obj-firefox/dist/include/mozilla/layers/Compositor.h:340:5
    #7 0x7fcac697144d in mozilla::layers::ImageHost::Composite(mozilla::layers::Compositor*, mozilla::layers::LayerComposite*, mozilla::layers::EffectChain&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SamplingFilter, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const*, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) src/gfx/layers/composite/ImageHost.cpp:298
    #8 0x7fcac69bb7d6 in mozilla::layers::ImageLayerComposite::RenderLayer(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&)::$_0::operator()(mozilla::layers::EffectChain&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) const src/gfx/layers/composite/ImageLayerComposite.cpp:106:17
    #9 0x7fcac697590e in RenderWithAllMasks<(lambda at src/gfx/layers/composite/ImageLayerComposite.cpp:104:22)> src/gfx/layers/composite/LayerManagerComposite.h:744:5
    #10 0x7fcac697590e in mozilla::layers::ImageLayerComposite::RenderLayer(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) src/gfx/layers/composite/ImageLayerComposite.cpp:103
    #11 0x7fcac695e336 in void mozilla::layers::RenderLayers<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) src/gfx/layers/composite/ContainerLayerComposite.cpp:443:22
    #12 0x7fcac6929bbc in void mozilla::layers::ContainerRender<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) src/gfx/layers/composite/ContainerLayerComposite.cpp:609:5
    #13 0x7fcac695e336 in void mozilla::layers::RenderLayers<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) src/gfx/layers/composite/ContainerLayerComposite.cpp:443:22
    #14 0x7fcac6929bbc in void mozilla::layers::ContainerRender<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) src/gfx/layers/composite/ContainerLayerComposite.cpp:609:5
    #15 0x7fcac69869ac in mozilla::layers::LayerManagerComposite::Render(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&) src/gfx/layers/composite/LayerManagerComposite.cpp:954:18
    #16 0x7fcac69844e4 in mozilla::layers::LayerManagerComposite::UpdateAndRender() src/gfx/layers/composite/LayerManagerComposite.cpp:534:3
    #17 0x7fcac6982dc6 in mozilla::layers::LayerManagerComposite::EndTransaction(mozilla::TimeStamp const&, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/composite/LayerManagerComposite.cpp:464:5
    #18 0x7fcac69d46ef in mozilla::layers::CompositorBridgeParent::CompositeToTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) src/gfx/layers/ipc/CompositorBridgeParent.cpp:1062:18
    #19 0x7fcac69eb0f5 in mozilla::layers::CompositorVsyncScheduler::Composite(mozilla::TimeStamp) src/gfx/layers/ipc/CompositorVsyncScheduler.cpp:243:27
    #20 0x7fcac6a1ed10 in applyImpl<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), StoreCopyPassByConstLRef<mozilla::TimeStamp> , 0> src/obj-firefox/dist/include/nsThreadUtils.h:1165:12
    #21 0x7fcac6a1ed10 in apply<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp)> src/obj-firefox/dist/include/nsThreadUtils.h:1171
    #22 0x7fcac6a1ed10 in mozilla::detail::RunnableMethodImpl<mozilla::layers::CompositorVsyncScheduler*, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), true, (mozilla::RunnableKind)1, mozilla::TimeStamp>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1216
    #23 0x7fcac50829c3 in RunTask src/ipc/chromium/src/base/message_loop.cc:452:9
    #24 0x7fcac50829c3 in DeferOrRunPendingTask src/ipc/chromium/src/base/message_loop.cc:460
    #25 0x7fcac50829c3 in MessageLoop::DoWork() src/ipc/chromium/src/base/message_loop.cc:535
    #26 0x7fcac5084978 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) src/ipc/chromium/src/base/message_pump_default.cc:36:31
    #27 0x7fcac507ffd9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #28 0x7fcac507ffd9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #29 0x7fcac507ffd9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #30 0x7fcac509dfef in base::Thread::ThreadMain() src/ipc/chromium/src/base/thread.cc:181:16
    #31 0x7fcac5090ccc in ThreadFunc(void*) src/ipc/chromium/src/base/platform_thread_posix.cc:38:13
    #32 0x7fcae4b216b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #33 0x7fcae3baa41c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109
Flags: in-testsuite?
We assert in ssse3_fetch_bilinear_cover that the y offset is not negative. Looking at ssse3_bilinear_cover_iter_init, where y is initialized, it seems to only be possible if:
- the y offset provided to ssse3_scale_data is negative, which would mean that clipping fillRect against the clip rect in BasicCompositor::AttemptVideoScale yields a fill rect with an origin that is right of dstRect. Maybe dstRect should be clipped as well in that branch?
- overflow happening in ssse3_bilinear_cover_iter_init, maybe?

Jeff, what do you think (you authored this code)?
Flags: needinfo?(jmuizelaar)
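As an added illustration of the first hypothesis above (example code, not Gecko's and not from this bug): when the fill rect is clipped but the destination rect is not, the offset handed to a scaler can go negative or run past the destination's far edge; a containment check in front of the scaler call rejects exactly those cases. The Rect type, the helper names and the sample rectangles are all constructed here.

```c
#include <stdbool.h>
#include <stdio.h>

typedef struct { int x, y, w, h; } Rect;   /* constructed, not Gecko's IntRect */

static int imin(int a, int b) { return a < b ? a : b; }
static int imax(int a, int b) { return a > b ? a : b; }

/* Intersection of two rects. When they do not overlap, w or h is <= 0 and the
 * origin can sit anywhere, including outside either input. */
static Rect rect_intersect(Rect a, Rect b) {
    Rect r;
    r.x = imax(a.x, b.x);
    r.y = imax(a.y, b.y);
    r.w = imin(a.x + a.w, b.x + b.w) - r.x;
    r.h = imin(a.y + a.h, b.y + b.h) - r.y;
    return r;
}

/* Unchecked offset of fill's origin relative to dst: nothing keeps the result
 * non-negative or inside dst when fill was clipped independently of dst. */
static void naive_offset(Rect dst, Rect fill, int *ox, int *oy) {
    *ox = fill.x - dst.x;
    *oy = fill.y - dst.y;
}

/* Checked variant: refuses empty fills and fills not wholly inside dst, so any
 * offsets it yields satisfy 0 <= ox < dst.w and 0 <= oy < dst.h. */
static bool checked_offset(Rect dst, Rect fill, int *ox, int *oy) {
    if (fill.w <= 0 || fill.h <= 0) return false;
    if (fill.x < dst.x || fill.y < dst.y) return false;
    if (fill.x + fill.w > dst.x + dst.w) return false;
    if (fill.y + fill.h > dst.y + dst.h) return false;
    *ox = fill.x - dst.x;
    *oy = fill.y - dst.y;
    return true;
}

int main(void) {
    /* Constructed: the clip lies above and to the right of dst, so clipping
     * only the fill rect leaves its origin outside dst. */
    Rect fill_rect = { 0, 0, 200, 200 };
    Rect clip      = { 150, 0, 40, 10 };
    Rect dst       = { 20, 30, 100, 100 };
    Rect fill = rect_intersect(fill_rect, clip);   /* {150, 0, 40, 10} */
    int ox, oy;
    naive_offset(dst, fill, &ox, &oy);             /* ox = 130, oy = -30 */
    printf("naive %d,%d accepted=%d\n", ox, oy, checked_offset(dst, fill, &ox, &oy));
    return 0;
}
```

Clipping dstRect with the same clip rect, as the comment suggests, is one way to guarantee the containment this check enforces.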
Whiteboard: gfx-noted
Group: core-security
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(jmuizelaar)
Resolution: --- → DUPLICATE
Group: core-security
