Closed Bug 1476952 Opened 2 years ago Closed 2 years ago

AddressSanitizer: heap-use-after-free src/gfx/cairo/cairo/src/cairo-array.c:455:15 in _cairo_user_data_array_get_data

Categories: Core :: Graphics: Text (defect, critical)
Version: 59 Branch
Status: RESOLVED WORKSFORME
People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug
Details: 4 keywords

Found while fuzzing mozilla-central rev 5a8107262015 (2018-07-18).  I don't currently have a testcase but will update this bug if/when one becomes available.

==25302==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030004f14d0 at pc 0x7fc802199809 bp 0x7fc7e0c8b310 sp 0x7fc7e0c8b308
READ of size 8 at 0x6030004f14d0 thread T31 (PaintWorker #3)
    #0 0x7fc802199808 in _cairo_user_data_array_get_data src/gfx/cairo/cairo/src/cairo-array.c:455:15
    #1 0x7fc8028f8257 in SkCreateTypefaceFromCairoFTFontWithFontconfig(_cairo_scaled_font*, _FcPattern*) src/gfx/skia/skia/src/ports/SkFontHost_cairo.cpp:311:58
    #2 0x7fc7f909eceb in mozilla::gfx::ScaledFontFontconfig::GetSkTypeface() src/gfx/2d/ScaledFontFontconfig.cpp:49:17
    #3 0x7fc7f9012dd1 in mozilla::gfx::DrawTargetSkia::DrawGlyphs(mozilla::gfx::ScaledFont*, mozilla::gfx::GlyphBuffer const&, mozilla::gfx::Pattern const&, mozilla::gfx::StrokeOptions const*, mozilla::gfx::DrawOptions const&) src/gfx/2d/DrawTargetSkia.cpp:1389:36
    #4 0x7fc7f918af81 in mozilla::gfx::FillGlyphsCommand::ExecuteOnDT(mozilla::gfx::DrawTarget*, mozilla::gfx::BaseMatrix<float> const*) const src/gfx/2d/DrawCommands.h:632:10
    #5 0x7fc7f90c2f21 in mozilla::gfx::DrawTargetCaptureImpl::ReplayToDrawTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::BaseMatrix<float> const&) src/gfx/2d/DrawTargetCapture.cpp:351:10
    #6 0x7fc7f90c2cd9 in mozilla::gfx::DrawTarget::DrawCapturedDT(mozilla::gfx::DrawTargetCapture*, mozilla::gfx::BaseMatrix<float> const&) src/gfx/2d/DrawTarget.cpp:187:52
    #7 0x7fc7f95b4236 in Paint src/gfx/layers/PaintThread.cpp:126:12
    #8 0x7fc7f95b4236 in mozilla::layers::PaintThread::AsyncPaintTiledContents(mozilla::layers::CompositorBridgeChild*, mozilla::layers::CapturedTiledPaintState*) src/gfx/layers/PaintThread.cpp:457
    #9 0x7fc7f9609b0a in mozilla::detail::RunnableFunction<mozilla::layers::PaintThread::PaintTiledContents(mozilla::layers::CapturedTiledPaintState*)::$_9>::Run() src/gfx/layers/PaintThread.cpp:437:11
    #10 0x7fc7f6711182 in nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp:231:14
    #11 0x7fc7f6711e24 in non-virtual thunk to nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp
    #12 0x7fc7f6703f38 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1051:14
    #13 0x7fc7f670c755 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #14 0x7fc7f78d41df in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:334:20
    #15 0x7fc7f77d829c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #16 0x7fc7f77d829c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #17 0x7fc7f77d829c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #18 0x7fc7f66fcf61 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:423:11
    #19 0x7fc817790dc8 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #20 0x7fc81ad8a6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #21 0x7fc819e1341c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x6030004f14d0 is located 0 bytes inside of 24-byte region [0x6030004f14d0,0x6030004f14e8)
freed by thread T29 (PaintWorker #1) here:
    #0 0x4c5442 in realloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:107:3
    #1 0x7fc8021989b0 in _cairo_array_grow_by src/gfx/cairo/cairo/src/cairo-array.c:159:20
    #2 0x7fc802199af7 in _cairo_array_allocate src/gfx/cairo/cairo/src/cairo-array.c:335:14
    #3 0x7fc802199af7 in _cairo_array_append_multiple src/gfx/cairo/cairo/src/cairo-array.c:301
    #4 0x7fc802199af7 in _cairo_array_append src/gfx/cairo/cairo/src/cairo-array.c:276
    #5 0x7fc802199af7 in _cairo_user_data_array_set_data src/gfx/cairo/cairo/src/cairo-array.c:521
    #6 0x7fc8028f847e in SkCairoFTTypeface src/gfx/skia/skia/src/ports/SkFontHost_cairo.cpp:282:9
    #7 0x7fc8028f847e in SkCairoFTTypeface::CreateTypeface(_cairo_font_face*, FT_FaceRec_*, _FcPattern*) src/gfx/skia/skia/src/ports/SkFontHost_cairo.cpp:188
    #8 0x7fc8028f8298 in SkCreateTypefaceFromCairoFTFontWithFontconfig(_cairo_scaled_font*, _FcPattern*) src/gfx/skia/skia/src/ports/SkFontHost_cairo.cpp:317:24
    #9 0x7fc7f909eceb in mozilla::gfx::ScaledFontFontconfig::GetSkTypeface() src/gfx/2d/ScaledFontFontconfig.cpp:49:17
    #10 0x7fc7f9012dd1 in mozilla::gfx::DrawTargetSkia::DrawGlyphs(mozilla::gfx::ScaledFont*, mozilla::gfx::GlyphBuffer const&, mozilla::gfx::Pattern const&, mozilla::gfx::StrokeOptions const*, mozilla::gfx::DrawOptions const&) src/gfx/2d/DrawTargetSkia.cpp:1389:36
    #11 0x7fc7f918af81 in mozilla::gfx::FillGlyphsCommand::ExecuteOnDT(mozilla::gfx::DrawTarget*, mozilla::gfx::BaseMatrix<float> const*) const src/gfx/2d/DrawCommands.h:632:10
    #12 0x7fc7f90c2f21 in mozilla::gfx::DrawTargetCaptureImpl::ReplayToDrawTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::BaseMatrix<float> const&) src/gfx/2d/DrawTargetCapture.cpp:351:10
    #13 0x7fc7f90c2cd9 in mozilla::gfx::DrawTarget::DrawCapturedDT(mozilla::gfx::DrawTargetCapture*, mozilla::gfx::BaseMatrix<float> const&) src/gfx/2d/DrawTarget.cpp:187:52
    #14 0x7fc7f95b4236 in Paint src/gfx/layers/PaintThread.cpp:126:12
    #15 0x7fc7f95b4236 in mozilla::layers::PaintThread::AsyncPaintTiledContents(mozilla::layers::CompositorBridgeChild*, mozilla::layers::CapturedTiledPaintState*) src/gfx/layers/PaintThread.cpp:457
    #16 0x7fc7f9609b0a in mozilla::detail::RunnableFunction<mozilla::layers::PaintThread::PaintTiledContents(mozilla::layers::CapturedTiledPaintState*)::$_9>::Run() src/gfx/layers/PaintThread.cpp:437:11
    #17 0x7fc7f6711182 in nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp:231:14
    #18 0x7fc7f6711e24 in non-virtual thunk to nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp
    #19 0x7fc7f6703f38 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1051:14
    #20 0x7fc7f670c755 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #21 0x7fc7f78d41df in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:334:20
    #22 0x7fc7f77d829c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #23 0x7fc7f77d829c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #24 0x7fc7f77d829c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #25 0x7fc7f66fcf61 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:423:11
    #26 0x7fc817790dc8 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #27 0x7fc81ad8a6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

previously allocated by thread T0 (file:// Content) here:
    #0 0x4c5442 in realloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:107:3
    #1 0x7fc8021989b0 in _cairo_array_grow_by src/gfx/cairo/cairo/src/cairo-array.c:159:20
    #2 0x7fc802199af7 in _cairo_array_allocate src/gfx/cairo/cairo/src/cairo-array.c:335:14
    #3 0x7fc802199af7 in _cairo_array_append_multiple src/gfx/cairo/cairo/src/cairo-array.c:301
    #4 0x7fc802199af7 in _cairo_array_append src/gfx/cairo/cairo/src/cairo-array.c:276
    #5 0x7fc802199af7 in _cairo_user_data_array_set_data src/gfx/cairo/cairo/src/cairo-array.c:521
    #6 0x7fc7f9b83e14 in gfxFT2FontBase::GetGlyph(unsigned int) src/gfx/thebes/gfxFT2FontBase.cpp:85:13
    #7 0x7fc7f9b82617 in GetCharWidth src/gfx/thebes/gfxFT2FontBase.cpp:175:19
    #8 0x7fc7f9b82617 in gfxFT2FontBase::InitMetrics() src/gfx/thebes/gfxFT2FontBase.cpp:405
    #9 0x7fc7f9b80f9e in gfxFT2FontBase::gfxFT2FontBase(RefPtr<mozilla::gfx::UnscaledFontFreeType> const&, _cairo_scaled_font*, gfxFontEntry*, gfxFontStyle const*) src/gfx/thebes/gfxFT2FontBase.cpp:37:5
    #10 0x7fc7f9b9040d in gfxFontconfigFont src/gfx/thebes/gfxFcPlatformFontList.cpp:1447:7
    #11 0x7fc7f9b9040d in gfxFontconfigFontEntry::CreateFontInstance(gfxFontStyle const*) src/gfx/thebes/gfxFcPlatformFontList.cpp:1064
    #12 0x7fc7f9d0cebd in gfxFontEntry::FindOrMakeFont(gfxFontStyle const*, gfxCharacterMap*) src/gfx/thebes/gfxFontEntry.cpp:258:28
    #13 0x7fc7f9da5fb5 in gfxFontGroup::GetFontAt(int, unsigned int) src/gfx/thebes/gfxTextRun.cpp:1950:20
    #14 0x7fc7f9da8f04 in gfxFontGroup::GetFirstValidFont(unsigned int, mozilla::FontFamilyType*) src/gfx/thebes/gfxTextRun.cpp:2133:16
    #15 0x7fc7f92b1e1d in nsFontMetrics::GetMetrics(gfxFont::Orientation) const src/gfx/src/nsFontMetrics.cpp:169:24
    #16 0x7fc7f92b2830 in GetMetrics src/gfx/src/nsFontMetrics.h:244:14
    #17 0x7fc7f92b2830 in nsFontMetrics::ExternalLeading() src/gfx/src/nsFontMetrics.cpp:240
    #18 0x7fc800b99d3a in GetNormalLineHeight src/layout/generic/ReflowInput.cpp:2805:43
    #19 0x7fc800b99d3a in ComputeLineHeight src/layout/generic/ReflowInput.cpp:2862
    #20 0x7fc800b99d3a in mozilla::ReflowInput::CalcLineHeight(nsIContent*, mozilla::ComputedStyle*, nsPresContext*, int, float) src/layout/generic/ReflowInput.cpp:2889
    #21 0x7fc800b6540c in CalcLineHeight src/layout/generic/ReflowInput.cpp:2872:10
    #22 0x7fc800b6540c in mozilla::BlockReflowInput::BlockReflowInput(mozilla::ReflowInput const&, nsPresContext*, nsBlockFrame*, bool, bool, bool, int) src/layout/generic/BlockReflowInput.cpp:142
    #23 0x7fc800bf3292 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1186:20
    #24 0x7fc800c7303b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:951:14
    #25 0x7fc800c70927 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:792:5
    #26 0x7fc800c7303b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:951:14
    #27 0x7fc800da591b in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) src/layout/generic/nsGfxScrollFrame.cpp:580:3
    #28 0x7fc800da7484 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:703:3
    #29 0x7fc800dac67b in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1080:3
    #30 0x7fc800bceb98 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:995:14
    #31 0x7fc800bcd454 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:330:7
    #32 0x7fc800929ccc in mozilla::PresShell::DoReflow(nsIFrame*, bool) src/layout/base/PresShell.cpp:8993:11
    #33 0x7fc8009447b8 in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9166:24
    #34 0x7fc800942985 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4340:11
    #35 0x7fc7fdd9eb59 in FlushPendingNotifications src/obj-firefox/dist/include/nsIPresShell.h:566:5
    #36 0x7fc7fdd9eb59 in FlushPendingEvents src/dom/events/EventStateManager.cpp:5515
    #37 0x7fc7fdd9eb59 in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) src/dom/events/EventStateManager.cpp:690
    #38 0x7fc80097467b in mozilla::PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) src/layout/base/PresShell.cpp:7619:19
    #39 0x7fc80096f42a in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) src/layout/base/PresShell.cpp:7264:17
    #40 0x7fc800109641 in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) src/view/nsViewManager.cpp:812:14

Thread T31 (PaintWorker #3) created by T0 (file:// Content) here:
    #0 0x4ae0cd in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7fc81778db05 in _PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:433:14
    #2 0x7fc81778d6ee in PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:518:12
    #3 0x7fc7f66ffe63 in nsThread::Init(nsTSubstring<char> const&) src/xpcom/threads/nsThread.cpp:597:8
    #4 0x7fc7f670b229 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) src/xpcom/threads/nsThreadManager.cpp:471:22
    #5 0x7fc7f670f94a in NS_NewNamedThread src/xpcom/threads/nsThreadUtils.cpp:143:45
    #6 0x7fc7f670f94a in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) src/xpcom/threads/nsThreadPool.cpp:109
    #7 0x7fc7f6712076 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) src/xpcom/threads/nsThreadPool.cpp:280:5
    #8 0x7fc7f95b3a08 in mozilla::layers::PaintThread::PaintTiledContents(mozilla::layers::CapturedTiledPaintState*) src/gfx/layers/PaintThread.cpp:441:18
    #9 0x7fc7f994f43e in mozilla::layers::ClientMultiTiledLayerBuffer::Update(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::TilePaintFlags) src/gfx/layers/client/MultiTiledContentClient.cpp:242:31
    #10 0x7fc7f994c3ce in mozilla::layers::ClientMultiTiledLayerBuffer::PaintThebes(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::TilePaintFlags) src/gfx/layers/client/MultiTiledContentClient.cpp:129:3
    #11 0x7fc7f99299d8 in mozilla::layers::ClientTiledPaintedLayer::RenderHighPrecision(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) src/gfx/layers/client/ClientTiledPaintedLayer.cpp:354:37
    #12 0x7fc7f99307f3 in mozilla::layers::ClientTiledPaintedLayer::RenderLayer() src/gfx/layers/client/ClientTiledPaintedLayer.cpp:556:31
    #13 0x7fc7f9976b5c in mozilla::layers::ClientContainerLayer::RenderLayer() src/gfx/layers/client/ClientContainerLayer.h:58:29
    #14 0x7fc7f99146f3 in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/client/ClientLayerManager.cpp:375:13
    #15 0x7fc7f9915836 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/client/ClientLayerManager.cpp:433:3
    #16 0x7fc80154e176 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) src/layout/painting/nsDisplayList.cpp:2757:19
    #17 0x7fc800ab8266 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3843:12
    #18 0x7fc80096277d in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) src/layout/base/PresShell.cpp:6320:5
    #19 0x7fc80010ec07 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:480:19
    #20 0x7fc80010da3c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:412:33
    #21 0x7fc800113046 in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1102:5
    #22 0x7fc8008b858b in nsRefreshDriver::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2042:11
    #23 0x7fc8008c8762 in TickDriver src/layout/base/nsRefreshDriver.cpp:324:13
    #24 0x7fc8008c8762 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:299
    #25 0x7fc8008c8291 in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:317:5
    #26 0x7fc8008cb8b1 in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:755:5
    #27 0x7fc8008cb8b1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:671
    #28 0x7fc8008cb38b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:571:9
    #29 0x7fc8013734f6 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:68:16
    #30 0x7fc7f82bbd9d in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #31 0x7fc7f8085330 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2214:28
    #32 0x7fc7f78c885e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2134:25
    #33 0x7fc7f78c418e in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2064:17
    #34 0x7fc7f78c65ed in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1910:5
    #35 0x7fc7f78c7347 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1943:15
    #36 0x7fc7f6703f38 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1051:14
    #37 0x7fc7f670c755 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #38 0x7fc7f78d2b4e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #39 0x7fc7f77d829c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #40 0x7fc7f77d829c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #41 0x7fc7f77d829c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #42 0x7fc8001f74a6 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #43 0x7fc8044f497e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:921:22
    #44 0x7fc7f77d829c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #45 0x7fc7f77d829c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #46 0x7fc7f77d829c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #47 0x7fc8044f3b3c in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:747:34
    #48 0x4f5511 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #49 0x4f5511 in main src/browser/app/nsBrowserApp.cpp:287
    #50 0x7fc819d2c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

Thread T29 (PaintWorker #1) created by T0 (file:// Content) here:
    #0 0x4ae0cd in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7fc81778db05 in _PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:433:14
    #2 0x7fc81778d6ee in PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:518:12
    #3 0x7fc7f66ffe63 in nsThread::Init(nsTSubstring<char> const&) src/xpcom/threads/nsThread.cpp:597:8
    #4 0x7fc7f670b229 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) src/xpcom/threads/nsThreadManager.cpp:471:22
    #5 0x7fc7f670f94a in NS_NewNamedThread src/xpcom/threads/nsThreadUtils.cpp:143:45
    #6 0x7fc7f670f94a in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) src/xpcom/threads/nsThreadPool.cpp:109
    #7 0x7fc7f6712076 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) src/xpcom/threads/nsThreadPool.cpp:280:5
    #8 0x7fc7f95b3a08 in mozilla::layers::PaintThread::PaintTiledContents(mozilla::layers::CapturedTiledPaintState*) src/gfx/layers/PaintThread.cpp:441:18
    #9 0x7fc7f994f43e in mozilla::layers::ClientMultiTiledLayerBuffer::Update(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::TilePaintFlags) src/gfx/layers/client/MultiTiledContentClient.cpp:242:31
    #10 0x7fc7f994c3ce in mozilla::layers::ClientMultiTiledLayerBuffer::PaintThebes(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::TilePaintFlags) src/gfx/layers/client/MultiTiledContentClient.cpp:129:3
    #11 0x7fc7f99299d8 in mozilla::layers::ClientTiledPaintedLayer::RenderHighPrecision(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) src/gfx/layers/client/ClientTiledPaintedLayer.cpp:354:37
    #12 0x7fc7f99307f3 in mozilla::layers::ClientTiledPaintedLayer::RenderLayer() src/gfx/layers/client/ClientTiledPaintedLayer.cpp:556:31
    #13 0x7fc7f9976b5c in mozilla::layers::ClientContainerLayer::RenderLayer() src/gfx/layers/client/ClientContainerLayer.h:58:29
    #14 0x7fc7f99146f3 in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/client/ClientLayerManager.cpp:375:13
    #15 0x7fc7f9915836 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/client/ClientLayerManager.cpp:433:3
    #16 0x7fc80154e176 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) src/layout/painting/nsDisplayList.cpp:2757:19
    #17 0x7fc800ab8266 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3843:12
    #18 0x7fc80096277d in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) src/layout/base/PresShell.cpp:6320:5
    #19 0x7fc80010ec07 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:480:19
    #20 0x7fc80010da3c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:412:33
    #21 0x7fc800113046 in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1102:5
    #22 0x7fc8008b858b in nsRefreshDriver::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2042:11
    #23 0x7fc8008c8762 in TickDriver src/layout/base/nsRefreshDriver.cpp:324:13
    #24 0x7fc8008c8762 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:299
    #25 0x7fc8008c8291 in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:317:5
    #26 0x7fc8008cb8b1 in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:755:5
    #27 0x7fc8008cb8b1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:671
    #28 0x7fc8008cb38b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:571:9
    #29 0x7fc8013734f6 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:68:16
    #30 0x7fc7f82bbd9d in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #31 0x7fc7f8085330 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2214:28
    #32 0x7fc7f78c885e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2134:25
    #33 0x7fc7f78c418e in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2064:17
    #34 0x7fc7f78c65ed in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1910:5
    #35 0x7fc7f78c7347 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1943:15
    #36 0x7fc7f6703f38 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1051:14
    #37 0x7fc7f670c755 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #38 0x7fc7f78d2b4e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #39 0x7fc7f77d829c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #40 0x7fc7f77d829c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #41 0x7fc7f77d829c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #42 0x7fc8001f74a6 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #43 0x7fc8044f497e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:921:22
    #44 0x7fc7f77d829c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #45 0x7fc7f77d829c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #46 0x7fc7f77d829c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #47 0x7fc8044f3b3c in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:747:34
    #48 0x4f5511 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #49 0x4f5511 in main src/browser/app/nsBrowserApp.cpp:287
    #50 0x7fc819d2c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free src/gfx/cairo/cairo/src/cairo-array.c:455:15 in _cairo_user_data_array_get_data
==25302==ABORTING
This may be a Skia font problem rather than a cairo one. Maybe a race? It was freed and accessed on different threads.

Jonathan: please move the bug and CC other folks if this isn't yours
Component: Graphics → Graphics: Text
Flags: needinfo?(jfkthame)
It looks like CreateTypeface -> SkCairoFTTypeface mutates the cairo_font_face_t (appending to an array and resizing it), so if that was shared across multiple threads it'd produce this behavior.
I'm not all that familiar with the Skia world; this feels more like Lee's area. Redirecting needinfo...
Flags: needinfo?(jfkthame) → needinfo?(lsalzman)
Group: core-security → gfx-core-security
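The mechanism in the comment above (one thread appending to and resizing a font face's user-data array while another thread reads it), as an added example that is not code from cairo, Skia or Firefox: a minimal user-data array in the shape of cairo's _cairo_user_data_array_get_data/_set_data, with the array guarded by a mutex and lookups copying the value out so no pointer into the reallocated buffer escapes. The uda_* names, the worker stress loop and its payload values are constructed for this example.

```c
/* Added example, not cairo's or Firefox's code: a minimal user-data array shaped
 * like _cairo_user_data_array_{get,set}_data, showing how a mutex plus copy-out
 * lookup closes the realloc-vs-read window. All uda_* names are invented here. */
#include <pthread.h>
#include <stdlib.h>

typedef struct { int key; void *value; } slot_t;
typedef struct {
    slot_t *slots;                /* growable buffer: realloc may move it */
    size_t num, cap;
    pthread_mutex_t lock;         /* the fix: every access to slots is serialised */
} user_data_array_t;
int uda_init(user_data_array_t *a) {
    a->slots = NULL; a->num = a->cap = 0;
    return pthread_mutex_init(&a->lock, NULL);
}
void uda_fini(user_data_array_t *a) {
    pthread_mutex_destroy(&a->lock); free(a->slots);
    a->slots = NULL; a->num = a->cap = 0;
}
/* Overwrite an existing key or append. Growing the buffer frees the old one,
 * which is the step ASan flagged (realloc under _cairo_array_grow_by). */
int uda_set(user_data_array_t *a, int key, void *value) {
    int rc = 0;
    pthread_mutex_lock(&a->lock);
    for (size_t i = 0; i < a->num; i++)
        if (a->slots[i].key == key) { a->slots[i].value = value; goto out; }
    if (a->num == a->cap) {
        size_t ncap = a->cap ? a->cap * 2 : 4;
        slot_t *n = realloc(a->slots, ncap * sizeof *n);
        if (!n) { rc = -1; goto out; }
        a->slots = n; a->cap = ncap;
    }
    a->slots[a->num++] = (slot_t){ key, value };
out:
    pthread_mutex_unlock(&a->lock);
    return rc;
}
/* Copy the value out under the lock; never return a pointer into slots,
 * because the next uda_set may free that buffer. */
void *uda_get(user_data_array_t *a, int key) {
    void *v = NULL;
    pthread_mutex_lock(&a->lock);
    for (size_t i = 0; i < a->num; i++)
        if (a->slots[i].key == key) { v = a->slots[i].value; break; }
    pthread_mutex_unlock(&a->lock);
    return v;
}
/* Deterministic checks (absent key, growth, overwrite): 0 on success, else a bitmask. */
int uda_selftest(void) {
    static int vals[10]; int rc = 0;
    user_data_array_t a;
    if (uda_init(&a) != 0) return -1;
    if (uda_get(&a, 1) != NULL) rc |= 1;
    for (int i = 0; i < 10; i++) uda_set(&a, i, &vals[i]);   /* three reallocs */
    for (int i = 0; i < 10; i++) if (uda_get(&a, i) != &vals[i]) rc |= 2;
    uda_set(&a, 3, &vals[0]);                                 /* overwrite, no append */
    if (uda_get(&a, 3) != &vals[0] || a.num != 10) rc |= 4;
    uda_fini(&a);
    return rc;
}

/* Stress: several workers share one array, each repeatedly setting its own
 * key and reading all keys, like PaintWorker threads sharing a font face. */
enum { WORKERS = 4, ROUNDS = 2000 };
static int payload[WORKERS];            /* constructed values; only addresses matter */
typedef struct { user_data_array_t *a; int id; int bad; } worker_t;
static void *worker(void *arg) {
    worker_t *w = arg;
    for (int r = 0; r < ROUNDS; r++) {
        if (uda_set(w->a, w->id, &payload[w->id]) != 0) { w->bad++; continue; }
        for (int k = 0; k < WORKERS; k++) {
            void *v = uda_get(w->a, k);     /* absent is fine; a wrong value is not */
            if (v != NULL && v != &payload[k]) w->bad++;
        }
    }
    return NULL;
}
/* Returns the number of inconsistent reads (0 when the locking holds), or -1 on setup failure. */
int uda_stress(void) {
    user_data_array_t a; int bad = 0;
    pthread_t th[WORKERS]; worker_t w[WORKERS];
    if (uda_init(&a) != 0) return -1;
    for (int i = 0; i < WORKERS; i++) {
        w[i] = (worker_t){ &a, i, 0 };
        if (pthread_create(&th[i], NULL, worker, &w[i]) != 0) return -1;
    }
    for (int i = 0; i < WORKERS; i++) { pthread_join(th[i], NULL); bad += w[i].bad; }
    uda_fini(&a);
    return bad;
}
```

Removing the lock calls from uda_set and uda_get and running uda_stress under AddressSanitizer reproduces the same class of report as above: a heap-use-after-free on the slots buffer read by one worker after another worker's realloc freed it.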
Duplicate of this bug: 1477324
See Also: → 1478577
I think this is fixed by bug 1478084.
Flags: needinfo?(lsalzman)
Jason, can you still reproduce this?
Flags: needinfo?(jkratzer)
(In reply to Jeff Muizelaar [:jrmuizel] from comment #6)
> Jason, can you still reproduce this?

I don't have a testcase to verify but I also haven't seen this crash since July 27th.
Flags: needinfo?(jkratzer)
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME
Group: gfx-core-security