Closed
Bug 1493447
Opened 6 years ago
Closed 6 years ago
InvalidArrayIndex_CRASH at mozilla::dom::SVGComponentTransferFunctionElement::ComputeAttributes
Categories
(Core :: SVG, defect, P1)
Core
SVG
Tracking
()
RESOLVED
FIXED
mozilla64
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox62 | --- | unaffected |
| firefox63 | --- | unaffected |
| firefox64 | --- | fixed |
People
(Reporter: attekett, Assigned: alexical)
References
Details
(Keywords: crash, regression, testcase)
Attachments
(3 files)
crash-repro.svg
No description provided.
|
Reporter | |
Comment 1•6 years ago
|
||
Accidentally pressed enter when adding attachment. Crash details.
Tested on:
OS: Ubuntu 18.04
Firefox: 64.0a1 Build ID: 20180922093710
ASAN report:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==68794==ERROR: AddressSanitizer: ILL on unknown address 0x55e7729c2b1f (pc 0x55e7729c2b1f bp 0x7ffe651f8f50 sp 0x7ffe651f8de0 T0)
#0 0x55e7729c2b1e in MOZ_CrashPrintf /builds/worker/workspace/build/src/mfbt/Assertions.cpp
#1 0x7fc5db431662 in InvalidArrayIndex_CRASH(unsigned long, unsigned long) /builds/worker/workspace/build/src/xpcom/ds/nsTArray.cpp:26:3
#2 0x7fc5e45c6f2a in mozilla::dom::SVGComponentTransferFunctionElement::ComputeAttributes(int, mozilla::gfx::ComponentTransferAttributes&) /builds/worker/workspace/build/src/dom/svg/nsSVGFilters.cpp
#3 0x7fc5e44cc617 in mozilla::dom::SVGFEComponentTransferElement::GetPrimitiveDescription(nsSVGFilterInstance*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsTArray<bool> const&, nsTArray<RefPtr<mozilla::gfx::SourceSurface> >&) /builds/worker/workspace/build/src/dom/svg/SVGFEComponentTransferElement.cpp:78:27
#4 0x7fc5e6367ad6 in nsSVGFilterInstance::BuildPrimitives(nsTArray<mozilla::gfx::FilterPrimitiveDescription>&, nsTArray<RefPtr<mozilla::gfx::SourceSurface> >&, bool) /builds/worker/workspace/build/src/layout/svg/nsSVGFilterInstance.cpp:418:15
#5 0x7fc5e634d5ab in nsFilterInstance::BuildPrimitivesForFilter(nsStyleFilter const&, nsIFrame*, bool, nsTArray<mozilla::gfx::FilterPrimitiveDescription>&) /builds/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:347:30
#6 0x7fc5e634bca2 in nsFilterInstance::BuildPrimitives(nsTArray<nsStyleFilter> const&, nsIFrame*, bool) /builds/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:315:19
#7 0x7fc5e634ac21 in nsFilterInstance::nsFilterInstance(nsIFrame*, nsIContent*, mozilla::dom::UserSpaceMetrics const&, nsTArray<nsStyleFilter> const&, bool, nsSVGFilterPaintCallback*, mozilla::gfx::BaseMatrix<double> const&, nsRegion const*, nsRegion const*, nsRect const*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const*) /builds/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:243:7
#8 0x7fc5e6349184 in nsFilterInstance::GetPostFilterBounds(nsIFrame*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const*, nsRect const*) /builds/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:173:20
#9 0x7fc5e63a6fcb in nsSVGUtils::GetPostFilterVisualOverflowRect(nsIFrame*, nsRect const&) /builds/worker/workspace/build/src/layout/svg/nsSVGUtils.cpp:157:10
#10 0x7fc5e5ed144d in ComputeEffectsRect /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:7308:11
#11 0x7fc5e5ed144d in nsIFrame::FinishAndStoreOverflow(nsOverflowAreas&, nsSize, nsSize*, nsStyleDisplay const*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:9526
#12 0x7fc5e637a19c in nsSVGImageFrame::ReflowSVG() /builds/worker/workspace/build/src/layout/svg/nsSVGImageFrame.cpp:462:3
#13 0x7fc5e63229b9 in nsSVGDisplayContainerFrame::ReflowSVG() /builds/worker/workspace/build/src/layout/svg/nsSVGContainerFrame.cpp:349:17
#14 0x7fc5e6390f88 in nsSVGOuterSVGFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/svg/nsSVGOuterSVGFrame.cpp:460:14
#15 0x7fc5e5e1b7eb in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
#16 0x7fc5e5e18fee in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:803:5
#17 0x7fc5e5e1b7eb in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
#18 0x7fc5e5f539bb in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:606:3
#19 0x7fc5e5f55529 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:730:3
#20 0x7fc5e5f5aab0 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1120:3
#21 0x7fc5e5d773f8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:995:14
#22 0x7fc5e5d75b1b in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:338:7
#23 0x7fc5e5acb80b in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9016:11
#24 0x7fc5e5ae65e8 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9189:24
#25 0x7fc5e5ae470c in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4342:11
#26 0x7fc5e5a5aae7 in FlushPendingNotifications /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:577:5
#27 0x7fc5e5a5aae7 in nsRefreshDriver::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1930
#28 0x7fc5e5a6c7e1 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:325:13
#29 0x7fc5e5a6c7e1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:300
#30 0x7fc5e5a6c301 in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:318:5
#31 0x7fc5e5a6f5e1 in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:756:5
#32 0x7fc5e5a6f5e1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:672
#33 0x7fc5e5a6ed38 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:572:9
#34 0x7fc5e6536108 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:78:16
#35 0x7fc5dd223acb in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
#36 0x7fc5dcf9a8a0 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
#37 0x7fc5dc7855d5 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2248:25
#38 0x7fc5dc781309 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2175:17
#39 0x7fc5dc78344d in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2012:5
#40 0x7fc5dc784177 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2045:15
#41 0x7fc5db57c897 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1166:14
#42 0x7fc5db585415 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
#43 0x7fc5dc78ec53 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#44 0x7fc5dc69168c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
#45 0x7fc5dc69168c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
#46 0x7fc5dc69168c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
#47 0x7fc5e537c593 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
#48 0x7fc5e9840e3e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:939:22
#49 0x7fc5dc69168c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
#50 0x7fc5dc69168c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
#51 0x7fc5dc69168c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
#52 0x7fc5e983ff63 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:765:34
#53 0x55e77294fb91 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#54 0x55e77294fb91 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
#55 0x7fc5fd73db96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#56 0x55e77287ef3c in _start (/dev/shm/firefox/firefox+0x2cf3c)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ILL /builds/worker/workspace/build/src/mfbt/Assertions.cpp in MOZ_CrashPrintf
==68794==ABORTING|
|
Reporter | |
Updated•6 years ago
|
Group: core-security
|
||
Comment 2•6 years ago
|
||
I think this was caused by bug 1417699. Doug, can you take a look?
Flags: needinfo?(dothayer)
|
|
||
Updated•6 years ago
|
Priority: -- → P1
|
||
Updated•6 years ago
|
Group: core-security → layout-core-security
|
|
||
Comment 3•6 years ago
|
||
Is the release assert saving us from a security vulnerability, or is the state so messed up that we'll keep using a dead object or bogus offsets after this point and still get into trouble?
status-firefox63:
--- → unaffected
status-firefox64:
--- → affected
status-firefox-esr60:
--- → unaffected
|
Assignee | |
Updated•6 years ago
|
Assignee: nobody → dothayer
Status: NEW → ASSIGNED
Flags: needinfo?(dothayer)
|
|
Assignee | |
Comment 4•6 years ago
|
||
We're just trying to get a pointer to the first element of a zero length nsTArray. If we didn't hit the assertion we would just do nothing with that pointer, since we're only using it to copy over its 0 elements. (It was just a bad translation of this: https://searchfox.org/mozilla-central/diff/e79792a58ab25a66ae70f4135fea3e9558da9213/dom/svg/nsSVGFilters.cpp#341)
|
||
Comment 5•6 years ago
|
||
Comment on attachment 9011509 [details] Bug 1493447 - Check for 0 length before copying table values r=mstange Markus Stange [:mstange] has approved the revision.
Attachment #9011509 -
Flags: review+
|
|
Assignee | |
Updated•6 years ago
|
Keywords: checkin-needed
|
||
Comment 6•6 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/a9a1d4e6193e13aac52503c3b256bbff69e6cf87
status-firefox62:
--- → unaffected
Keywords: checkin-needed
|
|
||
Comment 8•6 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/a9a1d4e6193e Can we land this testcase as a crashtest?
Group: layout-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(dothayer)
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
|
|
Assignee | |
Comment 9•6 years ago
|
||
Adds a crashtest for an empty component transfer filter.
|
|
Assignee | |
Updated•6 years ago
|
Flags: needinfo?(dothayer)
|
|
Assignee | |
Comment 10•6 years ago
|
||
(Adding checkin-needed for the crashtest patch.)
Keywords: checkin-needed
|
|
||
Comment 11•6 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/19bab79602bd40e59b6c92f1f500e2779b88c0f3
Flags: in-testsuite? → in-testsuite+
Keywords: checkin-needed
|
|
||
Comment 13•6 years ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-beta/rev/067542f72422
|
|
||
Updated•5 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•