Closed Bug 1505426 Opened 10 months ago Closed 10 months ago

/builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkWriteBuffer.cpp:238: fatal error: "assert(name)"

Categories

(Core :: Canvas: 2D, defect)

defect
Not set

Tracking

()

RESOLVED FIXED
mozilla65
Tracking Status
firefox65 --- fixed

People

(Reporter: jkratzer, Assigned: lsalzman)

References

(Blocks 1 open bug)

Details

Attachments

(3 files)

Attached file testcase.html
Testcase found while fuzzing mozilla-central rev 957a743c4ca2.

/builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkWriteBuffer.cpp:238: fatal error: "assert(name)"

rax = 0x0000000000000000   rdx = 0x0000000000000000
rcx = 0x0000000000000000   rbx = 0x00007fff4678c990
rsi = 0x0000000000000000   rdi = 0x00007fa3b221cb88
rbp = 0x00007fff4678c950   rsp = 0x00007fff4678c8f0
r8 = 0x0000000000000000    r9 = 0x0000000000000008
r10 = 0xfffffffffffff768   r11 = 0x0000000000000000
r12 = 0x00007fa398cf60c0   r13 = 0x00007fff4678c900
r14 = 0x0000000000000000   r15 = 0x0000000000000000
rip = 0x00007fa3add2f04b
OS|Linux|0.0.0 Linux 4.15.0-38-generic #41-Ubuntu SMP Wed Oct 10 10:59:38 UTC 2018 x86_64
CPU|amd64|family 6 model 78 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|SkBinaryWriteBuffer::writeFlattenable(SkFlattenable const*)|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/core/SkWriteBuffer.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|252|0x0
0|1|libxul.so|calculate_size_and_flatten|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/core/SkScalerContext.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|1135|0x13
0|2|libxul.so|SkScalerContext::AutoDescriptorGivenRecAndEffects(SkScalerContextRec const&, SkScalerContextEffects const&, SkAutoDescriptor*)|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/core/SkScalerContext.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|1166|0xb
0|3|libxul.so|SkScalerContext::CreateDescriptorAndEffectsUsingPaint(SkPaint const&, SkSurfaceProps const*, SkScalerContextFlags, SkMatrix const*, SkAutoDescriptor*, SkScalerContextEffects*)|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/core/SkScalerContext.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|1124|0xe
0|4|libxul.so|GrTextBlob::setupCache(int, SkSurfaceProps const&, SkScalerContextFlags, SkPaint const&, SkMatrix const*)|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/gpu/text/GrTextBlob.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|73|0xc
0|5|libxul.so|GrTextContext::regenerateGlyphRunList(GrTextBlob*, GrGlyphCache*, GrShaderCaps const&, SkPaint const&, unsigned int, SkScalerContextFlags, SkMatrix const&, SkSurfaceProps const&, SkGlyphRunList const&, SkGlyphRunListPainter*)|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/core/SkGlyphRunPainter.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|526|0x2d
0|6|libxul.so|GrTextContext::drawGlyphRunList(GrContext*, GrTextTarget*, GrClip const&, SkMatrix const&, SkSurfaceProps const&, SkGlyphRunList const&)|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/core/SkGlyphRunPainter.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|422|0x39
0|7|libxul.so|GrRenderTargetContext::drawGlyphRunList(GrClip const&, SkMatrix const&, SkGlyphRunList const&)|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/gpu/GrRenderTargetContext.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|242|0x22
0|8|libxul.so|SkGpuDevice::drawGlyphRunList(SkGlyphRunList const&)|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/gpu/SkGpuDevice.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|1627|0x6
0|9|libxul.so|SkCanvas::onDrawPosText(void const*, unsigned long, SkPoint const*, SkPaint const&)|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/core/SkCanvas.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|2447|0x17
0|10|libxul.so|SkCanvas::drawPosText(void const*, unsigned long, SkPoint const*, SkPaint const&)|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/core/SkCanvas.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|2531|0x1b
0|11|libxul.so|mozilla::gfx::DrawTargetSkia::DrawGlyphs(mozilla::gfx::ScaledFont*, mozilla::gfx::GlyphBuffer const&, mozilla::gfx::Pattern const&, mozilla::gfx::StrokeOptions const*, mozilla::gfx::DrawOptions const&)|hg:hg.mozilla.org/mozilla-central:gfx/2d/DrawTargetSkia.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|1476|0x40
0|12|libxul.so|GlyphBufferAzure::FlushGlyphs()|hg:hg.mozilla.org/mozilla-central:gfx/thebes/gfxFont.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|1829|0x6
0|13|libxul.so|gfxFont::Draw(gfxTextRun const*, unsigned int, unsigned int, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>*, TextRunDrawParams const&, mozilla::gfx::ShapedTextFlags)|hg:hg.mozilla.org/mozilla-central:gfx/thebes/gfxFont.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|1710|0xe
0|14|libxul.so|gfxTextRun::DrawGlyphs(gfxFont*, gfxTextRun::Range, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>*, gfxTextRun::PropertyProvider*, gfxTextRun::Range, TextRunDrawParams&, mozilla::gfx::ShapedTextFlags) const|hg:hg.mozilla.org/mozilla-central:gfx/thebes/gfxTextRun.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|440|0xd
0|15|libxul.so|gfxTextRun::Draw(gfxTextRun::Range, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>, gfxTextRun::DrawParams const&) const|hg:hg.mozilla.org/mozilla-central:gfx/thebes/gfxTextRun.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|688|0x31
0|16|libxul.so|mozilla::dom::CanvasBidiProcessor::DrawText(int, int)|hg:hg.mozilla.org/mozilla-central:dom/canvas/CanvasRenderingContext2D.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|4199|0x8
0|17|libxul.so|nsBidiPresUtils::ProcessText(char16_t const*, int, unsigned char, nsPresContext*, nsBidiPresUtils::BidiProcessor&, nsBidiPresUtils::Mode, nsBidiPositionResolve*, int, int*, nsBidi*)|hg:hg.mozilla.org/mozilla-central:layout/base/nsBidiPresUtils.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|2183|0xf
0|18|libxul.so|mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText(nsTSubstring<char16_t> const&, float, float, mozilla::dom::Optional<double> const&, mozilla::dom::CanvasRenderingContext2D::TextDrawOperation, float*)|hg:hg.mozilla.org/mozilla-central:dom/canvas/CanvasRenderingContext2D.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|4478|0x2a
0|19|libxul.so|mozilla::dom::CanvasRenderingContext2D::FillText(nsTSubstring<char16_t> const&, double, double, mozilla::dom::Optional<double> const&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/canvas/CanvasRenderingContext2D.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|3847|0x5
0|20|libxul.so|mozilla::dom::CanvasRenderingContext2D_Binding::fillText|s3:gecko-generated-sources:b6530fdf8b8b275a72e169fd413dc410b2835bb894bb397cdc6ffd2088383526bb9691448ef99e5d9b7c39767ece3df5a26623006aad0d328ef10ae9d8d791f9/dom/bindings/CanvasRenderingContext2DBinding.cpp:|6157|0x2d
0|21|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|3320|0x9
0|22|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|468|0x3
0|23|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|560|0xf
0|24|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|614|0xd
0|25|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|620|0xf
0|26|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|447|0xb
0|27|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|587|0xf
0|28|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|614|0xd
0|29|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|633|0x5
0|30|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|2975|0x1c
0|31|libxul.so|mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&)|s3:gecko-generated-sources:8608c2289a1d9871b163cf64eb28fe0535b7c0d76562f972c9fc16519592354acf8928f3a87d7291ad2787d69def3a71373afde07f5a14adfa582e642eb71bd4/dom/bindings/FunctionBinding.cpp:|41|0x5
0|32|libxul.so|nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*)|s3:gecko-generated-sources:22d0e043233e792b3171635349a7c96c260b02daf1d3a3863f1117e8ce67835c880f3e1615498f0338066a4757ac95face8a6a3a49bfe840d14f59c75432afce/dist/include/mozilla/dom/FunctionBinding.h:|73|0x23
0|33|libxul.so|mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&)|hg:hg.mozilla.org/mozilla-central:dom/base/TimeoutManager.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|837|0xc
0|34|libxul.so|mozilla::dom::TimeoutExecutor::MaybeExecute()|hg:hg.mozilla.org/mozilla-central:dom/base/TimeoutExecutor.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|168|0xf
0|35|libxul.so|mozilla::dom::TimeoutExecutor::Run()|hg:hg.mozilla.org/mozilla-central:dom/base/TimeoutExecutor.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|225|0x5
0|36|libxul.so|mozilla::ThrottledEventQueue::Inner::ExecuteRunnable()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/ThrottledEventQueue.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|249|0x11
0|37|libxul.so|mozilla::ThrottledEventQueue::Inner::Executor::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/ThrottledEventQueue.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|84|0xd
0|38|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|337|0x15
0|39|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|1246|0x15
0|40|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|530|0x11
0|41|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|97|0xa
0|42|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:957a743c4ca2907d8e357fce43fbcd9f619f1122|325|0x17
0|43|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:957a743c4ca2907d8e357fce43fbcd9f619f1122|318|0x8
0|44|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|158|0xd
0|45|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|939|0x11
0|46|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|269|0x5
0|47|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:957a743c4ca2907d8e357fce43fbcd9f619f1122|325|0x17
0|48|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:957a743c4ca2907d8e357fce43fbcd9f619f1122|318|0x8
0|49|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|765|0x8
0|50|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|50|0x14
0|51|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:957a743c4ca2907d8e357fce43fbcd9f619f1122|301|0x11
0|52|libc-2.27.so||||0x21b97
0|53|firefox-bin|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:957a743c4ca2907d8e357fce43fbcd9f619f1122|164|0x5
Flags: in-testsuite?
Attached file prefs.js
Component: Graphics → Canvas: 2D
Assignee: nobody → lsalzman
Status: NEW → ASSIGNED
Attachment #9025533 - Flags: review?(rhunt)
Attachment #9025533 - Flags: review?(rhunt) → review+
Pushed by lsalzman@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/01aa0dc6d098
initialize SkMaskFilter flattenables. r=rhunt
Pushed by lsalzman@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/7b8ac6916321
initialize SkMaskFilter flattenables. r=rhunt
(In reply to Andrei Ciure[:andrei_ciure_] from comment #4)
> Backed out changeset 01aa0dc6d098 (bug 1505426) for skia bustages
> 
> push that caused the backout:
> https://treeherder.mozilla.org/#/jobs?repo=mozilla-
> inbound&resultStatus=testfailed%2Cbusted%2Cexception&classifiedState=unclassi
> fied&group_state=expanded&selectedJob=212792717&revision=01aa0dc6d0987a55fcfa
> c93ae45624d84107f547
> 
> failure:
> https://treeherder.mozilla.org/#/jobs?repo=mozilla-
> inbound&resultStatus=testfailed%2Cbusted%2Cexception&classifiedState=unclassi
> fied&group_state=expanded&fromchange=d32110a492f5eece3697fd039d53dba247f9f202
> &selectedJob=212792717&searchStr=windows%2C2012%2Cx64%2Copt%2Cbuild-win64-
> msvc%2Fopt%2C%28bmsvc%29
> 
> backout:
> https://hg.mozilla.org/integration/mozilla-inbound/rev/
> fa29f8f43d2dde8d9cfaf6044053ad72fa7bbc01

Fixed.
Flags: needinfo?(lsalzman)
https://hg.mozilla.org/mozilla-central/rev/7b8ac6916321
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
You need to log in before you can comment on or make changes to this bug.