1513111 - skia: abort triggered from [@ SkEdgeBuilder::buildPoly]

Status: RESOLVED WONTFIX

(Core :: Graphics: Canvas2D, defect, P3)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

#0 gsignal /build/glibc-Cl5G7W/glibc-2.23/signal/../sysdeps/unix/sysv/linux/raise.c:54
#1 abort /build/glibc-Cl5G7W/glibc-2.23/stdlib/abort.c:89
#2 AssertRelease src/gfx/skia/skia/include/private/SkArenaAlloc.h:140:57
#3 makeArrayDefault<SkEdge> src/gfx/skia/skia/include/private/SkArenaAlloc.h:103
#4 SkEdgeBuilder::buildPoly(SkPath const&, SkIRect const*, int, bool) src/gfx/skia/skia/src/core/SkEdgeBuilder.cpp:288
#5 SkEdgeBuilder::build(SkPath const&, SkIRect const*, int, bool, SkEdgeBuilder::EdgeType) src/gfx/skia/skia/src/core/SkEdgeBuilder.cpp:368:22
#6 SkEdgeBuilder::build_edges(SkPath const&, SkIRect const*, int, bool, SkEdgeBuilder::EdgeType) src/gfx/skia/skia/src/core/SkEdgeBuilder.cpp:471:23
#7 sk_fill_path(SkPath const&, SkIRect const&, SkBlitter*, int, int, int, bool) src/gfx/skia/skia/src/core/SkScan_Path.cpp:410:25
#8 SkScan::SAAFillPath(SkPath const&, SkBlitter*, SkIRect const&, SkIRect const&, bool) src/gfx/skia/skia/src/core/SkScan_AntiPath.cpp:724:9
#9 SkScan::AntiFillPath(SkPath const&, SkRegion const&, SkBlitter*, bool, SkDAARecord*) src/gfx/skia/skia/src/core/SkScan_AntiPath.cpp:836:9
#10 SkScan::AntiFillPath(SkPath const&, SkRasterClip const&, SkBlitter*, SkDAARecord*) src/gfx/skia/skia/src/core/SkScan_AntiPath.cpp:873:9
#11 SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const src/gfx/skia/skia/src/core/SkDraw.cpp:1023:5
#12 SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const src/gfx/skia/skia/src/core/SkDraw.cpp:1114:11
#13 drawPath src/gfx/skia/skia/src/core/SkDraw.h:56:15
#14 SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, bool) src/gfx/skia/skia/src/core/SkBitmapDevice.cpp:417
#15 SkCanvas::onDrawPath(SkPath const&, SkPaint const&) src/gfx/skia/skia/src/core/SkCanvas.cpp:2135:23
#16 SkCanvas::drawPath(SkPath const&, SkPaint const&) src/gfx/skia/skia/src/core/SkCanvas.cpp:1697:11
#17 mozilla::gfx::DrawTargetSkia::Fill(mozilla::gfx::Path const*, mozilla::gfx::Pattern const&, mozilla::gfx::DrawOptions const&) src/gfx/2d/DrawTargetSkia.cpp:921:12
#18 mozilla::dom::CanvasRenderingContext2D::Fill(mozilla::dom::CanvasPath const&, mozilla::dom::CanvasWindingRule const&) src/dom/canvas/CanvasRenderingContext2D.cpp:3005:11
#19 mozilla::dom::CanvasRenderingContext2D_Binding::fill(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:2953:13
#20 bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3063:13
#21 0x146c094e0f9f  (<unknown module>)

Comment 1

[Ryan Hunt [:rhunt]]

Lee, I'm able to reproduce this. Do you want to take a look at it?

Comment 2

[Lee Salzman [:lsalzman]]

There's nothing we can really do here. That's an explicit release assert guarding against a previously existing security bug to prevent the allocator from overflowing. The code is too deep in the bowels of Skia to make fallible. As far as the security bug was concerned, we deemed it fair to merely hit the assert in that case, and Skia upstream made the similar fix observed here.