Closed Bug 1547786 Opened 5 years ago Closed 5 years ago

AddressSanitizer: ABRT /build/glibc-OTsEL5/glibc-2.27/signal/../sysdeps/unix/sysv/linux/nptl-signals.h:80 in __libc_signal_restore_set

Categories: Core :: Graphics, defect
Type: defect
Priority: Not set
Severity: critical
Tracking: RESOLVED WONTFIX
Tracking Status: firefox68 --- affected
People: Reporter: jkratzer, Assigned: lsalzman
References: Blocks 1 open bug
Details: Keywords: assertion, crash, testcase
Attachments: 1 file

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 420e18a75314. Testcase takes a few seconds to trigger.

==23966==ERROR: AddressSanitizer: ABRT on unknown address 0x03e800005d9e (pc 0x7fdeee1f4e97 bp 0x7ffdb996c850 sp 0x7ffdb996c5e0 T0)
#0 0x7fdeee1f4e96 in __libc_signal_restore_set /build/glibc-OTsEL5/glibc-2.27/signal/../sysdeps/unix/sysv/linux/nptl-signals.h:80
#1 0x7fdeee1f4e96 in gsignal /build/glibc-OTsEL5/glibc-2.27/signal/../sysdeps/unix/sysv/linux/raise.c:48
#2 0x7fdeee1f6800 in abort /build/glibc-OTsEL5/glibc-2.27/stdlib/abort.c:79
#3 0x7fded7783cf6 in makeArrayDefault<SkAnalyticEdge> /builds/worker/workspace/build/src/gfx/skia/skia/include/private/SkArenaAlloc.h
#4 0x7fded7783cf6 in SkAnalyticEdgeBuilder::allocEdges(unsigned long, unsigned long*) /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkEdgeBuilder.cpp:248
#5 0x7fded7783fdd in SkEdgeBuilder::buildPoly(SkPath const&, SkIRect const*, bool) /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkEdgeBuilder.cpp:274:24
#6 0x7fded789a841 in aaa_fill_path /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan_AAAPath.cpp:1598:25
#7 0x7fded789a841 in SkScan::AAAFillPath(SkPath const&, SkBlitter*, SkIRect const&, SkIRect const&, bool) /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan_AAAPath.cpp:1720
#8 0x7fded74c4581 in SkScan::AntiFillPath(SkPath const&, SkRegion const&, SkBlitter*, bool, SkDAARecord*) /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan_AntiPath.cpp:844:9
#9 0x7fded74c5c75 in SkScan::AntiFillPath(SkPath const&, SkRasterClip const&, SkBlitter*, SkDAARecord*) /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan_AntiPath.cpp:883:9
#10 0x7fded776dfc5 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.cpp:885:5
#11 0x7fded776ecd7 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.cpp:976:11
#12 0x7fded759024b in drawPath /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.h:56:15
#13 0x7fded759024b in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, bool) /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkBitmapDevice.cpp:391
#14 0x7fded75c566c in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkCanvas.cpp:2231:23
#15 0x7fded75ba735 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkCanvas.cpp:1763:11
#16 0x7fdeccf25193 in mozilla::gfx::DrawTargetSkia::Stroke(mozilla::gfx::Path const*, mozilla::gfx::Pattern const&, mozilla::gfx::StrokeOptions const&, mozilla::gfx::DrawOptions const&) /builds/worker/workspace/build/src/gfx/2d/DrawTargetSkia.cpp:790:12
#17 0x7fded1b124fe in mozilla::dom::CanvasRenderingContext2D::Stroke(mozilla::dom::CanvasPath const&) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp:2762:11
#18 0x7fded010a74a in mozilla::dom::CanvasRenderingContext2D_Binding::stroke(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:3051:13
#19 0x7fded19c5e62 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3153:13
#20 0x7fded929a460 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:443:13
#21 0x7fded929a460 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535
#22 0x7fded927abc4 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:594:10
#23 0x7fded927abc4 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3080
#24 0x7fded9264698 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:10
#25 0x7fded929add3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:563:13
#26 0x7fded929ca52 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:606:8
#27 0x7fded9f0fca8 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2636:10
#28 0x7fded0fbf740 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
#29 0x7fded2298b92 in HandleEvent<mozilla::dom::EventTarget*> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#30 0x7fded2298b92 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1039
#31 0x7fded229ac4e in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1240:17
#32 0x7fded227b481 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:355:5
#33 0x7fded227b481 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349
#34 0x7fded22796b6 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
#35 0x7fded22803ee in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1046:11
#36 0x7fded22880eb in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
#37 0x7fdece955c14 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1024:17
#38 0x7fdece1f4426 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4055:28
#39 0x7fdece1f419e in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4025:10
#40 0x7fdece58f4f2 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:4997:3
#41 0x7fdece69abbb in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1122:12
#42 0x7fdece69abbb in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1128
#43 0x7fdece69abbb in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1174
#44 0x7fdeca09f341 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
#45 0x7fdeca0a6f64 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#46 0x7fdecb40d07f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#47 0x7fdecb2e5dfe in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#48 0x7fdecb2e5dfe in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#49 0x7fdecb2e5dfe in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#50 0x7fded49aaad3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#51 0x7fded8c715e0 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:270:30
#52 0x7fded8fad337 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4578:22
#53 0x7fded8fafd54 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4716:8
#54 0x7fded8fb15a9 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4797:21
#55 0x5566c926a3da in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:212:22
#56 0x5566c926a3da in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:291
#57 0x7fdeee1d7b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Flags: in-testsuite?

Lee, how bad is this?

Flags: needinfo?(lsalzman)

This just triggers a release assert that exists to prevent security bugs like buffer overflows, of which we probably have several on file, but for which the assert is ultimately the fix. There is currently no easy alternative way to handle such security issues than just explicitly assert before we get to them, so upstream long ago decided to go that route. This is not a bug and is explicit behavior that is unfortunately not going to get changed. Therefore, I am going to mark this as a wontfix for now.

Assignee: nobody → lsalzman
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(lsalzman)
Resolution: --- → WONTFIX
Keywords: assertion
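The fail-fast pattern Lee describes, as an added C++ example that is not Skia's or Firefox's code: a toy arena allocator whose array-size arithmetic is checked before any memory is touched, so an impossible edge count aborts (the ABRT ASan reported above) instead of overflowing the arena. `TinyArena`, `EdgeRecord`, `checkedArrayBytes`, `fits` and `allocEdgesChecked` are hypothetical names modelled on `SkArenaAlloc::makeArrayDefault` and `allocEdges`, not the real API.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <limits>

struct EdgeRecord { int32_t x0, y0, x1, y1; };  // stand-in for SkAnalyticEdge

// Overflow check for count * sizeof(T): false when the byte count would not
// fit a uint32_t, the kind of condition a release assert guards against.
template <typename T>
bool checkedArrayBytes(size_t count, uint32_t* outBytes) {
    if (count > std::numeric_limits<uint32_t>::max() / sizeof(T)) return false;
    *outBytes = static_cast<uint32_t>(count * sizeof(T));
    return true;
}

class TinyArena {  // hypothetical bump allocator; block must be suitably aligned
public:
    TinyArena(char* block, uint32_t size) : cursor_(block), end_(block + size) {}
    // True only if `count` T's can still be carved out of the remaining block.
    template <typename T>
    bool fits(size_t count) const {
        uint32_t bytes = 0;
        return checkedArrayBytes<T>(count, &bytes) &&
               bytes <= static_cast<size_t>(end_ - cursor_);
    }
    // Bump-allocate `count` zero-initialised T's (trivial types only). An
    // impossible request aborts: a loud ABRT rather than a silent write past
    // `end_` that a later edge store would turn into memory corruption.
    template <typename T>
    T* makeArrayDefault(size_t count) {
        if (!fits<T>(count)) std::abort();  // the "release assert"
        T* array = reinterpret_cast<T*>(cursor_);
        uint32_t bytes = static_cast<uint32_t>(count * sizeof(T));
        std::memset(array, 0, bytes);
        cursor_ += bytes;
        return array;
    }
private:
    char* cursor_;
    char* end_;
};

// Caller in the spirit of allocEdges(): the edge count derives from the path
// being stroked. Returns the number allocated, or 0 (and a null pointer) for a
// request that would trip the assert, so the decision is observable.
size_t allocEdgesChecked(TinyArena& arena, size_t count, EdgeRecord** out) {
    if (!arena.fits<EdgeRecord>(count)) { *out = nullptr; return 0; }
    *out = arena.makeArrayDefault<EdgeRecord>(count);
    return count;
}
```

The point of the example is the ordering: the size check runs before the pointer bump, so the only reachable failure mode is the abort, never an out-of-bounds write.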