Closed Bug 1558268 Opened 10 months ago Closed 9 months ago

AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp in mozilla::dom::CanvasRenderingContext2D::GetSurfaceSnapshot(gfxAlphaType*)

Categories

(Core :: Canvas: 2D, defect, P3, critical)

Tracking

RESOLVED FIXED
mozilla69
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox67 --- unaffected
firefox68 --- unaffected
firefox69 --- fixed

People

(Reporter: jkratzer, Assigned: bobowen)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker])

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing mozilla-central rev 7a44faddc33d.

==2316==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f29bd05a7db bp 0x7ffea1591890 sp 0x7ffea1591850 T0)
==2316==The signal is caused by a READ memory access.
==2316==Hint: address points to the zero page.
    #0 0x7f29bd05a7da in mozilla::dom::CanvasRenderingContext2D::GetSurfaceSnapshot(gfxAlphaType*) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp
    #1 0x7f29bd061836 in mozilla::dom::CanvasRenderingContext2D::CreatePattern(mozilla::dom::HTMLImageElementOrSVGImageElementOrHTMLCanvasElementOrHTMLVideoElementOrImageBitmap const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp:2046:50
    #2 0x7f29bb60a972 in mozilla::dom::CanvasRenderingContext2D_Binding::createPattern(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:3969:80
    #3 0x7f29bcf2a482 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3171:13
    #4 0x7f29c4808777 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448:13
    #5 0x7f29c4808777 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540
    #6 0x7f29c47e8f12 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:599:10
    #7 0x7f29c47e8f12 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3087
    #8 0x7f29c47d29e8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:425:10
    #9 0x7f29c480927f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:568:13
    #10 0x7f29c480b4a2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:611:8
    #11 0x7f29c548cb78 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2667:10
    #12 0x7f29bc510429 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
    #13 0x7f29bd7b3642 in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #14 0x7f29bd7b3642 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1022
    #15 0x7f29bd7b5297 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1220:17
    #16 0x7f29bd796001 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
    #17 0x7f29bd796001 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349
    #18 0x7f29bd794236 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
    #19 0x7f29bd79afa4 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1047:11
    #20 0x7f29bd7a2ceb in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
    #21 0x7f29b9db7354 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1029:17
    #22 0x7f29b960ea76 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:3945:28
    #23 0x7f29b960e7ee in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:3915:10
    #24 0x7f29b99d5392 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:6410:3
    #25 0x7f29b9aebaeb in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
    #26 0x7f29b9aebaeb in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1130
    #27 0x7f29b9aebaeb in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1176
    #28 0x7f29b54bb905 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
    #29 0x7f29b54fbe77 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1176:14
    #30 0x7f29b5503ab4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #31 0x7f29b68cf31f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #32 0x7f29b67a65be in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #33 0x7f29b67a65be in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #34 0x7f29b67a65be in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #35 0x7f29bfeed5f3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #36 0x7f29c452f91e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:918:20
    #37 0x7f29b67a65be in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #38 0x7f29b67a65be in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #39 0x7f29b67a65be in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #40 0x7f29c452e454 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:753:34
    #41 0x5613e276feb3 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #42 0x5613e276feb3 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:267
    #43 0x7f29da13db96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Flags: in-testsuite?
Priority: -- → P3
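The report above is the raw material a fuzzing triage pipeline works from: the ASan header gives the error kind and the faulting address, the next line gives the access direction, and the top frames give the bucketing signature. The following Python is an added example, not part of this bug report or of Mozilla's own tooling. It embeds the header and top four frames of the report from comment 0 as its sample input, plus a second, constructed heap-use-after-free report (not from this bug) to show the non-SEGV layout; the `project_root` path it filters on is taken from the paths in this stack, and every function name is the example's own.

```python
import re
from dataclasses import dataclass

PAGE_SIZE = 0x1000  # below this, ASan says "address points to the zero page": a NULL(+offset) dereference

# Excerpt of the report in comment 0 of this bug: the header and the top four frames.
ASAN_REPORT = """\
==2316==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f29bd05a7db bp 0x7ffea1591890 sp 0x7ffea1591850 T0)
==2316==The signal is caused by a READ memory access.
==2316==Hint: address points to the zero page.
    #0 0x7f29bd05a7da in mozilla::dom::CanvasRenderingContext2D::GetSurfaceSnapshot(gfxAlphaType*) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp
    #1 0x7f29bd061836 in mozilla::dom::CanvasRenderingContext2D::CreatePattern(mozilla::dom::HTMLImageElementOrSVGImageElementOrHTMLCanvasElementOrHTMLVideoElementOrImageBitmap const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp:2046:50
    #2 0x7f29bb60a972 in mozilla::dom::CanvasRenderingContext2D_Binding::createPattern(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:3969:80
    #3 0x7f29bcf2a482 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3171:13
"""

# Constructed sample (not from this bug): ASan's non-SEGV layout, where the READ/WRITE line has no "==" prefix.
CONSTRUCTED_UAF = """\
==4242==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000050 at pc 0x4a1b2c bp 0x7ffd00 sp 0x7ffd00
READ of size 4 at 0x602000000050 thread T0
    #0 0x4a1b2b in use_after(int*) /src/example.cpp:12:10
    #1 0x4a1c00 in main /src/example.cpp:20:3
"""

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"\b(READ|WRITE)\b")
# The symbolized path is the last whitespace-free token; the function text before it may contain spaces.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>.+?) (?P<loc>\S+)$")


@dataclass
class Frame:
    index: int
    func: str
    file: str
    line: object  # int, or None when the symbolizer gave only a file (as for frame #0 above)


@dataclass
class CrashReport:
    kind: str      # ASan's own name: SEGV, heap-use-after-free, heap-buffer-overflow, ...
    address: int
    access: str    # READ, WRITE or UNKNOWN
    frames: list


def split_location(loc):
    """'x.cpp:2046:50' -> ('x.cpp', 2046); 'x.cpp:2046' -> ('x.cpp', 2046); 'x.cpp' -> ('x.cpp', None)."""
    parts, nums = loc.split(":"), []
    while len(parts) > 1 and parts[-1].isdigit():
        nums.append(int(parts.pop()))          # collects [col, line] or [line]
    return ":".join(parts), (nums[-1] if nums else None)


def strip_params(func):
    """Drop the trailing parameter list, matching parens so 'void (X::*)()' inside <...> survives."""
    if not func.endswith(")"):
        return func
    depth = 0
    for i in range(len(func) - 1, -1, -1):
        depth += {")": 1, "(": -1}.get(func[i], 0)
        if depth == 0:
            return func[:i]
    return func


def parse_asan(text):
    kind = addr = access = None
    frames = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m and kind is None:
            kind, addr = m.group("kind"), int(m.group("addr"), 16)
            continue
        m = ACCESS_RE.search(line)
        if m and access is None and not frames:   # the access line sits between header and stack
            access = m.group(1)
            continue
        m = FRAME_RE.match(line)
        if m:
            file, lineno = split_location(m.group("loc"))
            frames.append(Frame(int(m.group("n")), m.group("func"), file, lineno))
    if kind is None:
        raise ValueError("no AddressSanitizer error header found")
    return CrashReport(kind, addr, access or "UNKNOWN", frames)


def classify(r):
    """Coarse severity bucket. A SEGV on the zero page is a NULL dereference: a reliable process
    crash but, with no attacker-chosen address, a DoS rather than a memory-corruption primitive."""
    if r.kind != "SEGV":
        return r.kind
    if r.address < PAGE_SIZE:
        return f"null-deref ({r.access})"
    return f"wild-{r.access.lower()} ({r.address:#x})"


def signature(r, depth=3, project_root="/builds/worker/workspace/build/src/"):
    """Bucketing key: error kind plus the top `depth` project-source frames, parameter lists
    stripped so binding/template noise does not split one bug into many buckets."""
    funcs = [strip_params(f.func) for f in r.frames if f.file.startswith(project_root)]
    return "|".join([r.kind] + funcs[:depth])


if __name__ == "__main__":
    for text in (ASAN_REPORT, CONSTRUCTED_UAF):
        rep = parse_asan(text)
        print(classify(rep), "->", signature(rep, project_root="/"))
```

Two details of this particular report are worth noticing when reading it by hand as well: frame #0 carries no line number (the symbolizer attributed the faulting PC only to CanvasRenderingContext2D.cpp), so the call site has to be read from frame #1 at line 2046; and the address is exactly 0, which with the "zero page" hint makes this a plain NULL dereference reachable from content JavaScript via createPattern, i.e. a content-process crash rather than a corruption primitive, consistent with the bug being filed as a fuzzblocker rather than a security-sensitive bug.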

Testcase bisects to the following range:

Start: 0c2b0dd884cce2c67fc713867efd194163bc70e6 (20190607161754)
End: bee3a910397d6ccdc5b7420c65508fead0bf1741 (20190607162031)

https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=0c2b0dd884cce2c67fc713867efd194163bc70e6&tochange=bee3a910397d6ccdc5b7420c65508fead0bf1741

This bug, along with bug 1558281 and bug 1558283, has been triggered over 3000 times since 6/7/19. We will likely have to disable all Canvas2D fuzzing until this is fixed.

:jbonisteel, any idea when this might be addressed?

Flags: needinfo?(jbonisteel)

Possibly the remoting work from Bob Owen?

Flags: needinfo?(jbonisteel) → needinfo?(bobowencode)

Sorry, I didn't realise this was causing such a problem for fuzzing; the crashes in Nightly didn't look too frequent.
I've put up a patch on bug 1558009 that will hopefully fix this.

Depends on: 1558009
Flags: needinfo?(bobowencode)

It would be really useful to know if the patch on bug 1558009 fixes this issue for the fuzzing.

Flags: needinfo?(jkratzer)

(In reply to Bob Owen (:bobowen) from comment #5)
> It would be really useful to know if the patch on bug 1558009 fixes this issue for the fuzzing.

:bobowen, I can confirm that this issue no longer reproduces using the patch from bug 1558009. Thanks!

Flags: needinfo?(jkratzer)

Calling this fixed by bug 1558009 then.

Assignee: nobody → bobowencode
Status: NEW → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69