AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp in mozilla::dom::CanvasRenderingContext2D::GetSurfaceSnapshot(gfxAlphaType*)
Categories
(Core :: Graphics: Canvas2D, defect, P3)
Tracking

Tracking | | Status
---|---|---
firefox-esr60 | --- | unaffected
firefox-esr68 | --- | unaffected
firefox67 | --- | unaffected
firefox68 | --- | unaffected
firefox69 | --- | fixed
People
(Reporter: jkratzer, Assigned: bobowen)
References
(Blocks 2 open bugs)
Details
(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker])
Attachments
(1 file)
461 bytes, text/html
Found while fuzzing mozilla-central rev 7a44faddc33d.
==2316==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f29bd05a7db bp 0x7ffea1591890 sp 0x7ffea1591850 T0)
==2316==The signal is caused by a READ memory access.
==2316==Hint: address points to the zero page.
#0 0x7f29bd05a7da in mozilla::dom::CanvasRenderingContext2D::GetSurfaceSnapshot(gfxAlphaType*) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp
#1 0x7f29bd061836 in mozilla::dom::CanvasRenderingContext2D::CreatePattern(mozilla::dom::HTMLImageElementOrSVGImageElementOrHTMLCanvasElementOrHTMLVideoElementOrImageBitmap const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp:2046:50
#2 0x7f29bb60a972 in mozilla::dom::CanvasRenderingContext2D_Binding::createPattern(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:3969:80
#3 0x7f29bcf2a482 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3171:13
#4 0x7f29c4808777 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448:13
#5 0x7f29c4808777 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540
#6 0x7f29c47e8f12 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:599:10
#7 0x7f29c47e8f12 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3087
#8 0x7f29c47d29e8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:425:10
#9 0x7f29c480927f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:568:13
#10 0x7f29c480b4a2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:611:8
#11 0x7f29c548cb78 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2667:10
#12 0x7f29bc510429 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
#13 0x7f29bd7b3642 in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#14 0x7f29bd7b3642 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1022
#15 0x7f29bd7b5297 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1220:17
#16 0x7f29bd796001 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
#17 0x7f29bd796001 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349
#18 0x7f29bd794236 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
#19 0x7f29bd79afa4 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1047:11
#20 0x7f29bd7a2ceb in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
#21 0x7f29b9db7354 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1029:17
#22 0x7f29b960ea76 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:3945:28
#23 0x7f29b960e7ee in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:3915:10
#24 0x7f29b99d5392 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:6410:3
#25 0x7f29b9aebaeb in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
#26 0x7f29b9aebaeb in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1130
#27 0x7f29b9aebaeb in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1176
#28 0x7f29b54bb905 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
#29 0x7f29b54fbe77 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1176:14
#30 0x7f29b5503ab4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#31 0x7f29b68cf31f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#32 0x7f29b67a65be in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#33 0x7f29b67a65be in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#34 0x7f29b67a65be in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#35 0x7f29bfeed5f3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#36 0x7f29c452f91e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:918:20
#37 0x7f29b67a65be in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#38 0x7f29b67a65be in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#39 0x7f29b67a65be in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#40 0x7f29c452e454 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:753:34
#41 0x5613e276feb3 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#42 0x5613e276feb3 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:267
#43 0x7f29da13db96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
Comment 1 • 5 years ago (Reporter)
Testcase bisects to the following range:
Start: 0c2b0dd884cce2c67fc713867efd194163bc70e6 (20190607161754)
End: bee3a910397d6ccdc5b7420c65508fead0bf1741 (20190607162031)
Comment 2 • 5 years ago (Reporter)
This bug, along with bug 1558281 and bug 1558283, has been triggered over 3000 times since 6/7/19. We will likely have to disable all Canvas2D fuzzing until this is fixed.
:jbonisteel, any idea when this might be addressed?
Comment 3 • 5 years ago
Possibly the remoting work from Bob Owen?
Comment 4 • 5 years ago (Assignee)
Sorry, I didn't realise this was causing such a problem for fuzzing; the crashes in Nightly didn't look too frequent.
I've put up a patch on bug 1558009 that will hopefully fix this.
Comment 5 • 5 years ago (Assignee)
It would be really useful to know if the patch on bug 1558009 fixes this issue for the fuzzing.
Comment 6 • 5 years ago (Reporter)
(In reply to Bob Owen (:bobowen) from comment #5)
> It would be really useful to know if the patch on bug 1558009 fixes this issue for the fuzzing.
:bobowen, I can confirm that this issue no longer reproduces using the patch from bug 1558009. Thanks!
Comment 7 • 5 years ago
Calling this fixed by bug 1558009 then.