Closed Bug 1558281 Opened 5 years ago Closed 4 years ago

AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp in mozilla::dom::CanvasRenderingContext2D::GetImageBuffer(int*)

Categories

(Core :: Graphics: Canvas2D, defect, P3)

defect

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox69 --- wontfix

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker])

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 7a44faddc33d.

==12398==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8f18aa66f6 bp 0x7ffe8d35f7f0 sp 0x7ffe8d35f700 T0)
==12398==The signal is caused by a READ memory access.
==12398==Hint: address points to the zero page.
    #0 0x7f8f18aa66f5 in mozilla::dom::CanvasRenderingContext2D::GetImageBuffer(int*) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp
    #1 0x7f8f18aa7430 in mozilla::dom::CanvasRenderingContext2D::GetInputStream(char const*, nsTSubstring<char16_t> const&, nsIInputStream**) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp:1657:38
    #2 0x7f8f1554c152 in mozilla::dom::ImageEncoder::ExtractDataInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, unsigned char*, int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, bool, mozilla::layers::Image*, nsICanvasRenderingContextInternal*, mozilla::layers::AsyncCanvasRenderer*, nsIInputStream**, imgIEncoder*) /builds/worker/workspace/build/src/dom/base/ImageEncoder.cpp:325:20
    #3 0x7f8f1554abcb in mozilla::dom::ImageEncoder::ExtractData(nsTSubstring<char16_t>&, nsTSubstring<char16_t> const&, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, bool, nsICanvasRenderingContextInternal*, mozilla::layers::AsyncCanvasRenderer*, nsIInputStream**) /builds/worker/workspace/build/src/dom/base/ImageEncoder.cpp:229:10
    #4 0x7f8f194a9731 in ExtractData /builds/worker/workspace/build/src/dom/html/HTMLCanvasElement.cpp:723:10
    #5 0x7f8f194a9731 in mozilla::dom::HTMLCanvasElement::ToDataURLImpl(JSContext*, nsIPrincipal&, nsTSubstring<char16_t> const&, JS::Value const&, nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/dom/html/HTMLCanvasElement.cpp:752
    #6 0x7f8f194a8eb4 in mozilla::dom::HTMLCanvasElement::ToDataURL(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, nsTSubstring<char16_t>&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/HTMLCanvasElement.cpp:604:9
    #7 0x7f8f183afa30 in mozilla::dom::HTMLCanvasElement_Binding::toDataURL(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLCanvasElement*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLCanvasElementBinding.cpp:357:24
    #8 0x7f8f18977482 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3171:13
    #9 0x7f8f20255777 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448:13
    #10 0x7f8f20255777 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540
    #11 0x7f8f20235f12 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:599:10
    #12 0x7f8f20235f12 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3087
    #13 0x7f8f2021f9e8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:425:10
    #14 0x7f8f2025627f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:568:13
    #15 0x7f8f202584a2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:611:8
    #16 0x7f8f20ed9b78 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2667:10
    #17 0x7f8f17f5d429 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
    #18 0x7f8f19200642 in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #19 0x7f8f19200642 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1022
    #20 0x7f8f19202297 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1220:17
    #21 0x7f8f191e3001 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
    #22 0x7f8f191e3001 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349
    #23 0x7f8f191e1236 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
    #24 0x7f8f191e7fa4 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1047:11
    #25 0x7f8f1c1e91e9 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1107:7
    #26 0x7f8f1f086b78 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6679:20
    #27 0x7f8f1f085b52 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6479:7
    #28 0x7f8f1f08b7e7 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #29 0x7f8f13b171b5 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1315:3
    #30 0x7f8f13b15daa in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:874:14
    #31 0x7f8f13b10600 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:712:9
    #32 0x7f8f13b13c65 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:600:5
    #33 0x7f8f13b158f4 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
    #34 0x7f8f112533d1 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:568:22
    #35 0x7f8f15424b08 in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/Document.cpp:10072:18
    #36 0x7f8f15424b08 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/Document.cpp:10004
    #37 0x7f8f15423595 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:6518:3
    #38 0x7f8f15538aeb in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
    #39 0x7f8f15538aeb in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1130
    #40 0x7f8f15538aeb in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1176
    #41 0x7f8f10f08905 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
    #42 0x7f8f10f48e77 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1176:14
    #43 0x7f8f10f50ab4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #44 0x7f8f1231c31f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #45 0x7f8f121f35be in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #46 0x7f8f121f35be in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #47 0x7f8f121f35be in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #48 0x7f8f1b93a5f3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #49 0x7f8f1ff7c91e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:918:20
    #50 0x7f8f121f35be in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #51 0x7f8f121f35be in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #52 0x7f8f121f35be in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #53 0x7f8f1ff7b454 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:753:34
    #54 0x564b8fb57eb3 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #55 0x564b8fb57eb3 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:267
    #56 0x7f8f35b8ab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Flags: in-testsuite?
Priority: -- → P3

The attached test case no longer reproduces the issue and the fuzzers last hit the issue in July 2019. Assuming this has been fixed elsewhere.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Resolution: FIXED → WORKSFORME