/builds/worker/checkouts/gecko/gfx/skia/skia/src/core/SkCanvas.cpp:2182: fatal error: "assert(r.isSorted())"
Categories
(Core :: Graphics, defect, P3)
Tracking
()
Tracking | Status | |
---|---|---|
firefox77 | --- | affected |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file)
336 bytes,
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev 17aa41e3cb7c (built with --enable-debug).
/builds/worker/checkouts/gecko/gfx/skia/skia/src/core/SkCanvas.cpp:2182: fatal error: "assert(r.isSorted())"
rax = 0xa9822494685a7500 rdx = 0x0000560be430ca50
rcx = 0x0000000000000003 rbx = 0x00007fb088c21688
rsi = 0x0000000000000000 rdi = 0x0000560be430ca50
rbp = 0x00007fb0717f20b8 rsp = 0x00007fb0717f2018
r8 = 0x0000000000000000 r9 = 0x0000000000000006
r10 = 0xfffffffffffff7c6 r11 = 0x0000000000000000
r12 = 0x0000000000000000 r13 = 0x0000560be4aa4b1c
r14 = 0x00007fb0717f2260 r15 = 0x0000560be489a350
rip = 0x00007fb08139f618
OS|Linux|0.0.0 Linux 5.3.0-46-generic #38~18.04.1-Ubuntu SMP Tue Mar 31 04:17:56 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|16
16|0|libxul.so|SkCanvas::onDrawRegion(SkRegion const&, SkPaint const&)|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/core/SkCanvas.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|2208|0x0
16|1|||||0x7fb0717f2160
16|2|libxul.so|SkCanvas::onDrawRect(SkRect const&, SkPaint const&)|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/core/SkCanvas.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|2182|0x5
16|3|libxul.so|SkCanvas::drawRect(SkRect const&, SkPaint const&)|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/core/SkCanvas.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|1807|0x50
16|4|libxul.so|mozilla::gfx::DrawTargetSkia::FillRect(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::Pattern const&, mozilla::gfx::DrawOptions const&)|hg:hg.mozilla.org/mozilla-central:gfx/2d/DrawTargetSkia.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|808|0xf
16|5|libxul.so|mozilla::gfx::DrawTargetCaptureImpl::ReplayToDrawTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::BaseMatrix<float> const&)|hg:hg.mozilla.org/mozilla-central:gfx/2d/DrawTargetCapture.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|330|0xf
16|6|libxul.so|mozilla::gfx::DrawTarget::DrawCapturedDT(mozilla::gfx::DrawTargetCapture*, mozilla::gfx::BaseMatrix<float> const&)|hg:hg.mozilla.org/mozilla-central:gfx/2d/DrawTarget.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|168|0xe
16|7|libxul.so|mozilla::layers::PaintThread::AsyncPaintTask(mozilla::layers::CompositorBridgeChild*, mozilla::layers::PaintTask*)|hg:hg.mozilla.org/mozilla-central:gfx/layers/PaintThread.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|228|0x3e
16|8|libxul.so|mozilla::detail::RunnableFunction<mozilla::layers::PaintThread::QueuePaintTask(mozilla::UniquePtr<mozilla::layers::PaintTask, mozilla::DefaultDelete<mozilla::layers::PaintTask> >&&)::$_7>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|557|0x19
16|9|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|1200|0x11
16|10|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|481|0xc
16|11|libxul.so|mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|332|0x13
16|12|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|315|0x17
16|13|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|290|0x8
16|14|libxul.so|nsThread::ThreadFunc(void*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|444|0x8
16|15|libnspr4.so|_pt_root|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/pthreads/ptthread.c:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|201|0x7
16|16|libpthread.so.0||||0x76db
16|17|libc.so.6||||0x12188f
Updated•5 years ago
|
Comment 1•5 years ago
|
||
Does this crash at all when the MOZ_SKIA_DISABLE_ASSERTS=1 environment var is set?
Updated•5 years ago
|
Reporter | ||
Comment 2•5 years ago
|
||
Yes. All fuzzing tests use MOZ_SKIA_DISABLE_ASSERTS=1. See also bug 1593135.
Reporter | ||
Updated•5 years ago
|
Reporter | ||
Comment 3•5 years ago
|
||
Comment 4•5 years ago
|
||
Because this bug's Severity has not been changed from the default since it was filed, and it's Priority is P3
(Backlog,) indicating it has been triaged, the bug's Severity is being updated to S3
(normal.)
Comment 5•3 years ago
|
||
Bugmon Analysis
Unable to reproduce bug 1633523 using build mozilla-central 20200813092915-32ec11f12a62. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Reporter | ||
Comment 6•3 years ago
|
||
I am unable to reproduce this bug on either mozilla-central 20210812-610ae1bbeff8 (tip) or mozilla-central 20200813-32ec11f12a62 (the oldest build available on Taskcluster). I think we can safely close this for now.
Description
•