Closed Bug 1633523 Opened 5 years ago Closed 3 years ago

/builds/worker/checkouts/gecko/gfx/skia/skia/src/core/SkCanvas.cpp:2182: fatal error: "assert(r.isSorted())"

Categories: Core :: Graphics, defect, P3

Status: RESOLVED WORKSFORME
Tracking Status: firefox77 --- affected

People: Reporter: jkratzer, Unassigned

References: Blocks 1 open bug

Details: Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed]

Attachments: 1 file

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 17aa41e3cb7c (built with --enable-debug).

/builds/worker/checkouts/gecko/gfx/skia/skia/src/core/SkCanvas.cpp:2182: fatal error: "assert(r.isSorted())"

rax = 0xa9822494685a7500   rdx = 0x0000560be430ca50
rcx = 0x0000000000000003   rbx = 0x00007fb088c21688
rsi = 0x0000000000000000   rdi = 0x0000560be430ca50
rbp = 0x00007fb0717f20b8   rsp = 0x00007fb0717f2018
r8 = 0x0000000000000000    r9 = 0x0000000000000006
r10 = 0xfffffffffffff7c6   r11 = 0x0000000000000000
r12 = 0x0000000000000000   r13 = 0x0000560be4aa4b1c
r14 = 0x00007fb0717f2260   r15 = 0x0000560be489a350
rip = 0x00007fb08139f618
OS|Linux|0.0.0 Linux 5.3.0-46-generic #38~18.04.1-Ubuntu SMP Tue Mar 31 04:17:56 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|16
16|0|libxul.so|SkCanvas::onDrawRegion(SkRegion const&, SkPaint const&)|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/core/SkCanvas.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|2208|0x0
16|1|||||0x7fb0717f2160
16|2|libxul.so|SkCanvas::onDrawRect(SkRect const&, SkPaint const&)|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/core/SkCanvas.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|2182|0x5
16|3|libxul.so|SkCanvas::drawRect(SkRect const&, SkPaint const&)|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/core/SkCanvas.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|1807|0x50
16|4|libxul.so|mozilla::gfx::DrawTargetSkia::FillRect(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::Pattern const&, mozilla::gfx::DrawOptions const&)|hg:hg.mozilla.org/mozilla-central:gfx/2d/DrawTargetSkia.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|808|0xf
16|5|libxul.so|mozilla::gfx::DrawTargetCaptureImpl::ReplayToDrawTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::BaseMatrix<float> const&)|hg:hg.mozilla.org/mozilla-central:gfx/2d/DrawTargetCapture.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|330|0xf
16|6|libxul.so|mozilla::gfx::DrawTarget::DrawCapturedDT(mozilla::gfx::DrawTargetCapture*, mozilla::gfx::BaseMatrix<float> const&)|hg:hg.mozilla.org/mozilla-central:gfx/2d/DrawTarget.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|168|0xe
16|7|libxul.so|mozilla::layers::PaintThread::AsyncPaintTask(mozilla::layers::CompositorBridgeChild*, mozilla::layers::PaintTask*)|hg:hg.mozilla.org/mozilla-central:gfx/layers/PaintThread.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|228|0x3e
16|8|libxul.so|mozilla::detail::RunnableFunction<mozilla::layers::PaintThread::QueuePaintTask(mozilla::UniquePtr<mozilla::layers::PaintTask, mozilla::DefaultDelete<mozilla::layers::PaintTask> >&&)::$_7>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|557|0x19
16|9|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|1200|0x11
16|10|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|481|0xc
16|11|libxul.so|mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|332|0x13
16|12|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|315|0x17
16|13|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|290|0x8
16|14|libxul.so|nsThread::ThreadFunc(void*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|444|0x8
16|15|libnspr4.so|_pt_root|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/pthreads/ptthread.c:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|201|0x7
16|16|libpthread.so.0||||0x76db
16|17|libc.so.6||||0x12188f
Flags: in-testsuite?
Flags: needinfo?(lsalzman)

Does this crash at all when the MOZ_SKIA_DISABLE_ASSERTS=1 environment var is set?

Flags: needinfo?(lsalzman) → needinfo?(jkratzer)
Priority: -- → P3

Yes. All fuzzing tests use MOZ_SKIA_DISABLE_ASSERTS=1. See also bug 1593135.

Flags: needinfo?(jkratzer)
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200428100141-a99c73301874.
The bug appears to have been introduced in the following build range:
> Start: 58bb9946f9ec43c3ffa7931a69b333a67ee6e904 (20191030221038)
> End: 5fe1e03dbfbca52dbaec0dc096ca1884a851203d (20191031095309)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=58bb9946f9ec43c3ffa7931a69b333a67ee6e904&tochange=5fe1e03dbfbca52dbaec0dc096ca1884a851203d

Because this bug's Severity has not been changed from the default since it was filed, and its Priority is P3 (Backlog), indicating it has been triaged, the bug's Severity is being updated to S3 (normal).

Severity: normal → S3

Bugmon Analysis
Unable to reproduce bug 1633523 using build mozilla-central 20200813092915-32ec11f12a62. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

I am unable to reproduce this bug on either mozilla-central 20210812-610ae1bbeff8 (tip) or mozilla-central 20200813-32ec11f12a62 (the oldest build available on Taskcluster). I think we can safely close this for now.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME