Closed
Bug 1640247
Opened 4 years ago
Closed 4 years ago
null pointer passed as argument 1, which is declared to never be null in gfx/2d/InlineTranslator.cpp:31
Categories
(Core :: Graphics, defect)
Core
Graphics
Tracking
()
RESOLVED
FIXED
mozilla78
| Tracking | Status | |
|---|---|---|
| firefox78 | --- | fixed |
People
(Reporter: tsmith, Assigned: lsalzman)
References
(Blocks 2 open bugs)
Details
Attachments
(1 file)
To enable this check add the following to your mozconfig:
ac_add_options --enable-undefined-sanitizer="nonnull-attribute"
This can reproduced by running the test suite at https://www.antutu.com/html5/
src/gfx/2d/InlineTranslator.cpp:31:16: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:43:28: note: nonnull attribute specified here
#0 0x7f5f1e3b0b8f in mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader::read(char*, long) src/gfx/2d/InlineTranslator.cpp:31:9
#1 0x7f5f1e3ac60b in mozilla::gfx::RecordedUnscaledFontCreation::RecordedUnscaledFontCreation<mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader>(mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader&) src/gfx/2d/RecordedEventImpl.h:3552:11
#2 0x7f5f1e3ac60b in bool mozilla::gfx::RecordedEvent::DoWithEvent<mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader>(mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader&, mozilla::gfx::RecordedEvent::EventType, std::function<bool (mozilla::gfx::RecordedEvent*)> const&) src/gfx/2d/RecordedEventImpl.h:3875:5
#3 0x7f5f1e3a8576 in mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long) src/gfx/2d/InlineTranslator.cpp:72:20
#4 0x7f5f1ed89317 in mozilla::gfx::CrossProcessPaint::ResolveInternal(mozilla::dom::IdType<mozilla::dom::BrowserParent>, nsRefPtrHashtable<nsUint64HashKey, mozilla::gfx::SourceSurface>*) src/gfx/ipc/CrossProcessPaint.cpp:399:21
#5 0x7f5f1ed88868 in mozilla::gfx::CrossProcessPaint::MaybeResolve() src/gfx/ipc/CrossProcessPaint.cpp:335:19
#6 0x7f5f1ed87fb0 in mozilla::gfx::CrossProcessPaint::ReceiveFragment(mozilla::dom::WindowGlobalParent*, mozilla::gfx::PaintFragment&&) src/gfx/ipc/CrossProcessPaint.cpp:287:3
#7 0x7f5f22c8863c in std::enable_if<TakesArgument<void (mozilla::dom::WindowGlobalParent::DrawSnapshotInternal(mozilla::gfx::CrossProcessPaint*, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> > const&, float, unsigned int, unsigned int)::$_4::*)(mozilla::gfx::PaintFragment&&) const>::value, mozilla::detail::MethodTrait<void (mozilla::dom::WindowGlobalParent::DrawSnapshotInternal(mozilla::gfx::CrossProcessPaint*, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> > const&, float, unsigned int, unsigned int)::$_4::*)(mozilla::gfx::PaintFragment&&) const>::ReturnType>::type mozilla::MozPromise<mozilla::gfx::PaintFragment, mozilla::ipc::ResponseRejectReason, true>::InvokeMethod<mozilla::dom::WindowGlobalParent::DrawSnapshotInternal(mozilla::gfx::CrossProcessPaint*, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> > const&, float, unsigned int, unsigned int)::$_4, void (mozilla::dom::WindowGlobalParent::DrawSnapshotInternal(mozilla::gfx::CrossProcessPaint*, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> > const&, float, unsigned int, unsigned int)::$_4::*)(mozilla::gfx::PaintFragment&&) const, mozilla::gfx::PaintFragment>(mozilla::dom::WindowGlobalParent::DrawSnapshotInternal(mozilla::gfx::CrossProcessPaint*, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> > const&, float, unsigned int, unsigned int)::$_4*, void (mozilla::dom::WindowGlobalParent::DrawSnapshotInternal(mozilla::gfx::CrossProcessPaint*, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> > const&, float, unsigned int, unsigned int)::$_4::*)(mozilla::gfx::PaintFragment&&) const, mozilla::gfx::PaintFragment&&) src/objdir-ff-ubsan/dist/include/mozilla/MozPromise.h:555:12
#8 0x7f5f22c8863c in std::enable_if<!(false), void>::type mozilla::MozPromise<mozilla::gfx::PaintFragment, mozilla::ipc::ResponseRejectReason, true>::InvokeCallbackMethod<false, mozilla::dom::WindowGlobalParent::DrawSnapshotInternal(mozilla::gfx::CrossProcessPaint*, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> > const&, float, unsigned int, unsigned int)::$_4, void (mozilla::dom::WindowGlobalParent::DrawSnapshotInternal(mozilla::gfx::CrossProcessPaint*, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> > const&, float, unsigned int, unsigned int)::$_4::*)(mozilla::gfx::PaintFragment&&) const, mozilla::gfx::PaintFragment, RefPtr<mozilla::MozPromise<mozilla::gfx::PaintFragment, mozilla::ipc::ResponseRejectReason, true>::Private> >(mozilla::dom::WindowGlobalParent::DrawSnapshotInternal(mozilla::gfx::CrossProcessPaint*, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> > const&, float, unsigned int, unsigned int)::$_4*, void (mozilla::dom::WindowGlobalParent::DrawSnapshotInternal(mozilla::gfx::CrossProcessPaint*, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> > const&, float, unsigned int, unsigned int)::$_4::*)(mozilla::gfx::PaintFragment&&) const, mozilla::gfx::PaintFragment&&, RefPtr<mozilla::MozPromise<mozilla::gfx::PaintFragment, mozilla::ipc::ResponseRejectReason, true>::Private>&&) src/objdir-ff-ubsan/dist/include/mozilla/MozPromise.h:586:5
#9 0x7f5f22c8863c in mozilla::MozPromise<mozilla::gfx::PaintFragment, mozilla::ipc::ResponseRejectReason, true>::ThenValue<mozilla::dom::WindowGlobalParent::DrawSnapshotInternal(mozilla::gfx::CrossProcessPaint*, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> > const&, float, unsigned int, unsigned int)::$_4, mozilla::dom::WindowGlobalParent::DrawSnapshotInternal(mozilla::gfx::CrossProcessPaint*, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> > const&, float, unsigned int, unsigned int)::$_5>::DoResolveOrRejectInternal(mozilla::MozPromise<mozilla::gfx::PaintFragment, mozilla::ipc::ResponseRejectReason, true>::ResolveOrRejectValue&) src/objdir-ff-ubsan/dist/include/mozilla/MozPromise.h:771:9
#10 0x7f5f1d9c990e in mozilla::MozPromise<mozilla::gfx::PaintFragment, mozilla::ipc::ResponseRejectReason, true>::ThenValueBase::ResolveOrRejectRunnable::Run() src/objdir-ff-ubsan/dist/include/mozilla/MozPromise.h:410:21
#11 0x7f5f1bebc4bb in mozilla::AutoTaskDispatcher::DrainDirectTasks() src/objdir-ff-ubsan/dist/include/mozilla/TaskDispatcher.h:99:10
#12 0x7f5f1beb5d02 in mozilla::XPCOMThreadWrapper::MaybeFireTailDispatcher() src/xpcom/threads/AbstractThread.cpp:134:29
#13 0x7f5f1bea5f1c in mozilla::XPCOMThreadWrapper::AfterProcessNextEvent(nsIThreadInternal*, bool) src/xpcom/threads/AbstractThread.cpp:338:3
#14 0x7f5f1bea5f1c in non-virtual thunk to mozilla::XPCOMThreadWrapper::AfterProcessNextEvent(nsIThreadInternal*, bool) src/xpcom/threads/AbstractThread.cpp
#15 0x7f5f1bedfc43 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1230:3
#16 0x7f5f1bee7c2c in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:501:10
#17 0x7f5f1d194249 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:109:5
#18 0x7f5f1d0556d7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#19 0x7f5f1d0556d7 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:308:3
#20 0x7f5f1d0556d7 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#21 0x7f5f234004e8 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#22 0x7f5f26ecf4cb in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:271:30
#23 0x7f5f270f4e70 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4629:22
#24 0x7f5f270f6ace in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4771:8
#25 0x7f5f270f73e3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4825:21
#26 0x55d2b8e54b18 in do_main(int, char**, char**) src/browser/app/nsBrowserApp.cpp:217:22
#27 0x55d2b8e54b18 in main src/browser/app/nsBrowserApp.cpp:331:16
|
||
Comment 1•4 years ago
|
||
We don't want any surprises to happen because of this ubsan issue, and it should be trivial to fix (e.g. by checking the pointer).
Severity: -- → S2
|
||
Comment 2•4 years ago
|
||
S1 or S2 bugs need an assignee - could you find someone for this bug?
Flags: needinfo?(jbonisteel)
|
||
Comment 3•4 years ago
|
||
Lee, can you jump on this?
Flags: needinfo?(jbonisteel) → needinfo?(lsalzman)
|
Assignee | |
Comment 4•4 years ago
|
||
|
||
Updated•4 years ago
|
Assignee: nobody → lsalzman
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•4 years ago
|
Flags: needinfo?(lsalzman)
Pushed by lsalzman@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7c170b6be51a
silence UBSan recorded font warnings. r=aosmond
|
||
Comment 7•4 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla78
You need to log in
before you can comment on or make changes to this bug.
Description
•