Closed Bug 1645123 Opened 5 years ago Closed 5 years ago

Skia debug asserts SIGILL after transition to clang

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla80
Tracking Flags:
Tracking Status
firefox-esr68 --- wontfix
firefox-esr78 --- wontfix
firefox77 --- wontfix
firefox78 --- wontfix
firefox79 --- wontfix
firefox80 --- fixed

People

(Reporter: tsmith, Assigned: lsalzman)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(2 files)

testcase.html
361 bytes, text/html
Details
Bug 1645123 - avoid trapping instructions on Skia debug asserts. r?jrmuizel
47 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

This test case only triggers the bug with debug builds on MacOS and Windows.

rax = 0x000001f4454481c9   rdx = 0x00000099a59f7ad0
rcx = 0x00000000ffffffff   rbx = 0x00000000000002b1
rsi = 0x0000000002b0961b   rdi = 0x0000000000033a4a
rbp = 0x0000000000000000   rsp = 0x00000099a59f7d10
r8 = 0x00000099a59f7ad0    r9 = 0x0000000000000000
r10 = 0x0000000000000000   r11 = 0x00000099a59f7c40
r12 = 0x000001f44dd7f578   r13 = 0x0000000000002000
r14 = 0x00000099a59f7fd0   r15 = 0x0000000001aa8000
rip = 0x00007ffe955b4872
OS|Windows NT|10.0.18363 
CPU|amd64|family 6 model 70 stepping 1|8
GPU|||
Crash|EXCEPTION_ILLEGAL_INSTRUCTION|0x7ffe955b4872|0
0|0|xul.dll|static SkScan::AAAFillPath(SkPath const&, SkBlitter*, SkIRect const&, SkIRect const&, bool)|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/core/SkScan_AAAPath.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|0|0x6d
0|1|xul.dll|static SkScan::AntiFillPath(SkPath const&, SkRegion const&, SkBlitter*, bool)|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/core/SkScan_AntiPath.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|792|0x1b
0|2|xul.dll|SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/core/SkDraw.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|885|0xd
0|3|xul.dll|SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/core/SkDraw.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|975|0x17
0|4|xul.dll|SkDraw::paintPaths(SkDrawableGlyphBuffer*, float, SkPaint const&) const|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/core/SkDraw_text.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|120|0x28
0|5|xul.dll|SkGlyphRunListPainter::drawForBitmapDevice(SkGlyphRunList const&, SkMatrix const&, SkGlyphRunListPainter::BitmapDevicePainter const*)|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/core/SkGlyphRunPainter.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|156|0xc
0|6|xul.dll|SkBitmapDevice::drawGlyphRunList(SkGlyphRunList const&)|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/core/SkBitmapDevice.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|551|0xe
0|7|xul.dll|SkGlyphRunBuilder::drawTextBlob(SkPaint const&, SkTextBlob const&, SkPoint, SkBaseDevice*)|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/core/SkGlyphRun.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|202|0xd
0|8|xul.dll|SkCanvas::onDrawTextBlob(SkTextBlob const*, float, float, SkPaint const&)|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/core/SkCanvas.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|2676|0x10
0|9|xul.dll|SkCanvas::drawTextBlob(SkTextBlob const*, float, float, SkPaint const&)|hg:hg.mozilla.org/mozilla-central:gfx/skia/skia/src/core/SkCanvas.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|2697|0x22
0|10|xul.dll|mozilla::gfx::DrawTargetSkia::DrawGlyphs(mozilla::gfx::ScaledFont*, mozilla::gfx::GlyphBuffer const&, mozilla::gfx::Pattern const&, mozilla::gfx::StrokeOptions const*, mozilla::gfx::DrawOptions const&)|hg:hg.mozilla.org/mozilla-central:gfx/2d/DrawTargetSkia.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|1367|0x21
0|11|xul.dll|GlyphBufferAzure::DrawStroke(gfxContext::AzureState const&, mozilla::gfx::GlyphBuffer&)|hg:hg.mozilla.org/mozilla-central:gfx/thebes/gfxFont.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|1698|0x58
0|12|xul.dll|GlyphBufferAzure::FlushGlyphs()|hg:hg.mozilla.org/mozilla-central:gfx/thebes/gfxFont.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|1676|0x10
0|13|xul.dll|gfxFont::Draw(gfxTextRun const*, unsigned int, unsigned int, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits,float>*, TextRunDrawParams const&, mozilla::gfx::ShapedTextFlags)|hg:hg.mozilla.org/mozilla-central:gfx/thebes/gfxFont.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|2287|0x17
0|14|xul.dll|gfxTextRun::DrawGlyphs(gfxFont*, gfxTextRun::Range, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits,float>*, gfxTextRun::PropertyProvider*, gfxTextRun::Range, TextRunDrawParams&, mozilla::gfx::ShapedTextFlags) const|hg:hg.mozilla.org/mozilla-central:gfx/thebes/gfxTextRun.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|433|0x28
0|15|xul.dll|gfxTextRun::Draw(const gfxTextRun::Range, const mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits,float>, gfxTextRun::DrawParams const&) const|hg:hg.mozilla.org/mozilla-central:gfx/thebes/gfxTextRun.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|680|0x3e
0|16|xul.dll|mozilla::dom::CanvasBidiProcessor::DrawText(int, int)|hg:hg.mozilla.org/mozilla-central:dom/canvas/CanvasRenderingContext2D.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|3694|0x5
0|17|xul.dll|static nsBidiPresUtils::ProcessText(char16_t const*, int, unsigned char, nsPresContext*, nsBidiPresUtils::BidiProcessor&, nsBidiPresUtils::Mode, nsBidiPositionResolve*, int, int*, nsBidi*)|hg:hg.mozilla.org/mozilla-central:layout/base/nsBidiPresUtils.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|2234|0x14
0|18|xul.dll|mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText(nsTSubstring<char16_t> const&, float, float, mozilla::dom::Optional<double> const&, mozilla::dom::CanvasRenderingContext2D::TextDrawOperation, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/canvas/CanvasRenderingContext2D.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|4003|0x36
0|19|xul.dll|mozilla::dom::CanvasRenderingContext2D::StrokeText(nsTSubstring<char16_t> const&, double, double, mozilla::dom::Optional<double> const&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/canvas/CanvasRenderingContext2D.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|3373|0x1c
0|20|xul.dll|mozilla::dom::CanvasRenderingContext2D_Binding::strokeText(JSContext*, JS::Handle<JSObject *>, void*, JSJitMethodCallArgs const&)|s3:gecko-generated-sources:0eaf1915f6e7365f7155ae3be4072850d2d73a7629da634fd02bedb87c40510231446d2f998ec583b9e8852bb77c3d25d6d99cbf3d748c220fc8762bf23c2b2f/dom/bindings/CanvasRenderingContext2DBinding.cpp:|6516|0x28
0|21|xul.dll|mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|3219|0xf
0|22|xul.dll|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|486|0x6
0|23|xul.dll|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|578|0xe
0|24|xul.dll|InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|641|0x11
0|25|xul.dll|Interpret(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|3300|0x13
0|26|xul.dll|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|458|0xb
0|27|xul.dll|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|613|0xd
0|28|xul.dll|InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|641|0x11
0|29|xul.dll|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|658|0xb
0|30|xul.dll|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|2842|0x2c
0|31|xul.dll|mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:2563ad09677feb8ddf64827a409899848ef6a80bfacaa11f581c512536a6fb0c779d8b29517ba6358a054c6d475f770bf7bac2913a941d0394881c5649b08603/dom/bindings/EventListenerBinding.cpp:|55|0x1a
0|32|xul.dll|mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget *>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:99837b3cdc69c5eb1234f9d2b3e771dcff734d56a022bedb1d00c0cf4ee6243fb5c91397a058f2ddab63bda8ed6b581ea1232a0229033866910c7289d24cbc2d/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x13
0|33|xul.dll|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|1082|0x35
0|34|xul.dll|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|1279|0x1e
0|35|xul.dll|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|356|0x18
0|36|xul.dll|static mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|558|0x10
0|37|xul.dll|static mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget *>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|1055|0x25
0|38|xul.dll|nsDocumentViewer::LoadComplete(nsresult)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|1148|0x25
0|39|xul.dll|nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|5709|0x9
0|40|xul.dll|nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|5451|0xb
0|41|xul.dll|nsDocLoader::DoFireOnStateChange(nsIWebProgress* const, nsIRequest* const, int&, const nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|1377|0x1f
0|42|xul.dll|nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|937|0x13
0|43|xul.dll|nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|757|0x8
0|44|xul.dll|nsDocLoader::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|640|0x8
0|45|xul.dll|mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|615|0xc
0|46|xul.dll|mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|522|0xe
0|47|xul.dll|mozilla::dom::Document::DoUnblockOnload()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|10722|0xf
0|48|xul.dll|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|7288|0xa
0|49|xul.dll|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document *,void (mozilla::dom::Document::*)(),1,mozilla::RunnableKind::Standard>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|1237|0xa
0|50|xul.dll|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|146|0x6
0|51|xul.dll|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|1236|0x6
0|52|xul.dll|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|501|0xd
0|53|xul.dll|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|87|0xa
0|54|xul.dll|MessageLoop::RunHandler()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|308|0x8
0|55|xul.dll|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|290|0x5
0|56|xul.dll|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|137|0xd
0|57|xul.dll|nsAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/windows/nsAppShell.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|430|0x8
0|58|xul.dll|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|913|0x6
0|59|xul.dll|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|237|0x5
0|60|xul.dll|MessageLoop::RunHandler()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|308|0x8
0|61|xul.dll|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|290|0x5
0|62|xul.dll|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|744|0xd
0|63|firefox.exe|NS_internal_main(int, char**, char**)|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|303|0x91
0|64|firefox.exe|wmain(int, wchar_t**)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsWindowsWMain.cpp:590d76562067863dd840c9ff7cf85d5e8e2d6b4d|131|0x15
0|65|firefox.exe|__scrt_common_main_seh()|f:/dd/vctools/crt/vcstartup/src/startup/exe_common.inl|288|0x22
0|66|kernel32.dll|BaseThreadInitThunk|||0x14
0|67|ntdll.dll|AslpFileGet16BitDescription|||0x91
Flags: in-testsuite?
Crash Signature: [@ SkScan::AAAFillPath]
status-firefox77: --- → wontfix
status-firefox-esr68: --- → affected
status-firefox-esr78: --- → affected

We're probably behind on our Skia update, and I've seen upstream appears to have fixed a few security issues. Don't know if this is one of them though.

Since I don't expect Skia to be executing user code an "illegal instruction" is worrying -- have we corrupted the stack?

Flags: needinfo?(lsalzman)
Keywords: sec-high

The illegal instruction is a result of a debug assert triggering in Skia. We have an environment variable in Skia that is supposed to disallow asserts for fuzzing that normally would allow these Skia debug asserts to be ignored. However, it seems that the assert macro has a call to __builtin_unreachable() inside it at the end. When we used to build with MSVC, this didn't really do anything and was ignored. On clang, it seems this generates a trapping instruction, so that in debug builds when we run across the __builtin_unreachable() intrinsic, it generates the result we see here. However, once that is commented out, this no longer crashes or triggers any other problem that I can see. In release builds which do not compile in the debug assert at all, the testcase causes no issues.

I don't believe this represents any high priority security issue as such, and I am not sure it represents a security issue at all . What I probably need to do however is fix our support for disabling Skia's debug assertions again, as that has somehow broken. The intention is that unless a Skia bug actually triggers a real crash or problem that an analyzer finds, that we just ignore debug asserts, since the upstream Skia team seems to like to leave the code noisy with triggering these asserts than we would like, which isn't very tenable to address in any other fashion.

I can create a new bug to address the fact that our Skia debug assert silencing support has somehow broken since the clang transition.

Flags: needinfo?(lsalzman) → needinfo?(dveditz)

Since this crash isn't something specific in our code we're going to fix, you can use this bug for silencing the asserts.

Group: gfx-core-security
Flags: needinfo?(dveditz)
Keywords: sec-high
Summary: SIGILL in [@ SkScan::AAAFillPath] → Skia debug asserts SIGILL after transition to clang
Assignee: nobody → lsalzman
Status: NEW → ASSIGNED
Pushed by lsalzman@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ab2f42930fb0 avoid trapping instructions on Skia debug asserts. r=jrmuizel

https://hg.mozilla.org/mozilla-central/rev/ab2f42930fb0

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox80: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
Blocks: 1593127
Blocks: 1593135
Blocks: 1623940
Blocks: 1618692
Flags: in-testsuite? → in-testsuite-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: