Open Bug 1706792 Opened 4 years ago Updated 2 years ago

[@ NS_ABORT_OOM | @ mozilla::nsCSSGradientRenderer::Paint]

Categories

(Core :: Web Painting, defect, P3)

Tracking Status
firefox90 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 6531d095b2a7 (built with --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 6531d095b2a7 --asan --fuzzing -n build
$ python -m grizzly.replay --xvfb ./build/firefox ./testcase.html

    #0 0x7fce52e62f0f in NS_ABORT_OOM(unsigned long) /builds/worker/checkouts/gecko/xpcom/base/nsDebugImpl.cpp:618:3
    #1 0x7fce52e11304 in nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_RelocateUsingMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long) /builds/worker/workspace/obj-build/dist/include/nsTArray-inl.h:154:5
    #2 0x7fce5b6b7273 in mozilla::ColorStop* nsTArray_Impl<mozilla::ColorStop, nsTArrayInfallibleAllocator>::InsertElementAtInternal<nsTArrayInfallibleAllocator, mozilla::ColorStop&>(unsigned long, mozilla::ColorStop&) /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2600:47
    #3 0x7fce5b63d3b7 in InsertElementAt<mozilla::ColorStop &> /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2873:24
    #4 0x7fce5b63d3b7 in ResolvePremultipliedAlpha /builds/worker/checkouts/gecko/layout/painting/nsCSSRenderingGradients.cpp:471:16
    #5 0x7fce5b63d3b7 in mozilla::nsCSSGradientRenderer::Paint(gfxContext&, nsRect const&, nsRect const&, nsSize const&, mozilla::gfx::IntRectTyped<mozilla::CSSPixel> const&, nsRect const&, float) /builds/worker/checkouts/gecko/layout/painting/nsCSSRenderingGradients.cpp:992:3
    #6 0x7fce5b6e72fe in mozilla::nsImageRenderer::Draw(nsPresContext*, gfxContext&, nsRect const&, nsRect const&, nsRect const&, nsPoint const&, nsSize const&, mozilla::gfx::IntRectTyped<mozilla::CSSPixel> const&, float) /builds/worker/checkouts/gecko/layout/painting/nsImageRenderer.cpp:495:16
    #7 0x7fce5b6ea691 in mozilla::nsImageRenderer::DrawLayer(nsPresContext*, gfxContext&, nsRect const&, nsRect const&, nsPoint const&, nsRect const&, nsSize const&, float) /builds/worker/checkouts/gecko/layout/painting/nsImageRenderer.cpp:740:10
    #8 0x7fce5b6088ef in nsCSSRendering::PaintStyleImageLayerWithSC(nsCSSRendering::PaintBGParams const&, gfxContext&, mozilla::ComputedStyle*, nsStyleBorder const&) /builds/worker/checkouts/gecko/layout/painting/nsCSSRendering.cpp:2584:38
    #9 0x7fce5b3fde6b in mozilla::PaintMaskSurface(mozilla::SVGIntegrationUtils::PaintFramesParams const&, mozilla::gfx::DrawTarget*, float, mozilla::ComputedStyle*, nsTArray<mozilla::SVGMaskFrame*> const&, mozilla::gfx::BaseMatrix<float> const&, nsPoint const&) /builds/worker/checkouts/gecko/layout/svg/SVGIntegrationUtils.cpp:503:35
    #10 0x7fce5b3fc0da in mozilla::SVGIntegrationUtils::PaintMask(mozilla::SVGIntegrationUtils::PaintFramesParams const&, bool&) /builds/worker/checkouts/gecko/layout/svg/SVGIntegrationUtils.cpp:831:26
    #11 0x7fce5b5c98fa in nsDisplayMasksAndClipPaths::PaintMask(nsDisplayListBuilder*, gfxContext*, bool*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:9285:18
    #12 0x7fce558a0ebe in mozilla::layers::WebRenderCommandBuilder::BuildWrMaskImage(nsDisplayMasksAndClipPaths*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*, mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float> const&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2559:20
    #13 0x7fce5b6959a1 in CreateWRClipPathAndMasks /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:9563:58
    #14 0x7fce5b6959a1 in nsDisplayMasksAndClipPaths::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:9593:30
    #15 0x7fce5589581b in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1673:41
    #16 0x7fce55893ad1 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1796:7
    #17 0x7fce5b673cd3 in nsDisplayWrapList::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:5601:30
    #18 0x7fce5b67a403 in nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:6355:22
    #19 0x7fce5589581b in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1673:41
    #20 0x7fce55893ad1 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1796:7
    #21 0x7fce55892280 in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, nsDisplayList*, nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1593:5
    #22 0x7fce558acc3b in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(nsDisplayList*, nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderLayerManager.cpp:372:30
    #23 0x7fce5b652ae2 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2464:18
    #24 0x7fce5af6a9a6 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3490:45
    #25 0x7fce5ae7fff1 in mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6392:5
    #26 0x7fce5a870d35 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:459:18
    #27 0x7fce5a87044f in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:394:22
    #28 0x7fce5a87234c in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:972:5
    #29 0x7fce5adffa32 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2364:11
    #30 0x7fce5ae0a3c5 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:346:13
    #31 0x7fce5ae0a3c5 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:324:7
    #32 0x7fce5ae0a12d in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:340:5
    #33 0x7fce5ae09631 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:773:5
    #34 0x7fce5ae09631 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:702:16
    #35 0x7fce5ae08bed in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:615:7
    #36 0x7fce5ae08371 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:536:9
    #37 0x7fce5a0686d7 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncChild.cpp:68:15
    #38 0x7fce54b9878c in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
    #39 0x7fce54825122 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6008:32
    #40 0x7fce542bdeba in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2154:25
    #41 0x7fce542ba56e in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2078:9
    #42 0x7fce542bbf28 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1926:3
    #43 0x7fce542bca8b in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1957:13
    #44 0x7fce530a38ca in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:473:16
    #45 0x7fce5306fe30 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:757:26
    #46 0x7fce5306d967 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:612:15
    #47 0x7fce5306ddbd in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:396:36
    #48 0x7fce530accc1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:135:37
    #49 0x7fce530accc1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:534:5
    #50 0x7fce5308aaa3 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
    #51 0x7fce53095a2c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #52 0x7fce542c57ef in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #53 0x7fce541d0041 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #54 0x7fce541d0041 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #55 0x7fce541d0041 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #56 0x7fce5a92e5f7 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #57 0x7fce5e44015f in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:906:20
    #58 0x7fce541d0041 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #59 0x7fce541d0041 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #60 0x7fce541d0041 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #61 0x7fce5e43f9ef in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:34
    #62 0x55a563ea020d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #63 0x55a563ea0631 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309:18
    #64 0x7fce71a140b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

Flags: in-testsuite?
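The trace above is the whole diagnostic the bug carries, so it is worth being precise about what it says: the top frame is NS_ABORT_OOM, which is Gecko's deliberate abort when an infallible allocation (here an nsTArray growing inside ResolvePremultipliedAlpha) fails. That is a content-process crash, a denial of service, not a memory-safety fault, which is consistent with the S3/P3 triage below. The following triage helper is an added example, not code from this bug or from Mozilla's tooling: it parses ASan-style frame lines, collapses symbols the way a crash signature does, builds a signature and classifies the crash kind. Its sample input is the first six frames copied from the trace above. The PREFIX_FRAMES rule is an assumed, simplified stand-in for Mozilla's real signature rules; the real signature on this bug also prepends "OOM | large" from the allocation size and writes frame #3 as nsTArray<T>::InsertElementAt, neither of which this approximation reproduces.

```python
"""Triage helper: crash signature and crash kind from an ASan/Gecko stack
trace (added example, not part of the bug report or of Mozilla's tools)."""
import re

# Constructed sample: the first six frames of the trace in this bug.
SAMPLE_TRACE = """\
    #0 0x7fce52e62f0f in NS_ABORT_OOM(unsigned long) /builds/worker/checkouts/gecko/xpcom/base/nsDebugImpl.cpp:618:3
    #1 0x7fce52e11304 in nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_RelocateUsingMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long) /builds/worker/workspace/obj-build/dist/include/nsTArray-inl.h:154:5
    #2 0x7fce5b6b7273 in mozilla::ColorStop* nsTArray_Impl<mozilla::ColorStop, nsTArrayInfallibleAllocator>::InsertElementAtInternal<nsTArrayInfallibleAllocator, mozilla::ColorStop&>(unsigned long, mozilla::ColorStop&) /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2600:47
    #3 0x7fce5b63d3b7 in InsertElementAt<mozilla::ColorStop &> /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2873:24
    #4 0x7fce5b63d3b7 in ResolvePremultipliedAlpha /builds/worker/checkouts/gecko/layout/painting/nsCSSRenderingGradients.cpp:471:16
    #5 0x7fce5b63d3b7 in mozilla::nsCSSGradientRenderer::Paint(gfxContext&, nsRect const&, nsRect const&, nsSize const&, mozilla::gfx::IntRectTyped<mozilla::CSSPixel> const&, nsRect const&, float) /builds/worker/checkouts/gecko/layout/painting/nsCSSRenderingGradients.cpp:992:3
"""

# "#N 0xADDR in SYMBOL /path:line:col"; the symbol may contain spaces,
# the path never does, so the path is anchored at the end of the line.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(.*?)\s+(/\S+)$")

# Assumed simplification of Mozilla's signature rules: these frames are kept
# in the signature but do not end it, so the first "real" caller is reached.
PREFIX_FRAMES = (
    re.compile(r"^NS_ABORT_OOM$"),
    re.compile(r"^nsTArray"),
    re.compile(r"^InsertElementAt"),
)


def parse_frames(text):
    """Return [(index, raw_symbol, location)] for every frame line."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m.group(1)), m.group(2), m.group(3)))
    return frames


def normalize_symbol(sym):
    """Drop the parameter list, collapse every top-level template argument
    list to <T> and drop a leading return type, e.g.
    'mozilla::ColorStop* nsTArray_Impl<A, B>::Insert<C>(unsigned long)'
    becomes 'nsTArray_Impl<T>::Insert<T>'."""
    sym = sym.replace("operator()", "operatorCALL")  # keep its own parens
    out, depth = [], 0
    for ch in sym:
        if ch == "<":
            if depth == 0:
                out.append("<T>")
            depth += 1
        elif ch == ">":
            depth = max(depth - 1, 0)
        elif depth == 0:
            if ch == "(":
                break  # start of the parameter list: nothing after matters
            out.append(ch)
    name = "".join(out).strip()
    name = name.rsplit(" ", 1)[-1]  # text before the last space is a return type
    return name.replace("operatorCALL", "operator()")


def is_prefix(name):
    return any(p.match(name) for p in PREFIX_FRAMES)


def crash_signature(frames, max_frames=5):
    """Socorro-style '[@ a | b | c ]' built from the top of the stack."""
    parts = []
    for _, sym, _ in frames:
        name = normalize_symbol(sym)
        parts.append(name)
        if not is_prefix(name) or len(parts) >= max_frames:
            break
    return "[@ " + " | ".join(parts) + " ]"


def classify(frames):
    """Return (kind, detail). A top frame of NS_ABORT_OOM is Gecko aborting
    on purpose because an infallible allocation failed: a crash/DoS, not a
    memory-safety fault. The detail names the first frame below the array
    machinery, i.e. the code that let the container grow."""
    if not frames:
        return ("unknown", None)
    top = normalize_symbol(frames[0][1])
    if top != "NS_ABORT_OOM":
        return ("other", top)
    for _, sym, loc in frames[1:]:
        name = normalize_symbol(sym)
        if not is_prefix(name):
            return ("oom-abort", f"{name} at {loc}")
    return ("oom-abort", None)


if __name__ == "__main__":
    fr = parse_frames(SAMPLE_TRACE)
    print(crash_signature(fr))
    print(classify(fr))
```

Run it on the full trace from the comment above and the classification stays "oom-abort" with ResolvePremultipliedAlpha as the culprit; feeding it a report whose top frame is an ASan error handler instead of NS_ABORT_OOM returns "other", which is the case that warrants memory-safety triage rather than OOM triage.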

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210421212740-683c2a81d1a3.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 47426d145e246fa1924fbda83a8ecb0d25a6f606 (20200423095248)
End: 3df0f92987d1bba705cbdf8c5fe366b9d3071bc4 (20210421031109)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
No longer blocks: domino
Depends on: domino
Blocks: domino
No longer depends on: domino

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210421114451-6531d095b2a7) but not with tip (mozilla-central 20220114220151-25ebce40c654).
The bug appears to have been fixed in the following build range:

Start: b0febb3c6ba1f3bb9837d11f8b529839f8083068 (20210721014505)
End: d716918916ac1a4993a616f07d501f9b64be467d (20210721044843)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=b0febb3c6ba1f3bb9837d11f8b529839f8083068&tochange=d716918916ac1a4993a616f07d501f9b64be467d
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Severity: -- → S3
Priority: -- → P3
Crash Signature: [@ OOM | large | NS_ABORT_OOM | nsTArray_base<T>::EnsureCapacity<T> | nsTArray_Impl<T>::InsertElementAtInternal<T> | nsTArray<T>::InsertElementAt | ResolvePremultipliedAlpha ]