Closed Bug 1709441 Opened 3 years ago Closed 3 years ago

UndefinedBehaviorSanitizer: /gecko/gfx/cairo/cairo/src/cairo-image-surface.c:1255:50: runtime error: applying zero offset to null pointer

Categories

(Core :: Graphics, defect)

defect

Tracking


VERIFIED FIXED
90 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox88 --- unaffected
firefox89 --- unaffected
firefox90 --- verified

People

(Reporter: tsmith, Assigned: jfkthame)

References

(Blocks 3 open bugs, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20210501-cd81489560e4 (--enable-address-sanitizer --enable-fuzzing)

/gecko/gfx/cairo/cairo/src/cairo-image-surface.c:1255:50: runtime error: applying zero offset to null pointer
    #0 0x7fbb17d5a981 in _cairo_image_compute_color /gecko/gfx/cairo/cairo/src/cairo-image-surface.c:1255:50
    #1 0x7fbb17c9fbc8 in _cairo_pdf_surface_emit_image /gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:2718:13
    #2 0x7fbb17c9697b in _cairo_pdf_surface_emit_surface /gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:3518:11
    #3 0x7fbb17c94019 in _cairo_pdf_surface_write_patterns_and_smask_groups /gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:6841:15
    #4 0x7fbb17c8a8ea in _cairo_pdf_surface_write_page /gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:6986:14
    #5 0x7fbb17c8a8ea in _cairo_pdf_surface_show_page /gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:5091:14
    #6 0x7fbb17dd48f3 in _moz_cairo_surface_show_page /gecko/gfx/cairo/cairo/src/cairo-surface.c:2555:40
    #7 0x7fbb17d78e64 in _cairo_paginated_surface_show_page /gecko/gfx/cairo/cairo/src/cairo-paginated-surface.c:587:5
    #8 0x7fbb17dd48f3 in _moz_cairo_surface_show_page /gecko/gfx/cairo/cairo/src/cairo-surface.c:2555:40
    #9 0x7fbb10ffa5af in mozilla::gfx::PrintTargetPDF::EndPage() /gecko/gfx/thebes/PrintTargetPDF.cpp:63:3
    #10 0x7fbb1094cb6d in nsDeviceContext::EndPage() /gecko/gfx/src/nsDeviceContext.cpp:582:31
    #11 0x7fbb16ae02c3 in mozilla::layout::RemotePrintJobParent::PrintPage(mozilla::layout::PRFileDescStream&, nsRefCountedHashtable<nsUint64HashKey, RefPtr<mozilla::gfx::RecordedDependentSurface> >*) /gecko/layout/printing/ipc/RemotePrintJobParent.cpp:171:29
    #12 0x7fbb16ae01cb in mozilla::layout::RemotePrintJobParent::FinishProcessingPage(nsRefCountedHashtable<nsUint64HashKey, RefPtr<mozilla::gfx::RecordedDependentSurface> >*) /gecko/layout/printing/ipc/RemotePrintJobParent.cpp:146:17
    #13 0x7fbb16ae004b in mozilla::layout::RemotePrintJobParent::RecvProcessPage(nsTArray<unsigned long>&&) /gecko/layout/printing/ipc/RemotePrintJobParent.cpp:121:5
    #14 0x7fbb0fda483b in mozilla::layout::PRemotePrintJobParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PRemotePrintJobParent.cpp:301:28
    #15 0x7fbb0f939b43 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:6629:32
    #16 0x7fbb0f66135a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2152:25
    #17 0x7fbb0f65da88 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:2076:9
    #18 0x7fbb0f65f3e5 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1924:3
    #19 0x7fbb0f65ff4b in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1955:13
    #20 0x7fbb0e465462 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:482:16
    #21 0x7fbb0e431e30 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:766:26
    #22 0x7fbb0e42f937 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:621:15
    #23 0x7fbb0e42fd8d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:405:36
    #24 0x7fbb0e46ee11 in operator() /gecko/xpcom/threads/TaskController.cpp:138:37
    #25 0x7fbb0e46ee11 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:534:5
    #26 0x7fbb0e44c758 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1159:16
    #27 0x7fbb0e45750c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #28 0x7fbb0f668adf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
    #29 0x7fbb0f573561 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #30 0x7fbb0f573561 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #31 0x7fbb0f573561 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #32 0x7fbb15d08e67 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #33 0x7fbb19725967 in nsAppStartup::Run() /gecko/toolkit/components/startup/nsAppStartup.cpp:273:30
    #34 0x7fbb1992a467 in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:5364:22
    #35 0x7fbb1992c4be in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5555:8
    #36 0x7fbb1992d213 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5614:21
    #37 0x562fb1694fda in do_main /gecko/browser/app/nsBrowserApp.cpp:224:22
    #38 0x562fb1694fda in main /gecko/browser/app/nsBrowserApp.cpp:351:16
    #39 0x7fbb2ecaa0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #40 0x562fb15e58c9 in _start (/home/worker/builds/try-20210430033625-fuzzing-asan-opt/firefox+0x5b8c9)
Flags: in-testsuite?

The same test case also triggers

Assertion failure: nsLayoutUtils::IsAncestorFrameCrossDoc(mAdditionalOffsetFrame, aFrame), at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:1516

#0 0x7f4b8e4fa07c in operator() src/layout/painting/nsDisplayList.cpp:1515:7
#1 0x7f4b8e4fa07c in nsDisplayListBuilder::FindReferenceFrameFor(nsIFrame const*, nsPoint*) const src/layout/painting/nsDisplayList.cpp:1533:9
#2 0x7f4b8e28927d in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) src/layout/generic/nsIFrame.cpp:3654:21
#3 0x7f4b8e1f5db5 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) src/layout/generic/nsIFrame.cpp:4206:12
#4 0x7f4b8e1dd02d in DisplayLine(nsDisplayListBuilder*, nsLineList_iterator&, bool, nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) src/layout/generic/nsBlockFrame.cpp:6906:13
#5 0x7f4b8e1dbab1 in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/nsBlockFrame.cpp:7064:9
#6 0x7f4b8e288123 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) src/layout/generic/nsIFrame.cpp:3410:5
#7 0x7f4b8e1f5db5 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) src/layout/generic/nsIFrame.cpp:4206:12
#8 0x7f4b8e1dd02d in DisplayLine(nsDisplayListBuilder*, nsLineList_iterator&, bool, nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int, int, int&) src/layout/generic/nsBlockFrame.cpp:6906:13
#9 0x7f4b8e1dbab1 in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/nsBlockFrame.cpp:7064:9
#10 0x7f4b8e288123 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) src/layout/generic/nsIFrame.cpp:3410:5
#11 0x7f4b8e1f5db5 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) src/layout/generic/nsIFrame.cpp:4206:12
#12 0x7f4b8e1e6be8 in nsCanvasFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/nsCanvasFrame.cpp:641:5
#13 0x7f4b8e1f6077 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) src/layout/generic/nsIFrame.cpp:4239:14
#14 0x7f4b8e1b650c in mozilla::ViewportFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/ViewportFrame.cpp:66:3
#15 0x7f4b8e1f6077 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, mozilla::EnumSet<nsIFrame::DisplayChildFlag, unsigned int>) src/layout/generic/nsIFrame.cpp:4239:14
#16 0x7f4b8e2edd1e in BuildPreviousPageOverflow src/layout/generic/nsPageFrame.cpp:618:19
#17 0x7f4b8e2edd1e in nsPageFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/nsPageFrame.cpp:669:7
#18 0x7f4b8e288123 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) src/layout/generic/nsIFrame.cpp:3410:5
#19 0x7f4b8e198464 in mozilla::PrintedSheetFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/PrintedSheetFrame.cpp:112:16
#20 0x7f4b8e288123 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) src/layout/generic/nsIFrame.cpp:3410:5
#21 0x7f4b8e15f3e8 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3403:17
#22 0x7f4b8e2f1f25 in nsPageSequenceFrame::PrintNextSheet() src/layout/generic/nsPageSequenceFrame.cpp:674:3
#23 0x7f4b8e548642 in nsPrintJob::PrintSheet(nsPrintObject*, bool&) src/layout/printing/nsPrintJob.cpp:2356:31
#24 0x7f4b8e5481e6 in nsPagePrintTimer::Run() src/layout/printing/nsPagePrintTimer.cpp:74:43
#25 0x7f4b897ecb62 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:143:20
#26 0x7f4b89817e2e in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:482:16
#27 0x7f4b897f5779 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:766:26
#28 0x7f4b897f46d4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:621:15
#29 0x7f4b897f4863 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:405:36
#30 0x7f4b8981b559 in operator() src/xpcom/threads/TaskController.cpp:141:37
#31 0x7f4b8981b559 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#32 0x7f4b898074ff in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1159:16
#33 0x7f4b8980e1ba in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#34 0x7f4b8b2974d0 in bool mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&)::$_4>(nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&)::$_4&&, nsIThread*) /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:93:25
#35 0x7f4b8b2955aa in nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) src/dom/base/nsGlobalWindowOuter.cpp:5414:5
#36 0x7f4b8b2947dd in nsGlobalWindowOuter::PrintOuter(mozilla::ErrorResult&) src/dom/base/nsGlobalWindowOuter.cpp:5237:3
#37 0x7f4b8e13d217 in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1172:43
#38 0x7f4b8f1698a5 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6501:20
#39 0x7f4b8f169391 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:5891:7
#40 0x7f4b8f16a21f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
#41 0x7f4b8a9b01cc in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1348:3
#42 0x7f4b8a9af78a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:954:14
#43 0x7f4b8a9adcc7 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) src/uriloader/base/nsDocLoader.cpp:773:9
#44 0x7f4b8a9aecf5 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:656:5
#45 0x7f4b8f18a188 in nsDocShell::OnStopRequest(nsIRequest*, nsresult) src/docshell/base/nsDocShell.cpp:13628:23
#46 0x7f4b8999f88a in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) src/netwerk/base/nsLoadGroup.cpp:625:22
#47 0x7f4b899a0d83 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:529:10
#48 0x7f4b8b37ee9d in mozilla::dom::Document::DoUnblockOnload() src/dom/base/Document.cpp:11309:18
#49 0x7f4b8b35c430 in mozilla::dom::Document::UnblockOnload(bool) src/dom/base/Document.cpp:11239:9
#50 0x7f4b8b36e2b1 in mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:7774:3
#51 0x7f4b8b3de786 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#52 0x7f4b8b3de786 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#53 0x7f4b8b3de786 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#54 0x7f4b897ecb62 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:143:20
#55 0x7f4b89817e2e in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:482:16
#56 0x7f4b897f5779 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:766:26
#57 0x7f4b897f46d4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:621:15
#58 0x7f4b897f4863 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:405:36
#59 0x7f4b8981b4e6 in operator() src/xpcom/threads/TaskController.cpp:138:37
#60 0x7f4b8981b4e6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#61 0x7f4b898074ff in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1159:16
#62 0x7f4b8980e1ba in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#63 0x7f4b8a0edd56 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
#64 0x7f4b8a057da7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#65 0x7f4b8a057cc2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#66 0x7f4b8a057cc2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#67 0x7f4b8ddd8898 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#68 0x7f4b8f6b08c3 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:911:20
#69 0x7f4b8a0eec4a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#70 0x7f4b8a057da7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#71 0x7f4b8a057cc2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#72 0x7f4b8a057cc2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#73 0x7f4b8f6b04de in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:743:34
#74 0x55a040d31b36 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#75 0x55a040d31b36 in main src/browser/app/nsBrowserApp.cpp:313:18
#76 0x7f4b9e8280b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#77 0x55a040d0e93c in _start (/home/user/workspace/browsers/m-c-20210503153234-fuzzing-debug/firefox-bin+0x1593c)
Blocks: ubsan

A Pernosco session is available here: https://pernos.co/debug/dXKspE-HE75NOK1__5k6UA/index.html

(In reply to Tyson Smith [:tsmith] from comment #1)
> The same test case also triggers
>
> Assertion failure: nsLayoutUtils::IsAncestorFrameCrossDoc(mAdditionalOffsetFrame, aFrame), at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:1516

That's likely a different issue, it might be the same as bug 1697291 because that one also uses printing.

Blocks: domino
Severity: -- → S3

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210505041336-2cc060f28173.
The bug appears to have been introduced in the following build range:

Start: 3009bdef939c0786c38c376de07ba615cbca0d8b (20210427221830)
End: cd81489560e48d19e43f8438c0c939fb58023648 (20210501093251)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3009bdef939c0786c38c376de07ba615cbca0d8b&tochange=cd81489560e48d19e43f8438c0c939fb58023648

Whiteboard: [bugmon:bisected,confirmed]

Assuming bug 739096, the cairo update, from that.

Regressed by: 739096
Has Regression Range: --- → yes

Set release status flags based on info from the regressing bug 739096

This occurs because we end up with a cairo_image_surface_t that has a width of zero (thanks to an extreme transform), and _cairo_image_compute_color wants to compute a pointer to the pixel data in order to scan it. It wouldn't actually try to use that pointer, because the loops over the pixels will not execute any iterations, so in that sense it ought to be harmless, but the mere operation of computing the pointer is UB according to the standard.

So the simple fix here is to check for zero size and bail out early.

Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
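The failure mode described in the comment above, as an added C example that is not part of this bug, of cairo, or of Firefox: a constructed image_t stand-in (hypothetical, not cairo's cairo_image_surface_t), a pixel-scan routine with the unguarded row-pointer computation, and the same routine behind the early zero-size bail-out the fix describes. SOLID_IMG, MIXED_IMG and ZERO_WIDTH_IMG are constructed sample surfaces. Built with clang and -fsanitize=undefined, the unguarded call on the zero-width surface is the one that produces the "applying zero offset to null pointer" report; the guarded one is silent.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the fields of an image surface that matter here
 * (hypothetical struct, not cairo's cairo_image_surface_t). */
typedef struct {
    int width;            /* pixels per row */
    int height;           /* rows */
    int stride;           /* bytes per row; 0 for a zero-width surface */
    const uint8_t *data;  /* pixel buffer; NULL when nothing was allocated */
} image_t;

typedef enum {
    COLOR_UNKNOWN = 0,    /* no pixels were scanned */
    COLOR_SOLID,          /* every pixel equals the first */
    COLOR_MIXED           /* at least two distinct pixels */
} color_kind_t;

/* Shape of the bug: the row pointer is derived from data before anything
 * checks that there are pixels to read. With width == 0, stride == 0 and
 * data == NULL the inner loop never runs, so nothing is dereferenced, but
 * evaluating data + y * stride is NULL + 0, which C leaves undefined and
 * UBSan reports as "applying zero offset to null pointer". */
color_kind_t compute_color_unguarded(const image_t *img)
{
    color_kind_t kind = COLOR_UNKNOWN;
    uint32_t first = 0;
    for (int y = 0; y < img->height; y++) {
        const uint32_t *row =
            (const uint32_t *)(img->data + (size_t)y * (size_t)img->stride);
        for (int x = 0; x < img->width; x++) {
            if (kind == COLOR_UNKNOWN) {
                first = row[x];
                kind = COLOR_SOLID;
            } else if (row[x] != first) {
                return COLOR_MIXED;
            }
        }
    }
    return kind;
}

/* The fix as the bug describes it: bail out early on a zero-sized image so
 * that no pointer is ever computed from data. */
color_kind_t compute_color_guarded(const image_t *img)
{
    if (img->width <= 0 || img->height <= 0 || img->data == NULL)
        return COLOR_UNKNOWN;
    return compute_color_unguarded(img);
}

/* Constructed sample surfaces (2x2 ARGB32, stride = 2 pixels * 4 bytes). */
static const uint32_t solid_px[4] = { 0xff112233u, 0xff112233u, 0xff112233u, 0xff112233u };
static const uint32_t mixed_px[4] = { 0xff112233u, 0xff112233u, 0xffffffffu, 0xff112233u };

const image_t SOLID_IMG = { 2, 2, 8, (const uint8_t *)solid_px };
const image_t MIXED_IMG = { 2, 2, 8, (const uint8_t *)mixed_px };
/* One row, zero width, no pixel storage: the extreme-transform case. */
const image_t ZERO_WIDTH_IMG = { 0, 1, 0, NULL };

int main(void)
{
    /* Build with: clang -std=c11 -fsanitize=undefined example.c
     * Only the last call below triggers the sanitizer report. */
    printf("guarded   zero-width: %d\n", compute_color_guarded(&ZERO_WIDTH_IMG));
    printf("guarded   solid:      %d\n", compute_color_guarded(&SOLID_IMG));
    printf("guarded   mixed:      %d\n", compute_color_guarded(&MIXED_IMG));
    printf("unguarded zero-width: %d\n", compute_color_unguarded(&ZERO_WIDTH_IMG));
    return 0;
}
```

The guard has to sit before the pointer arithmetic, not inside the loop: the point of the sanitizer finding is that the offset computation itself is undefined, regardless of whether the result is later read. That matters in practice because an optimizer is entitled to assume undefined operations never happen, so a "harmless" NULL + 0 can become a basis for removing later NULL checks.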
Pushed by jkew@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ce99df6759ca
Bail out early from _cairo_image_compute_color if image is zero-sized. r=jrmuizel
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 90 Branch

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210505215208-cee8c3405f2e.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon