Closed Bug 1713214 Opened 4 years ago Closed 3 years ago

crash in cairo [@ active_edges] when printing

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Type:
defect

Tracking

()

Status:
RESOLVED INCOMPLETE
Tracking Flags:
Tracking Status
firefox90 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

testcase.html
377 bytes, text/html
Details
Attached file testcase.html

Found while fuzzing m-c 20210524-9635f4a632cb (--enable-address-sanitizer --enable-fuzzing)

==24989==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7f032c2b71c4 bp 0x7fff5ea45650 sp 0x7fff5ea42560 T0)
==24989==The signal is caused by a READ memory access.
==24989==Hint: address points to the zero page.
    #0 0x7f032c2b71c4 in active_edges /gecko/gfx/cairo/cairo/src/cairo-polygon-intersect.c:1171:6
    #1 0x7f032c2b71c4 in intersection_sweep /gecko/gfx/cairo/cairo/src/cairo-polygon-intersect.c:1207:6
    #2 0x7f032c2b71c4 in _cairo_polygon_intersect /gecko/gfx/cairo/cairo/src/cairo-polygon-intersect.c:1406:14
    #3 0x7f032c3e77a0 in clip_and_composite_polygon /gecko/gfx/cairo/cairo/src/cairo-spans-compositor.c:946:12
    #4 0x7f032c3cf1a4 in _cairo_spans_compositor_fill /gecko/gfx/cairo/cairo/src/cairo-spans-compositor.c:1174:15
    #5 0x7f032c33ddb7 in _cairo_compositor_fill /gecko/gfx/cairo/cairo/src/cairo-compositor.c:203:11
    #6 0x7f032c36246c in _cairo_image_surface_fill /gecko/gfx/cairo/cairo/src/cairo-image-surface.c:1003:12
    #7 0x7f032c3d667f in _cairo_surface_fill /gecko/gfx/cairo/cairo/src/cairo-surface.c:2473:14
    #8 0x7f032c2da48d in _cairo_surface_wrapper_fill /gecko/gfx/cairo/cairo/src/cairo-surface-wrapper.c:384:14
    #9 0x7f032c3ac706 in _cairo_recording_surface_replay_internal /gecko/gfx/cairo/cairo/src/cairo-recording-surface.c:2006:12
    #10 0x7f032c3ad82a in _cairo_recording_surface_replay_with_clip /gecko/gfx/cairo/cairo/src/cairo-recording-surface.c:2205:12
    #11 0x7f032c3e5982 in composite_aligned_boxes /gecko/gfx/cairo/cairo/src/cairo-spans-compositor.c:614:11
    #12 0x7f032c3e5982 in clip_and_composite_boxes /gecko/gfx/cairo/cairo/src/cairo-spans-compositor.c:882:11
    #13 0x7f032c3ce8f9 in _cairo_spans_compositor_paint /gecko/gfx/cairo/cairo/src/cairo-spans-compositor.c:983:14
    #14 0x7f032c33d597 in _cairo_compositor_paint /gecko/gfx/cairo/cairo/src/cairo-compositor.c:65:11
    #15 0x7f032c3d5309 in _cairo_surface_paint /gecko/gfx/cairo/cairo/src/cairo-surface.c:2248:14
    #16 0x7f032c347e11 in _cairo_gstate_paint /gecko/gfx/cairo/cairo/src/cairo-gstate.c:1061:12
    #17 0x7f032c3f94f3 in _moz_cairo_paint /gecko/gfx/cairo/cairo/src/cairo.c:2219:14
    #18 0x7f03248dbe37 in mozilla::gfx::SourceSurfaceCairo::GetDataSurface() /gecko/gfx/2d/SourceSurfaceCairo.cpp:60:5
    #19 0x7f032483ddcc in mozilla::gfx::GetDataSurfaceInRect(mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::ConvolveMatrixEdgeMode) /gecko/gfx/2d/FilterNodeSoftware.cpp:402:33
    #20 0x7f032483fb91 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /gecko/gfx/2d/FilterNodeSoftware.cpp:810:7
    #21 0x7f0324843740 in mozilla::gfx::FilterNodeTransformSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:1176:7
    #22 0x7f032483da25 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:638:20
    #23 0x7f032483f88b in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /gecko/gfx/2d/FilterNodeSoftware.cpp:770:25
    #24 0x7f0324857323 in mozilla::gfx::FilterNodeBlurXYSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:3011:7
    #25 0x7f032483da25 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:638:20
    #26 0x7f032483f88b in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /gecko/gfx/2d/FilterNodeSoftware.cpp:770:25
    #27 0x7f0324857323 in mozilla::gfx::FilterNodeBlurXYSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:3011:7
    #28 0x7f032483da25 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:638:20
    #29 0x7f032483f88b in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /gecko/gfx/2d/FilterNodeSoftware.cpp:770:25
    #30 0x7f0324859fbb in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:3175:10
    #31 0x7f032483da25 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:638:20
    #32 0x7f032483f88b in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /gecko/gfx/2d/FilterNodeSoftware.cpp:770:25
    #33 0x7f032485a53e in mozilla::gfx::FilterNodeUnpremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:3236:7
    #34 0x7f032483da25 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:638:20
    #35 0x7f032483f88b in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /gecko/gfx/2d/FilterNodeSoftware.cpp:770:25
    #36 0x7f0324849fc5 in mozilla::gfx::FilterNodeComponentTransferSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:1853:7
    #37 0x7f032483da25 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:638:20
    #38 0x7f032483f88b in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /gecko/gfx/2d/FilterNodeSoftware.cpp:770:25
    #39 0x7f0324859fbb in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:3175:10
    #40 0x7f032483da25 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:638:20
    #41 0x7f032483f88b in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /gecko/gfx/2d/FilterNodeSoftware.cpp:770:25
    #42 0x7f0324849fc5 in mozilla::gfx::FilterNodeComponentTransferSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:1853:7
    #43 0x7f032483da25 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:638:20
    #44 0x7f032483f88b in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /gecko/gfx/2d/FilterNodeSoftware.cpp:770:25
    #45 0x7f0324859fbb in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:3175:10
    #46 0x7f032483da25 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:638:20
    #47 0x7f032483f88b in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /gecko/gfx/2d/FilterNodeSoftware.cpp:770:25
    #48 0x7f032485a44e in mozilla::gfx::FilterNodePremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:3205:7
    #49 0x7f032483da25 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:638:20
    #50 0x7f032483cef5 in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:572:14
    #51 0x7f032473896c in mozilla::gfx::RecordedDrawFilter::PlayEvent(mozilla::gfx::Translator*) const /gecko/gfx/2d/RecordedEventImpl.h:2876:7
    #52 0x7f03248c3ab1 in std::function<bool (mozilla::gfx::RecordedEvent*)>::operator()(mozilla::gfx::RecordedEvent*) const /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:706:14
    #53 0x7f0324880f0b in bool mozilla::gfx::RecordedEvent::DoWithEvent<mozilla::gfx::EventStream>(mozilla::gfx::EventStream&, mozilla::gfx::RecordedEvent::EventType, std::function<bool (mozilla::gfx::RecordedEvent*)> const&) /gecko/gfx/2d/RecordedEventImpl.h:3989:5
    #54 0x7f032aaf075b in mozilla::layout::PrintTranslator::TranslateRecording(mozilla::layout::PRFileDescStream&) /gecko/layout/printing/PrintTranslator.cpp:50:20
    #55 0x7f032aaf3ea6 in mozilla::layout::RemotePrintJobParent::PrintPage(mozilla::layout::PRFileDescStream&, nsRefCountedHashtable<nsUint64HashKey, RefPtr<mozilla::gfx::RecordedDependentSurface> >*) /gecko/layout/printing/ipc/RemotePrintJobParent.cpp:167:26
    #56 0x7f032aaf3dcb in mozilla::layout::RemotePrintJobParent::FinishProcessingPage(nsRefCountedHashtable<nsUint64HashKey, RefPtr<mozilla::gfx::RecordedDependentSurface> >*) /gecko/layout/printing/ipc/RemotePrintJobParent.cpp:146:17
    #57 0x7f032aaf3c4b in mozilla::layout::RemotePrintJobParent::RecvProcessPage(nsTArray<unsigned long>&&) /gecko/layout/printing/ipc/RemotePrintJobParent.cpp:121:5
    #58 0x7f0323d314fb in mozilla::layout::PRemotePrintJobParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PRemotePrintJobParent.cpp:301:28
    #59 0x7f0323840dbc in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:6622:32
    #60 0x7f032355ebda in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2155:25
    #61 0x7f032355b308 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:2079:9
    #62 0x7f032355cc65 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1924:3
    #63 0x7f032355d7cb in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1955:13
    #64 0x7f03223c2ca2 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:482:16
    #65 0x7f032238f6c0 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:766:26
    #66 0x7f032238d1c7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:621:15
    #67 0x7f032238d61d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:405:36
    #68 0x7f03223ccd14 in operator() /gecko/xpcom/threads/TaskController.cpp:141:37
    #69 0x7f03223ccd14 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /gecko/xpcom/threads/nsThreadUtils.h:534:5
    #70 0x7f03223aa018 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1159:16
    #71 0x7f03223b4dcc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #72 0x7f0323566354 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:107:5
    #73 0x7f032346e411 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #74 0x7f032346e411 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #75 0x7f032346e411 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #76 0x7f0329cf9ca7 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #77 0x7f032dd34fc7 in nsAppStartup::Run() /gecko/toolkit/components/startup/nsAppStartup.cpp:273:30
    #78 0x7f032df398dc in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:5244:22
    #79 0x7f032df3b93e in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5442:8
    #80 0x7f032df3c693 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5501:21
    #81 0x55cf91fd415a in do_main /gecko/browser/app/nsBrowserApp.cpp:224:22
    #82 0x55cf91fd415a in main /gecko/browser/app/nsBrowserApp.cpp:351:16
    #83 0x7f0343c060b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #84 0x55cf91f24a49 in _start (/home/worker/builds/m-c-20210527031253-fuzzing-asan-opt/firefox+0x5ba49)
Severity: -- → S2
Flags: in-testsuite?

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210527212801-5d03a9d6cb8a.
The bug appears to have been introduced in the following build range:

Start: 3557d61e4136ee4e624662dc9c06f9d2cea38ea5 (20210519033212)
End: de62b7dc09b8bfba7cdb04deda52e0b70b7d3f99 (20210519044826)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=3557d61e4136ee4e624662dc9c06f9d2cea38ea5&tochange=de62b7dc09b8bfba7cdb04deda52e0b70b7d3f99

Whiteboard: [bugmon:bisected,confirmed]

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210524215832-9635f4a632cb) but not with tip (mozilla-central 20210903224429-3e973cba050b.)
The bug appears to have been fixed in the following build range:

Start: 853f2714532264db652cf2a0dde3b858901d8814 (20210831185318)
End: 2c6e3c15b81af51ae336e09e250201e4cfe52ea7 (20210831205627)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=853f2714532264db652cf2a0dde3b858901d8814&tochange=2c6e3c15b81af51ae336e09e250201e4cfe52ea7
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Is it possible bug 1728246 fixed this per comment #2?

Component: Printing → Graphics
Flags: needinfo?(jmuizelaar)
Product: Toolkit → Core

It's possible but somewhat surprising.

Flags: needinfo?(jmuizelaar)

I'd guess something about the painting code may have changed just enough that this particular testcase no longer hits the bug, but the underlying issue is most likely still present. Maybe the fuzzer will eventually figure out a new path to get there.

Closing since we can't reproduce anymore.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: