crash near null [@ mozilla::SVGImageFrame::GetIntrinsicImageDimensions]
Categories: Core :: SVG, defect
People: Reporter: tsmith, Assigned: dholbert
References: Blocks 1 open bug
Keywords: crash, testcase; Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream]
Attachments: 2 files
Found while fuzzing m-c 20210719-c75f4ae44937 (--enable-address-sanitizer --enable-fuzzing)
==29095==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000090 (pc 0x7fa300f2750d bp 0x7ffcbf4f1790 sp 0x7ffcbf4f1680 T0)
==29095==The signal is caused by a READ memory access.
==29095==Hint: address points to the zero page.
#0 0x7fa300f2750d in operator bool /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:867:45
#1 0x7fa300f2750d in mozilla::SVGImageFrame::GetIntrinsicImageDimensions(mozilla::gfx::SizeTyped<mozilla::gfx::UnknownUnits, float>&, mozilla::AspectRatio&) const /gecko/layout/svg/SVGImageFrame.cpp:242:8
#2 0x7fa2ff7fb454 in float mozilla::dom::SVGGeometryProperty::details::ResolveImpl<mozilla::dom::SVGGeometryProperty::Tags::Width>(mozilla::ComputedStyle const&, mozilla::dom::SVGElement*, mozilla::dom::SVGGeometryProperty::ResolverTypes::LengthPercentWidthHeight) /gecko/dom/svg/SVGGeometryProperty.h:137:16
#3 0x7fa2ff7fae3a in ResolveWith<mozilla::dom::SVGGeometryProperty::Tags::Width> /gecko/dom/svg/SVGGeometryProperty.h:228:10
#4 0x7fa2ff7fae3a in operator()<mozilla::ComputedStyle> /gecko/dom/svg/SVGGeometryProperty.h:258:5
#5 0x7fa2ff7fae3a in bool mozilla::dom::SVGGeometryProperty::DoForComputedStyle<bool mozilla::dom::SVGGeometryProperty::ResolveAll<mozilla::dom::SVGGeometryProperty::Tags::Width, mozilla::dom::SVGGeometryProperty::Tags::Height>(mozilla::dom::SVGElement const*, float*...)::'lambda'(auto const*)>(mozilla::dom::SVGElement const*, auto) /gecko/dom/svg/SVGGeometryProperty.h:235:5
#6 0x7fa2ff7ed6f7 in ResolveAll<mozilla::dom::SVGGeometryProperty::Tags::Width, mozilla::dom::SVGGeometryProperty::Tags::Height> /gecko/dom/svg/SVGGeometryProperty.h:257:14
#7 0x7fa2ff7ed6f7 in mozilla::dom::SVGImageElement::HasValidDimensions() const /gecko/dom/svg/SVGImageElement.cpp:298:7
#8 0x7fa300f0808d in mozilla::SVGDisplayContainerFrame::PaintSVG(gfxContext&, mozilla::gfx::BaseMatrix<double> const&, mozilla::image::imgDrawingParams&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /gecko/layout/svg/SVGContainerFrame.cpp:263:21
#9 0x7fa300f8aca7 in mozilla::SVGViewportFrame::PaintSVG(gfxContext&, mozilla::gfx::BaseMatrix<double> const&, mozilla::image::imgDrawingParams&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /gecko/layout/svg/SVGViewportFrame.cpp:53:29
#10 0x7fa300f820b1 in mozilla::SVGUtils::PaintFrameWithEffects(nsIFrame*, gfxContext&, mozilla::gfx::BaseMatrix<double> const&, mozilla::image::imgDrawingParams&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /gecko/layout/svg/SVGUtils.cpp:792:15
#11 0x7fa300f3cd85 in mozilla::SVGMaskFrame::GetMaskForMaskedFrame(mozilla::SVGMaskFrame::MaskParams&) /gecko/layout/svg/SVGMaskFrame.cpp:99:5
#12 0x7fa300f32ea3 in mozilla::PaintMaskSurface(mozilla::SVGIntegrationUtils::PaintFramesParams const&, mozilla::gfx::DrawTarget*, float, mozilla::ComputedStyle*, nsTArray<mozilla::SVGMaskFrame*> const&, mozilla::gfx::BaseMatrix<float> const&, nsPoint const&) /gecko/layout/svg/SVGIntegrationUtils.cpp:533:50
#13 0x7fa300f31cbb in mozilla::SVGIntegrationUtils::PaintMask(mozilla::SVGIntegrationUtils::PaintFramesParams const&, bool&) /gecko/layout/svg/SVGIntegrationUtils.cpp:807:26
#14 0x7fa301101479 in nsDisplayMasksAndClipPaths::PaintMask(nsDisplayListBuilder*, gfxContext*, bool*) /gecko/layout/painting/nsDisplayList.cpp:9601:18
#15 0x7fa2fb308eb2 in mozilla::layers::WebRenderCommandBuilder::BuildWrMaskImage(nsDisplayMasksAndClipPaths*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*, mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float> const&) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2495:20
#16 0x7fa3011d3a21 in CreateWRClipPathAndMasks /gecko/layout/painting/nsDisplayList.cpp:9891:58
#17 0x7fa3011d3a21 in nsDisplayMasksAndClipPaths::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) /gecko/layout/painting/nsDisplayList.cpp:9921:30
#18 0x7fa2fb2fd9e6 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1670:41
#19 0x7fa2fb2fbe21 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1792:7
#20 0x7fa3011ad783 in nsDisplayWrapList::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) /gecko/layout/painting/nsDisplayList.cpp:5689:30
#21 0x7fa3011b4fc7 in nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) /gecko/layout/painting/nsDisplayList.cpp:6503:22
#22 0x7fa2fb2fd9e6 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1670:41
#23 0x7fa2fb2fbe21 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1792:7
#24 0x7fa2fb2fa6ed in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, nsDisplayList*, nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1590:5
#25 0x7fa2fb360a05 in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(nsDisplayList*, nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) /gecko/gfx/layers/wr/WebRenderLayerManager.cpp:368:30
#26 0x7fa30118a2f4 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /gecko/layout/painting/nsDisplayList.cpp:2535:18
#27 0x7fa300a98b95 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /gecko/layout/base/nsLayoutUtils.cpp:3530:45
#28 0x7fa3009a9c4f in mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags) /gecko/layout/base/PresShell.cpp:6400:5
#29 0x7fa30037d205 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /gecko/view/nsViewManager.cpp:459:18
#30 0x7fa30037c91f in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /gecko/view/nsViewManager.cpp:394:22
#31 0x7fa30037e8dd in nsViewManager::ProcessPendingUpdates() /gecko/view/nsViewManager.cpp:972:5
#32 0x7fa30092718d in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /gecko/layout/base/nsRefreshDriver.cpp:2473:11
#33 0x7fa300931e67 in TickDriver /gecko/layout/base/nsRefreshDriver.cpp:348:13
#34 0x7fa300931e67 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /gecko/layout/base/nsRefreshDriver.cpp:326:7
#35 0x7fa300931bcd in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:342:5
#36 0x7fa300931955 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:771:5
#37 0x7fa300930f75 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:700:16
#38 0x7fa300930530 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /gecko/layout/base/nsRefreshDriver.cpp:617:7
#39 0x7fa30092fce1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /gecko/layout/base/nsRefreshDriver.cpp:538:9
#40 0x7fa2ffb7e5a7 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /gecko/dom/ipc/VsyncChild.cpp:68:15
#41 0x7fa2fa5caf1d in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
#42 0x7fa2fa22b74b in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6091:32
#43 0x7fa2f9c7051a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2084:25
#44 0x7fa2f9c6d208 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:2011:9
#45 0x7fa2f9c6eb65 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1859:3
#46 0x7fa2f9c6f6cb in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1890:13
#47 0x7fa2f8a64252 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:502:16
#48 0x7fa2f8a30d44 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:805:26
#49 0x7fa2f8a2e598 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:641:15
#50 0x7fa2f8a2ecad in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:425:36
#51 0x7fa2f8a6e291 in operator() /gecko/xpcom/threads/TaskController.cpp:135:37
#52 0x7fa2f8a6e291 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:532:5
#53 0x7fa2f8a4b6c7 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1148:16
#54 0x7fa2f8a5639c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:466:10
#55 0x7fa2f9c7918f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
#56 0x7fa2f9b63e11 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
#57 0x7fa2f9b63e11 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
#58 0x7fa2f9b63e11 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
#59 0x7fa30042e1c7 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
#60 0x7fa304640b3f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:910:20
#61 0x7fa2f9b63e11 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
#62 0x7fa2f9b63e11 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
#63 0x7fa2f9b63e11 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
#64 0x7fa304640518 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:742:34
#65 0x5613c3ff50cd in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#66 0x5613c3ff54fd in main /gecko/browser/app/nsBrowserApp.cpp:327:18
#67 0x7fa319a900b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#68 0x5613c3f46769 in _start (/home/worker/builds/m-c-20210719093934-fuzzing-asan-opt/firefox+0x5b769)
Comment 1 (Reporter, 3 years ago):
A Pernosco session is available here: https://pernos.co/debug/84ijZZAlBDv071NTuMoo_Q/index.html
Comment 2 (3 years ago):
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210804214554-a72c2fe44761.
Failed to bisect testcase (Testcase reproduces on start build!):
Start: 6e35e01646d7c465893a172a0b4fb116c2293d2a (20200806033456)
End: c75f4ae449378437bbd05fd00bfdbe1bf5e125de (20210719093934)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)
Comment 4 (Assignee, 3 years ago):
It looks like that pernosco session is for an opt build (not --enable-debug), which makes it hard to poke around (I can't e.g. print out the values of variables in the gdb pane).
However, I'm able to reproduce this locally with a debug build, and I get this assertion-failure (for a null-check) just before the point where the opt build crashes (on a null-deref):
Assertion failure: imgf, at /scratch/work/builds/mozilla-central/mozilla/dom/svg/SVGGeometryProperty.h:130
Comment 5 (Assignee, 3 years ago):
My Pernosco session with this failing (at the assertion from comment 4) in a debug+opt build:
https://pernos.co/debug/Xh8_Fo0mN_CT4rzypXou1Q/index.html
(more analysis/thoughts coming later on)
Comment 6 (3 years ago):
I think we should return 0 instead of asserting, similar to line 138.
Comment 7 (Assignee, 3 years ago):
Agreed. I'll post a patch shortly which does that.
Comment 8 (Assignee, 3 years ago):
Pushed by dholbert@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/556581f9b280 Gracefully handle null SVG image-frame when resolving geometry properties. r=longsonr
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/30056 for changes under testing/web-platform/tests
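The pattern the discussion converges on (a frame pointer guarded only by a debug assertion, then made to resolve to 0 when no frame exists) as an added C++ illustration. This is not Gecko code: ImageFrame, ImageElement, ResolveAutoDimension, HasValidDimensions and the sample sizes are hypothetical stand-ins for SVGImageFrame, SVGImageElement and SVGGeometryProperty::details::ResolveImpl, and the shape of the real fix is only what comments 6 to 8 state.

```cpp
#include <cassert>
#include <cstdio>

// Hypothetical stand-ins (added illustration, not Gecko code).
struct Size {
  float width = 0.0f;
  float height = 0.0f;
};

// Models the part of SVGImageFrame this bug touches: it can report the
// intrinsic size of the image it displays.
struct ImageFrame {
  Size mIntrinsic;
  bool GetIntrinsicImageDimensions(Size& aOut) const {
    aOut = mIntrinsic;
    return true;
  }
};

// Models an <image> element. Its primary frame may be missing, which is the
// condition the fuzzer hit: the resolver runs while no frame exists.
struct ImageElement {
  const ImageFrame* mPrimaryFrame = nullptr;  // nullptr: no frame right now
  const ImageFrame* GetPrimaryFrame() const { return mPrimaryFrame; }
};

enum class Axis { Width, Height };

// Before the fix: the only guard is a debug assertion. Opt builds compile
// assert() out, so a null frame turns into a read near address 0.
float ResolveAutoDimensionUnchecked(const ImageElement& aElement, Axis aAxis) {
  const ImageFrame* imgf = aElement.GetPrimaryFrame();
  assert(imgf);  // "Assertion failure: imgf" in debug; nothing in opt
  Size s;
  imgf->GetIntrinsicImageDimensions(s);  // null dereference when imgf == nullptr
  return aAxis == Axis::Width ? s.width : s.height;
}

// After the fix, as described in comments 6 and 7: a missing frame means there
// is no intrinsic size to resolve against, so the property resolves to 0.
float ResolveAutoDimension(const ImageElement& aElement, Axis aAxis) {
  const ImageFrame* imgf = aElement.GetPrimaryFrame();
  if (!imgf) {
    return 0.0f;
  }
  Size s;
  if (!imgf->GetIntrinsicImageDimensions(s)) {
    return 0.0f;
  }
  return aAxis == Axis::Width ? s.width : s.height;
}

// Caller in the style of SVGImageElement::HasValidDimensions(): an image is
// paintable only if both resolved dimensions are positive. With the checked
// resolver a frameless element is simply reported as not paintable.
bool HasValidDimensions(const ImageElement& aElement) {
  return ResolveAutoDimension(aElement, Axis::Width) > 0.0f &&
         ResolveAutoDimension(aElement, Axis::Height) > 0.0f;
}

// Sample inputs, constructed for this demo.
static const ImageFrame kFrame{{64.0f, 32.0f}};
static const ImageElement kWithFrame{&kFrame};
static const ImageElement kWithoutFrame{};  // the fuzzer's case

int main() {
  std::printf("with frame: %gx%g valid=%d\n",
              ResolveAutoDimension(kWithFrame, Axis::Width),
              ResolveAutoDimension(kWithFrame, Axis::Height),
              HasValidDimensions(kWithFrame));
  std::printf("without frame: %gx%g valid=%d\n",
              ResolveAutoDimension(kWithoutFrame, Axis::Width),
              ResolveAutoDimension(kWithoutFrame, Axis::Height),
              HasValidDimensions(kWithoutFrame));
  // ResolveAutoDimensionUnchecked(kWithoutFrame, Axis::Width) would reproduce
  // the failure mode: assertion failure in a debug build, SEGV in an opt build.
  return 0;
}
```

The split between the two builds is the practical lesson of comment 4: an ASAN opt build never sees the assertion, only the SEGV, so the debug build is what names the null pointer. The report itself is consistent with that reading: a fault at 0x000000000090 (zero page) with the pc inside nsCOMPtr's operator bool is what a member read through a null this pointer looks like, rather than a wild or freed pointer.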
Comment 11 (bugherder, 3 years ago):
Comment 12 (3 years ago):
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20210817214910-659f053820bf.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Upstream PR merged by moz-wptsync-bot
Comment 14 (3 years ago):
The patch landed in nightly and beta is affected.
:dholbert, is this bug important enough to require an uplift?
If not, please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
Comment 15 (2 years ago):
:dholbert, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Comment 16 (Assignee, 2 years ago):
It doesn't actually contain a bisection range; bugmon says "Failed to bisect testcase (Testcase reproduces on start build!)" in comment 2.