Closed Bug 1741934 Opened 3 years ago Closed 2 years ago

Hit MOZ_CRASH(not implemented) at gfx/qcms/src/iccread.rs:1369

Categories: Core :: Graphics: ImageLib, defect, P2
Status: RESOLVED WORKSFORME
Tracking Status: firefox96 --- affected
People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
Details: Keywords: assertion, crash, testcase
Attachments: 1 file

Found while fuzzing m-c 20211008-637557306ffe (--enable-address-sanitizer --enable-fuzzing)

Hit MOZ_CRASH(not implemented) at gfx/qcms/src/iccread.rs:1369

#0 0x7f75a6c65fc0 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:256:3
#1 0x7f75a6c65fc0 in RustMozCrash src/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7f75a6c65ef6 in mozglue_static::panic_hook::h183adc4d73b027cc src/mozglue/static/rust/lib.rs:91:9
#3 0x7f75a6c65275 in core::ops::function::Fn::call::h2c49d8cefb0980e2 /builds/worker/fetches/rust/library/core/src/ops/function.rs:70:5
#4 0x7f75a881e527 in std::panicking::rust_panic_with_hook::hd83d5a96a789e1d3 (/home/worker/firefox/gtest/libxul.so+0x1a8f8527)
#5 0x7f75a882b5b1 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h69184b52300e19c8 (/home/worker/firefox/gtest/libxul.so+0x1a9055b1)
#6 0x7f75a882b133 in std::sys_common::backtrace::__rust_end_short_backtrace::h60c467230d142dfd (/home/worker/firefox/gtest/libxul.so+0x1a905133)
#7 0x7f75a881e011 in rust_begin_unwind (/home/worker/firefox/gtest/libxul.so+0x1a8f8011)
#8 0x7f75931e5ba0 in core::panicking::panic_fmt::h2850d97106c8b3d9 (/home/worker/firefox/gtest/libxul.so+0x52bfba0)
#9 0x7f75931e5aec in core::panicking::panic::h0d6ee8b28f4f60d3 (/home/worker/firefox/gtest/libxul.so+0x52bfaec)
#10 0x7f75a45adce2 in _$LT$qcms..iccread..curveType$u20$as$u20$core..convert..From$LT$qcms..iccread..TransferCharacteristics$GT$$GT$::from::hc58360afe9ff23ce src/gfx/qcms/src/iccread.rs
#11 0x7f75a45af9f1 in qcms::iccread::Profile::new_cicp::h96985bc1c351201e src/gfx/qcms/src/iccread.rs:1543:21
#12 0x7f759900eef0 in mozilla::image::nsAVIFDecoder::Decode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) src/image/decoders/nsAVIFDecoder.cpp:1452:20
#13 0x7f759900c279 in mozilla::image::nsAVIFDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) src/image/decoders/nsAVIFDecoder.cpp:1149:25
#14 0x7f7598ef8dd7 in mozilla::image::Decoder::Decode(mozilla::image::IResumable*) src/image/Decoder.cpp:177:19
#15 0x7f7598f193ca in mozilla::image::AnonymousDecodingTask::Run() src/image/IDecodingTask.cpp:186:36
#16 0x7f7598f35a45 in mozilla::image::ImageOps::DecodeToSurface(mozilla::image::ImageOps::ImageBuffer*, nsTSubstring<char> const&, unsigned int, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&) src/image/ImageOps.cpp:229:9
#17 0x7f7598f353c7 in mozilla::image::ImageOps::DecodeToSurface(already_AddRefed<nsIInputStream>, nsTSubstring<char> const&, unsigned int, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&) src/image/ImageOps.cpp:201:10
#18 0x7f7594754d1e in DecodeToSurfaceRunnableFuzzing::Go() src/image/test/fuzzing/TestDecoders.cpp:55:16
#19 0x7f7594754a78 in DecodeToSurfaceRunnableFuzzing::Run() src/image/test/fuzzing/TestDecoders.cpp:50:5
#20 0x7f7595ee9eec in nsThreadSyncDispatch::Run() src/xpcom/threads/nsThreadSyncDispatch.h:35:51
#21 0x7f7595ecfacb in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1169:16
#22 0x7f7595eda3bc in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:467:10
#23 0x7f759738c8ed in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:300:20
#24 0x7f7597214711 in RunInternal src/ipc/chromium/src/base/message_loop.cc:331:10
#25 0x7f7597214711 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
#26 0x7f7597214711 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
#27 0x7f7595ec805f in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:391:10
#28 0x7f75b362f09e in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#29 0x7f75b4f57608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
#30 0x7f75b4b1f292 in clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
Attached file testcase.avif
Crash Signature: [@ qcms::iccread::impl$6::from ]
Flags: in-testsuite?
Keywords: bugmon, testcase

A Pernosco session is available here: https://pernos.co/debug/E0hKaZaBJdVZW7pQA9aNvw/index.html

This one is a straightforward issue of a particular, exceptionally uncommon parameter value being used for specifying the transfer characteristic function in an AVIF. We should just be having a graceful error instead and I wrote that fix along with the rest of bug 1729539, but for reasons that are still mysterious to me, that fix caused test failures that seemed totally unrelated to QCMS. I'll try to land that again, and if the errors resurface, redouble the investigation efforts.

Assignee: nobody → jbauman
Priority: -- → P2
See Also: → 1729539

Bugmon Analysis
Unable to reproduce bug 1741934 using build mozilla-central 20211008094833-637557306ffe. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Assignee: jbauman → nobody

This one uses SMPTE ST 428 for transfer, which is XYZ transfer, but also uses a matrix of BT.2020-nc instead of Identity (RGB) matrix, which is mandatory for XYZ. The file is invalid. Of course you can still convert YCbCr to RGB except RGB will really be XYZ, but that is not cool at all. Also, primaries BT.2020 do not make sense since XYZ does not have primaries, it is absolute color space with reserved value for primaries.
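
An added example, not qcms or Firefox code, of the two defensive measures the comments above describe: a fallible curve conversion that returns an error instead of panicking on an unusual transfer code point, and a consistency check on the CICP triple (transfer SMPTE ST 428 requires the Identity matrix and XYZ primaries). The `Transfer`, `Curve` and `CicpError` types, `decode_colr`, and the gamma values are assumptions for illustration; the numeric code points are the H.273 ones.

```rust
/// Subset of H.273 transfer_characteristics code points used here.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Transfer { Bt709, Srgb, SmpteSt428, Unsupported(u8) }

#[derive(Debug, PartialEq, Eq)]
pub enum CicpError {
    UnsupportedTransfer(u8),
    XyzNeedsIdentityMatrix(u8), // ST 428 transfer needs matrix 0 (Identity/RGB)
    XyzNeedsXyzPrimaries(u8),   // ST 428 transfer needs primaries 10 (ST 428 XYZ)
}

/// Stand-in for the ICC curve the real decoder builds (assumed type);
/// gamma values are illustrative pure-gamma approximations only.
#[derive(Debug, PartialEq, Eq)]
pub struct Curve { pub gamma_x1000: u32 }

pub fn transfer_from_code(code: u8) -> Transfer {
    match code {
        1 => Transfer::Bt709,
        13 => Transfer::Srgb,
        17 => Transfer::SmpteSt428,
        other => Transfer::Unsupported(other),
    }
}

/// Fallible curve construction: an unhandled code point is an Err,
/// never a panic, because these bytes come straight from the file.
pub fn curve_for(t: Transfer) -> Result<Curve, CicpError> {
    match t {
        Transfer::Bt709 => Ok(Curve { gamma_x1000: 2222 }),
        Transfer::Srgb => Ok(Curve { gamma_x1000: 2400 }),
        Transfer::SmpteSt428 => Ok(Curve { gamma_x1000: 2600 }),
        Transfer::Unsupported(c) => Err(CicpError::UnsupportedTransfer(c)),
    }
}

/// Validate the (primaries, transfer, matrix) triple from a colr box, then
/// build the curve. The file in this bug (primaries 9 = BT.2020, transfer 17
/// = ST 428, matrix 9 = BT.2020-nc) is rejected at the matrix check.
pub fn decode_colr(primaries: u8, transfer: u8, matrix: u8) -> Result<Curve, CicpError> {
    let t = transfer_from_code(transfer);
    if t == Transfer::SmpteSt428 {
        if matrix != 0 { return Err(CicpError::XyzNeedsIdentityMatrix(matrix)); }
        if primaries != 10 { return Err(CicpError::XyzNeedsXyzPrimaries(primaries)); }
    }
    curve_for(t)
}
```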

This doesn't crash for me anymore. Tyson, can you still reproduce?

Flags: needinfo?(twsmith)

(In reply to Jeff Muizelaar [:jrmuizel] from comment #7)

> This doesn't crash for me anymore. Tyson, can you still reproduce?

Neither can I. Looks like it was last reported by fuzzers targeting m-c 20220518-dd970ebf97df.

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(twsmith)
Resolution: --- → WORKSFORME