Hit MOZ_CRASH(not implemented) at gfx/qcms/src/iccread.rs:1369
Categories
(Core :: Graphics: ImageLib, defect, P2)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox96 | --- | affected |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, crash, testcase)
Attachments
(1 file: 8.33 KB, application/octet-stream)
Found while fuzzing m-c 20211008-637557306ffe (--enable-address-sanitizer --enable-fuzzing)
Hit MOZ_CRASH(not implemented) at gfx/qcms/src/iccread.rs:1369
#0 0x7f75a6c65fc0 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:256:3
#1 0x7f75a6c65fc0 in RustMozCrash src/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7f75a6c65ef6 in mozglue_static::panic_hook::h183adc4d73b027cc src/mozglue/static/rust/lib.rs:91:9
#3 0x7f75a6c65275 in core::ops::function::Fn::call::h2c49d8cefb0980e2 /builds/worker/fetches/rust/library/core/src/ops/function.rs:70:5
#4 0x7f75a881e527 in std::panicking::rust_panic_with_hook::hd83d5a96a789e1d3 (/home/worker/firefox/gtest/libxul.so+0x1a8f8527)
#5 0x7f75a882b5b1 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h69184b52300e19c8 (/home/worker/firefox/gtest/libxul.so+0x1a9055b1)
#6 0x7f75a882b133 in std::sys_common::backtrace::__rust_end_short_backtrace::h60c467230d142dfd (/home/worker/firefox/gtest/libxul.so+0x1a905133)
#7 0x7f75a881e011 in rust_begin_unwind (/home/worker/firefox/gtest/libxul.so+0x1a8f8011)
#8 0x7f75931e5ba0 in core::panicking::panic_fmt::h2850d97106c8b3d9 (/home/worker/firefox/gtest/libxul.so+0x52bfba0)
#9 0x7f75931e5aec in core::panicking::panic::h0d6ee8b28f4f60d3 (/home/worker/firefox/gtest/libxul.so+0x52bfaec)
#10 0x7f75a45adce2 in _$LT$qcms..iccread..curveType$u20$as$u20$core..convert..From$LT$qcms..iccread..TransferCharacteristics$GT$$GT$::from::hc58360afe9ff23ce src/gfx/qcms/src/iccread.rs
#11 0x7f75a45af9f1 in qcms::iccread::Profile::new_cicp::h96985bc1c351201e src/gfx/qcms/src/iccread.rs:1543:21
#12 0x7f759900eef0 in mozilla::image::nsAVIFDecoder::Decode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) src/image/decoders/nsAVIFDecoder.cpp:1452:20
#13 0x7f759900c279 in mozilla::image::nsAVIFDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) src/image/decoders/nsAVIFDecoder.cpp:1149:25
#14 0x7f7598ef8dd7 in mozilla::image::Decoder::Decode(mozilla::image::IResumable*) src/image/Decoder.cpp:177:19
#15 0x7f7598f193ca in mozilla::image::AnonymousDecodingTask::Run() src/image/IDecodingTask.cpp:186:36
#16 0x7f7598f35a45 in mozilla::image::ImageOps::DecodeToSurface(mozilla::image::ImageOps::ImageBuffer*, nsTSubstring<char> const&, unsigned int, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&) src/image/ImageOps.cpp:229:9
#17 0x7f7598f353c7 in mozilla::image::ImageOps::DecodeToSurface(already_AddRefed<nsIInputStream>, nsTSubstring<char> const&, unsigned int, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&) src/image/ImageOps.cpp:201:10
#18 0x7f7594754d1e in DecodeToSurfaceRunnableFuzzing::Go() src/image/test/fuzzing/TestDecoders.cpp:55:16
#19 0x7f7594754a78 in DecodeToSurfaceRunnableFuzzing::Run() src/image/test/fuzzing/TestDecoders.cpp:50:5
#20 0x7f7595ee9eec in nsThreadSyncDispatch::Run() src/xpcom/threads/nsThreadSyncDispatch.h:35:51
#21 0x7f7595ecfacb in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1169:16
#22 0x7f7595eda3bc in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:467:10
#23 0x7f759738c8ed in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:300:20
#24 0x7f7597214711 in RunInternal src/ipc/chromium/src/base/message_loop.cc:331:10
#25 0x7f7597214711 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
#26 0x7f7597214711 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
#27 0x7f7595ec805f in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:391:10
#28 0x7f75b362f09e in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#29 0x7f75b4f57608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
#30 0x7f75b4b1f292 in clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
Reporter
Comment 3•3 years ago
A Pernosco session is available here: https://pernos.co/debug/E0hKaZaBJdVZW7pQA9aNvw/index.html
Comment 4•3 years ago
This one is a straightforward issue of a particular, exceptionally uncommon parameter value being used for specifying the transfer characteristic function in an AVIF. We should just be having a graceful error instead and I wrote that fix along with the rest of bug 1729539, but for reasons that are still mysterious to me, that fix caused test failures that seemed totally unrelated to QCMS. I'll try to land that again, and if the errors resurface, redouble the investigation efforts.
Comment 5•3 years ago
Bugmon Analysis
Unable to reproduce bug 1741934 using build mozilla-central 20211008094833-637557306ffe. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 6•2 years ago
This one uses SMPTE ST 428 for transfer, which is XYZ transfer, but also uses a matrix of BT.2020-nc instead of the Identity (RGB) matrix, which is mandatory for XYZ. The file is invalid. Of course you can still convert YCbCr to RGB, except RGB will really be XYZ, but that is not cool at all. Also, primaries BT.2020 do not make sense since XYZ does not have primaries; it is an absolute color space with a reserved value for primaries.
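The failure mode discussed in comments 4 and 6, as an added Rust example that is not part of the bug thread and not qcms source: an infallible conversion that panics on an unhandled transfer value, beside a fallible one that returns an error, plus the Identity-matrix check comment 6 describes. All type and function names are hypothetical; the code points are the ITU-T H.273 values, and treating ST 428 as the unhandled value is an assumption drawn from comment 6.

```rust
// Added example with hypothetical names; this is not the qcms source.
use std::convert::TryFrom;

/// Transfer characteristics, numbered as in ITU-T H.273 (subset).
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Transfer { Bt709 = 1, Srgb = 13, Pq = 16, St428 = 17 }

pub const MATRIX_IDENTITY: u8 = 0; // H.273 MatrixCoefficients: Identity
pub const MATRIX_BT2020_NCL: u8 = 9; // BT.2020 non-constant luminance

#[derive(Debug, PartialEq)]
pub enum CicpError {
    UnsupportedTransfer(Transfer),
    MatrixNotIdentity { matrix: u8 },
}

/// Stand-in for a tone curve: it only records which transfer it models.
#[derive(Debug, PartialEq)]
pub struct Curve(pub Transfer);

// Crash-prone shape: an infallible conversion has nowhere to send an
// unhandled value taken from the image file except a panic.
pub fn curve_or_panic(t: Transfer) -> Curve {
    match t {
        Transfer::Bt709 | Transfer::Srgb | Transfer::Pq => Curve(t),
        Transfer::St428 => unimplemented!(), // assumed unhandled value
    }
}

// Hardened shape: the same gap becomes an error the decoder can handle.
impl TryFrom<Transfer> for Curve {
    type Error = CicpError;
    fn try_from(t: Transfer) -> Result<Self, CicpError> {
        match t {
            Transfer::Bt709 | Transfer::Srgb | Transfer::Pq => Ok(Curve(t)),
            Transfer::St428 => Err(CicpError::UnsupportedTransfer(t)),
        }
    }
}

/// Hypothetical caller: check the CICP fields, then build the curve.
pub fn curve_from_cicp(transfer: Transfer, matrix: u8) -> Result<Curve, CicpError> {
    // Comment 6: ST 428 (XYZ) is only valid with the Identity matrix.
    if transfer == Transfer::St428 && matrix != MATRIX_IDENTITY {
        return Err(CicpError::MatrixNotIdentity { matrix });
    }
    Curve::try_from(transfer)
}

fn main() {
    // Constructed input mirroring comment 6: ST 428 with BT.2020-nc.
    println!("{:?}", curve_from_cicp(Transfer::St428, MATRIX_BT2020_NCL));
    println!("{:?}", curve_from_cicp(Transfer::Srgb, 1));
}
```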
Comment 7•2 years ago
This doesn't crash for me anymore. Tyson, can you still reproduce?
Reporter
Comment 8•2 years ago
(In reply to Jeff Muizelaar [:jrmuizel] from comment #7)
> This doesn't crash for me anymore. Tyson, can you still reproduce?
Neither can I. Looks like it was last reported by fuzzers targeting m-c 20220518-dd970ebf97df.