Open Bug 1795054 Opened 2 years ago Updated 7 months ago

Assertion failure: r2 >= -epsilon, at /gfx/2d/BezierUtils.cpp:319

Categories

(Core :: Graphics, defect, P3)

x86_64
Linux
defect

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: bugmon, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev cbbf6a7e34a3 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build cbbf6a7e34a3 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: r2 >= -epsilon, at /gfx/2d/BezierUtils.cpp:319

    ==296865==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9a3bb9e4ae bp 0x7ffe4e64a5b0 sp 0x7ffe4e64a5b0 T296865)
    ==296865==The signal is caused by a WRITE memory access.
    ==296865==Hint: address points to the zero page.
        #0 0x7f9a3bb9e4ae in mozilla::gfx::CalculateDistanceToEllipticArc(mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, float, float) /gfx/2d/BezierUtils.cpp:319:3
        #1 0x7f9a402df735 in mozilla::DottedCornerFinder::FindNext(float) /layout/painting/DottedCornerFinder.cpp:272:11
        #2 0x7f9a402df15a in GetCountAndLastOverlap /layout/painting/DottedCornerFinder.cpp:527:27
        #3 0x7f9a402df15a in mozilla::DottedCornerFinder::FindBestOverlap(float, float, float) /layout/painting/DottedCornerFinder.cpp:384:10
        #4 0x7f9a402defdc in mozilla::DottedCornerFinder::DetermineType(float, float) /layout/painting/DottedCornerFinder.cpp:145:5
        #5 0x7f9a402dec8f in mozilla::DottedCornerFinder::DottedCornerFinder(mozilla::gfx::Bezier const&, mozilla::gfx::Bezier const&, mozilla::Corner, float, float, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, float, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, float, mozilla::gfx::SizeTyped<mozilla::gfx::UnknownUnits, float> const&) /layout/painting/DottedCornerFinder.cpp:67:3
        #6 0x7f9a403007aa in nsCSSBorderRenderer::DrawDottedCornerSlow(mozilla::Side, mozilla::Corner) /layout/painting/nsCSSRenderingBorders.cpp:2348:22
        #7 0x7f9a402feba1 in nsCSSBorderRenderer::DrawDashedOrDottedCorner(mozilla::Side, mozilla::Corner) /layout/painting/nsCSSRenderingBorders.cpp:2285:7
        #8 0x7f9a402fdd20 in nsCSSBorderRenderer::DrawBorderSides(mozilla::SideBits) /layout/painting/nsCSSRenderingBorders.cpp:1269:7
        #9 0x7f9a402ec09c in nsCSSBorderRenderer::DrawBorders() /layout/painting/nsCSSRenderingBorders.cpp:3265:11
        #10 0x7f9a402e8d81 in nsCSSRendering::PaintBorderWithStyleBorder(nsPresContext*, gfxContext&, nsIFrame*, nsRect const&, nsRect const&, nsStyleBorder const&, mozilla::ComputedStyle*, mozilla::PaintBorderFlags, mozilla::Sides) /layout/painting/nsCSSRendering.cpp:889:6
        #11 0x7f9a402e8854 in nsCSSRendering::PaintBorder(nsPresContext*, gfxContext&, nsIFrame*, nsRect const&, nsRect const&, mozilla::ComputedStyle*, mozilla::PaintBorderFlags, mozilla::Sides) /layout/painting/nsCSSRendering.cpp:648:10
        #12 0x7f9a4031caf9 in mozilla::nsDisplayBorder::Paint(mozilla::nsDisplayListBuilder*, gfxContext*) /layout/painting/nsDisplayList.cpp:4250:13
        #13 0x7f9a402e7fdb in mozilla::nsDisplayList::Paint(mozilla::nsDisplayListBuilder*, gfxContext*, int) /layout/painting/nsDisplayList.cpp:2196:11
        #14 0x7f9a4032aeab in mozilla::nsDisplayTransform::Paint(mozilla::nsDisplayListBuilder*, gfxContext*, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) /layout/painting/nsDisplayList.cpp:6842:20
        #15 0x7f9a4032a768 in mozilla::nsDisplayTransform::Paint(mozilla::nsDisplayListBuilder*, gfxContext*) /layout/painting/nsDisplayList.cpp:6809:3
        #16 0x7f9a402e7fdb in mozilla::nsDisplayList::Paint(mozilla::nsDisplayListBuilder*, gfxContext*, int) /layout/painting/nsDisplayList.cpp:2196:11
        #17 0x7f9a4032aeab in mozilla::nsDisplayTransform::Paint(mozilla::nsDisplayListBuilder*, gfxContext*, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) /layout/painting/nsDisplayList.cpp:6842:20
        #18 0x7f9a4032a768 in mozilla::nsDisplayTransform::Paint(mozilla::nsDisplayListBuilder*, gfxContext*) /layout/painting/nsDisplayList.cpp:6809:3
        #19 0x7f9a402e7fdb in mozilla::nsDisplayList::Paint(mozilla::nsDisplayListBuilder*, gfxContext*, int) /layout/painting/nsDisplayList.cpp:2196:11
        #20 0x7f9a40310b06 in mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /layout/painting/nsDisplayList.cpp:2260:5
        #21 0x7f9a3ff842db in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /layout/base/nsLayoutUtils.cpp:3472:9
        #22 0x7f9a4012b949 in nsPageSequenceFrame::PrintNextSheet() /layout/generic/nsPageSequenceFrame.cpp:692:3
        #23 0x7f9a40352647 in nsPrintJob::PrintSheet(nsPrintObject*, bool&) /layout/printing/nsPrintJob.cpp:1807:31
        #24 0x7f9a40352256 in nsPagePrintTimer::Run() /layout/printing/nsPagePrintTimer.cpp:92:43
        #25 0x7f9a3ab0df52 in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:140:20
        #26 0x7f9a3ab3fe6e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:538:16
        #27 0x7f9a3ab18389 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:851:26
        #28 0x7f9a3ab16f13 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:683:15
        #29 0x7f9a3ab17183 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:461:36
        #30 0x7f9a3ab43789 in operator() /xpcom/threads/TaskController.cpp:190:37
        #31 0x7f9a3ab43789 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #32 0x7f9a3ab2cfdf in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1205:16
        #33 0x7f9a3ab335ed in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #34 0x7f9a3c42940c in bool mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, nsGlobalWindowOuter::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&)::$_3>(nsTSubstring<char> const&, nsGlobalWindowOuter::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&)::$_3&&, nsIThread*) /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
        #35 0x7f9a3c426a39 in nsGlobalWindowOuter::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) /dom/base/nsGlobalWindowOuter.cpp:5306:5
        #36 0x7f9a3c425253 in nsGlobalWindowOuter::PrintOuter(mozilla::ErrorResult&) /dom/base/nsGlobalWindowOuter.cpp:5105:3
        #37 0x7f9a3c3dc59b in nsGlobalWindowInner::Print(mozilla::ErrorResult&) /dom/base/nsGlobalWindowInner.cpp:3890:3
        #38 0x7f9a3ff606da in nsDocumentViewer::LoadComplete(nsresult) /layout/base/nsDocumentViewer.cpp:1167:16
        #39 0x7f9a415c713d in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /docshell/base/nsDocShell.cpp:6434:20
        #40 0x7f9a415c66a4 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:5827:7
        #41 0x7f9a415c8077 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp
        #42 0x7f9a3ba2357c in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /uriloader/base/nsDocLoader.cpp:1380:3
        #43 0x7f9a3ba22aba in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:978:14
        #44 0x7f9a3ba20d71 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:797:9
        #45 0x7f9a3ba21f58 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:680:5
        #46 0x7f9a415fb091 in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13839:23
        #47 0x7f9a3ad1f4b0 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:628:22
        #48 0x7f9a3ad209e3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:532:10
        #49 0x7f9a3c59e64d in mozilla::dom::Document::DoUnblockOnload() /dom/base/Document.cpp:11476:18
        #50 0x7f9a3c56995f in mozilla::dom::Document::UnblockOnload(bool) /dom/base/Document.cpp:11414:9
        #51 0x7f9a3c584db4 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:7950:3
        #52 0x7f9a3c63a2fb in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
        #53 0x7f9a3c63a2fb in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
        #54 0x7f9a3c63a2fb in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
        #55 0x7f9a3ab0df52 in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:140:20
        #56 0x7f9a3ab3fe6e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:538:16
        #57 0x7f9a3ab18389 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:851:26
        #58 0x7f9a3ab16f13 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:683:15
        #59 0x7f9a3ab17183 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:461:36
        #60 0x7f9a3ab43716 in operator() /xpcom/threads/TaskController.cpp:187:37
        #61 0x7f9a3ab43716 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #62 0x7f9a3ab2cfdf in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1205:16
        #63 0x7f9a3ab335ed in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #64 0x7f9a3b71f046 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #65 0x7f9a3b643187 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #66 0x7f9a3b643092 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #67 0x7f9a3b643092 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #68 0x7f9a3fb66bc8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
        #69 0x7f9a41d746db in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:880:20
        #70 0x7f9a3b71ff3a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #71 0x7f9a3b643187 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #72 0x7f9a3b643092 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #73 0x7f9a3b643092 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #74 0x7f9a41d73cbe in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:739:34
        #75 0x558eb84efc19 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #76 0x558eb84efc19 in main /browser/app/nsBrowserApp.cpp:357:18
        #77 0x7f9a517b9d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #78 0x7f9a517b9e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #79 0x558eb84c58dc in _start (/home/jkratzer/builds/m-c-20221012213343-fuzzing-debug/firefox-bin+0x168dc) (BuildId: 79de1d6fe4f74fe64c1836d51ad7afe42e2e9e06)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /gfx/2d/BezierUtils.cpp:319:3 in mozilla::gfx::CalculateDistanceToEllipticArc(mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, float, float)
    ==296865==ABORTING
Attached file Testcase

Bugmon Analysis
Unable to reproduce bug 1795054 using build mozilla-central 20221012213343-cbbf6a7e34a3. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Looks like I marked the wrong build in comment 0. I've updated that and we'll see if bugmon can reproduce it.

Keywords: bugmon

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20221017213658-ac1330b68d3e.
The bug appears to have been introduced in the following build range:

Start: 34c1c9be027df3df4dba7911abe3b1772e0aa877 (20221010064542)
End: 80a16ffc9f4dab882f36b3cdcd14ec8196ef9248 (20221010085005)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=34c1c9be027df3df4dba7911abe3b1772e0aa877&tochange=80a16ffc9f4dab882f36b3cdcd14ec8196ef9248

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

A pernosco session for this bug can be found here.

The severity field is not set for this bug.
:bhood, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(bhood)
Severity: -- → S3
Flags: needinfo?(bhood)
Priority: -- → P3

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

See Also: → 1855238
Duplicate of this bug: 1855238
See Also: 1855238