Open Bug 1832878 Opened 1 year ago Updated 1 year ago

Hit MOZ_CRASH(GFX: sample position needs to be inside surface!) at /builds/worker/checkouts/gecko/gfx/2d/DataSurfaceHelpers.cpp:84

Categories: Core :: Graphics, defect

Tracking Status: firefox115 --- affected

People: Reporter: tsmith, Unassigned

References: Blocks 1 open bug

Details: 4 keywords, Whiteboard: [bugmon:bisected,confirmed]

Attachments: 1 file

Attached file testcase.html

Found while fuzzing m-c 20230312-a8939ff5236d (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(GFX: sample position needs to be inside surface!) at /builds/worker/checkouts/gecko/gfx/2d/DataSurfaceHelpers.cpp:84

#0 0x7f029c1a180e in mozilla::gfx::DataAtOffset(mozilla::gfx::DataSourceSurface*, mozilla::gfx::DataSourceSurface::MappedSurface const*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits>) /builds/worker/checkouts/gecko/gfx/2d/DataSurfaceHelpers.cpp:84:5
#1 0x7f029c1d0994 in already_AddRefed<mozilla::gfx::DataSourceSurface> mozilla::gfx::FilterNodeConvolveMatrixSoftware::DoRender<int>(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, int, int) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:2484:7
#2 0x7f029c1d0583 in mozilla::gfx::FilterNodeConvolveMatrixSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:2386:12
#3 0x7f029c1c2279 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:634:20
#4 0x7f029c1c3244 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:765:25
#5 0x7f029c1d6e20 in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:3161:10
#6 0x7f029c1c2279 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:634:20
#7 0x7f029c1c3244 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:765:25
#8 0x7f029c1d71c9 in mozilla::gfx::FilterNodeUnpremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:3222:7
#9 0x7f029c1c2279 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:634:20
#10 0x7f029c1c3244 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:765:25
#11 0x7f029c1c8fed in mozilla::gfx::FilterNodeComponentTransferSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:1839:7
#12 0x7f029c1c2279 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:634:20
#13 0x7f029c1c3244 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:765:25
#14 0x7f029c1d70d9 in mozilla::gfx::FilterNodePremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:3191:7
#15 0x7f029c1c2279 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:634:20
#16 0x7f029c1a7573 in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:572:14
#17 0x7f029c1af8e7 in mozilla::gfx::DrawTargetOffset::DrawFilter(mozilla::gfx::FilterNode*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /builds/worker/checkouts/gecko/gfx/2d/DrawTargetOffset.cpp:99:16
#18 0x7f029c17b125 in mozilla::gfx::RecordedDrawFilter::PlayEvent(mozilla::gfx::Translator*) const /builds/worker/checkouts/gecko/gfx/2d/RecordedEventImpl.h:2892:7
#19 0x7f029c1903cb in operator() /builds/worker/checkouts/gecko/gfx/2d/InlineTranslator.cpp:78:31
#20 0x7f029c1903cb in std::_Function_handler<bool (mozilla::gfx::RecordedEvent*), mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0>::_M_invoke(std::_Any_data const&, mozilla::gfx::RecordedEvent*&&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/bits/std_function.h:301:9
#21 0x7f029c17fb3d in bool mozilla::gfx::RecordedEvent::DoWithEvent<mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader>(mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader&, mozilla::gfx::RecordedEvent::EventType, std::function<bool (mozilla::gfx::RecordedEvent*)> const&) /builds/worker/checkouts/gecko/gfx/2d/RecordedEventImpl.h:4053:5
#22 0x7f029c17c8ff in mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long) /builds/worker/checkouts/gecko/gfx/2d/InlineTranslator.cpp:68:20
#23 0x7f029c78859a in Moz2DRenderCallback /builds/worker/checkouts/gecko/gfx/webrender_bindings/Moz2DImageRenderer.cpp:427:20
#24 0x7f029c78859a in wr_moz2d_render_cb /builds/worker/checkouts/gecko/gfx/webrender_bindings/Moz2DImageRenderer.cpp:471:10
#25 0x7f02a46362d7 in webrender_bindings::moz2d_renderer::rasterize_blob::_$u7b$$u7b$closure$u7d$$u7d$::hf01279435f6bade2 /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/moz2d_renderer.rs:615:16
#26 0x7f02a46362d7 in webrender_bindings::moz2d_renderer::autoreleasepool::h9a755c912a3cd77d /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/moz2d_renderer.rs:596:9
#27 0x7f02a46362d7 in webrender_bindings::moz2d_renderer::rasterize_blob::h5dbf66353915ce7d /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/moz2d_renderer.rs:613:18
#28 0x7f02a4635e4a in core::ops::function::FnMut::call_mut::h148405a9d50c33ba /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/core/src/ops/function.rs:166:5
#29 0x7f02a4635e4a in core::iter::adapters::map::map_fold::_$u7b$$u7b$closure$u7d$$u7d$::h7509c0752749244f /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/core/src/iter/adapters/map.rs:84:28
#30 0x7f02a4635e4a in core::iter::traits::iterator::Iterator::fold::h58e324256afbecad /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/core/src/iter/traits/iterator.rs:2477:21
#31 0x7f02a4635e4a in _$LT$core..iter..adapters..map..Map$LT$I$C$F$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::fold::h75c357434f0ed31b /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/core/src/iter/adapters/map.rs:124:9
#32 0x7f02a4635e4a in core::iter::traits::iterator::Iterator::for_each::h373af56eabc6e5c0 /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/core/src/iter/traits/iterator.rs:852:9
#33 0x7f02a4635e4a in alloc::vec::Vec$LT$T$C$A$GT$::extend_trusted::had4a6cf0b5da794a /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/alloc/src/vec/mod.rs:2856:17
#34 0x7f02a4635e4a in _$LT$alloc..vec..Vec$LT$T$C$A$GT$$u20$as$u20$alloc..vec..spec_extend..SpecExtend$LT$T$C$I$GT$$GT$::spec_extend::h59607039f03db0e0 /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/alloc/src/vec/spec_extend.rs:26:9
#35 0x7f02a4635e4a in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..spec_from_iter_nested..SpecFromIterNested$LT$T$C$I$GT$$GT$::from_iter::h0b6799eb3a1a11d9 /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/alloc/src/vec/spec_from_iter_nested.rs:62:9
#36 0x7f02a4635e4a in alloc::vec::in_place_collect::_$LT$impl$u20$alloc..vec..spec_from_iter..SpecFromIter$LT$T$C$I$GT$$u20$for$u20$alloc..vec..Vec$LT$T$GT$$GT$::from_iter::he781ffdad10e5c63 /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/alloc/src/vec/in_place_collect.rs:167:20
#37 0x7f02a4635e4a in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$core..iter..traits..collect..FromIterator$LT$T$GT$$GT$::from_iter::h70a2441649f78659 /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/alloc/src/vec/mod.rs:2724:9
#38 0x7f02a4635e4a in core::iter::traits::iterator::Iterator::collect::h1ed2cdbdb2980673 /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/core/src/iter/traits/iterator.rs:1891:9
#39 0x7f02a4635e4a in _$LT$webrender_bindings..moz2d_renderer..Moz2dBlobRasterizer$u20$as$u20$webrender_api..image..AsyncBlobImageRasterizer$GT$::rasterize::h76128a7924dea114 /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/moz2d_renderer.rs:582:54
#40 0x7f02a495b02f in webrender::scene_builder_thread::rasterize_blobs::hdc7626191986bc39 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/scene_builder_thread.rs:46:36
#41 0x7f02a468f5b7 in webrender::scene_builder_thread::LowPrioritySceneBuilderThread::process_transaction::h00bc05ec4c824cd0 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/scene_builder_thread.rs:787:9
#42 0x7f02a468f5b7 in webrender::scene_builder_thread::LowPrioritySceneBuilderThread::run::_$u7b$$u7b$closure$u7d$$u7d$::he2ab75337417409b /builds/worker/checkouts/gecko/gfx/wr/webrender/src/scene_builder_thread.rs:766:36
#43 0x7f02a468f5b7 in core::iter::adapters::map::map_fold::_$u7b$$u7b$closure$u7d$$u7d$::h902a5d869a88f7d8 /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/core/src/iter/adapters/map.rs:84:28
#44 0x7f02a468f5b7 in core::iter::traits::iterator::Iterator::fold::h42e9af62b189038d /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/core/src/iter/traits/iterator.rs:2477:21
#45 0x7f02a468f5b7 in _$LT$core..iter..adapters..map..Map$LT$I$C$F$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::fold::h17b60858e24b1d78 /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/core/src/iter/adapters/map.rs:124:9
#46 0x7f02a468f5b7 in core::iter::traits::iterator::Iterator::for_each::h690d1b57fc50bc78 /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/core/src/iter/traits/iterator.rs:852:9
#47 0x7f02a468f5b7 in alloc::vec::Vec$LT$T$C$A$GT$::extend_trusted::h4c076f78ef07f220 /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/alloc/src/vec/mod.rs:2856:17
#48 0x7f02a468f5b7 in _$LT$alloc..vec..Vec$LT$T$C$A$GT$$u20$as$u20$alloc..vec..spec_extend..SpecExtend$LT$T$C$I$GT$$GT$::spec_extend::hbedba27603330f1b /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/alloc/src/vec/spec_extend.rs:26:9
#49 0x7f02a468f5b7 in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..spec_from_iter_nested..SpecFromIterNested$LT$T$C$I$GT$$GT$::from_iter::hba28c80416bfb3d1 /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/alloc/src/vec/spec_from_iter_nested.rs:62:9
#50 0x7f02a468f5b7 in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..spec_from_iter..SpecFromIter$LT$T$C$I$GT$$GT$::from_iter::h94145aedc8a43710 /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/alloc/src/vec/spec_from_iter.rs:33:9
#51 0x7f02a468f5b7 in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$core..iter..traits..collect..FromIterator$LT$T$GT$$GT$::from_iter::h203a397dfd16e952 /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/alloc/src/vec/mod.rs:2724:9
#52 0x7f02a468f5b7 in core::iter::traits::iterator::Iterator::collect::hc6f58652f17860d9 /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/core/src/iter/traits/iterator.rs:1891:9
#53 0x7f02a468f5b7 in webrender::scene_builder_thread::LowPrioritySceneBuilderThread::run::he4cdb4aa2a506087 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/scene_builder_thread.rs:767:26
#54 0x7f02a468f5b7 in webrender::renderer::init::create_webrender_instance::_$u7b$$u7b$closure$u7d$$u7d$::h4e81f3f7abce9fb8 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/init.rs:614:13
#55 0x7f02a468f5b7 in std::sys_common::backtrace::__rust_begin_short_backtrace::hf736a331ef52ff93 /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/std/src/sys_common/backtrace.rs:134:18
#56 0x7f02a469c68a in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hdcac36cf990b5f3f /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/std/src/thread/mod.rs:560:17
#57 0x7f02a469c68a in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h6a03d8ffd3e8e750 /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/core/src/panic/unwind_safe.rs:271:9
#58 0x7f02a469c68a in std::panicking::try::do_call::hd2d7887aee7bd377 /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/std/src/panicking.rs:487:40
#59 0x7f02a469c68a in std::panicking::try::hc7cef8ae65898a0c /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/std/src/panicking.rs:451:19
#60 0x7f02a469c68a in std::panic::catch_unwind::h75891f08c471d1ee /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/std/src/panic.rs:140:14
#61 0x7f02a469c68a in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::ha3f118f267ae3e18 /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/std/src/thread/mod.rs:559:30
#62 0x7f02a469c68a in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::hebfbf0ac55257417 /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/core/src/ops/function.rs:250:5
#63 0x7f02a5bdd2d2 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h39990b24eedef2ab /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/alloc/src/boxed.rs:1987:9
#64 0x7f02a5bdd2d2 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h01a027258444143b /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/alloc/src/boxed.rs:1987:9
#65 0x7f02a5bdd2d2 in std::sys::unix::thread::Thread::new::thread_start::ha4f1cdd9c25884ba /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/std/src/sys/unix/thread.rs:108:17
#66 0x7f02b0094b42 in start_thread nptl/pthread_create.c:442:8
#67 0x7f02b01269ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Flags: in-testsuite?
Crash Signature: [@ mozilla::gfx::DataAtOffset ]
Keywords: crash

Verified bug as reproducible on mozilla-central 20230512180301-33f0079fba2d.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 28b2e89581853eb7ff35fdd1ebeafefbc077293f (20220514040948)
End: a8939ff5236dad956af827235ceed7104e5e92c2 (20230312211644)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisected,confirmed]

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Severity: -- → S3