Closed Bug 1836831 Opened 2 years ago Closed 2 years ago

stack-overflow in [@ mozilla::SVGUtils::GetBBox]

Categories

(Core :: Layout, defect)


Tracking


VERIFIED FIXED
122 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox-esr115 --- disabled
firefox114 --- unaffected
firefox115 --- disabled
firefox116 --- disabled
firefox117 --- disabled
firefox120 --- disabled
firefox121 --- disabled
firefox122 --- verified

People

(Reporter: tsmith, Assigned: longsonr)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20230526-d49f009b89ad (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

The DOM fuzzers have been reporting this issue frequently.

==31323==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe84625d58 (pc 0x5578f3bf29fe bp 0x7ffe84626590 sp 0x7ffe84625d60 T0)
    #0 0x5578f3bf29fe in __asan_memset /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3
    #1 0x7fe9bc55c5b8 in BaseRect /builds/worker/workspace/obj-build/dist/include/mozilla/gfx/BaseRect.h:50:22
    #2 0x7fe9bc55c5b8 in nsRect /builds/worker/workspace/obj-build/dist/include/nsRect.h:38:14
    #3 0x7fe9bc55c5b8 in ComputeSVGReferenceRect /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:9467:10
    #4 0x7fe9bc55c5b8 in nsLayoutUtils::ComputeGeometryBox(nsIFrame*, mozilla::StyleGeometryBox) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:9609:16
    #5 0x7fe9bc398684 in RayReferenceData /builds/worker/checkouts/gecko/layout/base/MotionPathUtils.cpp:54:7
    #6 0x7fe9bc398684 in GenerateOffsetPathData /builds/worker/checkouts/gecko/layout/base/MotionPathUtils.cpp:320:48
    #7 0x7fe9bc398684 in mozilla::MotionPathUtils::ResolveMotionPath(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&) /builds/worker/checkouts/gecko/layout/base/MotionPathUtils.cpp:342:28
    #8 0x7fe9bce23206 in mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:6218:15
    #9 0x7fe9bcbd78bc in mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:1526:48
    #10 0x7fe9ba192de9 in mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const /builds/worker/checkouts/gecko/dom/svg/SVGContentUtils.cpp:479:13
    #11 0x7fe9ba15cedc in mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool) /builds/worker/checkouts/gecko/dom/svg/SVGContentUtils.cpp:496:22
    #12 0x7fe9ba15cd97 in mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool) /builds/worker/checkouts/gecko/dom/svg/SVGContentUtils.cpp:569:10
    #13 0x7fe9bcbd9b44 in mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:1088:35
    #14 0x7fe9bcb46606 in mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int) /builds/worker/checkouts/gecko/layout/svg/SVGGeometryFrame.cpp:383:7
    #15 0x7fe9bcb4a371 in non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int) /builds/worker/checkouts/gecko/layout/svg/SVGGeometryFrame.cpp
    #16 0x7fe9bcbd17bf in mozilla::SVGUtils::GetBBox(nsIFrame*, unsigned int, mozilla::gfx::BaseMatrix<double> const*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:913:12
    #17 0x7fe9bc55c6c2 in ComputeSVGReferenceRect /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:9477:11
    #18 0x7fe9bc55c6c2 in nsLayoutUtils::ComputeGeometryBox(nsIFrame*, mozilla::StyleGeometryBox) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:9609:16
    #19 0x7fe9bc398684 in RayReferenceData /builds/worker/checkouts/gecko/layout/base/MotionPathUtils.cpp:54:7
    #20 0x7fe9bc398684 in GenerateOffsetPathData /builds/worker/checkouts/gecko/layout/base/MotionPathUtils.cpp:320:48
    #21 0x7fe9bc398684 in mozilla::MotionPathUtils::ResolveMotionPath(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&) /builds/worker/checkouts/gecko/layout/base/MotionPathUtils.cpp:342:28
    #22 0x7fe9bce23206 in mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:6218:15
    #23 0x7fe9bcbd78bc in mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:1526:48
    #24 0x7fe9ba192de9 in mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const /builds/worker/checkouts/gecko/dom/svg/SVGContentUtils.cpp:479:13
    #25 0x7fe9ba15cedc in mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool) /builds/worker/checkouts/gecko/dom/svg/SVGContentUtils.cpp:496:22
    #26 0x7fe9ba15cd97 in mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool) /builds/worker/checkouts/gecko/dom/svg/SVGContentUtils.cpp:569:10
    #27 0x7fe9bcbd9b44 in mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:1088:35
    #28 0x7fe9bcb46606 in mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int) /builds/worker/checkouts/gecko/layout/svg/SVGGeometryFrame.cpp:383:7
    #29 0x7fe9bcb4a371 in non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int) /builds/worker/checkouts/gecko/layout/svg/SVGGeometryFrame.cpp
    #30 0x7fe9bcbd17bf in mozilla::SVGUtils::GetBBox(nsIFrame*, unsigned int, mozilla::gfx::BaseMatrix<double> const*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:913:12
    #31 0x7fe9bc55c6c2 in ComputeSVGReferenceRect /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:9477:11
    #32 0x7fe9bc55c6c2 in nsLayoutUtils::ComputeGeometryBox(nsIFrame*, mozilla::StyleGeometryBox) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:9609:16
    #33 0x7fe9bc398684 in RayReferenceData /builds/worker/checkouts/gecko/layout/base/MotionPathUtils.cpp:54:7
    #34 0x7fe9bc398684 in GenerateOffsetPathData /builds/worker/checkouts/gecko/layout/base/MotionPathUtils.cpp:320:48
    #35 0x7fe9bc398684 in mozilla::MotionPathUtils::ResolveMotionPath(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&) /builds/worker/checkouts/gecko/layout/base/MotionPathUtils.cpp:342:28
    #36 0x7fe9bce23206 in mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:6218:15
    #37 0x7fe9bcbd78bc in mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:1526:48
    #38 0x7fe9ba192de9 in mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const /builds/worker/checkouts/gecko/dom/svg/SVGContentUtils.cpp:479:13
    #39 0x7fe9ba15cedc in mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool) /builds/worker/checkouts/gecko/dom/svg/SVGContentUtils.cpp:496:22
    #40 0x7fe9ba15cd97 in mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool) /builds/worker/checkouts/gecko/dom/svg/SVGContentUtils.cpp:569:10
    #41 0x7fe9bcbd9b44 in mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:1088:35
    #42 0x7fe9bcb46606 in mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int) /builds/worker/checkouts/gecko/layout/svg/SVGGeometryFrame.cpp:383:7
    #43 0x7fe9bcb4a371 in non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int) /builds/worker/checkouts/gecko/layout/svg/SVGGeometryFrame.cpp
    #44 0x7fe9bcbd17bf in mozilla::SVGUtils::GetBBox(nsIFrame*, unsigned int, mozilla::gfx::BaseMatrix<double> const*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:913:12
    #45 0x7fe9bc55c6c2 in ComputeSVGReferenceRect /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:9477:11
    ...
Flags: in-testsuite?
Blocks: motion-1
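
As an added triage aid (not part of the report or of Gecko): a script that parses AddressSanitizer frame lines in the format printed above and finds the shortest repeating frame sequence, which is how one confirms an unbounded recursion and names its cycle, here the 14 frames from ComputeSVGReferenceRect back to SVGUtils::GetBBox. The sample report is constructed from that cycle with abridged signatures and placeholder addresses and paths.

```python
import re

# AddressSanitizer frame line, as in the report above: "#N 0xADDR in FUNCTION PATH[:LINE:COL]"
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s+(\S+)\s*$")

# The 14 functions the report cycles through, innermost first (constructed
# sample: signatures abridged to "(...)" relative to the real report).
CYCLE = [
    "ComputeSVGReferenceRect", "nsLayoutUtils::ComputeGeometryBox(...)", "RayReferenceData",
    "GenerateOffsetPathData", "mozilla::MotionPathUtils::ResolveMotionPath(...)",
    "mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(...)",
    "mozilla::SVGUtils::GetTransformMatrixInUserSpace(...)",
    "mozilla::GetCTMInternal(...)::$_0::operator()(...) const", "mozilla::GetCTMInternal(...)",
    "mozilla::SVGContentUtils::GetCTM(...)", "mozilla::SVGUtils::GetNonScalingStrokeTransform(...)",
    "mozilla::SVGGeometryFrame::GetBBoxContribution(...)",
    "non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(...)",
    "mozilla::SVGUtils::GetBBox(...)",
]

def constructed_report(repeats=3):
    """Constructed ASan-style report: the three helper frames that overflowed, then
    `repeats` copies of CYCLE, truncated with '...'; addresses/paths are placeholders."""
    funcs = ["__asan_memset", "BaseRect", "nsRect"] + CYCLE * repeats
    lines = ["==1==ERROR: AddressSanitizer: stack-overflow on address 0x0"]
    for i, fn in enumerate(funcs):
        lines.append(f"    #{i} 0xdeadbeef in {fn} /placeholder/gecko/file.cpp:{100 + i}:7")
    return "\n".join(lines + ["    ..."])

def parse_frames(report):
    """Function signature of every frame, innermost first; a 'non-virtual thunk to X'
    frame is folded into X because it is the same call for cycle-spotting."""
    names = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)  # header, '...' and other non-frame lines are skipped
        if m:
            names.append(m.group(2).removeprefix("non-virtual thunk to "))
    return names

def recursion_cycle(names, min_repeats=2):
    """Shortest period p such that the outermost frames (end of the list, which a
    truncated report still shows inside the recursion) hold >= min_repeats copies of
    one p-frame sequence. Returns (index where the cycle starts, cycle) or None."""
    n = len(names)
    for p in range(1, n // min_repeats + 1):
        if all(names[i] == names[i + p] for i in range(n - min_repeats * p, n - p)):
            start = n - p
            while start > 0 and names[start - 1] == names[start - 1 + p]:
                start -= 1  # walk inward until the non-recursive prefix begins
            return start, names[start:start + p]
    return None
```

Run against a real ASan report, the cycle it returns is the set of functions a re-entrancy guard has to break; a None result means the overflow is not a simple repeating recursion and needs manual inspection.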

I suspect this is a regression from bug 1821450.

Yes. Once I commented out the line I added, this testcase works properly without crash or other issues. I will check what happened.

S3 because this is behind a pref.

Severity: -- → S3
Keywords: bugmon
Component: SVG → Layout

Set release status flags based on info from the regressing bug 1821450

Verified bug as reproducible on mozilla-central 20230608152955-256876c3862b.
The bug appears to have been introduced in the following build range:

Start: c49edd998af9a5b4552a4468db2eaef267147bbd (20230525223416)
End: d49f009b89ad3ae1616d96cb1d2d9234ef3f6cda (20230526005832)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c49edd998af9a5b4552a4468db2eaef267147bbd&tochange=d49f009b89ad3ae1616d96cb1d2d9234ef3f6cda

Whiteboard: [bugmon:bisected,confirmed]
Blocks: 1598151
Crash Signature: [@ stackoverflow | do_QueryFrameHelper<T>::operator mozilla::ISVGDisplayableFrame* ]
No longer blocks: 1598151

I guess this is similar to https://phabricator.services.mozilla.com/D194712. We just need a special handle for aFrame->StyleSVGReset()->HasNonScalingStroke() because this test case also uses vector-effect: non-scaling-stroke.

Assignee: nobody → longsonr
Status: NEW → ASSIGNED
Pushed by longsonr@gmail.com: https://hg.mozilla.org/integration/autoland/rev/9f710d42c811 don't try to resolve ray with StrokeBox when non-scaling-stroke is in effect r=boris
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 122 Branch
Flags: in-testsuite? → in-testsuite+

Verified bug as fixed on rev mozilla-central 20231206165851-52f516546de7.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon