Open Bug 1845384 Opened 1 year ago Updated 6 months ago

Assertion failure: CurrentState().filterSourceGraphicTainted == isWriteOnly, at /builds/worker/workspace/obj-build/dist/include/mozilla/dom/CanvasRenderingContext2D.h:907

Categories

(Core :: Graphics: Canvas2D, defect)

x86_64
Linux
defect

Tracking

Tracking Status
firefox-esr102 --- unaffected
firefox-esr115 --- unaffected
firefox115 --- unaffected
firefox116 --- wontfix
firefox117 --- wontfix
firefox118 --- fix-optional

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: bugmon, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev 45a52966f964 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 45a52966f964 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: CurrentState().filterSourceGraphicTainted == isWriteOnly, at /builds/worker/workspace/obj-build/dist/include/mozilla/dom/CanvasRenderingContext2D.h:907

    ==165881==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff309ec3f31 bp 0x7ffc8438acc0 sp 0x7ffc8438ac90 T165881)
    ==165881==The signal is caused by a WRITE memory access.
    ==165881==Hint: address points to the zero page.
        #0 0x7ff309ec3f31 in mozilla::dom::CanvasRenderingContext2D::EnsureUpdatedFilter() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/CanvasRenderingContext2D.h:907:5
        #1 0x7ff309e13623 in NeedToApplyFilter /builds/worker/workspace/obj-build/dist/include/mozilla/dom/CanvasRenderingContext2D.h:894:12
        #2 0x7ff309e13623 in NeedToCalculateBounds /builds/worker/workspace/obj-build/dist/include/mozilla/dom/CanvasRenderingContext2D.h:912:34
        #3 0x7ff309e13623 in mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText(nsTSubstring<char16_t> const&, float, float, mozilla::dom::Optional<double> const&, mozilla::dom::CanvasRenderingContext2D::TextDrawOperation, mozilla::ErrorResult&) /dom/canvas/CanvasRenderingContext2D.cpp:4503:34
        #4 0x7ff309e14baf in mozilla::dom::CanvasRenderingContext2D::StrokeText(nsTSubstring<char16_t> const&, double, double, mozilla::dom::Optional<double> const&, mozilla::ErrorResult&) /dom/canvas/CanvasRenderingContext2D.cpp:4083:37
        #5 0x7ff308d801b0 in mozilla::dom::OffscreenCanvasRenderingContext2D_Binding::strokeText(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/OffscreenCanvasRenderingContext2DBinding.cpp:3934:24
        #6 0x7ff309d06148 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3327:13
        #7 0x7ff30e54a564 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:486:13
        #8 0x7ff30e549e7d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:580:12
        #9 0x7ff30e55ebf6 in CallFromStack /js/src/vm/Interpreter.cpp:652:10
        #10 0x7ff30e55ebf6 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3395:16
        #11 0x7ff30e5493d2 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:458:13
        #12 0x7ff30e549e99 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:612:13
        #13 0x7ff30e54b33d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:679:8
        #14 0x7ff30e8c5f17 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/SelfHosting.cpp:1500:10
        #15 0x7ff30e605ae4 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /js/src/vm/AsyncFunction.cpp:149:8
        #16 0x7ff30e824749 in AsyncFunctionPromiseReactionJob /js/src/builtin/Promise.cpp:2111:12
        #17 0x7ff30e824749 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2174:12
        #18 0x7ff30e54a564 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:486:13
        #19 0x7ff30e549e7d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:580:12
        #20 0x7ff30e54b33d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:679:8
        #21 0x7ff30e636644 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10
        #22 0x7ff308e89d1c in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:83:8
        #23 0x7ff3068ab035 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
        #24 0x7ff3068aa905 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
        #25 0x7ff3068aa905 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:213:18
        #26 0x7ff3068967f8 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:676:17
        #27 0x7ff3068977e9 in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /xpcom/base/CycleCollectedJSContext.cpp:463:3
        #28 0x7ff30784d726 in XPCJSContext::AfterProcessTask(unsigned int) /js/xpconnect/src/XPCJSContext.cpp:1504:28
        #29 0x7ff3069cbbd3 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1237:24
        #30 0x7ff3069d260d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #31 0x7ff307679c53 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #32 0x7ff307594b71 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #33 0x7ff307594b71 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #34 0x7ff30bfcbd18 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #35 0x7ff30e308c8b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:717:20
        #36 0x7ff30767ab86 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #37 0x7ff307594b71 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #38 0x7ff307594b71 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #39 0x7ff30e3084dc in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:652:34
        #40 0x55861300d566 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #41 0x55861300d566 in main /browser/app/nsBrowserApp.cpp:375:18
        #42 0x7ff31c691d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #43 0x7ff31c691e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #44 0x558612fe4808 in _start (/home/jkratzer/builds/m-c-20230725160236-fuzzing-debug/firefox-bin+0x58808) (BuildId: abe681e2aaf2094b1f5daf997614fcb15e2aef46)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/dom/CanvasRenderingContext2D.h:907:5 in mozilla::dom::CanvasRenderingContext2D::EnsureUpdatedFilter()
    ==165881==ABORTING
Attached file Testcase

Verified bug as reproducible on mozilla-central 20230725211415-d527a0783112.
The bug appears to have been introduced in the following build range:

Start: 7467d3da5f29eddf7cf135a00cef8cf87b5c6911 (20230609132342)
End: 439e88bdf46b8545bcf3fbf4d1cac9bf084df91d (20230609181256)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=7467d3da5f29eddf7cf135a00cef8cf87b5c6911&tochange=439e88bdf46b8545bcf3fbf4d1cac9bf084df91d

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Regressed by: 1792758

Set release status flags based on info from the regressing bug 1792758

:aosmond, since you are the author of the regressor, bug 1792758, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(aosmond)

Let's ask bugmon again!

Whiteboard: [bugmon:bisected,confirmed] → [bugmon:confirm]
Severity: -- → S4

Verified bug as reproducible on mozilla-central 20240408215259-79551503d77c.
The bug appears to have been introduced in the following build range:

Start: 7467d3da5f29eddf7cf135a00cef8cf87b5c6911 (20230609132342)
End: 439e88bdf46b8545bcf3fbf4d1cac9bf084df91d (20230609181256)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=7467d3da5f29eddf7cf135a00cef8cf87b5c6911&tochange=439e88bdf46b8545bcf3fbf4d1cac9bf084df91d

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]