Bug 1863792
Opened 1 year ago
Updated 10 months ago
Assertion failure: [GFX1]: Failed to create DrawTarget, Type: 3 Size: Size(6692,6692), at /builds/worker/workspace/obj-build/dist/include/mozilla/gfx/Logging.h:756
Categories
(Core :: Graphics: Canvas2D, defect)
NEW
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: bugmon, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file: 282 bytes, text/plain)
Testcase found while fuzzing mozilla-central rev 5d6699b34edc (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 5d6699b34edc --debug --fuzzing --cpu x86 -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: [GFX1]: Failed to create DrawTarget, Type: 3 Size: Size(6692,6692), at /builds/worker/workspace/obj-build/dist/include/mozilla/gfx/Logging.h:756
==170305==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x00000000 (pc 0xe5653653 bp 0xffd28af8 sp 0xffd28ae0 T170305)
==170305==The signal is caused by a WRITE memory access.
==170305==Hint: address points to the zero page.
#0 0xe5653653 in mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::WriteLog(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /builds/worker/workspace/obj-build/dist/include/mozilla/gfx/Logging.h:757:9
#1 0xe5653560 in mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::Flush() /builds/worker/workspace/obj-build/dist/include/mozilla/gfx/Logging.h:276:7
#2 0xe56881e0 in ~Log /gfx/2d/Logging.h:269:12
#3 0xe56881e0 in mozilla::gfx::Factory::CreateDrawTarget(mozilla::gfx::BackendType, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat) /gfx/2d/Factory.cpp:409:5
#4 0xe5b39e0f in gfxPlatform::CreateDrawTargetForBackend(mozilla::gfx::BackendType, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat) /gfx/thebes/gfxPlatform.cpp:1650:10
#5 0xe5776dff in mozilla::layers::PersistentBufferProviderBasic::Create(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, mozilla::gfx::SurfaceFormat, mozilla::gfx::BackendType) /gfx/layers/PersistentBufferProvider.cpp:80:35
#6 0xea26fddf in mozilla::WindowRenderer::CreatePersistentBufferProvider(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool) /layout/painting/WindowRenderer.cpp:132:22
#7 0xe5a8ee9f in mozilla::layers::WebRenderLayerManager::CreatePersistentBufferProvider(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool) /gfx/layers/wr/WebRenderLayerManager.cpp:769:26
#8 0xe7750a70 in mozilla::dom::CanvasRenderingContext2D::TrySharedTarget(RefPtr<mozilla::gfx::DrawTarget>&, RefPtr<mozilla::layers::PersistentBufferProvider>&) /dom/canvas/CanvasRenderingContext2D.cpp:1687:28
#9 0xe774fe8e in mozilla::dom::CanvasRenderingContext2D::EnsureTarget(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const*, bool) /dom/canvas/CanvasRenderingContext2D.cpp:1520:8
#10 0xe7769cdc in mozilla::dom::CanvasRenderingContext2D::DrawImage(mozilla::dom::HTMLImageElementOrSVGImageElementOrHTMLCanvasElementOrHTMLVideoElementOrOffscreenCanvasOrImageBitmapOrVideoFrame const&, double, double, double, double, double, double, double, double, unsigned char, mozilla::ErrorResult&) /dom/canvas/CanvasRenderingContext2D.cpp:5250:3
#11 0xe7f33d25 in DrawImage /builds/worker/workspace/obj-build/dist/include/mozilla/dom/CanvasRenderingContext2D.h:240:5
#12 0xe7f33d25 in mozilla::dom::HTMLCanvasElement::CopyInnerTo(mozilla::dom::HTMLCanvasElement*) /dom/html/HTMLCanvasElement.cpp:710:20
#13 0xe7f33a84 in mozilla::dom::HTMLCanvasElement::Clone(mozilla::dom::NodeInfo*, nsINode**) const /dom/html/HTMLCanvasElement.cpp:525:1
#14 0xe63cc422 in nsINode::CloneAndAdopt(nsINode*, bool, bool, nsNodeInfoManager*, JS::Handle<JSObject*>, nsINode*, mozilla::ErrorResult&) /dom/base/nsINode.cpp:3379:26
#15 0xe63cd4f8 in nsINode::CloneAndAdopt(nsINode*, bool, bool, nsNodeInfoManager*, JS::Handle<JSObject*>, nsINode*, mozilla::ErrorResult&) /dom/base/nsINode.cpp:3566:11
#16 0xe63cd4f8 in nsINode::CloneAndAdopt(nsINode*, bool, bool, nsNodeInfoManager*, JS::Handle<JSObject*>, nsINode*, mozilla::ErrorResult&) /dom/base/nsINode.cpp:3566:11
#17 0xe63cafd5 in Clone /dom/base/nsINode.cpp:3678:10
#18 0xe63cafd5 in nsINode::CloneNode(bool, mozilla::ErrorResult&) /dom/base/nsINode.cpp:3206:10
#19 0xe613da88 in mozilla::dom::Document::CreateStaticClone(nsIDocShell*, nsIContentViewer*, nsIPrintSettings*, bool*) /dom/base/Document.cpp:13376:34
#20 0xe5fc3ff3 in nsGlobalWindowOuter::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) /dom/base/nsGlobalWindowOuter.cpp:5149:42
#21 0xe5f7d097 in nsGlobalWindowInner::PrintPreview(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, mozilla::ErrorResult&) /dom/base/nsGlobalWindowInner.cpp:3753:3
#22 0xe711f15a in mozilla::dom::Window_Binding::printPreview(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./WindowBinding.cpp:3272:59
#23 0xe764b7b9 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3330:13
#24 0xebe6dac3 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:472:13
#25 0xebe6d583 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:566:12
#26 0xebe6e6e9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /js/src/vm/Interpreter.cpp:633:10
#27 0xebe6e8f7 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:665:8
#28 0xebf5388f in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10
#29 0xe749aeda in mozilla::dom::Function::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./FunctionBinding.cpp:50:8
#30 0xe62dadca in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject>>(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:71:12
#31 0xe62daba5 in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /dom/base/TimeoutHandler.cpp:168:29
#32 0xe5f8e377 in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /dom/base/nsGlobalWindowInner.cpp:6316:38
#33 0xe62d75a8 in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /dom/base/TimeoutManager.cpp:879:44
#34 0xe62d637e in mozilla::dom::TimeoutExecutor::MaybeExecute() /dom/base/TimeoutExecutor.cpp:179:11
#35 0xe62d8c5f in mozilla::dom::TimeoutExecutor::Run() /dom/base/TimeoutExecutor.cpp:234:5
#36 0xe44b5d8d in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /xpcom/threads/ThrottledEventQueue.cpp:254:22
#37 0xe44b2312 in mozilla::ThrottledEventQueue::Inner::Executor::Run() /xpcom/threads/ThrottledEventQueue.cpp:81:15
#38 0xe4480a85 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:549:16
#39 0xe447843d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:876:26
#40 0xe4476b16 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:699:15
#41 0xe4476fd2 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:485:36
#42 0xe448499c in operator() /xpcom/threads/TaskController.cpp:211:37
#43 0xe448499c in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
#44 0xe449c7d7 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1198:16
#45 0xe44a3d02 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
#46 0xe519e513 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#47 0xe50b3a5e in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:370:10
#48 0xe50b395a in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
#49 0xe50b395a in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
#50 0xe9a460c6 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
#51 0xebc42d44 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:721:20
#52 0xe519f580 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
#53 0xe50b3a5e in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:370:10
#54 0xe50b395a in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
#55 0xe50b395a in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
#56 0xebc4257d in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:656:34
#57 0xebc51d81 in mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/Bootstrap.cpp:67:12
#58 0x56683c9f in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#59 0x56683c9f in main /browser/app/nsBrowserApp.cpp:375:18
#60 0xf79cf518 (/lib/i386-linux-gnu/libc.so.6+0x21518) (BuildId: d6a86a013d9b1fe87908aea8bb1772e0c6cbef37)
#61 0xf79cf5f2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x215f2) (BuildId: d6a86a013d9b1fe87908aea8bb1772e0c6cbef37)
#62 0x56654b40 in _start (/home/jkratzer/builds/debug-x86/firefox-bin+0x5cb40) (BuildId: e4eb56def0976ab734d1e3db524c9428d2b79211)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/gfx/Logging.h:757:9 in mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::WriteLog(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&)
==170305==ABORTING
Comment 1•1 year ago
Comment 2•1 year ago
Verified bug as reproducible on mozilla-central 20231108211203-f1fb5f0afb58.
Unable to bisect testcase (Testcase reproduces on start build!):
Start: f7eac47f5daa86a7f28257322b36cf85ae49c7f6 (20221119085828)
End: 5d6699b34edce04ffd8886be86de9d604d88a89a (20231107214948)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Comment 3•1 year ago
The severity field is not set for this bug.
:lsalzman, could you have a look please?
For more information, please visit BugBot documentation.
Flags: needinfo?(lsalzman)
Updated•10 months ago
Severity: -- → S4
Flags: needinfo?(lsalzman)