1863792 - Assertion failure: [GFX1]: Failed to create DrawTarget, Type: 3 Size: Size(6692,6692), at /builds/worker/workspace/obj-build/dist/include/mozilla/gfx/Logging.h:756

Status: NEW

(Core :: Graphics: Canvas2D, defect)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev 5d6699b34edc (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 5d6699b34edc --debug --fuzzing --cpu x86 -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: [GFX1]: Failed to create DrawTarget, Type: 3 Size: Size(6692,6692), at /builds/worker/workspace/obj-build/dist/include/mozilla/gfx/Logging.h:756

    ==170305==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x00000000 (pc 0xe5653653 bp 0xffd28af8 sp 0xffd28ae0 T170305)
    ==170305==The signal is caused by a WRITE memory access.
    ==170305==Hint: address points to the zero page.
        #0 0xe5653653 in mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::WriteLog(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /builds/worker/workspace/obj-build/dist/include/mozilla/gfx/Logging.h:757:9
        #1 0xe5653560 in mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::Flush() /builds/worker/workspace/obj-build/dist/include/mozilla/gfx/Logging.h:276:7
        #2 0xe56881e0 in ~Log /gfx/2d/Logging.h:269:12
        #3 0xe56881e0 in mozilla::gfx::Factory::CreateDrawTarget(mozilla::gfx::BackendType, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat) /gfx/2d/Factory.cpp:409:5
        #4 0xe5b39e0f in gfxPlatform::CreateDrawTargetForBackend(mozilla::gfx::BackendType, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat) /gfx/thebes/gfxPlatform.cpp:1650:10
        #5 0xe5776dff in mozilla::layers::PersistentBufferProviderBasic::Create(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, mozilla::gfx::SurfaceFormat, mozilla::gfx::BackendType) /gfx/layers/PersistentBufferProvider.cpp:80:35
        #6 0xea26fddf in mozilla::WindowRenderer::CreatePersistentBufferProvider(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool) /layout/painting/WindowRenderer.cpp:132:22
        #7 0xe5a8ee9f in mozilla::layers::WebRenderLayerManager::CreatePersistentBufferProvider(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool) /gfx/layers/wr/WebRenderLayerManager.cpp:769:26
        #8 0xe7750a70 in mozilla::dom::CanvasRenderingContext2D::TrySharedTarget(RefPtr<mozilla::gfx::DrawTarget>&, RefPtr<mozilla::layers::PersistentBufferProvider>&) /dom/canvas/CanvasRenderingContext2D.cpp:1687:28
        #9 0xe774fe8e in mozilla::dom::CanvasRenderingContext2D::EnsureTarget(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const*, bool) /dom/canvas/CanvasRenderingContext2D.cpp:1520:8
        #10 0xe7769cdc in mozilla::dom::CanvasRenderingContext2D::DrawImage(mozilla::dom::HTMLImageElementOrSVGImageElementOrHTMLCanvasElementOrHTMLVideoElementOrOffscreenCanvasOrImageBitmapOrVideoFrame const&, double, double, double, double, double, double, double, double, unsigned char, mozilla::ErrorResult&) /dom/canvas/CanvasRenderingContext2D.cpp:5250:3
        #11 0xe7f33d25 in DrawImage /builds/worker/workspace/obj-build/dist/include/mozilla/dom/CanvasRenderingContext2D.h:240:5
        #12 0xe7f33d25 in mozilla::dom::HTMLCanvasElement::CopyInnerTo(mozilla::dom::HTMLCanvasElement*) /dom/html/HTMLCanvasElement.cpp:710:20
        #13 0xe7f33a84 in mozilla::dom::HTMLCanvasElement::Clone(mozilla::dom::NodeInfo*, nsINode**) const /dom/html/HTMLCanvasElement.cpp:525:1
        #14 0xe63cc422 in nsINode::CloneAndAdopt(nsINode*, bool, bool, nsNodeInfoManager*, JS::Handle<JSObject*>, nsINode*, mozilla::ErrorResult&) /dom/base/nsINode.cpp:3379:26
        #15 0xe63cd4f8 in nsINode::CloneAndAdopt(nsINode*, bool, bool, nsNodeInfoManager*, JS::Handle<JSObject*>, nsINode*, mozilla::ErrorResult&) /dom/base/nsINode.cpp:3566:11
        #16 0xe63cd4f8 in nsINode::CloneAndAdopt(nsINode*, bool, bool, nsNodeInfoManager*, JS::Handle<JSObject*>, nsINode*, mozilla::ErrorResult&) /dom/base/nsINode.cpp:3566:11
        #17 0xe63cafd5 in Clone /dom/base/nsINode.cpp:3678:10
        #18 0xe63cafd5 in nsINode::CloneNode(bool, mozilla::ErrorResult&) /dom/base/nsINode.cpp:3206:10
        #19 0xe613da88 in mozilla::dom::Document::CreateStaticClone(nsIDocShell*, nsIContentViewer*, nsIPrintSettings*, bool*) /dom/base/Document.cpp:13376:34
        #20 0xe5fc3ff3 in nsGlobalWindowOuter::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) /dom/base/nsGlobalWindowOuter.cpp:5149:42
        #21 0xe5f7d097 in nsGlobalWindowInner::PrintPreview(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, mozilla::ErrorResult&) /dom/base/nsGlobalWindowInner.cpp:3753:3
        #22 0xe711f15a in mozilla::dom::Window_Binding::printPreview(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./WindowBinding.cpp:3272:59
        #23 0xe764b7b9 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3330:13
        #24 0xebe6dac3 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:472:13
        #25 0xebe6d583 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:566:12
        #26 0xebe6e6e9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /js/src/vm/Interpreter.cpp:633:10
        #27 0xebe6e8f7 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:665:8
        #28 0xebf5388f in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10
        #29 0xe749aeda in mozilla::dom::Function::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./FunctionBinding.cpp:50:8
        #30 0xe62dadca in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject>>(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:71:12
        #31 0xe62daba5 in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /dom/base/TimeoutHandler.cpp:168:29
        #32 0xe5f8e377 in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /dom/base/nsGlobalWindowInner.cpp:6316:38
        #33 0xe62d75a8 in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /dom/base/TimeoutManager.cpp:879:44
        #34 0xe62d637e in mozilla::dom::TimeoutExecutor::MaybeExecute() /dom/base/TimeoutExecutor.cpp:179:11
        #35 0xe62d8c5f in mozilla::dom::TimeoutExecutor::Run() /dom/base/TimeoutExecutor.cpp:234:5
        #36 0xe44b5d8d in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /xpcom/threads/ThrottledEventQueue.cpp:254:22
        #37 0xe44b2312 in mozilla::ThrottledEventQueue::Inner::Executor::Run() /xpcom/threads/ThrottledEventQueue.cpp:81:15
        #38 0xe4480a85 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:549:16
        #39 0xe447843d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:876:26
        #40 0xe4476b16 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:699:15
        #41 0xe4476fd2 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:485:36
        #42 0xe448499c in operator() /xpcom/threads/TaskController.cpp:211:37
        #43 0xe448499c in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
        #44 0xe449c7d7 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1198:16
        #45 0xe44a3d02 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #46 0xe519e513 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #47 0xe50b3a5e in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:370:10
        #48 0xe50b395a in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #49 0xe50b395a in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #50 0xe9a460c6 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #51 0xebc42d44 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:721:20
        #52 0xe519f580 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #53 0xe50b3a5e in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:370:10
        #54 0xe50b395a in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #55 0xe50b395a in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #56 0xebc4257d in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:656:34
        #57 0xebc51d81 in mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/Bootstrap.cpp:67:12
        #58 0x56683c9f in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #59 0x56683c9f in main /browser/app/nsBrowserApp.cpp:375:18
        #60 0xf79cf518  (/lib/i386-linux-gnu/libc.so.6+0x21518) (BuildId: d6a86a013d9b1fe87908aea8bb1772e0c6cbef37)
        #61 0xf79cf5f2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x215f2) (BuildId: d6a86a013d9b1fe87908aea8bb1772e0c6cbef37)
        #62 0x56654b40 in _start (/home/jkratzer/builds/debug-x86/firefox-bin+0x5cb40) (BuildId: e4eb56def0976ab734d1e3db524c9428d2b79211)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/gfx/Logging.h:757:9 in mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::WriteLog(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&)
    ==170305==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20231108211203-f1fb5f0afb58.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: f7eac47f5daa86a7f28257322b36cf85ae49c7f6 (20221119085828)
End: 5d6699b34edce04ffd8886be86de9d604d88a89a (20231107214948)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:lsalzman, could you have a look please?

For more information, please visit BugBot documentation.