Closed Bug 1873322 Opened 2 years ago Closed 1 year ago

SEGV on unknown address 0x000000000000 in mozilla::gfx::FilterNodeSoftware::GetInputRectInRect

Categories: Core :: Graphics, defect

Status: RESOLVED FIXED
Target Milestone: 134 Branch
Tracking Status: firefox134 --- fixed

People: Reporter: wh0tlif3, Assigned: lsalzman

Details: Keywords: pernosco, reporter-external, testcase; Whiteboard: [reporter-external] [client-bounty-form] [verif?][bugmon:bisected,confirmed]

Attachments: 3 files

=================================================================
==9182==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe50b283fc9 bp 0x7ffd27073050 sp 0x7ffd27072da0 T0)
==9182==The signal is caused by a READ memory access.
==9182==Hint: address points to the zero page.
    #0 0x7fe50b283fc9 in mozilla::gfx::FilterNodeSoftware::GetInputRectInRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:868:18
    #1 0x7fe50b287ca6 in mozilla::gfx::FilterNodeTransformSoftware::SourceRectForOutputRect(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:1138:10
    #2 0x7fe50b289a0a in mozilla::gfx::FilterNodeTransformSoftware::GetOutputRectInRect(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:1218:21
    #3 0x7fe50b283fea in mozilla::gfx::FilterNodeSoftware::GetInputRectInRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:868:18
    #4 0x7fe50b283fea in mozilla::gfx::FilterNodeSoftware::GetInputRectInRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:868:18
    #5 0x7fe50b28e13e in mozilla::gfx::FilterNodeColorMatrixSoftware::GetOutputRectInRect(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:1528:10
    #6 0x7fe50b283fea in mozilla::gfx::FilterNodeSoftware::GetInputRectInRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:868:18
    #7 0x7fe50b2ad872 in mozilla::gfx::FilterNodeCropSoftware::GetOutputRectInRect(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:3178:10
    #8 0x7fe50b283fea in mozilla::gfx::FilterNodeSoftware::GetInputRectInRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:868:18
    #9 0x7fe50b283fea in mozilla::gfx::FilterNodeSoftware::GetInputRectInRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:868:18
    #10 0x7fe50b2abdb3 in mozilla::gfx::FilterNodeBlurXYSoftware::GetOutputRectInRect(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:3080:23
    #11 0x7fe50b283fea in mozilla::gfx::FilterNodeSoftware::GetInputRectInRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:868:18
    #12 0x7fe50b2ad872 in mozilla::gfx::FilterNodeCropSoftware::GetOutputRectInRect(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:3178:10
    #13 0x7fe50b2345eb in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:561:24
    #14 0x7fe50b19ccf9 in mozilla::gfx::RecordedDrawFilter::PlayEvent(mozilla::gfx::Translator*) const /builds/worker/checkouts/gecko/gfx/2d/RecordedEventImpl.h:3069:7
    #15 0x7fe50b1d990c in std::function<bool (mozilla::gfx::RecordedEvent*)>::operator()(mozilla::gfx::RecordedEvent*) const /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:687:14
    #16 0x7fe50b31da07 in bool mozilla::gfx::RecordedEvent::DoWithEvent<mozilla::gfx::EventStream>(mozilla::gfx::EventStream&, mozilla::gfx::RecordedEvent::EventType, std::function<bool (mozilla::gfx::RecordedEvent*)> const&) /builds/worker/checkouts/gecko/gfx/2d/RecordedEventImpl.h:4289:5
    #17 0x7fe5153503df in mozilla::layout::PrintTranslator::TranslateRecording(mozilla::layout::PRFileDescStream&) /builds/worker/checkouts/gecko/layout/printing/PrintTranslator.cpp:54:20
    #18 0x7fe515356d5d in mozilla::layout::RemotePrintJobParent::PrintPage(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layout::PRFileDescStream&, nsRefCountedHashtable<nsIntegralHashKey<unsigned long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface>>*) /builds/worker/checkouts/gecko/layout/printing/ipc/RemotePrintJobParent.cpp:179:26
    #19 0x7fe5153567fc in mozilla::layout::RemotePrintJobParent::FinishProcessingPage(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, nsRefCountedHashtable<nsIntegralHashKey<unsigned long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface>>*) /builds/worker/checkouts/gecko/layout/printing/ipc/RemotePrintJobParent.cpp:158:17
    #20 0x7fe515356429 in mozilla::layout::RemotePrintJobParent::RecvProcessPage(int const&, int const&, nsTArray<unsigned long>&&) /builds/worker/checkouts/gecko/layout/printing/ipc/RemotePrintJobParent.cpp:132:5
    #21 0x7fe5145fd931 in mozilla::layout::PRemotePrintJobParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PRemotePrintJobParent.cpp:379:52
    #22 0x7fe512f9d46a in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:6764:32
    #23 0x7fe50a757495 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1813:25
    #24 0x7fe50a752e9b in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1732:9
    #25 0x7fe50a754249 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
    #26 0x7fe50a7557c3 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
    #27 0x7fe508a99f9a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:568:16
    #28 0x7fe508a7fe1b in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:895:26
    #29 0x7fe508a7c9f8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:718:15
    #30 0x7fe508a7d0f9 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:504:36
    #31 0x7fe508aa20c4 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:225:37
    #32 0x7fe508aa20c4 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
    #33 0x7fe508aca00f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
    #34 0x7fe508ad7d4a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #35 0x7fe50a760a93 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
    #36 0x7fe50a588d9a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #37 0x7fe50a588d9a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #38 0x7fe50a588d9a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #39 0x7fe513ed32a9 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #40 0x7fe5140d7ca2 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
    #41 0x7fe518c3852b in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:296:30
    #42 0x7fe518f832c4 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5709:22
    #43 0x7fe518f85434 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5918:8
    #44 0x7fe518f86651 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5974:21
    #45 0x55cf159739e2 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:227:22
    #46 0x55cf159739e2 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:445:16
    #47 0x7fe530250789  (/lib64/libc.so.6+0x23789)
    #48 0x7fe530250844 in __libc_start_main (/lib64/libc.so.6+0x23844)
    #49 0x55cf158980a8 in _start (/home/uuu/dev/FF/browsers/firefox/firefox+0xdc0a8) (BuildId: 42289c8c9b3af7d8aad6a23848d3c3ecc2537e5b)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/gfx/2d/FilterNodeSoftware.cpp:868:18 in mozilla::gfx::FilterNodeSoftware::GetInputRectInRect(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)
==9182==ABORTING
Flags: sec-bounty?
Attached file test_3432.html

Firefox ASAN build from python -m fuzzfetch --asan --name firefox --fuzzing

Group: firefox-core-security → gfx-core-security
Component: Security → Graphics
Product: Firefox → Core
Duplicate of this bug: 1873321

The crash in comment 0 is a null deref, so I think this is probably not security sensitive. It looks like the crash is on this line: return filter->GetOutputRectInRect(aInRect);, so maybe filter is null. Somebody could check a debug build to see if it hits that assert a line earlier.

I'm not able to reproduce this on Windows 11 on latest Nightly, both with the "normal" shipped Nightly and with the Firefox that python -m fuzzfetch --asan --name firefox --fuzzing downloads. Can anybody reproduce this?

Classifying as S3, per :mccr8's observation. There doesn't seem to be a use case that is blocked, so the impact is questionable.

WRT further triage, this seems like an intersection between the layout and WebRender teams. I suspect the next step would be to re-assign to Layout for their triage. Will escalate to gfx-triage for tomorrow's triage meeting, in case a quick glance from experienced members of the Graphics team yields a better next step.

Blocks: gfx-triage
Severity: -- → S3

wh0tlif3:

What version of Firefox did you test this on? If you're building your own ASAN builds, what revision of the source and what build options? If you're using one of the ASAN builds we produce then about:buildconfig should have all you need.

[Slightly off-topic: I noticed that you've filed several other "duplicate pair" bugs like this one and bug 1873321. Please figure out what you're doing if you can and try to avoid it. You're not the only person this happens to, so if you figure it out let us know. We'd be very happy if we could change bugzilla to make it less likely]

Flags: needinfo?(wh0tlif3)

Hi,
sorry, I'm not very familiar with firefox.

I used the ASAN build you produce.

Configure options

MOZ_AUTOMATION=1 MOZBUILD_STATE_PATH=/builds/worker/.mozbuild MOZ_FETCHES_DIR=/builds/worker/fetches '--enable-optimize=-O2 -gline-tables-only' CCACHE=sccache SCCACHE_VERBOSE_STATS=1 --enable-address-sanitizer --enable-undefined-sanitizer ENABLE_CLANG_PLUGIN=1 --enable-fuzzing --disable-jemalloc --enable-valgrind 'RUSTFLAGS= -Zsanitizer=address' --enable-js-shell --disable-profiling --enable-rust-simd --disable-crashreporter --disable-install-strip

Build tools

Compiler: /builds/worker/fetches/sccache/sccache /builds/worker/fetches/clang/bin/clang --sysroot /builds/worker/fetches/sysroot-x86_64-linux-gnu -std=gnu99
Version: 17.0.6
Compiler flags: -fsanitize=bool,bounds,enum,function,integer-divide-by-zero,object-size,pointer-overflow,return,vla-bound -fno-sanitize-recover=bool,bounds,enum,function,integer-divide-by-zero,object-size,pointer-overflow,return,vla-bound -fsanitize-blacklist=/builds/worker/workspace/obj-build/ubsan_blacklist.txt -fsanitize=address -fno-sanitize-address-globals-dead-stripping -fcrash-diagnostics-dir=/builds/worker/artifacts -fPIC -ffunction-sections -fdata-sections -fno-math-errno -pthread -pipe

Compiler: /builds/worker/fetches/sccache/sccache /builds/worker/fetches/clang/bin/clang++ --sysroot /builds/worker/fetches/sysroot-x86_64-linux-gnu
Version: 17.0.6
Compiler flags: -fno-sized-deallocation -fno-aligned-new -fsanitize=bool,bounds,enum,function,integer-divide-by-zero,object-size,pointer-overflow,return,vla-bound -fno-sanitize-recover=bool,bounds,enum,function,integer-divide-by-zero,object-size,pointer-overflow,return,vla-bound -fsanitize-blacklist=/builds/worker/workspace/obj-build/ubsan_blacklist.txt -fsanitize=address -fno-sanitize-address-globals-dead-stripping -fcrash-diagnostics-dir=/builds/worker/artifacts -fno-exceptions -fPIC -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -pthread -pipe -gdwarf-4 -O2 -gline-tables-only -fno-omit-frame-pointer -funwind-tables

Compiler: /builds/worker/fetches/rustc/bin/rustc
Version: 1.75.0-dev
Compiler flags: -Zsanitizer=address

Flags: needinfo?(wh0tlif3)

:wh0tlif3: Can you please upload the content of about:support here, preferably as an attachment? Because this is possibly a graphics issue, it can be helpful to get its dump of your hardware profile and OS particulars.

Flags: needinfo?(wh0tlif3)
Flags: needinfo?(wh0tlif3)

I think this is a dup of bug 1755101 which also has a reduced test case.

See Also: → 1755101
Group: gfx-core-security

Verified bug as reproducible on mozilla-central 20240110213539-1c750a173258.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 539f28c1de729aac0a9676536b9fde47fb25d79f (20230112041059)
End: ce6cf7dcf8b16c2a478f122f8bab575231c99881 (20240106093723)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][bugmon:bisected,confirmed]

A pernosco session for this bug can be found here.

Had a quick look at the pernosco session. SetInput sets a null filter input because LookupSourceSurface fails, because Snapshotting fails because cairo_surface_status(cairo_get_group_target(mContext)) is CAIRO_STATUS_NO_MEMORY because of a CAIRO_STATUS_FREETYPE_ERROR because the scale is {xx = 19756.804750060895, yx = 0, xy = 0, yy = 7200001.609265089, x0 = 0, y0 = 0}.

I'm not sure what the best thing to do here is. It would be better if Cairo just refused to draw the very large text instead of putting the surface into an error state.

No longer blocks: gfx-triage

Lee, any thoughts on what a good approach might be?

Flags: needinfo?(lsalzman)

(In reply to Jeff Muizelaar [:jrmuizel] from comment #14)
> Lee, any thoughts on what a good approach might be?

What's wrong with just a null check and maybe a warning?

Flags: needinfo?(lsalzman)
Flags: sec-bounty? → sec-bounty-
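The failure chain in comment 0, comment 13 and the null-check suggestion above, as an added illustration that is not Gecko's code and not the patch that landed: a minimal C++ filter graph in which a failed source-surface lookup leaves a null input, and a GetInputRectInRect that treats a missing input as contributing nothing (empty rect plus a warning) instead of dereferencing it. IntRect, FilterNode, SetInput, GetInputRectInRect and LookupSourceSurface here are simplified stand-ins for the Gecko names in the stack trace; the cairo error state is modelled by a boolean "snapshot succeeded" flag.

```cpp
// Added illustration, not Gecko code. Models the bug's shape: a filter chain
// whose leaf input is null because the surface snapshot failed upstream.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Simplified stand-in for mozilla::gfx::IntRect.
struct IntRect {
  int x, y, width, height;
  IntRect() : x(0), y(0), width(0), height(0) {}
  IntRect(int aX, int aY, int aW, int aH) : x(aX), y(aY), width(aW), height(aH) {}
  bool IsEmpty() const { return width <= 0 || height <= 0; }
  IntRect Intersect(const IntRect& o) const {
    int x1 = std::max(x, o.x), y1 = std::max(y, o.y);
    int x2 = std::min(x + width, o.x + o.width);
    int y2 = std::min(y + height, o.y + o.height);
    if (x2 <= x1 || y2 <= y1) return IntRect();
    return IntRect(x1, y1, x2 - x1, y2 - y1);
  }
};

// Simplified stand-in for FilterNodeSoftware.
class FilterNode {
 public:
  virtual ~FilterNode() = default;
  // Like the real SetInput, this happily stores a null input.
  void SetInput(size_t aIndex, std::shared_ptr<FilterNode> aFilter) {
    if (mInputs.size() <= aIndex) mInputs.resize(aIndex + 1);
    mInputs[aIndex] = std::move(aFilter);
  }
  virtual IntRect GetOutputRectInRect(const IntRect& aInRect) = 0;

 protected:
  // The crash site was effectively `return filter->GetOutputRectInRect(aInRect);`
  // with filter == nullptr. Hardened form: a missing input yields an empty
  // rect and a warning, so the caller never dereferences null.
  IntRect GetInputRectInRect(size_t aIndex, const IntRect& aInRect) {
    if (aIndex >= mInputs.size() || !mInputs[aIndex]) {
      std::fprintf(stderr, "warning: filter input %zu is missing; treating as empty\n", aIndex);
      return IntRect();
    }
    return mInputs[aIndex]->GetOutputRectInRect(aInRect);
  }

 private:
  std::vector<std::shared_ptr<FilterNode>> mInputs;
};

// Leaf: a resolved source surface with known bounds.
class SurfaceSource : public FilterNode {
 public:
  explicit SurfaceSource(const IntRect& aBounds) : mBounds(aBounds) {}
  IntRect GetOutputRectInRect(const IntRect& aInRect) override {
    return mBounds.Intersect(aInRect);
  }
 private:
  IntRect mBounds;
};

// Pass-through node (like the crop / color-matrix / transform nodes in the
// trace): its output rect is whatever its single input produces.
class PassThroughNode : public FilterNode {
 public:
  IntRect GetOutputRectInRect(const IntRect& aInRect) override {
    return GetInputRectInRect(0, aInRect);
  }
};

// Stand-in for LookupSourceSurface: returns null when the snapshot failed
// (in the bug, because cairo was left in an error state by a huge scale).
std::shared_ptr<FilterNode> LookupSourceSurface(bool aSnapshotOk, const IntRect& aBounds) {
  if (!aSnapshotOk) return nullptr;
  return std::make_shared<SurfaceSource>(aBounds);
}

// Builds a two-level chain over the (possibly null) source and queries it.
// Constructed sample geometry: source bounds 100x50 at (10,10), query 60x60.
IntRect RunFilterChain(bool aSnapshotOk) {
  auto source = LookupSourceSurface(aSnapshotOk, IntRect(10, 10, 100, 50));
  auto inner = std::make_shared<PassThroughNode>();
  inner->SetInput(0, source);  // null input when the snapshot failed
  auto outer = std::make_shared<PassThroughNode>();
  outer->SetInput(0, inner);
  return outer->GetOutputRectInRect(IntRect(0, 0, 60, 60));
}

int main() {
  IntRect ok = RunFilterChain(true);
  IntRect broken = RunFilterChain(false);
  std::printf("snapshot ok: %dx%d at (%d,%d)\n", ok.width, ok.height, ok.x, ok.y);
  std::printf("snapshot failed: empty=%d\n", broken.IsEmpty() ? 1 : 0);
  return 0;
}
```

With the snapshot succeeding the chain reports the 50x50 overlap at (10,10); with it failing, the same query returns an empty rect and logs a warning rather than faulting on the zero page. The check also covers an out-of-range input index, which the real SetInput/GetInput pair would otherwise assert on only in debug builds.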

Testcase crashes using the initial build (mozilla-central 20240106093723-ce6cf7dcf8b1) but not with tip (mozilla-central 20241019063152-46a2094acb5e).

The bug appears to have been fixed in the following build range:

Start: e0a1b8bc6bd28305a0b1c293ac0176599149c1ba (20241008091832)
End: bee25281b27a7fda4e5e9ad22cdd44962f5cbebe (20241008080717)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=e0a1b8bc6bd28305a0b1c293ac0176599149c1ba&tochange=bee25281b27a7fda4e5e9ad22cdd44962f5cbebe

wh0tlif3, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(wh0tlif3)
Keywords: bugmon

Redirect a needinfo that is pending on an inactive user to the triage owner.
:bhood, since the bug has recent activity, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(wh0tlif3) → needinfo?(bhood)
Flags: needinfo?(bhood)
Assignee: nobody → lsalzman
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 134 Branch
Blocks: 1755101
See Also: 1755101