1885209 - Assertion failure: aInFormat == gfx::SurfaceFormat::R8G8B8 || aInFormat == gfx::SurfaceFormat::R8G8B8A8 || aInFormat == gfx::SurfaceFormat::R8G8B8X8 || aInFormat == gfx::SurfaceFormat::OS_RGBA || aInFormat == gfx::SurfaceFormat::OS_RGBX, at /builds/worker

Status: RESOLVED FIXED

(Core :: Graphics: ImageLib, defect)

Description

[Tyson Smith [:tsmith]]

Found with m-c 20240313-4f7a5399c1cc (--enable-debug --enable-fuzzing)

This was found by visiting a live website with a debug build.

STR:

• Launch browser and visit site

This issue was triggered by visiting http://cosmicvariance.co.in/.

Assertion failure: aInFormat == gfx::SurfaceFormat::R8G8B8 || aInFormat == gfx::SurfaceFormat::R8G8B8A8 || aInFormat == gfx::SurfaceFormat::R8G8B8X8 || aInFormat == gfx::SurfaceFormat::OS_RGBA || aInFormat == gfx::SurfaceFormat::OS_RGBX, at /builds/worker

#0 0x7f36abd2fdaf in mozilla::image::SurfacePipeFactory::CreateSurfacePipe(mozilla::image::Decoder*, mozilla::gfx::IntSizeTyped<mozilla::OrientedPixel> const&, mozilla::gfx::IntSizeTyped<mozilla::OrientedPixel> const&, mozilla::gfx::IntRectTyped<mozilla::OrientedPixel> const&, mozilla::gfx::SurfaceFormat, mozilla::gfx::SurfaceFormat, mozilla::Maybe<mozilla::image::AnimationParams> const&, _qcms_transform*, mozilla::image::SurfacePipeFlags) /builds/worker/checkouts/gecko/image/SurfacePipeFactory.h:110:5
#1 0x7f36abd44b7c in mozilla::image::nsIconDecoder::ReadHeader(char const*) /builds/worker/checkouts/gecko/image/decoders/nsIconDecoder.cpp:85:29
#2 0x7f36abd43b7e in operator() /builds/worker/checkouts/gecko/image/decoders/nsIconDecoder.cpp:38:34
#3 0x7f36abd43b7e in BufferedRead<(lambda at /builds/worker/checkouts/gecko/image/decoders/nsIconDecoder.cpp:35:21)> /builds/worker/checkouts/gecko/image/StreamingLexer.h:605:11
#4 0x7f36abd43b7e in Lex<(lambda at /builds/worker/checkouts/gecko/image/decoders/nsIconDecoder.cpp:35:21)> /builds/worker/checkouts/gecko/image/StreamingLexer.h:470:26
#5 0x7f36abd43b7e in mozilla::image::nsIconDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/decoders/nsIconDecoder.cpp:34:17
#6 0x7f36abc67240 in mozilla::image::Decoder::Decode(mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/Decoder.cpp:177:19
#7 0x7f36abc7351f in mozilla::image::DecodedSurfaceProvider::Run() /builds/worker/checkouts/gecko/image/DecodedSurfaceProvider.cpp:125:34
#8 0x7f36abc724d6 in mozilla::image::DecodePool::SyncRunIfPossible(mozilla::image::IDecodingTask*, nsTString<char> const&) /builds/worker/checkouts/gecko/image/DecodePool.cpp:193:10
#9 0x7f36abca6fae in mozilla::image::LaunchDecodingTask(mozilla::image::IDecodingTask*, mozilla::image::RasterImage*, unsigned int, bool) /builds/worker/checkouts/gecko/image/RasterImage.cpp:1135:32
#10 0x7f36abca1a15 in mozilla::image::RasterImage::Decode(mozilla::gfx::IntSizeTyped<mozilla::OrientedPixel> const&, unsigned int, mozilla::image::PlaybackType, bool&, bool&) /builds/worker/checkouts/gecko/image/RasterImage.cpp:1247:17
#11 0x7f36abca09d8 in mozilla::image::RasterImage::LookupFrame(mozilla::gfx::IntSizeTyped<mozilla::OrientedPixel> const&, unsigned int, mozilla::image::PlaybackType, bool) /builds/worker/checkouts/gecko/image/RasterImage.cpp:385:5
#12 0x7f36abca2b75 in mozilla::image::RasterImage::GetFrameAtSize(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, unsigned int) /builds/worker/checkouts/gecko/image/RasterImage.cpp:580:25
#13 0x7f36abd0ad8b in mozilla::image::imgTools::EncodeScaledImage(imgIContainer*, nsTSubstring<char> const&, int, int, nsTSubstring<char16_t> const&, nsIInputStream**) /builds/worker/checkouts/gecko/image/imgTools.cpp:517:45
#14 0x7f36b15bcad0 in nsFaviconService::OptimizeIconSizes(mozilla::places::IconData&) /builds/worker/checkouts/gecko/toolkit/components/places/nsFaviconService.cpp:774:27
#15 0x7f36b15e39b5 in nsFaviconService::ReplaceFaviconData(nsIURI*, nsTArray<unsigned char> const&, nsTSubstring<char> const&, long) /builds/worker/checkouts/gecko/toolkit/components/places/nsFaviconService.cpp:428:8
#16 0x7f36b15e4413 in nsFaviconService::ReplaceFaviconDataFromDataURL(nsIURI*, nsTSubstring<char16_t> const&, long, nsIPrincipal*) /builds/worker/checkouts/gecko/toolkit/components/places/nsFaviconService.cpp:533:8
#17 0x7f36aa4371d5 in NS_InvokeByIndex /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
#18 0x7f36ab2fe4bd in Invoke /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1621:10
#19 0x7f36ab2fe4bd in CallMethodHelper::Call() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1174:19
#20 0x7f36ab2fe1b7 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1120:23
#21 0x7f36ab30013f in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:966:10
#22 0x7f36b1acc3f4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:479:13
#23 0x7f36b1acbd4b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:573:12
#24 0x7f36b1adb668 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:645:10
#25 0x7f36b1adb668 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3060:16
#26 0x7f36b1acb2d2 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:451:13
#27 0x7f36b1acbd68 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:13
#28 0x7f36b1acd01d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:672:8
#29 0x7f36b1be9c44 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#30 0x7f36ac6e5746 in mozilla::dom::MessageListener::ReceiveMessage(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::ReceiveMessageArgument const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./MessageManagerBinding.cpp:5896:6
#31 0x7f36af3ab74e in mozilla::dom::MessageListener::ReceiveMessage(mozilla::dom::ReceiveMessageArgument const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/MessageManagerBinding.h:654:8
#32 0x7f36af3ab5ae in mozilla::dom::JSActor::CallReceiveMessage(JSContext*, mozilla::dom::JSActorMessageMeta const&, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/ipc/jsactor/JSActor.cpp:288:22
#33 0x7f36af3ab974 in mozilla::dom::JSActor::ReceiveMessage(JSContext*, mozilla::dom::JSActorMessageMeta const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/ipc/jsactor/JSActor.cpp:304:3
#34 0x7f36af3af019 in mozilla::dom::JSActorManager::ReceiveRawMessage(mozilla::dom::JSActorMessageMeta const&, mozilla::Maybe<mozilla::dom::ipc::StructuredCloneData>&&, mozilla::Maybe<mozilla::dom::ipc::StructuredCloneData>&&) /builds/worker/checkouts/gecko/dom/ipc/jsactor/JSActorManager.cpp:222:14
#35 0x7f36af168de9 in mozilla::dom::WindowGlobalParent::RecvRawMessage(mozilla::dom::JSActorMessageMeta const&, mozilla::Maybe<mozilla::dom::ClonedMessageData> const&, mozilla::Maybe<mozilla::dom::ClonedMessageData> const&) /builds/worker/checkouts/gecko/dom/ipc/WindowGlobalParent.cpp:573:3
#36 0x7f36af393c61 in mozilla::dom::PWindowGlobalParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWindowGlobalParent.cpp:914:86
#37 0x7f36af2b31f5 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:6814:32
#38 0x7f36ab0ee18f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1812:25
#39 0x7f36ab0eaee2 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1731:9
#40 0x7f36ab0ebb62 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1524:3
#41 0x7f36ab0eccaf in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1622:14
#42 0x7f36aa3ec3c7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
#43 0x7f36aa3e1a46 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
#44 0x7f36aa3e0227 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
#45 0x7f36aa3e06a5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
#46 0x7f36aa3f0366 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:232:37
#47 0x7f36aa3f0366 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#48 0x7f36aa405642 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#49 0x7f36aa40c78d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#50 0x7f36ab0f40d5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#51 0x7f36ab00a471 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#52 0x7f36ab00a471 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#53 0x7f36af999f78 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#54 0x7f36afa5c9f8 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#55 0x7f36b1724344 in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:296:30
#56 0x7f36b1893f20 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5739:22
#57 0x7f36b18955d0 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5951:8
#58 0x7f36b1896252 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:6008:21
#59 0x55ae016da3a7 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:227:22
#60 0x55ae016da3a7 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:445:16
#61 0x7f36befa3d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#62 0x7f36befa3e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#63 0x55ae016b01c8 in _start (/home/worker/build/firefox-bin+0x591c8) (BuildId: 8caf4db930bc73babfaac16bb2e5a839e82c859d)

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/tX8l3V8Qjc9cgxMdbuwepg/index.html

Comment 2

[Timothy Nikkel (:tnikkel)]

Attachment: Bug 1885209. Sanity check pixel format of internal icon type images. r?aosmond,#gfx-reviewers

The page has

<link rel="shortcut icon" type="image/x-icon" href="data:image/icon;base64,png_data">

When the Favicon service tries to decode that is passes "image/icon" as the mimetype to choose the decoder type and so we try to decode it as our internal icon format (not a format used in the wild, only used internal to get pass around icon data we retrieved from the OS). This passes in an invalid format type and hits the assert. In a non-debug build we fail to create the surface pipe later when we can't find a swizzle function. We only ever create these icon files with formats R8G8B8A8, OS_RGBA, or B8G8R8A8. The favicon still gets displayed so the favicon service must be trying something more complicated if that fails.

In the normal content image loading path we prefer to sniff the content type from the image data and if that fails fall back to the specified content type. So the test had be careful not to look like png (or any other) image format so that we actually tried to decode it as an icon.

Comment 3

[Pulsebot]

Pushed by tnikkel@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6919ad3b0886
Sanity check pixel format of internal icon type images. r=gfx-reviewers,nical

Comment 4

[Sandor Molnar[:smolnar]]

https://hg.mozilla.org/mozilla-central/rev/6919ad3b0886