Open Bug 1934284 Opened 2 months ago Updated 1 month ago

crash near null [@ GetCanvasTM]

Categories: Core :: SVG, defect, P3

Tracking Status: firefox135 --- affected

People: Reporter: tsmith, Unassigned

References: Blocks 1 open bug

Details: 5 keywords, Whiteboard: [bugmon:bisected,confirmed]

Attachments: 1 file

Attached file testcase.html

Found while fuzzing 20241126-9358b6a02a04 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

==680001==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7914e8f7f68f bp 0x7ffdf2feccf0 sp 0x7ffdf2fecbe0 T0)
==680001==The signal is caused by a READ memory access.
==680001==Hint: address points to the zero page.
    #0 0x7914e8f7f68f in GetCanvasTM /builds/worker/checkouts/gecko/layout/svg/SVGGeometryFrame.cpp
    #1 0x7914e8f7f68f in mozilla::SVGMarkerFrame::GetCanvasTM() /builds/worker/checkouts/gecko/layout/svg/SVGMarkerFrame.cpp:78:38
    #2 0x7914e8fc5a94 in mozilla::SVGMarkerAnonChildFrame::GetCanvasTM() /builds/worker/checkouts/gecko/layout/svg/SVGMarkerFrame.h:158:55
    #3 0x7914e8f49714 in mozilla::SVGDisplayContainerFrame::GetCanvasTM() /builds/worker/checkouts/gecko/layout/svg/SVGContainerFrame.cpp:431:47
    #4 0x7914e8fce773 in mozilla::SVGUtils::GetCanvasTM(nsIFrame*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:342:28
    #5 0x7914e8f3b0df in mozilla::FilterInstance::GetPreFilterNeededArea(nsIFrame*, nsTArray<mozilla::SVGFilterFrame*> const&, nsRegion const&) /builds/worker/checkouts/gecko/layout/svg/FilterInstance.cpp:1482:18
    #6 0x7914e8f74cd7 in mozilla::SVGIntegrationUtils::GetRequiredSourceForInvalidArea(nsIFrame*, nsRect const&) /builds/worker/checkouts/gecko/layout/svg/SVGIntegrationUtils.cpp:400:10
    #7 0x7914e8cdd992 in nsIFrame::BuildDisplayListForStackingContext(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, bool*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3328:9
    #8 0x7914e8a58b1f in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3167:15
    #9 0x7914e8f7d8b7 in mozilla::PaintFrameCallback::operator()(gfxContext*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const&, mozilla::gfx::SamplingFilter, mozilla::gfx::BaseMatrix<double> const&) /builds/worker/checkouts/gecko/layout/svg/SVGIntegrationUtils.cpp:1148:3
    #10 0x7914e0bd63bb in gfxUtils::DrawPixelSnapped(gfxContext*, gfxDrawable*, mozilla::gfx::SizeTyped<mozilla::gfx::UnknownUnits, double> const&, mozilla::image::ImageRegion const&, mozilla::gfx::SurfaceFormat, mozilla::gfx::SamplingFilter, unsigned int, double, bool) /builds/worker/checkouts/gecko/gfx/thebes/gfxUtils.cpp:571:13
    #11 0x7914e1311a39 in mozilla::image::DynamicImage::Draw(gfxContext*, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::image::ImageRegion const&, unsigned int, mozilla::gfx::SamplingFilter, mozilla::SVGImageContext const&, unsigned int, float) /builds/worker/checkouts/gecko/image/DynamicImage.cpp:191:5
    #12 0x7914e12fe940 in mozilla::image::ClippedImage::Draw(gfxContext*, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::image::ImageRegion const&, unsigned int, mozilla::gfx::SamplingFilter, mozilla::SVGImageContext const&, unsigned int, float) /builds/worker/checkouts/gecko/image/ClippedImage.cpp:330:26
    #13 0x7914e8a703d1 in DrawImageInternal(gfxContext&, nsPresContext*, imgIContainer*, mozilla::gfx::SamplingFilter, nsRect const&, nsRect const&, nsPoint const&, nsRect const&, mozilla::SVGImageContext const&, unsigned int, mozilla::gfx::ExtendMode, float) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:6201:22
    #14 0x7914e8a70c39 in nsLayoutUtils::DrawSingleImage(gfxContext&, nsPresContext*, imgIContainer*, mozilla::gfx::SamplingFilter, nsRect const&, nsRect const&, mozilla::SVGImageContext const&, unsigned int, nsPoint const*) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:6270:10
    #15 0x7914e914983e in mozilla::nsImageRenderer::DrawBorderImageComponent(nsPresContext*, gfxContext&, nsRect const&, nsRect const&, mozilla::gfx::IntRectTyped<mozilla::CSSPixel> const&, mozilla::StyleBorderImageRepeatKeyword, mozilla::StyleBorderImageRepeatKeyword, nsSize const&, unsigned char, mozilla::Maybe<nsSize> const&, bool) /builds/worker/checkouts/gecko/layout/painting/nsImageRenderer.cpp:939:30
    #16 0x7914e910fa7a in nsCSSBorderImageRenderer::DrawBorderImage(nsPresContext*, gfxContext&, nsIFrame*, nsRect const&) /builds/worker/checkouts/gecko/layout/painting/nsCSSRenderingBorders.cpp:3570:32
    #17 0x7914e910abbf in nsCSSRendering::PaintBorderWithStyleBorder(nsPresContext*, gfxContext&, nsIFrame*, nsRect const&, nsRect const&, nsStyleBorder const&, mozilla::ComputedStyle*, mozilla::PaintBorderFlags, mozilla::Sides) /builds/worker/checkouts/gecko/layout/painting/nsCSSRendering.cpp:862:24
    #18 0x7914e910a67a in nsCSSRendering::PaintBorder(nsPresContext*, gfxContext&, nsIFrame*, nsRect const&, nsRect const&, mozilla::ComputedStyle*, mozilla::PaintBorderFlags, mozilla::Sides) /builds/worker/checkouts/gecko/layout/painting/nsCSSRendering.cpp:650:10
    #19 0x7914e918b219 in mozilla::nsDisplayBorder::Paint(mozilla::nsDisplayListBuilder*, gfxContext*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:4230:13
    #20 0x7914e053b1d5 in mozilla::layers::PaintItemByDrawTarget(mozilla::nsDisplayItem*, mozilla::gfx::DrawTarget*, mozilla::gfx::PointTyped<mozilla::LayoutDevicePixel, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::nsDisplayListBuilder*, mozilla::gfx::BaseScaleFactors2D<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const&, mozilla::Maybe<mozilla::gfx::DeviceColor>&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2335:38
    #21 0x7914e05392d9 in mozilla::layers::WebRenderCommandBuilder::GenerateFallbackData(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*, mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float>&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2593:7
    #22 0x7914e0532a3a in mozilla::layers::WebRenderCommandBuilder::PushItemAsImage(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2882:48
    #23 0x7914e0530855 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2115:7
    #24 0x7914e9196e3a in CreateWebRenderCommandsNewClipListOption /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:4608:30
    #25 0x7914e9196e3a in CreateWebRenderCommands /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:4953:12
    #26 0x7914e9196e3a in mozilla::nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:5238:22
    #27 0x7914e0532879 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1859:41
    #28 0x7914e0530855 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2115:7
    #29 0x7914e052dc45 in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1780:5
    #30 0x7914e05a56cc in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderLayerManager.cpp:365:30
    #31 0x7914e916d1f2 in mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2297:18
    #32 0x7914e8a59343 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3231:9
    #33 0x7914e89550a0 in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6567:5
    #34 0x7914e810e7b3 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:399:18
    #35 0x7914e810dc0b in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:334:22
    #36 0x7914e810fec7 in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:837:5
    #37 0x7914e88c694d in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2875:11
    #38 0x7914e88d9a47 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:13
    #39 0x7914e88d9a47 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:346:7
    #40 0x7914e88d975a in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:362:5
    #41 0x7914e88d93d1 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:948:5
    #42 0x7914e88d8437 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:858:5
    #43 0x7914e88d6fc8 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:759:5
    #44 0x7914e88d65d8 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:593:14
    #45 0x7914e88d6215 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:550:9
    #46 0x7914e72b89ab in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
    #47 0x7914e775f5b4 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:235:78
    #48 0x7914df2b4bf7 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5249:32
    #49 0x7914df2027e5 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1727:25
    #50 0x7914df1fea1f in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1654:9
    #51 0x7914df1ff941 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1445:3
    #52 0x7914df200e93 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1545:14
    #53 0x7914ddc099ea in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:620:16
    #54 0x7914ddbf5c0e in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:947:26
    #55 0x7914ddbf3428 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:770:15
    #56 0x7914ddbf3a46 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:556:36
    #57 0x7914ddc10cc1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:270:37
    #58 0x7914ddc10cc1 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
    #59 0x7914ddc310cf in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
    #60 0x7914ddc3bd98 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #61 0x7914df20a77e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #62 0x7914df0efe64 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
    #63 0x7914df0efe64 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
    #64 0x7914df0efe64 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
    #65 0x7914e81f4419 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #66 0x7914e8395f5a in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
    #67 0x7914ea02113d in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:646:20
    #68 0x7914df0efe64 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
    #69 0x7914df0efe64 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
    #70 0x7914df0efe64 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
    #71 0x7914ea01f61c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:584:34
    #72 0x5e034ebc9cb9 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:397:22
Flags: in-testsuite?
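As an added triage helper (not part of this bug report, and not Mozilla's own tooling): a small parser for the ASan SEGV header and frame lines above. It pulls out the faulting address and the access type, checks whether the address sits in the zero page (which is what makes this a near-null read rather than a wild pointer), and builds a short top-of-stack signature of the kind crash-stats uses. The sample input is an excerpt of the report in this bug; the 0x1000 zero-page threshold and the bucket names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Header lines as printed by LLVM AddressSanitizer for a SEGV (not a heap report).
SEGV_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: SEGV on unknown address "
    r"0x(?P<addr>[0-9a-fA-F]+)"
)
ACCESS_RE = re.compile(r"The signal is caused by a (?P<kind>READ|WRITE|UNKNOWN) memory access")
# "#N 0xADDR in <function signature> <file:line:col>". The location is the last
# whitespace-free token, so signatures containing spaces and commas still parse.
FRAME_RE = re.compile(
    r"^\s*#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>.+?)\s+(?P<loc>\S+)\s*$"
)

# Assumption: any address below one 4 KiB page is treated as a null-ish pointer
# (NULL plus a small field offset), matching ASan's "points to the zero page" hint.
ZERO_PAGE_LIMIT = 0x1000


@dataclass
class Frame:
    index: int
    function: str
    location: str


@dataclass
class SegvReport:
    pid: int
    address: int
    access: str
    frames: List[Frame] = field(default_factory=list)

    def is_near_null(self) -> bool:
        return self.address < ZERO_PAGE_LIMIT

    def signature(self, depth: int = 3) -> str:
        """Top-of-stack signature in the '[@ a | b | c]' style used by crash-stats."""
        return "[@ " + " | ".join(f.function for f in self.frames[:depth]) + "]"

    def bucket(self) -> str:
        """Coarse triage bucket: near-null reads are usually a plain DoS, a wild
        write is the case to escalate. Bucket names are this example's own."""
        where = "near-null" if self.is_near_null() else "wild"
        return f"{where}-{self.access.lower()}"


def parse_asan_segv(text: str) -> Optional[SegvReport]:
    """Parse an ASan SEGV report; returns None if no SEGV header line is present."""
    report: Optional[SegvReport] = None
    for line in text.splitlines():
        if report is None:
            m = SEGV_RE.search(line)
            if m:
                report = SegvReport(int(m["pid"]), int(m["addr"], 16), "UNKNOWN")
            continue
        m = ACCESS_RE.search(line)
        if m:
            report.access = m["kind"]
            continue
        m = FRAME_RE.match(line)
        if m:
            report.frames.append(Frame(int(m["idx"]), m["func"], m["loc"]))
    return report


# Excerpt of the report in this bug: the header plus the first six frames.
SAMPLE_REPORT = """\
==680001==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7914e8f7f68f bp 0x7ffdf2feccf0 sp 0x7ffdf2fecbe0 T0)
==680001==The signal is caused by a READ memory access.
==680001==Hint: address points to the zero page.
    #0 0x7914e8f7f68f in GetCanvasTM /builds/worker/checkouts/gecko/layout/svg/SVGGeometryFrame.cpp
    #1 0x7914e8f7f68f in mozilla::SVGMarkerFrame::GetCanvasTM() /builds/worker/checkouts/gecko/layout/svg/SVGMarkerFrame.cpp:78:38
    #2 0x7914e8fc5a94 in mozilla::SVGMarkerAnonChildFrame::GetCanvasTM() /builds/worker/checkouts/gecko/layout/svg/SVGMarkerFrame.h:158:55
    #3 0x7914e8f49714 in mozilla::SVGDisplayContainerFrame::GetCanvasTM() /builds/worker/checkouts/gecko/layout/svg/SVGContainerFrame.cpp:431:47
    #4 0x7914e8fce773 in mozilla::SVGUtils::GetCanvasTM(nsIFrame*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:342:28
    #5 0x7914e8f3b0df in mozilla::FilterInstance::GetPreFilterNeededArea(nsIFrame*, nsTArray<mozilla::SVGFilterFrame*> const&, nsRegion const&) /builds/worker/checkouts/gecko/layout/svg/FilterInstance.cpp:1482:18
"""

if __name__ == "__main__":
    r = parse_asan_segv(SAMPLE_REPORT)
    assert r is not None
    print(r.bucket(), hex(r.address), r.signature())
```

The fault address 0x30 is a small offset from NULL, so the bucket comes out as a near-null read: consistent with the S3 severity, a crash rather than a memory-safety problem, unless the missing object's offset turns out to be attacker-controlled.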

I get this crash from the testcase on the latest Nightly on Win11: https://crash-stats.mozilla.org/report/index/69a6bc55-8651-46dc-90d7-0d10d0241129

Bisection: [2019-05-19 to 2019-05-20]

Crash Signature: [@ nsIFrame::GetContent ]

What changes are in that bisection range?

Flags: needinfo?(mayankleoboy1)

(In reply to Robert Longson [:longsonr] from comment #2)
> What changes are in that bisection range?

Mozregression borked on me while doing the initial bisection.
I redid a more targeted bisection now: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=4a74609752d2e77e4be401e92978c9c32a842b40&tochange=257f2c96cef502a1d674df56c8e39d76d8ed4d89
So maybe bug 1383650?

Flags: needinfo?(mayankleoboy1)

Verified bug as reproducible on mozilla-central 20241203162108-d140333670bc.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 775ade8b04da775ad41d5d135baae415863a874c (20231205090844)
End: 9358b6a02a04f62e0c9c7fcba4877700076a28f5 (20241126093610)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False, searchfox=False, afl=False)

Whiteboard: [bugmon:bisected,confirmed]

The severity field is not set for this bug.
:emilio, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(emilio)

Needs -moz-element which probably makes it relatively low priority. But we should probably still figure out what's going on. I bet we're painting the marker without a marked frame here.

Severity: -- → S3
Flags: needinfo?(emilio)
Keywords: pernosco-wanted
Priority: -- → P3

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

A pernosco session for this bug can be found here.
