Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Unsupported premultiply formats), at /builds/worker/checkouts/gecko/gfx/2d/Swizzle.cpp:479
Categories
(Core :: Graphics: ImageLib, defect)
Tracking
()
| | Tracking | Status |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr128 | --- | unaffected |
| firefox133 | --- | wontfix |
| firefox134 | --- | wontfix |
| firefox135 | --- | fix-optional |
People
(Reporter: tsmith, Unassigned, NeedInfo)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file: 252 bytes, text/html)
Found while fuzzing m-c 20241209-bd0c66ad43d0 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Unsupported premultiply formats), at /builds/worker/checkouts/gecko/gfx/2d/Swizzle.cpp:479
#0 0x7e37190271de in mozilla::gfx::PremultiplyRow(mozilla::gfx::SurfaceFormat, mozilla::gfx::SurfaceFormat) /builds/worker/checkouts/gecko/gfx/2d/Swizzle.cpp:479:3
#1 0x7e3719a1d99e in Configure<mozilla::image::SurfaceConfig> /builds/worker/checkouts/gecko/image/SurfaceFilters.h:71:20
#2 0x7e3719a1d99e in mozilla::Maybe<mozilla::image::SurfacePipe> mozilla::image::SurfacePipeFactory::MakePipe<mozilla::image::SwizzleConfig, mozilla::image::SurfaceConfig>(mozilla::image::SwizzleConfig const&, mozilla::image::SurfaceConfig const&) /builds/worker/checkouts/gecko/image/SurfacePipeFactory.h:713:25
#3 0x7e37199e9679 in mozilla::image::SurfacePipeFactory::CreateSurfacePipe(mozilla::image::Decoder*, mozilla::gfx::IntSizeTyped<mozilla::OrientedPixel> const&, mozilla::gfx::IntSizeTyped<mozilla::OrientedPixel> const&, mozilla::gfx::IntRectTyped<mozilla::OrientedPixel> const&, mozilla::gfx::SurfaceFormat, mozilla::gfx::SurfaceFormat, mozilla::Maybe<mozilla::image::AnimationParams> const&, _qcms_transform*, mozilla::image::SurfacePipeFlags) /builds/worker/checkouts/gecko/image/SurfacePipeFactory.h:454:22
#4 0x7e37199fdb60 in mozilla::image::nsIconDecoder::ReadHeader(char const*) /builds/worker/checkouts/gecko/image/decoders/nsIconDecoder.cpp:95:29
#5 0x7e37199fca57 in operator() /builds/worker/checkouts/gecko/image/decoders/nsIconDecoder.cpp:38:34
#6 0x7e37199fca57 in BufferedRead<(lambda at /builds/worker/checkouts/gecko/image/decoders/nsIconDecoder.cpp:35:21)> /builds/worker/checkouts/gecko/image/StreamingLexer.h:605:11
#7 0x7e37199fca57 in Lex<(lambda at /builds/worker/checkouts/gecko/image/decoders/nsIconDecoder.cpp:35:21)> /builds/worker/checkouts/gecko/image/StreamingLexer.h:470:26
#8 0x7e37199fca57 in mozilla::image::nsIconDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/decoders/nsIconDecoder.cpp:34:17
#9 0x7e37199141bd in mozilla::image::Decoder::Decode(mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/Decoder.cpp:190:19
#10 0x7e3719965164 in mozilla::image::AnonymousDecoderTask::Run() /builds/worker/checkouts/gecko/image/ImageUtils.cpp:67:38
#11 0x7e371993712d in mozilla::image::DecodingTask::Run() /builds/worker/checkouts/gecko/image/DecodePool.cpp:153:12
#12 0x7e3717e50aa7 in mozilla::TaskController::RunPoolThread(mozilla::PoolThread*) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:417:23
#13 0x7e3727ff79df in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:191:3
#14 0x7e3727c94ac2 in start_thread nptl/pthread_create.c:442:8
#15 0x7e3727d2684f misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Comment 1•1 year ago
Verified bug as reproducible on mozilla-central 20241212052347-a8a3495297c3.
The bug appears to have been introduced in the following build range:
Start: e7414e1cf765844b96eeee3fec7603f5ca49fa55 (20240724030028)
End: eeaccdadb526514bef6983cc9eacbad25a09d494 (20240724061610)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e7414e1cf765844b96eeee3fec7603f5ca49fa55&tochange=eeaccdadb526514bef6983cc9eacbad25a09d494
Comment 2•1 year ago
Introduced when we landed ImageDecoder support.
Comment 3•1 year ago
:aosmond, since you are the author of the regressor, bug 1749048, could you take a look?
For more information, please visit BugBot documentation.
Comment 4•1 year ago
Testcase crashes using the initial build (mozilla-central 20241209143224-bd0c66ad43d0) but not with tip (mozilla-central 20250111091648-dbf9beb835a2).
The bug appears to have been fixed in the following build range:
Start: 1d40063a5fe7482dd45537a1318f4bad8522c8c2 (20250109125602)
End: d34d1d9e1eed82907c04fe20479298c8d044abe5 (20250109125710)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=1d40063a5fe7482dd45537a1318f4bad8522c8c2&tochange=d34d1d9e1eed82907c04fe20479298c8d044abe5
tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 5•1 year ago (Reporter)
I can confirm this is no longer reproducible. Should we still land the test case?