Closed Bug 1982335 Opened 8 months ago Closed 8 months ago

Hit MOZ_CRASH(Content-process DrawTargetRecording can't create requested similar drawtarget) at /gfx/2d/DrawTargetRecording.cpp:829

Categories

(Core :: Graphics: Canvas2D, defect)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
143 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 --- wontfix
firefox-esr140 --- wontfix
firefox141 --- wontfix
firefox142 --- wontfix
firefox143 --- verified

People

(Reporter: jkratzer, Assigned: tnikkel)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev a8a8028addc8 (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build a8a8028addc8 --asan --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Hit MOZ_CRASH(Content-process DrawTargetRecording can't create requested similar drawtarget) at /gfx/2d/DrawTargetRecording.cpp:829

    =================================================================
    ==1538390==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7582119b942b bp 0x7ffd91a042d0 sp 0x7ffd91a04140 T0)
    ==1538390==The signal is caused by a WRITE memory access.
    ==1538390==Hint: address points to the zero page.
        #0 0x7582119b942b in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3
        #1 0x7582119b942b in mozilla::gfx::DrawTargetRecording::CreateSimilarDrawTarget(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat) const /gfx/2d/DrawTargetRecording.cpp:827:5
        #2 0x758215797b03 in mozilla::dom::AdjustedTargetForFilter::DoSourcePaint(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits>&, mozilla::dom::CanvasRenderingContext2D::Style) /dom/canvas/CanvasRenderingContext2D.cpp:508:43
        #3 0x75821579660b in mozilla::dom::AdjustedTargetForFilter::~AdjustedTargetForFilter() /dom/canvas/CanvasRenderingContext2D.cpp:553:9
        #4 0x758215667f4e in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:88:5
        #5 0x758215667f4e in reset /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/unique_ptr.h:385:4
        #6 0x758215667f4e in mozilla::dom::AdjustedTarget::~AdjustedTarget() /dom/canvas/CanvasRenderingContext2D.cpp:781:19
        #7 0x75821579c5d9 in mozilla::dom::CanvasBidiProcessor::DrawText(int) /dom/canvas/CanvasRenderingContext2D.cpp:4915:3
        #8 0x75821a9011c6 in nsBidiPresUtils::ProcessSimpleRun(char16_t const*, unsigned long, mozilla::intl::BidiEmbeddingLevel, nsPresContext*, nsBidiPresUtils::BidiProcessor&, nsBidiPresUtils::Mode, nsBidiPositionResolve*, int, int*) /layout/base/nsBidiPresUtils.cpp:2425:16
        #9 0x75821a900323 in nsBidiPresUtils::ProcessText(char16_t const*, unsigned long, mozilla::intl::BidiEmbeddingLevel, nsPresContext*, nsBidiPresUtils::BidiProcessor&, nsBidiPresUtils::Mode, nsBidiPositionResolve*, int, int*, mozilla::intl::Bidi&) /layout/base/nsBidiPresUtils.cpp:2195:5
        #10 0x75821567b21d in mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText(nsTSubstring<char16_t> const&, float, float, mozilla::dom::Optional<double> const&, mozilla::dom::CanvasRenderingContext2D::TextDrawOperation, mozilla::ErrorResult&) /dom/canvas/CanvasRenderingContext2D.cpp:5269:12
        #11 0x75821567bccd in mozilla::dom::CanvasRenderingContext2D::StrokeText(nsTSubstring<char16_t> const&, double, double, mozilla::dom::Optional<double> const&, mozilla::ErrorResult&) /dom/canvas/CanvasRenderingContext2D.cpp:4597:47
        #12 0x758214e4c076 in mozilla::dom::CanvasRenderingContext2D_Binding::strokeText(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./CanvasRenderingContext2DBinding.cpp:7881:24
        #13 0x75821549be0f in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3308:13
        #14 0x75821c300987 in CallJSNative /js/src/vm/Interpreter.cpp:501:13
        #15 0x75821c300987 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:597:12
        #16 0x75821d4392d9 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /js/src/jit/BaselineIC.cpp:1705:10
        #17 0x3f4593c519b3  ([anon:js-executable-memory]+0x29b3)
    
    ==1538390==Register values:
    rax = 0x0000000000000001  rbx = 0x00000fffb2340834  rcx = 0x000000000000033d  rdx = 0x0000000000000000  
    rdi = 0x000057f7ab4d5ed0  rsi = 0x00007ffd91a040f8  rbp = 0x00007ffd91a042d0  rsp = 0x00007ffd91a04140  
     r8 = 0x0000000000000000   r9 = 0x0000000000000000  r10 = 0xffffff0000000000  r11 = 0x4000000000000000  
    r12 = 0x000050f00002f980  r13 = 0x00000a1e00005f3c  r14 = 0x0000000000000000  r15 = 0x0000758231d3d0d0  
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3 in MOZ_CrashSequence
    ==1538390==ABORTING
Attached file Testcase
Attachment #9506365 - Attachment filename: testcase.zip.undefined → testcase.zip

Verified bug as reproducible on mozilla-central 20250811093416-507b9d6bb016.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 2d25134707f3710ac52e3b25ccb0eb710e2c5d3b (20240812092340)
End: a8a8028addc8ef776b6f2ce3ec7c88b1093ba706 (20250810210608)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False, searchfox=False, afl=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Assignee: nobody → tnikkel
Severity: -- → S3
Pushed by tnikkel@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/1a4d5a2ac8d9 https://hg.mozilla.org/integration/autoland/rev/23399633a94c Make AdjustedTargetForFilter constructor check that all of the surfaces it will require can be created. r=gfx-reviewers,lsalzman
Status: NEW → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → 143 Branch

Verified bug as fixed on rev mozilla-central 20250813155409-76f448acb1d5.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon