Closed Bug 593526 Opened 10 years ago Closed 7 years ago

Crash [@ pixman_multiply_overflows_int] [@ pixman_image_get_component_alpha]

Categories: Core :: Graphics, defect, critical
Platform: x86_64, macOS
Priority: Not set
Status: RESOLVED WORKSFORME
People: Reporter: jruderman, Assigned: jrmuizel
References: Blocks 1 open bug
Keywords: crash, testcase
Whiteboard: [sg:needinfo][critsmash:investigating]
Attachments: 2 files

Tested on Mac OS X 10.6.4 with a 64-bit Firefox debug build from Tinderbox.
Attached file crash log
Assignee: nobody → jmuizelaar
blocking2.0: --- → final+
Whiteboard: [sg:critical?] → [sg:critical?][critsmash:investigating]
Does this happen in 3.6?
Jeff, can you try to repro in 3.6, please?  :)
This testcase does not crash for me using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10.
This doesn't crash for me in my debug build but it looks like there is still badness going on.
Running firefox-bin directly seems to have broken on 10.5 (see bug 607519). This is preventing me from trying things out with valgrind.
valgrind --trace-children=yes --smc-check=all --track-origins=yes --dsymutil=yes ./firefox -P MozillaDebug

should work
(In reply to comment #7)
> valgrind --trace-children=yes --smc-check=all --track-origins=yes
> --dsymutil=yes ./firefox -P MozillaDebug
> 
> should work

That just seems to segfault immediately
I'll just use my own build...
I haven't been able to get anything useful out of valgrind. It runs really slow, so it's hard to know if it's hitting the same problems.
OS: Mac OS X → Windows 7
OS: Windows 7 → Mac OS X
I can reproduce this crash reliably on Mac OS X 10.6.  Valgrind isn't required.

On Mac OS X 10.5, I don't get a crash, just a white page with a horizontal scrollbar.
OS: Mac OS X → Windows XP
I can't repro the crash on x86_64-Linux.  I get a white page with a
small square in the top left corner.

> On Mac OS X 10.5, I don't get a crash, just a white page with a horizontal
> scrollbar.

I get that too.  Perhaps that's the right behaviour?  It looks like the
test case is asking to draw something extremely wide.

I can't get any badness out of Valgrind memcheck or ptrcheck on either
of these platforms.

Maybe some integer overflow kind of thing?
> I can reproduce this crash reliably on Mac OS X 10.6.

Me too (10.6, 64-bit build I should add):

Invalid read of size 4
   at 0x100F660D6: pixman_image_get_component_alpha (pixman-image.c:685)
   by 0x100F2F902: _cairo_surface_clone_similar (cairo-surface.c:1549)
   by 0x100F240DE: _cairo_pattern_acquire_surface (cairo-pattern.c:2158)
   by 0x100F2550B: _cairo_pattern_acquire_surfaces (cairo-pattern.c:2411)
   by 0x100F1AE94: _cairo_image_surface_composite (cairo-image-surface.c:1128)
   by 0x100F2E001: _cairo_surface_composite (cairo-surface.c:1821)
   by 0x100F317A0: _clip_and_composite_trapezoids (cairo-surface-fallback.c:740)
   by 0x100F31EE4: _cairo_surface_fallback_fill (cairo-surface-fallback.c:1406)
   by 0x100F2EBCB: _cairo_surface_fill (cairo-surface.c:2222)
   by 0x100F17549: _cairo_gstate_fill (cairo-gstate.c:1177)
   by 0x100F0BD2E: _moz_cairo_fill_preserve (cairo.c:2338)
   by 0x100F0C3C6: _moz_cairo_fill (cairo.c:2314)
 Address 0x60 is not stack'd, malloc'd or (recently) free'd

Then it segfaults.
Breakpad sees this as [@ pixman_image_get_component_alpha]

bp-0dec65bc-8fbb-40fc-aaa6-9cbea2101119
Summary: Crash [@ pixman_multiply_overflows_int] → Crash [@ pixman_multiply_overflows_int] [@ pixman_image_get_component_alpha]
OS: Windows XP → Mac OS X
Jesse: does this crash still look sg:critical? comment 13 and 14 both look like null dereferences. The original crash stack looks a little different, but we've taken a pixman update since then.
blocking2.0: final+ → ---
Whiteboard: [sg:critical?][critsmash:investigating] → [sg:needinfo][critsmash:investigating]
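An added illustration, not code from the bug's testcase, pixman or cairo, of the two failure shapes the comments above suspect: an overflow-checked size computation for an extremely wide image, and a NULL image reaching a field accessor, which is exactly the kind of small-address read ("Address 0x60") in the valgrind trace. Every function and struct name here is a hypothetical stand-in for the real pixman functions in the crash signatures.

```c
#include <stdint.h>
#include <stdlib.h>

/* Own illustration, not pixman's _pixman_multiply_overflows_int: does a * b
   exceed a signed 32-bit int? Dividing avoids the overflow being tested. */
int multiply_overflows_int(unsigned int a, unsigned int b)
{
    return a != 0 && b != 0 && a > (unsigned int)INT32_MAX / b;
}

/* Hypothetical image object: buffer size is stride * height, and a request to
   draw something extremely wide makes that product overflow. */
typedef struct {
    int width, height, stride;
    int component_alpha;   /* a field at a small offset into the struct */
    uint8_t *data;
} image_t;

/* Refuses dimensions whose size computation would overflow and returns NULL,
   so every caller must check the result before dereferencing it. */
image_t *image_create(int width, int height, int bytes_per_pixel)
{
    if (width <= 0 || height <= 0 || bytes_per_pixel <= 0)
        return NULL;
    if (multiply_overflows_int((unsigned)width, (unsigned)bytes_per_pixel))
        return NULL;
    int stride = width * bytes_per_pixel;
    if (multiply_overflows_int((unsigned)stride, (unsigned)height))
        return NULL;
    image_t *img = calloc(1, sizeof *img);
    if (img == NULL)
        return NULL;
    img->data = calloc((size_t)stride * (size_t)height, 1);
    if (img->data == NULL) { free(img); return NULL; }
    img->width = width; img->height = height; img->stride = stride;
    return img;
}

void image_destroy(image_t *img) { if (img) { free(img->data); free(img); } }

/* Reading img->component_alpha through a NULL img is a read at a small
   absolute address, the "Address 0x60 is not stack'd, malloc'd or (recently)
   free'd" pattern in the trace above; reject NULL instead of crashing. */
int image_get_component_alpha(const image_t *img)
{
    return img ? img->component_alpha : -1;
}
```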
WFM, not crashing for me any more.
Crash Signature: [@ pixman_multiply_overflows_int] [@ pixman_image_get_component_alpha]
WFM, in recent Nightly on Linux64, OSX 10.7 and Win7.  Also in ASan builds.

crash-stats has 3 reports for pixman_multiply_overflows_int (FF6 the latest version)
and zero reports for pixman_image_get_component_alpha.
Status: NEW → RESOLVED
Crash Signature: [@ pixman_multiply_overflows_int] [@ pixman_image_get_component_alpha] → [@ pixman_multiply_overflows_int] [@ pixman_image_get_component_alpha]
Closed: 7 years ago
Flags: in-testsuite?
Resolution: --- → WORKSFORME
Landed a couple of tests:
https://hg.mozilla.org/integration/mozilla-inbound/rev/921ef3217211
Group: core-security
Flags: in-testsuite? → in-testsuite+