Closed
Bug 1364778
Opened 8 years ago
Closed 8 years ago
crash near null in [@ aaa_walk_convex_edges]
Categories
(Core :: Graphics, defect, P1)
Core
Graphics
RESOLVED
DUPLICATE
of bug 1364691
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, csectype-nullptr, testcase, Whiteboard: [gfx-noted])
Attachments
(1 file)
(deleted), text/html
Found while fuzzing mozilla-central 20170513-73b3fc64525b
==12988==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7f8463982134 bp 0x7fff9ef93430 sp 0x7fff9ef925a0 T0)
==12988==The signal is caused by a READ memory access.
==12988==Hint: address points to the zero page.
#0 0x7f8463982133 in aaa_walk_convex_edges /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan_AAAPath.cpp:1023:21
#1 0x7f8463982133 in aaa_fill_path /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan_AAAPath.cpp:1676
#2 0x7f8463982133 in SkScan::AAAFillPath(SkPath const&, SkRegion const&, SkBlitter*, bool) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan_AAAPath.cpp:1813
#3 0x7f8463998b44 in SkScan::AAAFillPath(SkPath const&, SkRasterClip const&, SkBlitter*) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan_AAAPath.cpp:1833:9
#4 0x7f84630ed409 in SkScan::AntiFillPath(SkPath const&, SkRasterClip const&, SkBlitter*) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan_AntiPath.cpp:774:9
#5 0x7f84635a8acc in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.cpp:1070:5
#6 0x7f84635a9485 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.cpp:1163:11
#7 0x7f846329c3fc in drawPath /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.h:55:15
#8 0x7f846329c3fc in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkBitmapDevice.cpp:235
#9 0x7f84632c7434 in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkCanvas.cpp:2227:23
#10 0x7f845cca7c09 in mozilla::gfx::DrawTargetSkia::Fill(mozilla::gfx::Path const*, mozilla::gfx::Pattern const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/2d/DrawTargetSkia.cpp:937:12
#11 0x7f8461e94fd9 in mozilla::SVGGeometryFrame::Render(gfxContext*, unsigned int, gfxMatrix const&, unsigned int) /home/worker/workspace/build/src/layout/svg/SVGGeometryFrame.cpp:819:21
#12 0x7f8461e94272 in mozilla::SVGGeometryFrame::PaintSVG(gfxContext&, gfxMatrix const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*, unsigned int) /home/worker/workspace/build/src/layout/svg/SVGGeometryFrame.cpp:300:14
#13 0x7f8461e9263d in nsDisplaySVGGeometry::Paint(nsDisplayListBuilder*, nsRenderingContext*) /home/worker/workspace/build/src/layout/svg/SVGGeometryFrame.cpp:131:45
#14 0x7f84621817c9 in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6036:21
#15 0x7f84621842a4 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6211:19
#16 0x7f845d100b6a in mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:86:5
#17 0x7f845d1017e6 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:140:3
#18 0x7f845d1327ff in mozilla::layers::ClientContainerLayer::RenderLayer() /home/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:57:29
#19 0x7f845d1327ff in mozilla::layers::ClientContainerLayer::RenderLayer() /home/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:57:29
#20 0x7f845d0fc226 in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /home/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:375:13
#21 0x7f845d0fca97 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /home/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:433:3
#22 0x7f84621f80d7 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2292:17
#23 0x7f84619f3bae in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /home/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3721:12
#24 0x7f84618f9986 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /home/worker/workspace/build/src/layout/base/PresShell.cpp:6498:5
#25 0x7f8461159b42 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /home/worker/workspace/build/src/view/nsViewManager.cpp:481:19
#26 0x7f8461158aa5 in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /home/worker/workspace/build/src/view/nsViewManager.cpp:413:33
#27 0x7f846115c445 in nsViewManager::ProcessPendingUpdates() /home/worker/workspace/build/src/view/nsViewManager.cpp:1095:5
#28 0x7f846185a738 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1985:11
#29 0x7f8461865b03 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:300:7
#30 0x7f84618657d4 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:322:5
#31 0x7f8461867e8b in RunRefreshDrivers /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:753:5
#32 0x7f8461867e8b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:666
#33 0x7f84618631d7 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:512:20
#34 0x7f845b1d6a30 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1270:14
#35 0x7f845b1d3478 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:393:10
#36 0x7f845bf7c0a6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:124:5
#37 0x7f845bedade0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
#38 0x7f845bedade0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
#39 0x7f845bedade0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
#40 0x7f84611d4c1f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
#41 0x7f846484de91 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:30
#42 0x7f8464a19784 in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4553:22
#43 0x7f8464a1b1dc in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4733:8
#44 0x7f8464a1c3d1 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4826:21
#45 0x4eb5a3 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22
#46 0x4eb5a3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:309
#47 0x7f847685982f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
#48 0x41d0f8 in _start (/home/user/workspace/browsers/firefox_cnt/firefox+0x41d0f8)
Flags: in-testsuite?
Comment 1•8 years ago
Hi Vincent,
Are you able to reproduce the crash with the test https://bugzilla.mozilla.org/attachment.cgi?id=8867562 ?
Flags: needinfo?(vliu)
Priority: -- → P1
Whiteboard: [gfx-noted]
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Updated•8 years ago
Flags: needinfo?(vliu)