Closed Bug 1810099 Opened 2 years ago Closed 2 years ago

cfi-derived-cast: Invalid downcast in GetBBoxForClipPathFrame

Categories

(Core :: Graphics, defect)

defect

Tracking

()

RESOLVED FIXED
111 Branch
Tracking Status
firefox111 --- fixed

People

(Reporter: lukas.bernhard, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Steps to reproduce:

When building with -fsanitize=cfi-derived-cast, the sanitizer detects some incorrect casting in SVGClipPathFrame::GetBBoxForClipPathFrame. The cast here https://searchfox.org/mozilla-central/rev/893a8f062ec6144c84403fbfb0a57234418b89cf/layout/svg/SVGClipPathFrame.cpp#441 also downcasts objects of type nsTextNode, which are not derived from SVGElement.

#0  0x00007fec22addaf1 in __GI___clock_nanosleep (clock_id=clock_id@entry=0, flags=flags@entry=0,
    req=req@entry=0x7ffc7b98f6b0, rem=rem@entry=0x7ffc7b98f6b0) at ../sysdeps/unix/sysv/linux/clock_nanosleep.c:78
#1  0x00007fec22ae2827 in __GI___nanosleep (req=req@entry=0x7ffc7b98f6b0, rem=rem@entry=0x7ffc7b98f6b0)
    at ../sysdeps/unix/sysv/linux/nanosleep.c:25
#2  0x00007fec22ae275e in __sleep (seconds=0) at ../sysdeps/posix/sleep.c:55
#3  0x00007fec1dd1b315 in common_crap_handler (signum=4,
    aFirstFramePC=0x7fec1dce688e <nsProfileLock::FatalSignalHandler(int, siginfo_t*, void*)+430>)
    at toolkit/xre/nsSigHandlers.cpp:96
#4  0x00007fec1dd1b427 in ah_crap_handler (signum=4) at toolkit/xre/nsSigHandlers.cpp:104
#5  0x00007fec1dce688e in nsProfileLock::FatalSignalHandler (signo=4, info=0x7ffc7b98f970, context=0x7ffc7b98f840)
    at toolkit/profile/nsProfileLock.cpp:183
#6  0x00007fec1f206108 in WasmTrapHandler (signum=4, info=0x7ffc7b98f970, context=0x7ffc7b98f840)
    at js/src/wasm/WasmSignalHandlers.cpp:783
#7  <signal handler called>
#8  0x00007fec1b449dc5 in mozilla::SVGClipPathFrame::GetBBoxForClipPathFrame (this=0x7febc778f910, aBBox=...,
    aMatrix=..., aFlags=1077) at layout/svg/SVGClipPathFrame.cpp:441
#9  0x00007fec1b49aeac in mozilla::SVGUtils::GetBBox (aFrame=0x7febc778fa68, aFlags=1077, aToBoundsSpace=0x0)
    at layout/svg/SVGUtils.cpp:1086
#10 0x00007fec1b2c8d67 in ComputeClipForMaskItem (aBuilder=0x7ffc7b996b10, aMaskedFrame=0x7febc778fa68)
    at layout/generic/nsIFrame.cpp:2989
#11 0x00007fec1b2c7108 in nsIFrame::BuildDisplayListForStackingContext (this=0x7febc778fa68,
    aBuilder=0x7ffc7b996b10, aList=0x7ffc7b991668, aCreatedContainerItem=0x7ffc7b99153f)
    at layout/generic/nsIFrame.cpp:3442
#12 0x00007fec1b27cec9 in nsIFrame::BuildDisplayListForChild (this=0x7febc778f7b8, aBuilder=0x7ffc7b996b10,
    aChild=0x7febc778fa68, aLists=..., aFlags=...) at layout/generic/nsIFrame.cpp:4292
#13 0x00007fec1b20b297 in nsContainerFrame::BuildDisplayListForNonBlockChildren (this=0x7febc778f7b8,
    aBuilder=0x7ffc7b996b10, aLists=..., aFlags=...)
    at layout/generic/nsContainerFrame.cpp:384
#14 0x00007fec1b44a9c3 in mozilla::SVGDisplayContainerFrame::BuildDisplayList (this=0x7febc778f7b8,
    aBuilder=0x7ffc7b996b10, aLists=...) at layout/svg/SVGContainerFrame.cpp:143
#15 0x00007fec1b27d0ff in nsIFrame::BuildDisplayListForChild (this=0x7febc778f510, aBuilder=0x7ffc7b996b10,
    aChild=0x7febc778f7b8, aLists=..., aFlags=...) at layout/generic/nsIFrame.cpp:4327
#16 0x00007fec1b20b297 in nsContainerFrame::BuildDisplayListForNonBlockChildren (this=0x7febc778f510,
    aBuilder=0x7ffc7b996b10, aLists=..., aFlags=...)
    at layout/generic/nsContainerFrame.cpp:384
#17 0x00007fec1b4759c0 in mozilla::SVGOuterSVGAnonChildFrame::BuildDisplayList (this=0x7febc778f510,
    aBuilder=0x7ffc7b996b10, aLists=...) at layout/svg/SVGOuterSVGFrame.cpp:976
#18 0x00007fec1b2c7240 in nsIFrame::BuildDisplayListForStackingContext (this=0x7febc778f510,
    aBuilder=0x7ffc7b996b10, aList=0x7ffc7b993068, aCreatedContainerItem=0x7ffc7b992f3f)
    at layout/generic/nsIFrame.cpp:3464
#19 0x00007fec1b27cec9 in nsIFrame::BuildDisplayListForChild (this=0x7febc778f428, aBuilder=0x7ffc7b996b10,
    aChild=0x7febc778f510, aLists=..., aFlags=...) at layout/generic/nsIFrame.cpp:4292
#20 0x00007fec1b20b297 in nsContainerFrame::BuildDisplayListForNonBlockChildren (this=0x7febc778f428,
    aBuilder=0x7ffc7b996b10, aLists=..., aFlags=...)
    at layout/generic/nsContainerFrame.cpp:384
#21 0x00007fec1b474d34 in mozilla::SVGOuterSVGFrame::BuildDisplayList (this=0x7febc778f428,
    aBuilder=0x7ffc7b996b10, aLists=...) at layout/svg/SVGOuterSVGFrame.cpp:737
#22 0x00007fec1b27d0ff in nsIFrame::BuildDisplayListForChild (this=0x7febc778f0c8, aBuilder=0x7ffc7b996b10,
    aChild=0x7febc778f428, aLists=..., aFlags=...) at layout/generic/nsIFrame.cpp:4327
#23 0x00007fec1b203bc0 in nsCanvasFrame::BuildDisplayList (this=0x7febc778f0c8, aBuilder=0x7ffc7b996b10,
    aLists=...) at layout/generic/nsCanvasFrame.cpp:584
Component: Untriaged → Graphics
Product: Firefox → Core
Blocks: cfi

Seems like the static_cast here can be avoided altogether if we just call node->AsContent()->GetPrimaryFrame() instead.
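The pattern behind the report and the fix, as an added example that is not Firefox code: a toy hierarchy standing in for Gecko's nsINode / nsIContent / SVGElement / nsTextNode (names borrowed, shapes simplified; the virtual IsSVGElement() hook, the ViewBoxScale member and the frame names are assumptions), the unconditional static_cast that cfi-derived-cast traps on, and the two safe alternatives: skipping the cast because GetPrimaryFrame() is already on nsIContent, or establishing the dynamic type before casting.

```cpp
// Added example (not Firefox code): a toy hierarchy standing in for Gecko's
// nsINode -> nsIContent -> {SVGElement, nsTextNode}. IsSVGElement() as a virtual,
// ViewBoxScale and the frame names are assumptions made for illustration.
#include <cstdio>
#include <cstring>

struct nsIFrame { const char* name; };

class nsIContent;

class nsINode {
 public:
  virtual ~nsINode() = default;            // polymorphic: CFI keys its cast check off the vtable
  virtual bool IsSVGElement() const { return false; }
  nsIContent* AsContent();                  // every node in this toy is content
};

class nsIContent : public nsINode {
 public:
  explicit nsIContent(nsIFrame* f) : mPrimaryFrame(f) {}
  nsIFrame* GetPrimaryFrame() const { return mPrimaryFrame; }   // lives on the base, not on SVGElement
 private:
  nsIFrame* mPrimaryFrame;
};

class SVGElement : public nsIContent {
 public:
  explicit SVGElement(nsIFrame* f) : nsIContent(f) {}
  bool IsSVGElement() const override { return true; }
  double ViewBoxScale() const { return mViewBoxScale; }         // state only SVGElement has
 private:
  double mViewBoxScale = 2.0;
};

class nsTextNode : public nsIContent {
 public:
  explicit nsTextNode(nsIFrame* f) : nsIContent(f) {}
};

nsIContent* nsINode::AsContent() { return static_cast<nsIContent*>(this); }

// The pattern the report flags: an unconditional downcast applied to a node that may
// be an nsTextNode. Undefined behaviour for text nodes; built with
//   clang++ -flto -fvisibility=hidden -fsanitize=cfi-derived-cast -fuse-ld=lld
// the vtable check fails and the process traps (the signum=4, SIGILL, in the backtrace).
// Kept for illustration only; never called below.
nsIFrame* FrameViaUncheckedCast(nsINode* node) {
  return static_cast<SVGElement*>(node)->GetPrimaryFrame();
}

// The shape of the fix landed in the bug: no downcast at all, because the method is on nsIContent.
nsIFrame* FrameViaContent(nsINode* node) {
  return node->AsContent()->GetPrimaryFrame();
}

// When SVGElement-only state really is needed, check the kind before the static_cast.
SVGElement* AsSVGElementOrNull(nsINode* node) {
  return node->IsSVGElement() ? static_cast<SVGElement*>(node) : nullptr;
}

double ScaleOrZero(nsINode* node) {
  SVGElement* svg = AsSVGElementOrNull(node);
  return svg ? svg->ViewBoxScale() : 0.0;
}

struct LookupResult { const char* svgFrame; const char* textFrame; double svgScale; double textScale; };

// Builds the two node kinds the report mentions (constructed sample data) and returns
// what the safe lookups yield for each.
LookupResult RunLookup() {
  nsIFrame svgFrame{"SVGGeometryFrame"};
  nsIFrame textFrame{"nsTextFrame"};
  SVGElement svg(&svgFrame);
  nsTextNode text(&textFrame);
  return { FrameViaContent(&svg)->name, FrameViaContent(&text)->name,
           ScaleOrZero(&svg), ScaleOrZero(&text) };
}

int main() {
  LookupResult r = RunLookup();
  std::printf("svg -> %s (scale %.1f), text -> %s (scale %.1f)\n",
              r.svgFrame, r.svgScale, r.textFrame, r.textScale);
  return 0;
}
```

The unchecked variant happens to "work" in a normal build because GetPrimaryFrame() is inherited from the common base, which is exactly why the bug only surfaced under the sanitizer; the checked variant is the shape to reach for whenever the target type's own members are needed.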

Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
Pushed by jkew@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0a6ee4f004bd Avoid unnecessary static_cast in SVGClipPathFrame::GetBBoxForClipPathFrame. r=emilio
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 111 Branch