Closed Bug 1322286 Opened 8 years ago Closed 8 years ago

Crash near null [@nsSVGMaskFrame::GetMaskForMaskedFrame]

Categories

(Core :: SVG, defect, P1)

Product:
Core
Component:
SVG
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla53
Tracking Flags:
Tracking Status
firefox50 --- unaffected
firefox51 --- unaffected
firefox52 --- unaffected
firefox53 --- fixed

People

(Reporter: tsmith, Assigned: u459114)

References

(Blocks 1 open bug)

Details

(4 keywords)

Attachments

(4 files, 1 obsolete file)

log.txt
8.39 KB, text/plain
Details
test_case.html
88 bytes, text/html
Details
Bug 1322286 - Part 2. Crash test.
58 bytes, text/x-review-board-request
mstange
: review+
Details
Bug 1322286 - Part 1. Check maskFrame pointer value before dereference.
58 bytes, text/x-review-board-request
mstange
: review+
Details
Attached file log.txt
==11767==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000a0 (pc 0x7f33e18861dc bp 0x7ffc2d1b3c10 sp 0x7ffc2d1b34e0 T0) #0 0x7f33e18861db in nsSVGMaskFrame::GetMaskForMaskedFrame(nsSVGMaskFrame::MaskParams&) /home/worker/workspace/build/src/layout/svg/nsSVGMaskFrame.cpp:209:7 #1 0x7f33e1883886 in nsSVGUtils::PaintFrameWithEffects(nsIFrame*, gfxContext&, gfxMatrix const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/layout/svg/nsSVGUtils.cpp:777:34 #2 0x7f33e18821e0 in nsSVGMarkerFrame::PaintMark(gfxContext&, gfxMatrix const&, nsSVGPathGeometryFrame*, nsSVGMark*, float) /home/worker/workspace/build/src/layout/svg/nsSVGMarkerFrame.cpp:157:23 #3 0x7f33e189676b in nsSVGPathGeometryFrame::PaintMarkers(gfxContext&, gfxMatrix const&) /home/worker/workspace/build/src/layout/svg/nsSVGPathGeometryFrame.cpp:909:13 #4 0x7f33e189417e in nsSVGPathGeometryFrame::PaintSVG(gfxContext&, gfxMatrix const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/layout/svg/nsSVGPathGeometryFrame.cpp:295:5 #5 0x7f33e1892563 in nsDisplaySVGPathGeometry::Paint(nsDisplayListBuilder*, nsRenderingContext*) /home/worker/workspace/build/src/layout/svg/nsSVGPathGeometryFrame.cpp:125:5 #6 0x7f33e1b18f52 in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:5913:9 #7 0x7f33e1b1c2e1 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6088:5 #8 0x7f33dc9d9fa5 in mozilla::layers::ClientPaintedLayer::PaintThebes() /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:83:5 ... see log.txt
Flags: in-testsuite?
Attached file test_case.html
Looks like this is a regression -- I'm not able to reproduce in 50.0.2, but I can reproduce in latest Nightly (version 53). I'm guessing this might be associated with the mask changes in bug 1251161 / bug 1294660. Astley, perhaps you could take a look (or find someone to take a look)?
Flags: needinfo?(aschen)
Keywords: regression, regressionwindow-wanted
Thanks Daniel. I'll have CJ to look at this issue.
Flags: needinfo?(aschen) → needinfo?(cku)
Assignee: nobody → cku
Flags: needinfo?(cku)
Attachment #8817086 - Flags: review?(cam)
Attachment #8817087 - Flags: review?(cam)
Attachment #8817086 - Flags: review?(cam)
Attachment #8817087 - Flags: review?(cam)
Status: NEW → ASSIGNED
Priority: -- → P1
Attachment #8817086 - Flags: review?(cam)
Attachment #8817110 - Flags: review?(mstange)
Attachment #8817087 - Flags: review?(mstange)
Attachment #8817086 - Attachment is obsolete: true
Attachment #8817086 - Flags: review?(cam)
Blocks: mask-ship
A regression of bug 1319667. Impact FF 53 only
Last good revision: 8332d69f0f65b0c2612338d86fc69d58ab70c318 First bad revision: 9aef92f7911d35abc9520ffa0e802be3f4b92f5a Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=8332d69f0f65b0c2612338d86fc69d58ab70c318&tochange=9aef92f7911d35abc9520ffa0e802be3f4b92f5a
Keywords: regressionwindow-wanted
Comment on attachment 8817110 [details] Bug 1322286 - Part 1. Check maskFrame pointer value before dereference. https://reviewboard.mozilla.org/r/97536/#review99522 ::: layout/svg/nsSVGUtils.cpp:775 (Diff revision 4) > RefPtr<SourceSurface> maskSurface; > > - if (maskUsage.shouldGenerateMaskLayer) { > + // maskFrame can be nullptr even if maskUsage.shouldGenerateMaskLayer is > + // true. That happens when a user gives an unresolvable mask-id, such as > + // mask:url() > + // mask:url(#id-which-is-not-exist) #id-which-does-not-exist
Attachment #8817110 - Flags: review?(mstange) → review+
Comment on attachment 8817087 [details] Bug 1322286 - Part 2. Crash test. https://reviewboard.mozilla.org/r/97512/#review99524
Attachment #8817087 - Flags: review?(mstange) → review+
Pushed by cku@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/33684d2a0338 Part 1. Check maskFrame pointer value before dereference. r=mstange https://hg.mozilla.org/integration/autoland/rev/595b31738fd0 Part 2. Crash test. r=mstange
https://hg.mozilla.org/mozilla-central/rev/33684d2a0338 https://hg.mozilla.org/mozilla-central/rev/595b31738fd0
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox53: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Setting qe-verify- since this seems to have automated coverage.
Flags: qe-verify-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: