Open Bug 1814777 Opened 2 years ago Updated 2 years ago

Hit MOZ_CRASH(MOZ_FALLTHROUGH_ASSERT: Unexpected DisposalMethod) at /builds/worker/checkouts/gecko/image/SurfaceFilters.h:585

Categories

(Core :: Graphics: ImageLib, defect)

Tracking

Tracking Status
firefox111 --- disabled

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

Attached image testcase.avif

Found while fuzzing m-c 20230201-b7f075124503 (--enable-debug --enable-fuzzing)

The test case is not 100% reliable; it will likely require multiple reloads (press F5).

Requires pref image.avif.sequence.enabled=true

Hit MOZ_CRASH(MOZ_FALLTHROUGH_ASSERT: Unexpected DisposalMethod) at /builds/worker/checkouts/gecko/image/SurfaceFilters.h:585

#0 0x7fee989539bc in nsresult mozilla::image::BlendAnimationFilter<mozilla::image::SurfaceSink>::Configure<mozilla::image::SurfaceConfig>(mozilla::image::BlendAnimationConfig const&, mozilla::image::SurfaceConfig const&) /builds/worker/checkouts/gecko/image/SurfaceFilters.h:585:13
#1 0x7fee98945dfb in Configure<mozilla::image::BlendAnimationConfig, mozilla::image::SurfaceConfig> /builds/worker/checkouts/gecko/image/SurfaceFilters.h:140:25
#2 0x7fee98945dfb in mozilla::Maybe<mozilla::image::SurfacePipe> mozilla::image::SurfacePipeFactory::MakePipe<mozilla::image::ColorManagementConfig, mozilla::image::BlendAnimationConfig, mozilla::image::SurfaceConfig>(mozilla::image::ColorManagementConfig const&, mozilla::image::BlendAnimationConfig const&, mozilla::image::SurfaceConfig const&) /builds/worker/checkouts/gecko/image/SurfacePipeFactory.h:665:25
#3 0x7fee98917533 in mozilla::image::SurfacePipeFactory::CreateSurfacePipe(mozilla::image::Decoder*, mozilla::gfx::IntSizeTyped<mozilla::OrientedPixel> const&, mozilla::gfx::IntSizeTyped<mozilla::OrientedPixel> const&, mozilla::gfx::IntRectTyped<mozilla::OrientedPixel> const&, mozilla::gfx::SurfaceFormat, mozilla::gfx::SurfaceFormat, mozilla::Maybe<mozilla::image::AnimationParams> const&, _qcms_transform*, mozilla::image::SurfacePipeFlags) /builds/worker/checkouts/gecko/image/SurfacePipeFactory.h:497:22
#4 0x7fee9891305c in mozilla::image::nsAVIFDecoder::Decode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:1711:12
#5 0x7fee98910f61 in mozilla::image::nsAVIFDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:1181:25
#6 0x7fee98853057 in mozilla::image::Decoder::Decode(mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/Decoder.cpp:177:19
#7 0x7fee988529fb in mozilla::image::AnimationSurfaceProvider::Run() /builds/worker/checkouts/gecko/image/AnimationSurfaceProvider.cpp:232:36
#8 0x7fee9885d49f in mozilla::image::DecodePool::SyncRunIfPossible(mozilla::image::IDecodingTask*, nsTString<char> const&) /builds/worker/checkouts/gecko/image/DecodePool.cpp:193:10
#9 0x7fee98891f11 in mozilla::image::LaunchDecodingTask(mozilla::image::IDecodingTask*, mozilla::image::RasterImage*, unsigned int, bool) /builds/worker/checkouts/gecko/image/RasterImage.cpp:1135:32
#10 0x7fee9888cc9e in mozilla::image::RasterImage::Decode(mozilla::gfx::IntSizeTyped<mozilla::OrientedPixel> const&, unsigned int, mozilla::image::PlaybackType, bool&, bool&) /builds/worker/checkouts/gecko/image/RasterImage.cpp:1247:17
#11 0x7fee9888bcd0 in mozilla::image::RasterImage::LookupFrame(mozilla::gfx::IntSizeTyped<mozilla::OrientedPixel> const&, unsigned int, mozilla::image::PlaybackType, bool) /builds/worker/checkouts/gecko/image/RasterImage.cpp:380:5
#12 0x7fee9888e558 in mozilla::image::RasterImage::GetImageProvider(mozilla::WindowRenderer*, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::SVGImageContext const&, mozilla::Maybe<mozilla::image::ImageIntRegion> const&, unsigned int, mozilla::image::WebRenderImageProvider**) /builds/worker/checkouts/gecko/image/RasterImage.cpp:636:25
#13 0x7fee9c8ba134 in mozilla::nsDisplayImage::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/generic/nsImageFrame.cpp:2179:15
#14 0x7fee985ff244 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1825:41
#15 0x7fee985fdcf8 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2091:7
#16 0x7fee9caf2f20 in CreateWebRenderCommandsNewClipListOption /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:4636:30
#17 0x7fee9caf2f20 in CreateWebRenderCommands /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:4965:12
#18 0x7fee9caf2f20 in mozilla::nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:5275:22
#19 0x7fee985ff244 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1825:41
#20 0x7fee985fdcf8 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2091:7
#21 0x7fee985fc3fa in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1746:5
#22 0x7fee986105d2 in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderLayerManager.cpp:362:30
#23 0x7fee9cae2263 in mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2302:18
#24 0x7fee9c759656 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3413:9
#25 0x7fee9c6cba01 in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6463:5
#26 0x7fee9c2b5142 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:433:18
#27 0x7fee9c2b4c3f in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:368:22
#28 0x7fee9c2b60dc in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:941:5
#29 0x7fee9c685cb4 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2804:11
#30 0x7fee9c6947d2 in operator() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1784:25
#31 0x7fee9c6947d2 in mozilla::detail::RunnableFunction<nsRefreshDriver::EnsureTimerStarted(nsRefreshDriver::EnsureTimerStartedFlags)::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#32 0x7fee971b6635 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16
#33 0x7fee971b18ac in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26
#34 0x7fee971b047a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:684:15
#35 0x7fee971b07d5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36
#36 0x7fee971ba0e6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#37 0x7fee971ba0e6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#38 0x7fee971cf7c7 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:16
#39 0x7fee971d5bad in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#40 0x7fee97dd8d13 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#41 0x7fee97cfa838 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#42 0x7fee97cfa741 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#43 0x7fee97cfa741 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#44 0x7fee9c31c1c8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#45 0x7fee9e56fa7b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:20
#46 0x7fee97dd9bd9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#47 0x7fee97cfa838 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#48 0x7fee97cfa741 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#49 0x7fee97cfa741 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#50 0x7fee9e56f5d8 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:675:34
#51 0x556bd7de5ce0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#52 0x556bd7de5ce0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353:18
#53 0x7feeabd4a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#54 0x556bd7dbc348 in _start (/home/twsmith/workspace/browsers/m-c-20230201215112-fuzzing-debug/firefox-bin+0x5b348) (BuildId: 785d584ab07eb3cb7fbcbd4f4f8c4f4318898232)
Severity: -- → S3

I was not able to reproduce this with or without image.avif.sequence.enabled.

This seems incredibly suspicious to me, since it's supposed to only use one DisposalMethod:

https://searchfox.org/mozilla-central/source/image/decoders/nsAVIFDecoder.cpp#1709

Has this been run with ASAN?

(In reply to Zaggy1024 from comment #2)
> Has this been run with ASAN?

Running with an ASan build does not reveal any additional issues.

I also couldn't reproduce this with multiple fresh loads of the file.
