1978488 - Assertion failure: IntRect(IntPoint(), aDest->GetSize()) .Contains(IntRect(aDestPoint, aSrcRect.Size())) (GFX: dest surface too small), at /builds/worker/checkouts/gecko/gfx/2d/DataSurfaceHelpers.cpp:308

Status: VERIFIED FIXED

(Core :: Graphics, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing 20250704-e9b77924bb50 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: IntRect(IntPoint(), aDest->GetSize()) .Contains(IntRect(aDestPoint, aSrcRect.Size())) (GFX: dest surface too small), at /builds/worker/checkouts/gecko/gfx/2d/DataSurfaceHelpers.cpp:308

#0 0x7fffd5e50eb0 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3
#1 0x7fffd5e50eb0 in mozilla::gfx::CopyRect(mozilla::gfx::DataSourceSurface*, mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits>, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits>) /gecko/gfx/2d/DataSurfaceHelpers.cpp:306:3
#2 0x7fffd5ea4d18 in mozilla::gfx::GetDataSurfaceInRect(mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::ConvolveMatrixEdgeMode) /gecko/gfx/2d/FilterNodeSoftware.cpp:431:3
#3 0x7fffd5ea6a3e in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /gecko/gfx/2d/FilterNodeSoftware.cpp:807:7
#4 0x7fffd5ef12f7 in DoRender<float> /gecko/gfx/2d/FilterNodeSoftware.cpp:3594:37
#5 0x7fffd5ef12f7 in mozilla::gfx::FilterNodeLightingSoftware<mozilla::gfx::(anonymous namespace)::PointLightSoftware, mozilla::gfx::(anonymous namespace)::SpecularLightingSoftware>::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:3553:10
#6 0x7fffd5ea3f9b in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:634:20
#7 0x7fffd5ea695c in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /gecko/gfx/2d/FilterNodeSoftware.cpp:768:25
#8 0x7fffd5ec75c3 in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:3172:10
#9 0x7fffd5ea3f9b in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:634:20
#10 0x7fffd5ea695c in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /gecko/gfx/2d/FilterNodeSoftware.cpp:768:25
#11 0x7fffd5ec7e1d in mozilla::gfx::FilterNodeUnpremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:3233:7
#12 0x7fffd5ea3f9b in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:634:20
#13 0x7fffd5ea695c in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /gecko/gfx/2d/FilterNodeSoftware.cpp:768:25
#14 0x7fffd5eb3387 in mozilla::gfx::FilterNodeComponentTransferSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:1844:7
#15 0x7fffd5ea3f9b in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:634:20
#16 0x7fffd5ea695c in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /gecko/gfx/2d/FilterNodeSoftware.cpp:768:25
#17 0x7fffd5ec7d5d in mozilla::gfx::FilterNodePremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:3202:7
#18 0x7fffd5ea3f9b in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:634:20
#19 0x7fffd5e600c8 in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /gecko/gfx/2d/FilterNodeSoftware.cpp:572:14
#20 0x7fffd5e77b0b in mozilla::gfx::DrawTargetOffset::DrawFilter(mozilla::gfx::FilterNode*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /gecko/gfx/2d/DrawTargetOffset.cpp:99:16
#21 0x7fffd5de2a9d in mozilla::gfx::RecordedDrawFilter::PlayEvent(mozilla::gfx::Translator*) const /gecko/gfx/2d/RecordedEventImpl.h:3341:7
#22 0x7fffd5e2a295 in operator() /gecko/gfx/2d/InlineTranslator.cpp:58:31
#23 0x7fffd5e2a295 in std::_Function_handler<bool (mozilla::gfx::RecordedEvent*), mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0>::_M_invoke(std::_Any_data const&, mozilla::gfx::RecordedEvent*&&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:282:9
#24 0x7fffd5e14187 in std::function<bool (mozilla::gfx::RecordedEvent*)>::operator()(mozilla::gfx::RecordedEvent*) const /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:687:14
#25 0x7fffd5dea524 in bool mozilla::gfx::RecordedEvent::DoWithEvent<mozilla::gfx::MemReader>(mozilla::gfx::MemReader&, mozilla::gfx::RecordedEvent::EventType, std::function<bool (mozilla::gfx::RecordedEvent*)> const&) /gecko/gfx/2d/RecordedEventImpl.h:4609:5
#26 0x7fffd5de8226 in mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long) /gecko/gfx/2d/InlineTranslator.cpp:48:20
#27 0x7fffd6dac319 in Moz2DRenderCallback /gecko/gfx/webrender_bindings/Moz2DImageRenderer.cpp:432:20
#28 0x7fffd6dac319 in wr_moz2d_render_cb /gecko/gfx/webrender_bindings/Moz2DImageRenderer.cpp:476:10
#29 0x7fffe4f33d7e in webrender_bindings::moz2d_renderer::rasterize_blob::_$u7b$$u7b$closure$u7d$$u7d$::hc5aa993520eb6f42 /gecko/gfx/webrender_bindings/src/moz2d_renderer.rs:598:16
#30 0x7fffe4f33d7e in webrender_bindings::moz2d_renderer::autoreleasepool::hf8fca0a6e6b2edb2 /gecko/gfx/webrender_bindings/src/moz2d_renderer.rs:580:9
#31 0x7fffe4f33d7e in webrender_bindings::moz2d_renderer::rasterize_blob::h0f1ba96d33e86433 /gecko/gfx/webrender_bindings/src/moz2d_renderer.rs:596:18
#32 0x7fffe4f32f5a in core::ops::function::FnMut::call_mut::hcade74fe0f5ccf56 /builds/worker/fetches/rust/library/core/src/ops/function.rs:166:5
#33 0x7fffe4f32f5a in core::iter::adapters::map::map_try_fold::_$u7b$$u7b$closure$u7d$$u7d$::hf65b1ce0f49dbc74 /builds/worker/fetches/rust/library/core/src/iter/adapters/map.rs:95:28
#34 0x7fffe4f32f5a in _$LT$alloc..vec..into_iter..IntoIter$LT$T$C$A$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::hbd785212c7a5a654 /builds/worker/fetches/rust/library/alloc/src/vec/into_iter.rs:346:25
#35 0x7fffe4f32f5a in _$LT$core..iter..adapters..map..Map$LT$I$C$F$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::h34eb27013eff4270 /builds/worker/fetches/rust/library/core/src/iter/adapters/map.rs:121:9
#36 0x7fffe4f32f5a in _$LT$I$u20$as$u20$alloc..vec..in_place_collect..SpecInPlaceCollect$LT$T$C$I$GT$$GT$::collect_in_place::h3cc88eb59199f4f6 /builds/worker/fetches/rust/library/alloc/src/vec/in_place_collect.rs:378:13
#37 0x7fffe4f32f5a in alloc::vec::in_place_collect::from_iter_in_place::h0ff868c82c2db632 /builds/worker/fetches/rust/library/alloc/src/vec/in_place_collect.rs:269:9
#38 0x7fffe4f32f5a in alloc::vec::in_place_collect::_$LT$impl$u20$alloc..vec..spec_from_iter..SpecFromIter$LT$T$C$I$GT$$u20$for$u20$alloc..vec..Vec$LT$T$GT$$GT$::from_iter::h30c169a37bb7313e /builds/worker/fetches/rust/library/alloc/src/vec/in_place_collect.rs:245:9
#39 0x7fffe4f32f5a in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$core..iter..traits..collect..FromIterator$LT$T$GT$$GT$::from_iter::h7beb9658fd73383a /builds/worker/fetches/rust/library/alloc/src/vec/mod.rs:2986:9
#40 0x7fffe4f32f5a in core::iter::traits::iterator::Iterator::collect::hc1a507c89f7c0793 /builds/worker/fetches/rust/library/core/src/iter/traits/iterator.rs:2000:9
#41 0x7fffe4f32f5a in _$LT$webrender_bindings..moz2d_renderer..Moz2dBlobRasterizer$u20$as$u20$webrender_api..image..AsyncBlobImageRasterizer$GT$::rasterize::h2803404f9a341fb7 /gecko/gfx/webrender_bindings/src/moz2d_renderer.rs:564:54
#42 0x7fffe5c8f2e5 in webrender::scene_builder_thread::rasterize_blobs::h8e89e36bb6f4f84f /gecko/gfx/wr/webrender/src/scene_builder_thread.rs:47:36
#43 0x7fffe504fbf9 in webrender::scene_builder_thread::LowPrioritySceneBuilderThread::process_transaction::hc869d48428ba48b8 /gecko/gfx/wr/webrender/src/scene_builder_thread.rs:858:9
#44 0x7fffe504fbf9 in webrender::scene_builder_thread::LowPrioritySceneBuilderThread::run::_$u7b$$u7b$closure$u7d$$u7d$::hdb18e025036f0d73 /gecko/gfx/wr/webrender/src/scene_builder_thread.rs:836:36
#45 0x7fffe504fbf9 in core::iter::adapters::map::map_fold::_$u7b$$u7b$closure$u7d$$u7d$::h6dfa2793c328acc5 /builds/worker/fetches/rust/library/core/src/iter/adapters/map.rs:88:28
#46 0x7fffe504fbf9 in core::iter::traits::iterator::Iterator::fold::h30a401c64fdbf5b1 /builds/worker/fetches/rust/library/core/src/iter/traits/iterator.rs:2583:21
#47 0x7fffe504fbf9 in _$LT$core..iter..adapters..map..Map$LT$I$C$F$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::fold::h7c2dd56df79ae692 /builds/worker/fetches/rust/library/core/src/iter/adapters/map.rs:128:9
#48 0x7fffe504fbf9 in core::iter::traits::iterator::Iterator::for_each::h27012e54c2e5c0b5 /builds/worker/fetches/rust/library/core/src/iter/traits/iterator.rs:813:9
#49 0x7fffe504fbf9 in alloc::vec::Vec$LT$T$C$A$GT$::extend_trusted::h011bcba793783846 /builds/worker/fetches/rust/library/alloc/src/vec/mod.rs:3122:17
#50 0x7fffe504fbf9 in _$LT$alloc..vec..Vec$LT$T$C$A$GT$$u20$as$u20$alloc..vec..spec_extend..SpecExtend$LT$T$C$I$GT$$GT$::spec_extend::hc309ced5cc76c399 /builds/worker/fetches/rust/library/alloc/src/vec/spec_extend.rs:26:9
#51 0x7fffe504fbf9 in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..spec_from_iter_nested..SpecFromIterNested$LT$T$C$I$GT$$GT$::from_iter::h0b64f42e2e43733c /builds/worker/fetches/rust/library/alloc/src/vec/spec_from_iter_nested.rs:60:9
#52 0x7fffe504fbf9 in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..spec_from_iter..SpecFromIter$LT$T$C$I$GT$$GT$::from_iter::h5e3a6da96f21007b /builds/worker/fetches/rust/library/alloc/src/vec/spec_from_iter.rs:33:9
#53 0x7fffe504fbf9 in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$core..iter..traits..collect..FromIterator$LT$T$GT$$GT$::from_iter::h44e0c859fd8a243a /builds/worker/fetches/rust/library/alloc/src/vec/mod.rs:2986:9
#54 0x7fffe504fbf9 in core::iter::traits::iterator::Iterator::collect::h4408246093ba5d9d /builds/worker/fetches/rust/library/core/src/iter/traits/iterator.rs:2000:9
#55 0x7fffe504fbf9 in webrender::scene_builder_thread::LowPrioritySceneBuilderThread::run::h7137f4f83cd387d5 /gecko/gfx/wr/webrender/src/scene_builder_thread.rs:837:26
#56 0x7fffe504fbf9 in webrender::renderer::init::create_webrender_instance::_$u7b$$u7b$closure$u7d$$u7d$::h565bb21d68214ce1 /gecko/gfx/wr/webrender/src/renderer/init.rs:654:13
#57 0x7fffe504fbf9 in std::sys::backtrace::__rust_begin_short_backtrace::h79dd85fdced86797 /builds/worker/fetches/rust/library/std/src/sys/backtrace.rs:154:18
#58 0x7fffe506d76f in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h1fe434797b55a5f8 /builds/worker/fetches/rust/library/std/src/thread/mod.rs:524:17
#59 0x7fffe506d76f in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h6e2d472aa2e9ce94 /builds/worker/fetches/rust/library/core/src/panic/unwind_safe.rs:272:9
#60 0x7fffe506d76f in std::panicking::try::do_call::h961293293eca42ae /builds/worker/fetches/rust/library/std/src/panicking.rs:554:40
#61 0x7fffe506d76f in std::panicking::try::h5d7303448504694f /builds/worker/fetches/rust/library/std/src/panicking.rs:518:19
#62 0x7fffe506d76f in std::panic::catch_unwind::he6c350720c27bd9f /builds/worker/fetches/rust/library/std/src/panic.rs:345:14
#63 0x7fffe506d76f in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::hd9b489d0bb237fa5 /builds/worker/fetches/rust/library/std/src/thread/mod.rs:523:30
#64 0x7fffe506d76f in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h9610fb1331539eaa /builds/worker/fetches/rust/library/core/src/ops/function.rs:250:5
#65 0x7fffea71e65a in std::sys::pal::unix::thread::Thread::new::thread_start::h9c85cfe9cc6c3525 std.b0550a264f4b45a7-cgu.13
#66 0x5555556b57e6 in asan_thread_start(void*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:239:28
#67 0x7ffff7abcac2 in start_thread nptl/pthread_create.c:442:8

Comment 1

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20250721154325-bca22a6d0402.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 17630c12ac58fd6623fb5d6816eccd9b17933729 (20240723093447)
End: e9b77924bb503e2f75515954e550ff7cbb6a3837 (20250704212032)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False, searchfox=False, afl=False)

Comment 2

[Mayank Bansal]

Got a crash from the testcase on nightly: https://crash-stats.mozilla.org/report/index/40340d3b-f885-4a0d-8080-175660250722

Comment 3

[Sotaro Ikeda [:sotaro]]

When the problem happened, FilterNodeLightingSoftware<LightType, LightingType>::DoRender() seemed to cause integer overflow.

Comment 4

[Sotaro Ikeda [:sotaro]]

:mstange, can you comment to this bug?

Comment 5

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 924102

Comment 6

[Robert Longson [:longsonr]]

Attachment: Bug 1978488 part 1 - Fix up DEBUG_DUMP_SURFACES to compile r=emilio

Comment 7

[Robert Longson [:longsonr]]

Attachment: Bug 1978488 part 2 - restrict kernelUnitLength to something sensible r=emilio

Comment 8

[Robert Longson [:longsonr]]

https://treeherder.mozilla.org/jobs?repo=try&revision=77f592005f80db60a9407ea7735e7d4a0b6a29fb

Comment 9

[Pulsebot]

Pushed by longsonr@gmail.com:
https://github.com/mozilla-firefox/firefox/commit/9974850d9e96
https://hg.mozilla.org/integration/autoland/rev/ccd9546bfd79
part 1 - Fix up DEBUG_DUMP_SURFACES to compile r=emilio
https://github.com/mozilla-firefox/firefox/commit/dc0eccca998c
https://hg.mozilla.org/integration/autoland/rev/5d6a273968a8
part 2 - restrict kernelUnitLength to something sensible r=emilio

Comment 10

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/54030 for changes under testing/web-platform/tests

Comment 11

[Markus Stange [:mstange]]

Thank you Robert for taking on all these old software filter bugs!

Comment 12

[Cosmin Sabou [:CosminS]]

https://hg.mozilla.org/mozilla-central/rev/ccd9546bfd79
https://hg.mozilla.org/mozilla-central/rev/5d6a273968a8

Comment 13

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot

Comment 14

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20250729210451-2ea6d2269b5c.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.