1982066 - Hit MOZ_CRASH(Content-process DrawTargetRecording can't create requested similar drawtarget) at /builds/worker/checkouts/gecko/gfx/2d/DrawTargetRecording.cpp:829

Status: VERIFIED FIXED

(Core :: Graphics, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing 20250608-6fca35bc5f01 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Hit MOZ_CRASH(Content-process DrawTargetRecording can't create requested similar drawtarget) at /builds/worker/checkouts/gecko/gfx/2d/DrawTargetRecording.cpp:829

#0 0x761af620731b in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3
#1 0x761af620731b in mozilla::gfx::DrawTargetRecording::CreateSimilarDrawTarget(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat) const /builds/worker/checkouts/gecko/gfx/2d/DrawTargetRecording.cpp:827:5
#2 0x761af9ef888a in mozilla::dom::ExtractSubrect(mozilla::gfx::SourceSurface*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>*, mozilla::gfx::DrawTarget*) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:5523:45
#3 0x761af9ef67a1 in mozilla::dom::CanvasRenderingContext2D::DrawImage(mozilla::dom::HTMLImageElementOrSVGImageElementOrHTMLCanvasElementOrHTMLVideoElementOrOffscreenCanvasOrImageBitmapOrVideoFrame const&, double, double, double, double, double, double, double, double, unsigned char, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:5984:17
#4 0x761af96a7a6e in DrawImage /builds/worker/workspace/obj-build/dist/include/mozilla/dom/CanvasRenderingContext2D.h:264:5
#5 0x761af96a7a6e in mozilla::dom::CanvasRenderingContext2D_Binding::drawImage(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./CanvasRenderingContext2DBinding.cpp:4302:28
#6 0x761af9d0f73f in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3304:13
#7 0x761b00b649a7 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:501:13
#8 0x761b00b649a7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:597:12
#9 0x761b01c9aff9 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1705:10
#10 0x1c962bed09b3  ([anon:js-executable-memory]+0x29b3)

Comment 1

[Tyson Smith [:tsmith]]

After closing bug 1757003 this is the next most frequent report of that assertion.

Comment 2

[Timothy Nikkel (:tnikkel)]

Attachment: Bug 1982066. In CanvasRenderingContext2D::DrawImage early exit for very small doubles that will convert to 0 floats. r?#gfx-reviewers

Comment 3

[Pulsebot]

Pushed by tnikkel@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/fe993e690819
https://hg.mozilla.org/integration/autoland/rev/0473e4b5006d
In CanvasRenderingContext2D::DrawImage early exit for very small doubles that will convert to 0 floats. r=gfx-reviewers,lsalzman

Comment 4

[Iulian Moraru]

https://hg.mozilla.org/mozilla-central/rev/0473e4b5006d

Comment 5

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20250810092610-dbc6d180b5d2.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.