Tyson Smith [:tsmith] Reporter
	Description • 6 years ago

#0 gsignal /build/glibc-Cl5G7W/glibc-2.23/signal/../sysdeps/unix/sysv/linux/raise.c:54
#1 abort /build/glibc-Cl5G7W/glibc-2.23/stdlib/abort.c:89
#2 AssertRelease src/gfx/skia/skia/include/private/SkArenaAlloc.h:140:57
#3 makeArrayDefault<SkEdge> src/gfx/skia/skia/include/private/SkArenaAlloc.h:103
#4 SkEdgeBuilder::buildPoly(SkPath const&, SkIRect const*, int, bool) src/gfx/skia/skia/src/core/SkEdgeBuilder.cpp:288
#5 SkEdgeBuilder::build(SkPath const&, SkIRect const*, int, bool, SkEdgeBuilder::EdgeType) src/gfx/skia/skia/src/core/SkEdgeBuilder.cpp:368:22
#6 SkEdgeBuilder::build_edges(SkPath const&, SkIRect const*, int, bool, SkEdgeBuilder::EdgeType) src/gfx/skia/skia/src/core/SkEdgeBuilder.cpp:471:23
#7 sk_fill_path(SkPath const&, SkIRect const&, SkBlitter*, int, int, int, bool) src/gfx/skia/skia/src/core/SkScan_Path.cpp:410:25
#8 SkScan::SAAFillPath(SkPath const&, SkBlitter*, SkIRect const&, SkIRect const&, bool) src/gfx/skia/skia/src/core/SkScan_AntiPath.cpp:724:9
#9 SkScan::AntiFillPath(SkPath const&, SkRegion const&, SkBlitter*, bool, SkDAARecord*) src/gfx/skia/skia/src/core/SkScan_AntiPath.cpp:836:9
#10 SkScan::AntiFillPath(SkPath const&, SkRasterClip const&, SkBlitter*, SkDAARecord*) src/gfx/skia/skia/src/core/SkScan_AntiPath.cpp:873:9
#11 SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const src/gfx/skia/skia/src/core/SkDraw.cpp:1023:5
#12 SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const src/gfx/skia/skia/src/core/SkDraw.cpp:1114:11
#13 drawPath src/gfx/skia/skia/src/core/SkDraw.h:56:15
#14 SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, bool) src/gfx/skia/skia/src/core/SkBitmapDevice.cpp:417
#15 SkCanvas::onDrawPath(SkPath const&, SkPaint const&) src/gfx/skia/skia/src/core/SkCanvas.cpp:2135:23
#16 SkCanvas::drawPath(SkPath const&, SkPaint const&) src/gfx/skia/skia/src/core/SkCanvas.cpp:1697:11
#17 mozilla::gfx::DrawTargetSkia::Fill(mozilla::gfx::Path const*, mozilla::gfx::Pattern const&, mozilla::gfx::DrawOptions const&) src/gfx/2d/DrawTargetSkia.cpp:921:12
#18 mozilla::dom::CanvasRenderingContext2D::Fill(mozilla::dom::CanvasPath const&, mozilla::dom::CanvasWindingRule const&) src/dom/canvas/CanvasRenderingContext2D.cpp:3005:11
#19 mozilla::dom::CanvasRenderingContext2D_Binding::fill(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:2953:13
#20 bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3063:13
#21 0x146c094e0f9f  (<unknown module>)

	Ryan Hunt [:rhunt]
	Comment 1 • 6 years ago

Lee, I'm able to reproduce this. Do you want to take a look at it?

	Lee Salzman [:lsalzman] Assignee
	Comment 2 • 6 years ago

There's nothing we can really do here. That's an explicit release assert guarding against a previously existing security bug to prevent the allocator from overflowing. The code is too deep in the bowels of Skia to make fallible. As far as the security bug was concerned, we deemed it fair to merely hit the assert in that case, and Skia upstream made the similar fix observed here.