Found while fuzzing m-c 20210719-c75f4ae44937 (--enable-address-sanitizer --enable-fuzzing)

==29095==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000090 (pc 0x7fa300f2750d bp 0x7ffcbf4f1790 sp 0x7ffcbf4f1680 T0)
==29095==The signal is caused by a READ memory access.
==29095==Hint: address points to the zero page.
    #0 0x7fa300f2750d in operator bool /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:867:45
    #1 0x7fa300f2750d in mozilla::SVGImageFrame::GetIntrinsicImageDimensions(mozilla::gfx::SizeTyped<mozilla::gfx::UnknownUnits, float>&, mozilla::AspectRatio&) const /gecko/layout/svg/SVGImageFrame.cpp:242:8
    #2 0x7fa2ff7fb454 in float mozilla::dom::SVGGeometryProperty::details::ResolveImpl<mozilla::dom::SVGGeometryProperty::Tags::Width>(mozilla::ComputedStyle const&, mozilla::dom::SVGElement*, mozilla::dom::SVGGeometryProperty::ResolverTypes::LengthPercentWidthHeight) /gecko/dom/svg/SVGGeometryProperty.h:137:16
    #3 0x7fa2ff7fae3a in ResolveWith<mozilla::dom::SVGGeometryProperty::Tags::Width> /gecko/dom/svg/SVGGeometryProperty.h:228:10
    #4 0x7fa2ff7fae3a in operator()<mozilla::ComputedStyle> /gecko/dom/svg/SVGGeometryProperty.h:258:5
    #5 0x7fa2ff7fae3a in bool mozilla::dom::SVGGeometryProperty::DoForComputedStyle<bool mozilla::dom::SVGGeometryProperty::ResolveAll<mozilla::dom::SVGGeometryProperty::Tags::Width, mozilla::dom::SVGGeometryProperty::Tags::Height>(mozilla::dom::SVGElement const*, float*...)::'lambda'(auto const*)>(mozilla::dom::SVGElement const*, auto) /gecko/dom/svg/SVGGeometryProperty.h:235:5
    #6 0x7fa2ff7ed6f7 in ResolveAll<mozilla::dom::SVGGeometryProperty::Tags::Width, mozilla::dom::SVGGeometryProperty::Tags::Height> /gecko/dom/svg/SVGGeometryProperty.h:257:14
    #7 0x7fa2ff7ed6f7 in mozilla::dom::SVGImageElement::HasValidDimensions() const /gecko/dom/svg/SVGImageElement.cpp:298:7
    #8 0x7fa300f0808d in mozilla::SVGDisplayContainerFrame::PaintSVG(gfxContext&, mozilla::gfx::BaseMatrix<double> const&, mozilla::image::imgDrawingParams&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /gecko/layout/svg/SVGContainerFrame.cpp:263:21
    #9 0x7fa300f8aca7 in mozilla::SVGViewportFrame::PaintSVG(gfxContext&, mozilla::gfx::BaseMatrix<double> const&, mozilla::image::imgDrawingParams&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /gecko/layout/svg/SVGViewportFrame.cpp:53:29
    #10 0x7fa300f820b1 in mozilla::SVGUtils::PaintFrameWithEffects(nsIFrame*, gfxContext&, mozilla::gfx::BaseMatrix<double> const&, mozilla::image::imgDrawingParams&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /gecko/layout/svg/SVGUtils.cpp:792:15
    #11 0x7fa300f3cd85 in mozilla::SVGMaskFrame::GetMaskForMaskedFrame(mozilla::SVGMaskFrame::MaskParams&) /gecko/layout/svg/SVGMaskFrame.cpp:99:5
    #12 0x7fa300f32ea3 in mozilla::PaintMaskSurface(mozilla::SVGIntegrationUtils::PaintFramesParams const&, mozilla::gfx::DrawTarget*, float, mozilla::ComputedStyle*, nsTArray<mozilla::SVGMaskFrame*> const&, mozilla::gfx::BaseMatrix<float> const&, nsPoint const&) /gecko/layout/svg/SVGIntegrationUtils.cpp:533:50
    #13 0x7fa300f31cbb in mozilla::SVGIntegrationUtils::PaintMask(mozilla::SVGIntegrationUtils::PaintFramesParams const&, bool&) /gecko/layout/svg/SVGIntegrationUtils.cpp:807:26
    #14 0x7fa301101479 in nsDisplayMasksAndClipPaths::PaintMask(nsDisplayListBuilder*, gfxContext*, bool*) /gecko/layout/painting/nsDisplayList.cpp:9601:18
    #15 0x7fa2fb308eb2 in mozilla::layers::WebRenderCommandBuilder::BuildWrMaskImage(nsDisplayMasksAndClipPaths*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*, mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float> const&) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2495:20
    #16 0x7fa3011d3a21 in CreateWRClipPathAndMasks /gecko/layout/painting/nsDisplayList.cpp:9891:58
    #17 0x7fa3011d3a21 in nsDisplayMasksAndClipPaths::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) /gecko/layout/painting/nsDisplayList.cpp:9921:30
    #18 0x7fa2fb2fd9e6 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1670:41
    #19 0x7fa2fb2fbe21 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1792:7
    #20 0x7fa3011ad783 in nsDisplayWrapList::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) /gecko/layout/painting/nsDisplayList.cpp:5689:30
    #21 0x7fa3011b4fc7 in nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) /gecko/layout/painting/nsDisplayList.cpp:6503:22
    #22 0x7fa2fb2fd9e6 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1670:41
    #23 0x7fa2fb2fbe21 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1792:7
    #24 0x7fa2fb2fa6ed in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, nsDisplayList*, nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) /gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1590:5
    #25 0x7fa2fb360a05 in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(nsDisplayList*, nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) /gecko/gfx/layers/wr/WebRenderLayerManager.cpp:368:30
    #26 0x7fa30118a2f4 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /gecko/layout/painting/nsDisplayList.cpp:2535:18
    #27 0x7fa300a98b95 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /gecko/layout/base/nsLayoutUtils.cpp:3530:45
    #28 0x7fa3009a9c4f in mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags) /gecko/layout/base/PresShell.cpp:6400:5
    #29 0x7fa30037d205 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /gecko/view/nsViewManager.cpp:459:18
    #30 0x7fa30037c91f in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /gecko/view/nsViewManager.cpp:394:22
    #31 0x7fa30037e8dd in nsViewManager::ProcessPendingUpdates() /gecko/view/nsViewManager.cpp:972:5
    #32 0x7fa30092718d in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /gecko/layout/base/nsRefreshDriver.cpp:2473:11
    #33 0x7fa300931e67 in TickDriver /gecko/layout/base/nsRefreshDriver.cpp:348:13
    #34 0x7fa300931e67 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /gecko/layout/base/nsRefreshDriver.cpp:326:7
    #35 0x7fa300931bcd in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:342:5
    #36 0x7fa300931955 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:771:5
    #37 0x7fa300930f75 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:700:16
    #38 0x7fa300930530 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /gecko/layout/base/nsRefreshDriver.cpp:617:7
    #39 0x7fa30092fce1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /gecko/layout/base/nsRefreshDriver.cpp:538:9
    #40 0x7fa2ffb7e5a7 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /gecko/dom/ipc/VsyncChild.cpp:68:15
    #41 0x7fa2fa5caf1d in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
    #42 0x7fa2fa22b74b in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6091:32
    #43 0x7fa2f9c7051a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2084:25
    #44 0x7fa2f9c6d208 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:2011:9
    #45 0x7fa2f9c6eb65 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1859:3
    #46 0x7fa2f9c6f6cb in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1890:13
    #47 0x7fa2f8a64252 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:502:16
    #48 0x7fa2f8a30d44 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:805:26
    #49 0x7fa2f8a2e598 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:641:15
    #50 0x7fa2f8a2ecad in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:425:36
    #51 0x7fa2f8a6e291 in operator() /gecko/xpcom/threads/TaskController.cpp:135:37
    #52 0x7fa2f8a6e291 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:532:5
    #53 0x7fa2f8a4b6c7 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1148:16
    #54 0x7fa2f8a5639c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:466:10
    #55 0x7fa2f9c7918f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
    #56 0x7fa2f9b63e11 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #57 0x7fa2f9b63e11 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #58 0x7fa2f9b63e11 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #59 0x7fa30042e1c7 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #60 0x7fa304640b3f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:910:20
    #61 0x7fa2f9b63e11 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #62 0x7fa2f9b63e11 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #63 0x7fa2f9b63e11 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #64 0x7fa304640518 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:742:34
    #65 0x5613c3ff50cd in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #66 0x5613c3ff54fd in main /gecko/browser/app/nsBrowserApp.cpp:327:18
    #67 0x7fa319a900b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #68 0x5613c3f46769 in _start (/home/worker/builds/m-c-20210719093934-fuzzing-asan-opt/firefox+0x5b769)

A Pernosco session is available here: https://pernos.co/debug/84ijZZAlBDv071NTuMoo_Q/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210804214554-a72c2fe44761.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 6e35e01646d7c465893a172a0b4fb116c2293d2a (20200806033456)
End: c75f4ae449378437bbd05fd00bfdbe1bf5e125de (20210719093934)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

I'll take a look here later on today.

It looks like that pernosco session is for an opt build (not --enable-debug), which makes it hard to poke around (I can't e.g. print out the values of variables in the gdb pane).

However, I'm able to reproduce this locally with a debug build, and I get this assertion-failure (for a null-check) just before the point where the opt build crashes (on a null-deref):

Assertion failure: imgf, at /scratch/work/builds/mozilla-central/mozilla/dom/svg/SVGGeometryProperty.h:130

My persosco session with this failing (at the assertion from comment 4) in a debug+opt build:
https://pernos.co/debug/Xh8_Fo0mN_CT4rzypXou1Q/index.html

(more analysis/thoughts coming later on)

I think we should return 0 instead of asserting, similar to line 138.

Agreed. I'll post a patch shortly which does that.

https://hg.mozilla.org/mozilla-central/rev/556581f9b280

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20210817214910-659f053820bf.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

The patch landed in nightly and beta is affected.
:dholbert, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

:dholbert, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

It doesn't actually contain a bisection range; bugmon says "Failed to bisect testcase (Testcase reproduces on start build!)" in comment 2.