Closed Bug 1341795 Opened 8 years ago Closed 2 years ago

Assertion failure: (aA != 0 || (!IsInfinite(aB))) && ((aA != (-9223372036854775807L-1) && aA != (9223372036854775807L)) || aB != 0.0) (Multiplication of infinity by zero)

Categories

(Core :: DOM: Animation, defect, P3)

Product:
Core
Component:
DOM: Animation
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1271788
Tracking Flags:
Tracking Status
firefox-esr52 --- wontfix
firefox-esr68 --- affected
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- wontfix
firefox72 --- wontfix
firefox73 --- affected
firefox74 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

index.html
285 bytes, text/html
Details
Attached file index.html 
Testcase found by fuzzing on debug build of mozilla-central rev 20170222-7abeac2f2d66.

Assertion failure: (aA != 0 || (!IsInfinite(aB))) && ((aA != (-9223372036854775807L-1) && aA != (9223372036854775807L)) || aB != 0.0) (Multiplication of infinity by zero), at /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StickyTimeDuration.h:174

ASAN:DEADLYSIGNAL
=================================================================
==16864==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f1837a8ed8f bp 0x7ffcf372fea0 sp 0x7ffcf372fe80 T0)
    #0 0x7f1837a8ed8e in long mozilla::StickyTimeDurationValueCalculator::Multiply<double>(long, double) /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StickyTimeDuration.h:172:3
    #1 0x7f1837a8ec9b in mozilla::BaseTimeDuration<mozilla::StickyTimeDurationValueCalculator>::MultDouble(double) const /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/TimeStamp.h:204:22
    #2 0x7f183ae69573 in mozilla::dom::CSSAnimation::QueueEvents(mozilla::BaseTimeDuration<mozilla::StickyTimeDurationValueCalculator>) /home/worker/workspace/build/src/layout/style/nsAnimationManager.cpp:231:7
    #3 0x7f183ae68fa2 in mozilla::dom::CSSAnimation::Tick() /home/worker/workspace/build/src/layout/style/nsAnimationManager.cpp:139:3
    #4 0x7f1837a79a30 in mozilla::dom::DocumentTimeline::WillRefresh(mozilla::TimeStamp) /home/worker/workspace/build/src/dom/animation/DocumentTimeline.cpp:176:5
    #5 0x7f183b010e5a in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1861:7
    #6 0x7f183b010e5a in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1861:7
    #7 0x7f183b016007 in nsRefreshDriver::FinishedWaitingForTransaction() /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2156:5
    #8 0x7f1837623891 in mozilla::layers::ClientLayerManager::DidComposite(unsigned long, mozilla::TimeStamp const&, mozilla::TimeStamp const&) /home/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:495:5
    #9 0x7f18376d9ef8 in mozilla::layers::CompositorBridgeChild::RecvDidComposite(unsigned long const&, unsigned long const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&) /home/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeChild.cpp:584:5
    #10 0x7f1836c7ff3e in mozilla::layers::PCompositorBridgeChild::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PCompositorBridgeChild.cpp:1537:20
    #11 0x7f18367fc1ef in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1795:14
    #12 0x7f18367f96aa in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1730:17
    #13 0x7f18367faade in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1603:5
    #14 0x7f18367fb3cb in mozilla::ipc::MessageChannel::MessageTask::Run() /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1636:5
    #15 0x7f1835ce0805 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1264:7
    #16 0x7f1835cdcea0 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #17 0x7f1836802859 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #18 0x7f183676e507 in MessageLoop::RunInternal() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:3
    #19 0x7f183676e399 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211:3
    #20 0x7f183ab5d27a in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
    #21 0x7f183d51a9ac in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19
    #22 0x7f183d660669 in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4471:10
    #23 0x7f183d6621f7 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4648:8
    #24 0x7f183d663042 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4739:16
    #25 0x4e0e23 in do_main(int, char**, char**) /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:234:10
    #26 0x4e06a0 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:305:16
    #27 0x7f18516ce82f in __libc_start_main /build/glibc-Qz8a69/glibc-2.23/csu/../csu/libc-start.c:291
    #28 0x41ccd4 in _start (/home/forb1dden/Shared/Mozilla/builds/asan-debug/firefox+0x41ccd4)
Flags: in-testsuite?
This is another variant of bug 1271788, maybe a dup.
Component: CSS Parsing and Computation → DOM: Animation
Priority: -- → P3
Still reproduces on trunk with or without Stylo enabled. The testcase fails more than a year back, which is the furthest mozregression can bisect debug builds.
Has Regression Range: --- → no
status-firefox56: --- → wontfix
status-firefox57: --- → wontfix
status-firefox58: --- → fix-optional
status-firefox-esr52: --- → wontfix
While bug 1271788 might fix this, I suspect we could just fix this by skipping the multiplication here when one operand is infinity.
QA Whiteboard: qa-not-actionable
Blocks: domino
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: