Closed Bug 1419239 Opened 2 years ago Closed 3 months ago

UBSan: division by zero [@ mozilla::gfx::FindBezierNearestPoint]

Categories

(Core :: Graphics, defect, P3)

59 Branch
defect

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox59 --- affected

People

(Reporter: tsmith, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined, testcase, Whiteboard: [gfx-noted])

Attachments

(1 file)

Attached file testcase.html
This was found with a Firefox build built with -fsanitize=float-divide-by-zero,integer-divide-by-zero

/mozilla-central/gfx/2d/BezierUtils.cpp:223:15: runtime error: division by zero
    #0 0x7fc7460e3146 in mozilla::gfx::FindBezierNearestPoint(mozilla::gfx::Bezier const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, float, float*) /mozilla-central/gfx/2d/BezierUtils.cpp:223:15
    #1 0x7fc74b79dade in mozilla::DashedCornerFinder::FindNext(float) /mozilla-central/layout/painting/DashedCornerFinder.cpp:218:14
    #2 0x7fc74b79d47b in mozilla::DashedCornerFinder::Next() /mozilla-central/layout/painting/DashedCornerFinder.cpp:164:13
    #3 0x7fc74b80dd7e in nsCSSBorderRenderer::DrawDashedCornerSlow(mozilla::Side, mozilla::Corner) /mozilla-central/layout/painting/nsCSSRenderingBorders.cpp:2553:48
    #4 0x7fc74b8073c3 in nsCSSBorderRenderer::DrawDashedOrDottedCorner(mozilla::Side, mozilla::Corner) /mozilla-central/layout/painting/nsCSSRenderingBorders.cpp:2397:7
    #5 0x7fc74b805623 in nsCSSBorderRenderer::DrawBorderSides(int) /mozilla-central/layout/painting/nsCSSRenderingBorders.cpp
    #6 0x7fc74b7e1787 in nsCSSBorderRenderer::DrawBorders() /mozilla-central/layout/painting/nsCSSRenderingBorders.cpp:3506:11
    #7 0x7fc74b7d8618 in nsCSSRendering::PaintBorderWithStyleBorder(nsPresContext*, gfxContext&, nsIFrame*, nsRect const&, nsRect const&, nsStyleBorder const&, nsStyleContext*, mozilla::PaintBorderFlags, mozilla::Sides) /mozilla-central/layout/painting/nsCSSRendering.cpp:973:6
    #8 0x7fc74b7d7e67 in nsCSSRendering::PaintBorder(nsPresContext*, gfxContext&, nsIFrame*, nsRect const&, nsRect const&, nsStyleContext*, mozilla::PaintBorderFlags, mozilla::Sides) /mozilla-central/layout/painting/nsCSSRendering.cpp:646:12
    #9 0x7fc74b846d57 in nsDisplayBorder::Paint(nsDisplayListBuilder*, gfxContext*) /mozilla-central/layout/painting/nsDisplayList.cpp:5513:5
    #10 0x7fc74b7ced18 in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) /mozilla-central/layout/painting/FrameLayerBuilder.cpp:6038:21
    #11 0x7fc74b7cfdc2 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /mozilla-central/layout/painting/FrameLayerBuilder.cpp:6205:19
    #12 0x7fc7467399c4 in mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) /mozilla-central/gfx/layers/client/ClientPaintedLayer.cpp:164:5
    #13 0x7fc74673b442 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) /mozilla-central/gfx/layers/client/ClientPaintedLayer.cpp:301:3
    #14 0x7fc746770240 in mozilla::layers::ClientContainerLayer::RenderLayer() /mozilla-central/gfx/layers/client/ClientContainerLayer.h:58:29
    #15 0x7fc746770240 in mozilla::layers::ClientContainerLayer::RenderLayer() /mozilla-central/gfx/layers/client/ClientContainerLayer.h:58:29
    #16 0x7fc746734c72 in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /mozilla-central/gfx/layers/client/ClientLayerManager.cpp:362:13
    #17 0x7fc746735450 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /mozilla-central/gfx/layers/client/ClientLayerManager.cpp:426:3
    #18 0x7fc74b82b153 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) /mozilla-central/layout/painting/nsDisplayList.cpp:2594:17
    #19 0x7fc74b135f86 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /mozilla-central/layout/base/nsLayoutUtils.cpp:3944:12
    #20 0x7fc74b05bb92 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /mozilla-central/layout/base/PresShell.cpp:6512:5
    #21 0x7fc74a94932b in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /mozilla-central/view/nsViewManager.cpp:480:19
    #22 0x7fc74a948a1d in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /mozilla-central/view/nsViewManager.cpp:412:33
    #23 0x7fc74a94ac9b in nsViewManager::ProcessPendingUpdates() /mozilla-central/view/nsViewManager.cpp:1102:5
    #24 0x7fc74afda77e in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /mozilla-central/layout/base/nsRefreshDriver.cpp:2027:11
    #25 0x7fc74afe5003 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /mozilla-central/layout/base/nsRefreshDriver.cpp:306:7
    #26 0x7fc74afe4d4c in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /mozilla-central/layout/base/nsRefreshDriver.cpp:328:5
    #27 0x7fc74afe92ca in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) /mozilla-central/layout/base/nsRefreshDriver.cpp:769:5
    #28 0x7fc74afe7d20 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /mozilla-central/layout/base/nsRefreshDriver.cpp:682:35
    #29 0x7fc74afe31dc in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /mozilla-central/layout/base/nsRefreshDriver.cpp:528:20
    #30 0x7fc743a5cdb9 in nsThread::ProcessNextEvent(bool, bool*) /mozilla-central/xpcom/threads/nsThread.cpp:1037:14
    #31 0x7fc743a95ed1 in NS_ProcessNextEvent(nsIThread*, bool) /mozilla-central/xpcom/threads/nsThreadUtils.cpp:513:10
    #32 0x7fc744bc7e31 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /mozilla-central/ipc/glue/MessagePump.cpp:97:21
    #33 0x7fc744a49d50 in MessageLoop::Run() /mozilla-central/ipc/chromium/src/base/message_loop.cc:299:3
    #34 0x7fc74a9d70a4 in nsBaseAppShell::Run() /mozilla-central/widget/nsBaseAppShell.cpp:159:27
    #35 0x7fc74f3268d9 in nsAppStartup::Run() /mozilla-central/toolkit/components/startup/nsAppStartup.cpp:288:30
    #36 0x7fc74f4edafb in XREMain::XRE_mainRun() /mozilla-central/toolkit/xre/nsAppRunner.cpp:4685:22
    #37 0x7fc74f4ef95c in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /mozilla-central/toolkit/xre/nsAppRunner.cpp:4847:8
    #38 0x7fc74f4f0651 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /mozilla-central/toolkit/xre/nsAppRunner.cpp:4942:21
    #39 0x518238 in do_main(int, char**, char**) /mozilla-central/browser/app/nsBrowserApp.cpp:231:22
    #40 0x517aba in main /mozilla-central/browser/app/nsBrowserApp.cpp:304:16
    #41 0x7fc77899d1c0 in __libc_start_main /build/glibc-CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308
    #42 0x420589 in _start (firefox+0x420589)
Flags: in-testsuite?
Flags: needinfo?(milan)
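To show concretely what a `-fsanitize=float-divide-by-zero` finding like the one above looks like in a nearest-point search, and how such a division is normally guarded, here is a constructed example. It is not Firefox's BezierUtils.cpp and does not reproduce the expression on its line 223 (the report does not show what that line divides by); it models a Newton-refined nearest-point search on a cubic Bezier, where a degenerate curve (all four control points equal) makes the Newton denominator exactly zero. The `Point`, `Bezier`, `newtonStepUnguarded`, `newtonStepGuarded` and `findNearestT` names are all assumptions of this example.

```cpp
#include <cmath>
#include <cstdio>

// Constructed example (not Firefox code): cubic Bezier nearest-point search.
struct Point { float x, y; };
struct Bezier { Point p[4]; };  // p[0], p[3] endpoints; p[1], p[2] control points

static Point sub(Point a, Point b) { return {a.x - b.x, a.y - b.y}; }
static float dot(Point a, Point b) { return a.x * b.x + a.y * b.y; }

// B(t): position on the curve.
static Point evalB(const Bezier& b, float t) {
  float u = 1.0f - t;
  float w0 = u * u * u, w1 = 3 * u * u * t, w2 = 3 * u * t * t, w3 = t * t * t;
  return {w0 * b.p[0].x + w1 * b.p[1].x + w2 * b.p[2].x + w3 * b.p[3].x,
          w0 * b.p[0].y + w1 * b.p[1].y + w2 * b.p[2].y + w3 * b.p[3].y};
}

// B'(t): first derivative (tangent).
static Point evalB1(const Bezier& b, float t) {
  float u = 1.0f - t;
  Point d0 = sub(b.p[1], b.p[0]), d1 = sub(b.p[2], b.p[1]), d2 = sub(b.p[3], b.p[2]);
  float w0 = 3 * u * u, w1 = 6 * u * t, w2 = 3 * t * t;
  return {w0 * d0.x + w1 * d1.x + w2 * d2.x, w0 * d0.y + w1 * d1.y + w2 * d2.y};
}

// B''(t): second derivative.
static Point evalB2(const Bezier& b, float t) {
  float u = 1.0f - t;
  Point a = {b.p[2].x - 2 * b.p[1].x + b.p[0].x, b.p[2].y - 2 * b.p[1].y + b.p[0].y};
  Point c = {b.p[3].x - 2 * b.p[2].x + b.p[1].x, b.p[3].y - 2 * b.p[2].y + b.p[1].y};
  return {6 * u * a.x + 6 * t * c.x, 6 * u * a.y + 6 * t * c.y};
}

// One Newton step on f(t) = (B(t) - P) . B'(t); its root is the nearest parameter.
// Unguarded: on a degenerate curve B' and B'' are both zero, so `den` is exactly
// 0.0f. This division is what -fsanitize=float-divide-by-zero reports at run
// time; without the sanitizer it silently produces NaN (0/0) or inf (x/0) and
// the search carries on with garbage.
static float newtonStepUnguarded(const Bezier& b, Point P, float t) {
  Point d = sub(evalB(b, t), P);
  Point d1 = evalB1(b, t), d2 = evalB2(b, t);
  float num = dot(d, d1);
  float den = dot(d1, d1) + dot(d, d2);
  return t - num / den;
}

// Guarded: refuse to divide by a (near-)zero denominator and tell the caller
// that no progress was possible, so it can keep the current t instead.
static bool newtonStepGuarded(const Bezier& b, Point P, float& t) {
  Point d = sub(evalB(b, t), P);
  Point d1 = evalB1(b, t), d2 = evalB2(b, t);
  float den = dot(d1, d1) + dot(d, d2);
  if (std::fabs(den) < 1e-12f) return false;  // degenerate or stationary point
  float next = t - dot(d, d1) / den;
  t = std::fmin(1.0f, std::fmax(0.0f, next));  // stay on the curve segment
  return true;
}

// Nearest parameter to P, starting at t0, using a bounded number of guarded steps.
static float findNearestT(const Bezier& b, Point P, float t0, int maxIters = 8) {
  float t = t0;
  for (int i = 0; i < maxIters; ++i) {
    float prev = t;
    if (!newtonStepGuarded(b, P, t)) break;
    if (std::fabs(t - prev) < 1e-6f) break;
  }
  return t;
}

int main() {
  // Constructed inputs: a straight-line curve and a fully degenerate one.
  Bezier line = {{{0.f, 0.f}, {1.f / 3, 0.f}, {2.f / 3, 0.f}, {1.f, 0.f}}};
  Bezier degen = {{{2.f, 2.f}, {2.f, 2.f}, {2.f, 2.f}, {2.f, 2.f}}};
  std::printf("line: nearest t to (0.5,1) = %f\n", findNearestT(line, {0.5f, 1.f}, 0.25f));
  std::printf("degenerate, unguarded step = %f\n", newtonStepUnguarded(degen, {0.f, 0.f}, 0.5f));
  std::printf("degenerate, guarded t      = %f\n", findNearestT(degen, {0.f, 0.f}, 0.5f));
  return 0;
}
```

Building this with `clang++ -g -fsanitize=float-divide-by-zero example.cpp` and running it prints a `runtime error: division by zero` line for `newtonStepUnguarded` in the same format as the report above; the guarded path produces no finding. Note that `float-divide-by-zero` is not part of clang's default `-fsanitize=undefined` set, which is why the reporter lists it explicitly.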
I don't think this can actually happen, but I'll let Bas comment.
Flags: needinfo?(milan) → needinfo?(bas)
Whiteboard: [gfx-noted]
(In reply to Milan Sreckovic [:milan] from comment #1)
> I don't think this can actually happen, but I'll let Bas comment.

These (UBSan) are run time checks that show that it does happen, and the attached testcase will reproduce the issue.

I am no longer able to reproduce this issue with the attached testcase.

Status: NEW → RESOLVED
Closed: 3 months ago
Resolution: --- → WORKSFORME