Closed Bug 1419522 Opened 8 years ago Closed 6 years ago

UBSan: division by zero in [@ nsIFrame::ComputeBorderRadii]

Categories

(Core :: Layout, defect, P3)

Product:
Core
Component:
Layout
Version:
59 Branch
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1531025
Tracking Flags:
Tracking Status
firefox59 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined, testcase)

Attachments

(1 file)

testcase.html
103 bytes, text/html
Details
Attached file testcase.html
This was found with a Firefox build built with -fsanitize=float-divide-by-zero,integer-divide-by-zero /layout/generic/nsFrame.cpp:1714:45: runtime error: division by zero #0 0x7f96bf3a5b48 in nsIFrame::ComputeBorderRadii(nsStyleCorners const&, nsSize const&, nsSize const&, mozilla::Sides, int*) /layout/generic/nsFrame.cpp:1714:45 #1 0x7f96bf8e27c0 in nsCSSRendering::CreateBorderRendererForOutline(nsPresContext*, gfxContext*, nsIFrame*, nsRect const&, nsRect const&, nsStyleContext*) /layout/painting/nsCSSRendering.cpp:1095:3 #2 0x7f96bf8e341c in nsCSSRendering::PaintOutline(nsPresContext*, gfxContext&, nsIFrame*, nsRect const&, nsRect const&, nsStyleContext*) /layout/painting/nsCSSRendering.cpp:1180:35 #3 0x7f96bf93e39d in nsDisplayOutline::Paint(nsDisplayListBuilder*, gfxContext*) /layout/painting/nsDisplayList.cpp:4766:3 #4 0x7f96bf8ced18 in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) /layout/painting/FrameLayerBuilder.cpp:6038:21 #5 0x7f96bf8cfdc2 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /layout/painting/FrameLayerBuilder.cpp:6205:19 #6 0x7f96ba8399c4 in mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) /gfx/layers/client/ClientPaintedLayer.cpp:164:5 #7 0x7f96ba83b442 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) /gfx/layers/client/ClientPaintedLayer.cpp:301:3 #8 0x7f96ba870240 in mozilla::layers::ClientContainerLayer::RenderLayer() /gfx/layers/client/ClientContainerLayer.h:58:29 #9 0x7f96ba870240 in mozilla::layers::ClientContainerLayer::RenderLayer() /gfx/layers/client/ClientContainerLayer.h:58:29 #10 0x7f96ba834c72 in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /gfx/layers/client/ClientLayerManager.cpp:362:13 #11 0x7f96ba835450 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /gfx/layers/client/ClientLayerManager.cpp:426:3 #12 0x7f96bf92b153 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) /layout/painting/nsDisplayList.cpp:2594:17 #13 0x7f96bf235f86 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /layout/base/nsLayoutUtils.cpp:3944:12 #14 0x7f96bf15bb92 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /layout/base/PresShell.cpp:6512:5 #15 0x7f96bea4932b in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /view/nsViewManager.cpp:480:19 #16 0x7f96bea48a1d in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /view/nsViewManager.cpp:412:33 #17 0x7f96bea4ac9b in nsViewManager::ProcessPendingUpdates() /view/nsViewManager.cpp:1102:5 #18 0x7f96bf0da77e in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:2027:11 #19 0x7f96bf0e5003 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /layout/base/nsRefreshDriver.cpp:306:7 #20 0x7f96bf0e4d4c in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:328:5 #21 0x7f96bf0e92ca in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:769:5 #22 0x7f96bf0e7d20 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:682:35 #23 0x7f96bf0e31dc in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /layout/base/nsRefreshDriver.cpp:528:20 #24 0x7f96b7b5cdb9 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1037:14 #25 0x7f96b7b95ed1 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:513:10 #26 0x7f96b8cc7e31 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:97:21 #27 0x7f96b8b49d50 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:299:3 #28 0x7f96bead70a4 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:159:27 #29 0x7f96c34268d9 in nsAppStartup::Run() /toolkit/components/startup/nsAppStartup.cpp:288:30 #30 0x7f96c35edafb in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:4685:22 #31 0x7f96c35ef95c in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:4847:8 #32 0x7f96c35f0651 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:4942:21 #33 0x518238 in do_main(int, char**, char**) /browser/app/nsBrowserApp.cpp:231:22 #34 0x517aba in main /browser/app/nsBrowserApp.cpp:304:16 #35 0x7f96eca441c0 in __libc_start_main /build/glibc-CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308 #36 0x420589 in _start (firefox+0x420589)
Flags: in-testsuite?
Priority: -- → P3
The corresponding line is: https://searchfox.org/mozilla-central/rev/fb5422ff98ba43f3732debd9d1f4dcd3b3a920f6/layout/generic/nsFrame.cpp#1704 The specific line and its if-statement should probably be wrapped inside the "if (sum)" above.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: