1437732 - UBSan: divide-by-zero in [@ mozilla::layers::AnimationHelper::SampleAnimationForEachNode]

Status: RESOLVED WORKSFORME

(Core :: Graphics: Layers, defect)

Description

[Tyson Smith [:tsmith]]

This seems to be triggered after a few minutes with regular browsing.

Found in mozilla-central changeset: 403479:6d8f470b2579. Built with -fsanitize=float-divide-by-zero,integer-divide-by-zero

/gfx/layers/AnimationHelper.cpp:262:68: runtime error: division by zero
    #0 0x7fed99d69286 in mozilla::layers::AnimationHelper::SampleAnimationForEachNode(mozilla::TimeStamp, nsTArray<mozilla::layers::Animation>&, nsTArray<mozilla::layers::AnimData>&, mozilla::AnimationValue&, bool&) /gfx/layers/AnimationHelper.cpp:262:68
    #1 0x7fed99f20bc8 in operator() /gfx/layers/composite/AsyncCompositionManager.cpp:667:13
    #2 0x7fed99f20bc8 in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_L16SampleAnimationsES4_PNS0_26CompositorAnimationStorageENS_9TimeStampEPmE3$_8ZNS0_L16SampleAnimationsES4_S6_S7_S8_E3$_9EENS_8EnableIfIXaasr6IsSameIDTclfp0_fp_EEvEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeET0_RKT1_RKT2_ /gfx/layers/TreeTraversal.h:137
    #3 0x7fed99f20f6d in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_L16SampleAnimationsES4_PNS0_26CompositorAnimationStorageENS_9TimeStampEPmE3$_8ZNS0_L16SampleAnimationsES4_S6_S7_S8_E3$_9EENS_8EnableIfIXaasr6IsSameIDTclfp0_fp_EEvEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeET0_RKT1_RKT2_ /gfx/layers/TreeTraversal.h:142:5
    #4 0x7fed99f20f6d in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_L16SampleAnimationsES4_PNS0_26CompositorAnimationStorageENS_9TimeStampEPmE3$_8ZNS0_L16SampleAnimationsES4_S6_S7_S8_E3$_9EENS_8EnableIfIXaasr6IsSameIDTclfp0_fp_EEvEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeET0_RKT1_RKT2_ /gfx/layers/TreeTraversal.h:142:5
    #5 0x7fed99f20f6d in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_L16SampleAnimationsES4_PNS0_26CompositorAnimationStorageENS_9TimeStampEPmE3$_8ZNS0_L16SampleAnimationsES4_S6_S7_S8_E3$_9EENS_8EnableIfIXaasr6IsSameIDTclfp0_fp_EEvEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeET0_RKT1_RKT2_ /gfx/layers/TreeTraversal.h:142:5
    #6 0x7fed99f20f6d in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_L16SampleAnimationsES4_PNS0_26CompositorAnimationStorageENS_9TimeStampEPmE3$_8ZNS0_L16SampleAnimationsES4_S6_S7_S8_E3$_9EENS_8EnableIfIXaasr6IsSameIDTclfp0_fp_EEvEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeET0_RKT1_RKT2_ /gfx/layers/TreeTraversal.h:142:5
    #7 0x7fed99f20f6d in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_L16SampleAnimationsES4_PNS0_26CompositorAnimationStorageENS_9TimeStampEPmE3$_8ZNS0_L16SampleAnimationsES4_S6_S7_S8_E3$_9EENS_8EnableIfIXaasr6IsSameIDTclfp0_fp_EEvEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeET0_RKT1_RKT2_ /gfx/layers/TreeTraversal.h:142:5
    #8 0x7fed99f20f6d in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_L16SampleAnimationsES4_PNS0_26CompositorAnimationStorageENS_9TimeStampEPmE3$_8ZNS0_L16SampleAnimationsES4_S6_S7_S8_E3$_9EENS_8EnableIfIXaasr6IsSameIDTclfp0_fp_EEvEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeET0_RKT1_RKT2_ /gfx/layers/TreeTraversal.h:142:5
    #9 0x7fed99f20f6d in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_L16SampleAnimationsES4_PNS0_26CompositorAnimationStorageENS_9TimeStampEPmE3$_8ZNS0_L16SampleAnimationsES4_S6_S7_S8_E3$_9EENS_8EnableIfIXaasr6IsSameIDTclfp0_fp_EEvEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeET0_RKT1_RKT2_ /gfx/layers/TreeTraversal.h:142:5
    #10 0x7fed99f0e447 in SampleAnimations /gfx/layers/composite/AsyncCompositionManager.cpp:657:3
    #11 0x7fed99f0e447 in mozilla::layers::AsyncCompositionManager::TransformShadowTree(mozilla::TimeStamp, mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>, mozilla::layers::AsyncCompositionManager::TransformsToSkip) /gfx/layers/composite/AsyncCompositionManager.cpp:1381
    #12 0x7fed99f59216 in mozilla::layers::CompositorBridgeParent::CompositeToTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /gfx/layers/ipc/CompositorBridgeParent.cpp:1018:48
    #13 0x7fed99f61cf2 in mozilla::layers::CompositorVsyncScheduler::Composite(mozilla::TimeStamp) /gfx/layers/ipc/CompositorVsyncScheduler.cpp:243:27
    #14 0x7fed99f7ecd0 in apply<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp)> /objdir-ff-ubsan/dist/include/nsThreadUtils.h:1155:12
    #15 0x7fed99f7ecd0 in mozilla::detail::RunnableMethodImpl<mozilla::layers::CompositorVsyncScheduler*, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), true, (mozilla::RunnableKind)1, mozilla::TimeStamp>::Run() /objdir-ff-ubsan/dist/include/nsThreadUtils.h:1200
    #16 0x7fed98da1fd6 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /ipc/chromium/src/base/message_loop.cc:452:9
    #17 0x7fed98da25bf in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /ipc/chromium/src/base/message_loop.cc:460:5
    #18 0x7fed98da278a in MessageLoop::DoWork() /ipc/chromium/src/base/message_loop.cc:535:13
    #19 0x7fed98da34eb in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /ipc/chromium/src/base/message_pump_default.cc:36:31
    #20 0x7fed98da1dc9 in RunHandler /ipc/chromium/src/base/message_loop.cc:319:3
    #21 0x7fed98da1dc9 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:299
    #22 0x7fed98dbd16d in base::Thread::ThreadMain() /ipc/chromium/src/base/thread.cc:181:16
    #23 0x7fed98da7ab6 in ThreadFunc(void*) /ipc/chromium/src/base/platform_thread_posix.cc:38:13
    #24 0x7fedbf5a97fb in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x77fb)
    #25 0x7fedbe5d7b5e in clone /build/glibc-itYbWN/glibc-2.26/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Comment 1

[Hiroyuki Ikezoe (:hiro)]

I don't recall why we haven't checked it there.

Comment 2

[Hiroyuki Ikezoe (:hiro)]

Does this error also happen with setting layers.offmainthreadcomposition.async-animations false?  If it happens we need also fix main-thread side.

Comment 3

[Tyson Smith [:tsmith]]

I am no longer able to reproduce the issue.