Closed Bug 1437735 Opened 6 years ago Closed 4 years ago

UBSan: divide-by-zero in [@ ClampAndAlignWithPixels]

Categories

(Core :: Layout, defect, P2)

60 Branch
defect

Tracking


RESOLVED DUPLICATE of bug 1603807
Tracking Status
firefox60 --- affected

People

(Reporter: tsmith, Unassigned)

Details

(Keywords: csectype-undefined)

This seems to be triggered after a few minutes with regular browsing.

Found in mozilla-central changeset: 403479:6d8f470b2579. Built with -fsanitize=float-divide-by-zero,integer-divide-by-zero

/layout/generic/nsGfxScrollFrame.cpp:2689:62: runtime error: division by zero
    #0 0x7f7212f978de in ClampAndAlignWithPixels(int, int, int, int, int, int, double, int) /layout/generic/nsGfxScrollFrame.cpp:2689:62
    #1 0x7f7212f505a5 in ClampAndAlignWithLayerPixels /layout/generic/nsGfxScrollFrame.cpp:2733:18
    #2 0x7f7212f505a5 in mozilla::ScrollFrameHelper::ScrollToImpl(nsPoint, nsRect const&, nsAtom*) /layout/generic/nsGfxScrollFrame.cpp:2826
    #3 0x7f7212f5aab6 in mozilla::ScrollFrameHelper::ReflowFinished() /layout/generic/nsGfxScrollFrame.cpp:5502:5
    #4 0x7f7212d9f09c in mozilla::PresShell::HandlePostedReflowCallbacks(bool) /layout/base/PresShell.cpp:4031:22
    #5 0x7f7212d989fa in mozilla::PresShell::DidDoReflow(bool) /layout/base/PresShell.cpp:8792:3
    #6 0x7f7212da0596 in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9148:7
    #7 0x7f7212d9fb38 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4250:11
    #8 0x7f7211c36958 in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*) /dom/events/EventStateManager.cpp:735:5
    #9 0x7f7212dad1fa in mozilla::PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool) /layout/base/PresShell.cpp:7737:19
    #10 0x7f7212dac6d3 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /layout/base/PresShell.cpp:7386:17
    #11 0x7f7212977bad in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /view/nsViewManager.cpp:812:14
    #12 0x7f7212977900 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /view/nsView.cpp:1139:9
    #13 0x7f72129a7c3c in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /widget/PuppetWidget.cpp:410:35
    #14 0x7f72109a0f70 in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) /gfx/layers/apz/util/APZCCallbackHelper.cpp:499:21
    #15 0x7f721266fad2 in mozilla::dom::TabChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /dom/ipc/TabChild.cpp:1736:3
    #16 0x7f721267000f in mozilla::dom::TabChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /dom/ipc/TabChild.cpp:1703:3
    #17 0x7f721267016f in mozilla::dom::TabChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /dom/ipc/TabChild.cpp:1664:8
    #18 0x7f720ff110c2 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /objdir-ff-ubsan/ipc/ipdl/PBrowserChild.cpp:3395:20
    #19 0x7f720f9764fd in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /ipc/glue/MessageChannel.cpp:2110:25
    #20 0x7f720f974ce7 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /ipc/glue/MessageChannel.cpp:2040:17
    #21 0x7f720f975c08 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1919:15
    #22 0x7f720eec3b74 in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:413:25
    #23 0x7f720eedfc62 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1040:14
    #24 0x7f720eefb9d0 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:517:10
    #25 0x7f720f97a0ab in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:97:21
    #26 0x7f720f8a1dc9 in RunHandler /ipc/chromium/src/base/message_loop.cc:319:3
    #27 0x7f720f8a1dc9 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:299
    #28 0x7f72129c12b6 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:157:27
    #29 0x7f72167f6f94 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:892:22
    #30 0x7f720f8a1dc9 in RunHandler /ipc/chromium/src/base/message_loop.cc:319:3
    #31 0x7f720f8a1dc9 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:299
    #32 0x7f72167f6bc0 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:718:34
    #33 0x42d23b in content_process_main(mozilla::Bootstrap*, int, char**) /browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #34 0x42d358 in main /browser/app/nsBrowserApp.cpp:280:18
    #35 0x7f7234f6e1c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
    #36 0x407159 in _start (firefox+0x407159)
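The report above only shows that frame #0 divides by a value that was zero at runtime, and that the build had both -fsanitize=float-divide-by-zero and -fsanitize=integer-divide-by-zero enabled; it does not show the divisor. The following is an added example, not Gecko's code, that models a "clamp and align to pixels" helper with a hypothetical scale parameter (app units per pixel) to show why the float-divide-by-zero check matters: an integer division by zero traps on x86, but a floating-point division by zero silently yields inf/NaN and only the sanitizer makes it visible. The names, the signature and the guard are assumptions for illustration.

```cpp
#include <cmath>
#include <cstdio>

// Hypothetical model of a "clamp and align" helper (assumption, not Gecko's
// ClampAndAlignWithPixels): snap a scroll position, in app units, to a whole
// pixel boundary given appUnitsPerPixel, then clamp into [lo, hi].

// Unguarded variant. value / appUnitsPerPixel with a zero scale is exactly the
// kind of expression -fsanitize=float-divide-by-zero reports. Without the
// sanitizer nothing crashes: the result is inf, and inf * 0.0 is NaN, which
// then flows into later comparisons and clamps as garbage.
static double AlignUnguarded(double value, double appUnitsPerPixel) {
  double pixels = value / appUnitsPerPixel;  // division by zero when scale == 0
  return std::round(pixels) * appUnitsPerPixel;
}

// Guarded variant: a zero or non-finite scale means there is no meaningful
// pixel grid, so skip alignment instead of dividing, then clamp as usual.
static double ClampAndAlign(double value, double lo, double hi,
                            double appUnitsPerPixel) {
  double aligned = value;
  if (std::isfinite(appUnitsPerPixel) && appUnitsPerPixel != 0.0) {
    aligned = std::round(value / appUnitsPerPixel) * appUnitsPerPixel;
  }
  if (aligned < lo) aligned = lo;
  if (aligned > hi) aligned = hi;
  return aligned;
}

// True when the unguarded variant turns a zero scale into a non-finite value,
// i.e. the failure that is silent without the sanitizer.
static bool UnguardedProducesNonFinite() {
  return !std::isfinite(AlignUnguarded(100.0, 0.0));
}

int main() {
  // Constructed inputs: 60 app units per pixel, a zero scale, and a negative
  // position that must clamp to lo.
  std::printf("aligned(150, scale 60) = %g\n", ClampAndAlign(150.0, 0.0, 1000.0, 60.0));
  std::printf("aligned(150, scale 0)  = %g\n", ClampAndAlign(150.0, 0.0, 1000.0, 0.0));
  std::printf("aligned(-30, scale 60) = %g\n", ClampAndAlign(-30.0, 0.0, 1000.0, 60.0));
  std::printf("unguarded non-finite   = %d\n", UnguardedProducesNonFinite() ? 1 : 0);
  return 0;
}
```

Compiling the example with clang++ -fsanitize=float-divide-by-zero and calling AlignUnguarded(100.0, 0.0) produces a "runtime error: division by zero" line of the same shape as the one in the report; the guarded variant runs clean under the same flags.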

[ Triage 2017/02/20: P2 ]
Priority: -- → P2
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE