Open Bug 1443910 Opened 2 years ago Updated 2 years ago

UBSan: multiple instances of undefined behavior

Categories

(Core :: Layout: Tables, defect, P3)

Tracking Status
firefox60 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined, testcase)

Attachments

(2 files)

Attached file testcase.html
Found with mozilla-central changeset: 406904:493e45400842

For the full list of errors, see the attached log.

mozilla-central/layout/tables/BasicTableLayoutStrategy.cpp:985:48: runtime error: division by zero
    #0 0x7f2d419eb5a9 in BasicTableLayoutStrategy::DistributeISizeToColumns(int, int, int, BasicTableLayoutStrategy::BtlsISizeType, bool) mozilla-central/layout/tables/BasicTableLayoutStrategy.cpp:985:48
    #1 0x7f2d41a0a68d in nsTableFrame::ReflowTable(mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, nsIFrame*&, nsReflowStatus&) mozilla-central/layout/tables/nsTableFrame.cpp:2354:27
    #2 0x7f2d41a09ded in nsTableFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) mozilla-central/layout/tables/nsTableFrame.cpp:2144:5
    #3 0x7f2d41876a9d in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) mozilla-central/layout/generic/nsContainerFrame.cpp:940:14
    #4 0x7f2d41a2d294 in nsTableWrapperFrame::OuterDoReflowChild(nsPresContext*, nsIFrame*, mozilla::ReflowInput const&, mozilla::ReflowOutput&, nsReflowStatus&) mozilla-central/layout/tables/nsTableWrapperFrame.cpp:840:3
    #5 0x7f2d41a2daa2 in nsTableWrapperFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) mozilla-central/layout/tables/nsTableWrapperFrame.cpp:1002:3
    #6 0x7f2d4185e88a in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) mozilla-central/layout/generic/nsBlockReflowContext.cpp:306:11
    #7 0x7f2d4185acda in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) mozilla-central/layout/generic/nsBlockFrame.cpp:3463:11
    #8 0x7f2d41854d5e in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) mozilla-central/layout/generic/nsBlockFrame.cpp:2352:7
    #9 0x7f2d41851fda in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) mozilla-central/layout/generic/nsBlockFrame.cpp:1225:3
    #10 0x7f2d4185e88a in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) mozilla-central/layout/generic/nsBlockReflowContext.cpp:306:11
    #11 0x7f2d4185acda in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) mozilla-central/layout/generic/nsBlockFrame.cpp:3463:11
    #12 0x7f2d41854d5e in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) mozilla-central/layout/generic/nsBlockFrame.cpp:2352:7
    #13 0x7f2d41851fda in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) mozilla-central/layout/generic/nsBlockFrame.cpp:1225:3
    #14 0x7f2d41876a9d in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) mozilla-central/layout/generic/nsContainerFrame.cpp:940:14
    #15 0x7f2d41875ffb in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) mozilla-central/layout/generic/nsCanvasFrame.cpp:720:5
    #16 0x7f2d41876a9d in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) mozilla-central/layout/generic/nsContainerFrame.cpp:940:14
    #17 0x7f2d418ea458 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) mozilla-central/layout/generic/nsGfxScrollFrame.cpp:554:3
    #18 0x7f2d418eb0ad in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) mozilla-central/layout/generic/nsGfxScrollFrame.cpp:677:3
    #19 0x7f2d418ec98c in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) mozilla-central/layout/generic/nsGfxScrollFrame.cpp:1054:3
    #20 0x7f2d41848b99 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) mozilla-central/layout/generic/nsContainerFrame.cpp:984:14
    #21 0x7f2d41848573 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) mozilla-central/layout/generic/ViewportFrame.cpp:335:7
    #22 0x7f2d4172da07 in mozilla::PresShell::DoReflow(nsIFrame*, bool) mozilla-central/layout/base/PresShell.cpp:8939:11
    #23 0x7f2d41735cb8 in mozilla::PresShell::ProcessReflowCommands(bool) mozilla-central/layout/base/PresShell.cpp:9112:24
    #24 0x7f2d41735311 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) mozilla-central/layout/base/PresShell.cpp:4261:11
    #25 0x7f2d417a43e4 in FlushPendingNotifications mozilla-central/objdir-ff-ubsan/dist/include/nsIPresShell.h:565:5
    #26 0x7f2d417a43e4 in nsDocumentViewer::LoadComplete(nsresult) mozilla-central/layout/base/nsDocumentViewer.cpp:984
    #27 0x7f2d44432c7f in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) mozilla-central/docshell/base/nsDocShell.cpp:7303:21
    #28 0x7f2d444317ad in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) mozilla-central/docshell/base/nsDocShell.cpp:7096:7
    #29 0x7f2d44433c2f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) mozilla-central/docshell/base/nsDocShell.cpp
    #30 0x7f2d3eba4262 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) mozilla-central/uriloader/base/nsDocLoader.cpp:1315:3
    #31 0x7f2d3eba3e55 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) mozilla-central/uriloader/base/nsDocLoader.cpp:858:14
    #32 0x7f2d3eba2d18 in nsDocLoader::DocLoaderIsEmpty(bool) mozilla-central/uriloader/base/nsDocLoader.cpp:747:9
    #33 0x7f2d3eba386e in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) mozilla-central/uriloader/base/nsDocLoader.cpp:632:5
    #34 0x7f2d3eba3d4c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) mozilla-central/uriloader/base/nsDocLoader.cpp
    #35 0x7f2d3d9c0744 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) mozilla-central/netwerk/base/nsLoadGroup.cpp:629:28
    #36 0x7f2d3f68c50b in nsDocument::DoUnblockOnload() mozilla-central/dom/base/nsDocument.cpp:8487:18
    #37 0x7f2d3f682c8b in nsDocument::DispatchContentLoadedEvents() mozilla-central/dom/base/nsDocument.cpp:5420:3
    #38 0x7f2d3f6cc0f6 in applyImpl<nsDocument, void (nsDocument::*)()> mozilla-central/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1149:12
    #39 0x7f2d3f6cc0f6 in apply<nsDocument, void (nsDocument::*)()> mozilla-central/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1155
    #40 0x7f2d3f6cc0f6 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, (mozilla::RunnableKind)0>::Run() mozilla-central/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1200
    #41 0x7f2d3d89d5b4 in mozilla::SchedulerGroup::Runnable::Run() mozilla-central/xpcom/threads/SchedulerGroup.cpp:413:25
    #42 0x7f2d3d8bb393 in nsThread::ProcessNextEvent(bool, bool*) mozilla-central/xpcom/threads/nsThread.cpp:1040:14
    #43 0x7f2d3d8d7c60 in NS_ProcessNextEvent(nsIThread*, bool) mozilla-central/xpcom/threads/nsThreadUtils.cpp:517:10
    #44 0x7f2d3e368aab in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) mozilla-central/ipc/glue/MessagePump.cpp:97:21
    #45 0x7f2d3e28f679 in RunHandler mozilla-central/ipc/chromium/src/base/message_loop.cc:319:3
    #46 0x7f2d3e28f679 in MessageLoop::Run() mozilla-central/ipc/chromium/src/base/message_loop.cc:299
    #47 0x7f2d4134f146 in nsBaseAppShell::Run() mozilla-central/widget/nsBaseAppShell.cpp:157:27
    #48 0x7f2d4495a614 in XRE_RunAppShell() mozilla-central/toolkit/xre/nsEmbedFunctions.cpp:892:22
    #49 0x7f2d3e28f679 in RunHandler mozilla-central/ipc/chromium/src/base/message_loop.cc:319:3
    #50 0x7f2d3e28f679 in MessageLoop::Run() mozilla-central/ipc/chromium/src/base/message_loop.cc:299
    #51 0x7f2d4495a240 in XRE_InitChildProcess(int, char**, XREChildData const*) mozilla-central/toolkit/xre/nsEmbedFunctions.cpp:718:34
    #52 0x42d23b in content_process_main(mozilla::Bootstrap*, int, char**) mozilla-central/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #53 0x42d358 in main mozilla-central/browser/app/nsBrowserApp.cpp:280:18
    #54 0x7f2d623011c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
    #55 0x407159 in _start (mozilla-central/objdir-ff-ubsan/dist/bin/firefox+0x407159)
Flags: in-testsuite?
Attached file UB_logs.txt
[Triage 2018/03/23 - P3]
Priority: -- → P3