Open Bug 1486956 Opened 2 years ago Updated 1 year ago

Assertion failure: n2 >= -epsilon, at /builds/worker/workspace/build/src/gfx/2d/BezierUtils.cpp:335

Categories

(Core :: Graphics, defect, P5)

defect

Tracking

()

Tracking Status
firefox63 --- unaffected
firefox66 --- unaffected
firefox67 --- affected
firefox68 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [gfx-noted])

Attachments

(1 file)

Attached file testcase.html
Testcase found while fuzzing mozilla-central rev 190b827aaa2b.

rax = 0x0000000000000000   rdx = 0x0000000000000000
rcx = 0x0000000000000b40   rbx = 0x00007ffc24c752a8
rsi = 0x00007fd3574f48b0   rdi = 0x00007fd3574f3680
rbp = 0x00007ffc24c74fd0   rsp = 0x00007ffc24c74fd0
r8 = 0x00007fd3574f48b0    r9 = 0x00007fd35866c740
r10 = 0x00000000ffffffc7   r11 = 0x0000000000000000
r12 = 0x0000000000000020   r13 = 0x00007ffc24c752e8
r14 = 0x00007ffc24c75028   r15 = 0x00007ffc24c75038
rip = 0x00007fd34694316c
OS|Linux|0.0.0 Linux 4.15.0-32-generic #35-Ubuntu SMP Fri Aug 10 17:58:07 UTC 2018 x86_64
CPU|amd64|family 6 model 78 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|mozilla::gfx::CalculateDistanceToEllipticArc(mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, float, float)|hg:hg.mozilla.org/mozilla-central:gfx/2d/BezierUtils.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|335|0x18
0|1|libxul.so|mozilla::DottedCornerFinder::FindNext(float)|hg:hg.mozilla.org/mozilla-central:layout/painting/DottedCornerFinder.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|295|0x15
0|2|libxul.so|mozilla::DottedCornerFinder::GetCountAndLastOverlap(float, unsigned long*, float*)|hg:hg.mozilla.org/mozilla-central:layout/painting/DottedCornerFinder.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|556|0x11
0|3|libxul.so|mozilla::DottedCornerFinder::FindBestOverlap(float, float, float)|hg:hg.mozilla.org/mozilla-central:layout/painting/DottedCornerFinder.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|410|0x17
0|4|libxul.so|mozilla::DottedCornerFinder::DetermineType(float, float)|hg:hg.mozilla.org/mozilla-central:layout/painting/DottedCornerFinder.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|157|0x17
0|5|libxul.so|mozilla::DottedCornerFinder::DottedCornerFinder(mozilla::gfx::Bezier const&, mozilla::gfx::Bezier const&, mozilla::Corner, float, float, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, float, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, float, mozilla::gfx::SizeTyped<mozilla::gfx::UnknownUnits, float> const&)|hg:hg.mozilla.org/mozilla-central:layout/painting/DottedCornerFinder.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|74|0x5
0|6|libxul.so|nsCSSBorderRenderer::DrawDottedCornerSlow(mozilla::Side, mozilla::Corner)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsCSSRenderingBorders.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2379|0x5
0|7|libxul.so|nsCSSBorderRenderer::DrawDashedOrDottedCorner(mozilla::Side, mozilla::Corner)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsCSSRenderingBorders.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2311|0x5
0|8|libxul.so|nsCSSBorderRenderer::DrawBorderSides(int)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsCSSRenderingBorders.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|1314|0x12
0|9|libxul.so|nsCSSBorderRenderer::DrawBorders()|hg:hg.mozilla.org/mozilla-central:layout/painting/nsCSSRenderingBorders.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|3317|0xe
0|10|libxul.so|nsCSSRendering::PaintBorderWithStyleBorder(nsPresContext*, gfxContext&, nsIFrame*, nsRect const&, nsRect const&, nsStyleBorder const&, mozilla::ComputedStyle*, mozilla::PaintBorderFlags, mozilla::Sides)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsCSSRendering.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|974|0x8
0|11|libxul.so|nsCSSRendering::PaintBorder(nsPresContext*, gfxContext&, nsIFrame*, nsRect const&, nsRect const&, mozilla::ComputedStyle*, mozilla::PaintBorderFlags, mozilla::Sides)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsCSSRendering.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|653|0x30
0|12|libxul.so|nsDisplayBorder::Paint(nsDisplayListBuilder*, gfxContext*)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|5333|0x16
0|13|libxul.so|mozilla::FrameLayerBuilder::PaintItems(std::vector<mozilla::AssignedDisplayItem, std::allocator<mozilla::AssignedDisplayItem> >&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float)|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|7080|0x1a
0|14|libxul.so|mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*)|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|7241|0x18
0|15|libxul.so|mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*)|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientPaintedLayer.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|164|0x2a
0|16|libxul.so|mozilla::layers::ClientContainerLayer::RenderLayer()|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientContainerLayer.h:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|58|0xd
0|17|libxul.so|mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags)|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientLayerManager.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|340|0xa
0|18|libxul.so|mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags)|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientLayerManager.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|398|0x11
0|19|libxul.so|nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2759|0x17
0|20|libxul.so|nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/nsLayoutUtils.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|3843|0x5
0|21|libxul.so|mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|6350|0x17
0|22|libxul.so|nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*)|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|480|0x28
0|23|libxul.so|nsViewManager::ProcessPendingUpdatesForView(nsView*, bool)|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|412|0xd
0|24|libxul.so|nsViewManager::ProcessPendingUpdates()|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|1102|0x11
0|25|libxul.so|nsRefreshDriver::Tick(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2042|0x8
0|26|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|324|0x8
0|27|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|317|0xc
0|28|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|755|0xc
0|29|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|571|0xc
0|30|libxul.so|mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&)|hg:hg.mozilla.org/mozilla-central:layout/ipc/VsyncChild.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|78|0x9
0|31|libxul.so|mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:0c7cf777c2ff93c34ff1546f677320cb1229427e6947e87c6fa76720f9b9c5b6a4a4d036521ed9a643f4fa5e10a57d8748e2532d47fce8282aa653340c0c00ff/ipc/ipdl/PVsyncChild.cpp:|167|0xc
0|32|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2239|0x6
0|33|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2166|0xb
0|34|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2012|0xb
0|35|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2045|0xc
0|36|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|1167|0x15
0|37|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|519|0x11
0|38|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|125|0xd
0|39|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|325|0x17
0|40|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|318|0x8
0|41|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|158|0xd
0|42|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|944|0x11
0|43|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|269|0x5
0|44|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|325|0x17
0|45|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|318|0x8
0|46|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|770|0x8
0|47|firefox|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|50|0x14
0|48|firefox|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|287|0x11
0|49|libc-2.27.so||||0x21b97
0|50|firefox|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|164|0x5
Flags: in-testsuite?
These asserts were added in bug 1394405. n1 = 0.117837898, n2 = -0.0011491999. This is probably a case of us not relaxing the assertion sufficiently.
Depends on: 1394405
Priority: -- → P5
Whiteboard: [gfx-noted]
You need to log in before you can comment on or make changes to this bug.