Closed Bug 1490685 Opened 6 years ago Closed 6 years ago

Assertion failure: density > 0.0, at /builds/worker/workspace/build/src/layout/generic/nsImageFrame.cpp:411

Categories

(Core :: Layout: Images, Video, and HTML Frames, defect)

Product:
Core
Component:
Layout: Images, Video, and HTML Frames
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla64
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox62 --- wontfix
firefox63 --- wontfix
firefox64 --- fixed

People

(Reporter: jkratzer, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(2 files)

testcase.html
256 bytes, text/html
Details
Bug 1490685 - Protect against division by zero in a couple places. r=dholbert
46 bytes, text/x-phabricator-request
dholbert
: review+
Details | Review
Attached file testcase.html 
Testcase found while fuzzing mozilla-central rev 703546ab6d0c.

Assertion failure: density > 0.0, at /builds/worker/workspace/build/src/layout/generic/nsImageFrame.cpp:411

rax = 0x0000000000000000   rdx = 0x0000000000000000
rcx = 0x0000000000000b40   rbx = 0x00007f41beeac030
rsi = 0x00007f41d8f1c8b0   rdi = 0x00007f41d8f1b680
rbp = 0x00007ffe402d72f0   rsp = 0x00007ffe402d7270
r8 = 0x00007f41d8f1c8b0    r9 = 0x00007f41da094740
r10 = 0x00000000ffffffc3   r11 = 0x0000000000000000
r12 = 0x00007ffe402d7280   r13 = 0x00007f41beeac020
r14 = 0x00007ffe402d72a0   r15 = 0x00007f41beeabf60
rip = 0x00007f41c9a5fa7d
OS|Linux|0.0.0 Linux 4.15.0-33-generic #36-Ubuntu SMP Wed Aug 15 16:00:05 UTC 2018 x86_64
CPU|amd64|family 6 model 78 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|nsImageFrame::UpdateIntrinsicSize(imgIContainer*)|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCOMPtr.h:703546ab6d0cb643028a1ab4fda997b38f38a2e6|819|0x21
0|1|libxul.so|nsImageFrame::OnSizeAvailable(imgIRequest*, imgIContainer*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsImageFrame.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|694|0xf
0|2|libxul.so|nsImageFrame::Notify(imgIRequest*, int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsImageFrame.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|641|0xf
0|3|libxul.so|ReplayImageStatus|hg:hg.mozilla.org/mozilla-central:dom/base/nsImageLoadingContent.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|414|0x13
0|4|libxul.so|nsImageLoadingContent::AddNativeObserver(imgINotificationObserver*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsImageLoadingContent.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|458|0xc
0|5|libxul.so|nsImageFrame::Init(nsIContent*, nsContainerFrame*, nsIFrame*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsImageFrame.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|323|0x18
0|6|libxul.so|nsCSSFrameConstructor::InitAndRestoreFrame(nsFrameConstructorState const&, nsIContent*, nsContainerFrame*, nsIFrame*, bool)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|4793|0x1d
0|7|libxul.so|nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|3832|0x26
0|8|libxul.so|nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|5954|0x16
0|9|libxul.so|nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|9965|0x15
0|10|libxul.so|nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsILayoutHistoryState*, nsCSSFrameConstructor::InsertionKind)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|7588|0x20
0|11|libxul.so|nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|9041|0x1a
0|12|libxul.so|mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&)|hg:hg.mozilla.org/mozilla-central:layout/base/RestyleManager.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|1551|0xf
0|13|libxul.so|mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/RestyleManager.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|3057|0xb
0|14|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|4295|0x19
0|15|libxul.so|nsIDocument::FlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/nsIPresShell.h:703546ab6d0cb643028a1ab4fda997b38f38a2e6|577|0xf
0|16|libxul.so|nsIDocument::FlushPendingNotifications(mozilla::FlushType)|hg:hg.mozilla.org/mozilla-central:dom/base/nsDocument.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|7502|0x7
0|17|libxul.so|nsDocLoader::DocLoaderIsEmpty(bool)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|698|0x10
0|18|libxul.so|nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|631|0x16
0|19|libxul.so|mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|629|0x1f
0|20|libxul.so|nsIDocument::DoUnblockOnload()|hg:hg.mozilla.org/mozilla-central:dom/base/nsDocument.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|8422|0x20
0|21|libxul.so|nsDocument::UnblockOnload(bool)|hg:hg.mozilla.org/mozilla-central:dom/base/nsDocument.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|8344|0x5
0|22|libxul.so|mozilla::LoadBlockingAsyncEventDispatcher::~LoadBlockingAsyncEventDispatcher()|hg:hg.mozilla.org/mozilla-central:dom/events/AsyncEventDispatcher.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|127|0x19
0|23|libxul.so|mozilla::LoadBlockingAsyncEventDispatcher::~LoadBlockingAsyncEventDispatcher()|hg:hg.mozilla.org/mozilla-central:dom/events/AsyncEventDispatcher.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|129|0x5
0|24|libxul.so|mozilla::Runnable::Release()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|50|0x9
0|25|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCOMPtr.h:703546ab6d0cb643028a1ab4fda997b38f38a2e6|638|0x5
0|26|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|1161|0x15
0|27|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|519|0x11
0|28|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|97|0xa
0|29|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:703546ab6d0cb643028a1ab4fda997b38f38a2e6|325|0x17
0|30|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:703546ab6d0cb643028a1ab4fda997b38f38a2e6|318|0x8
0|31|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|158|0xd
0|32|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|944|0x11
0|33|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|269|0x5
0|34|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:703546ab6d0cb643028a1ab4fda997b38f38a2e6|325|0x17
0|35|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:703546ab6d0cb643028a1ab4fda997b38f38a2e6|318|0x8
0|36|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|770|0x8
0|37|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|50|0x14
0|38|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|287|0x11
0|39|libc-2.27.so||||0x21b97
0|40|firefox-bin|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:703546ab6d0cb643028a1ab4fda997b38f38a2e6|164|0x5
Flags: in-testsuite?
Flags: needinfo?(emilio)
I'm glad I added that assertion, because the other callers I'm fixing
were also bogus.
Note that I'm doing this under the assumption that float division by zero is UB, which it is according to https://stackoverflow.com/questions/15277129/c-divide-by-zero.

But if we don't care much about it I should just adjust the assertion to >=. Please double-check me on this :)
Assignee: nobody → emilio
Flags: needinfo?(emilio) → needinfo?(dholbert)
(In reply to Emilio Cobos Álvarez (:emilio) from comment #2)
> Note that I'm doing this under the assumption that float division by zero is UB

FWIW, https://www.quora.com/Why-does-division-by-zero-return-INF-infinite-with-floats-but-makes-the-program-crash-with-integers-in-C++ says:
 - "the C++ standard says "If the second operand of / or % is zero the behavior is undefined"
 - "However, if std::numeric_limits<T>::is_iec559 == true, which it normally is for T = float and T = double, the behavior is overridden by IEC 559 aka IEEE 754, which says ... The default result shall be a correctly signed infinity" (IEE 754 paragraph 7.2)

I'll bet we're pretty well guaranteed to have IEEE754-compliant floats types.  So this probably isn't an issue in practice. Nonetheless, probably reasonable to do some belt-and-suspenders checking I suppose.
Flags: needinfo?(dholbert)
Comment on attachment 9008442 [details]
Bug 1490685 - Protect against division by zero in a couple places. r=dholbert

Daniel Holbert [:dholbert] has approved the revision.
Attachment #9008442 - Flags: review+
(In reply to Daniel Holbert [:dholbert] from comment #3)
> I'll bet we're pretty well guaranteed to have IEEE754-compliant floats
> types.  So this probably isn't an issue in practice. Nonetheless, probably
> reasonable to do some belt-and-suspenders checking I suppose.

Given this I talked with Daniel and decided to just adjust the assertion for now, I don't think it's worth the churn.
Should've noticed during review -- this didn't end up landing with the testcase as a crashtest. Mind pushing that as a followup?
Flags: needinfo?(emilio)
Yeah, it was kinda intentional, since my reasoning was that the crashtest wasn't likely to come up ever again. But I guess somebody could mess worse with the density and it'd make sense to have a crashtest that selects an image with 0 density, will do.
Flags: needinfo?(emilio)
Blocks: 1149357
status-firefox62: --- → wontfix
status-firefox63: --- → wontfix
status-firefox-esr60: --- → unaffected
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: