Bug 1490700 - Divide-by-zero in [@webrtc::I420Buffer::CropAndScaleFrom]

RESOLVED FIXED in Firefox 64

Status: RESOLVED FIXED
Type: defect
Priority: P2
Severity: critical
Rank: 15
Reported: 9 months ago
Modified: 9 months ago
Reporter: jkratzer
Assignee: pehrsons
Blocks: 1 bug
Keywords: crash, testcase
Version: Trunk
Target Milestone: mozilla64
Points: ---
Bug Flags: in-testsuite +
Firefox Tracking Flags: firefox-esr60 wontfix, firefox62 wontfix, firefox63 wontfix, firefox64 fixed
Attachments: 4

Description (Reporter jkratzer, 9 months ago)

Posted file testcase.html
Testcase found while fuzzing mozilla-central rev 703546ab6d0c.

Opt Build:
rax = 0x0000000000000000   rdx = 0x0000000000000000
rcx = 0x0000000000000000   rbx = 0x0000000000000000
rsi = 0x00007f9f2de16330   rdi = 0x00007f9f2d77bd90
rbp = 0x00007f9f2d0bd560   rsp = 0x00007f9f2d0bd530
r8 = 0x0000000000000000    r9 = 0x0000000000000066
r10 = 0x00000000ff800000   r11 = 0x0000000000000280
r12 = 0x0000000000000000   r13 = 0x00007f9f2de16330
r14 = 0x00007f9f2d77bd90   r15 = 0x0000000000000500
rip = 0x00007f9f38f9440b
OS|Linux|0.0.0 Linux 4.15.0-33-generic #36-Ubuntu SMP Wed Aug 15 16:00:05 UTC 2018 x86_64
CPU|amd64|family 6 model 78 stepping 3|1
GPU|||
Crash|SIGFPE / FPE_INTDIV|0x7f9f38f9440b|26
26|0|libxul.so|webrtc::I420Buffer::CropAndScaleFrom(webrtc::VideoFrameBuffer const&)|hg:hg.mozilla.org/mozilla-central:media/webrtc/trunk/webrtc/api/video/i420_buffer.cc:703546ab6d0cb643028a1ab4fda997b38f38a2e6|246|0x3
26|1|libxul.so|mozilla::MediaEngineRemoteVideoSource::DeliverFrame(unsigned char*, mozilla::camera::VideoFrameProperties const&)|hg:hg.mozilla.org/mozilla-central:dom/media/webrtc/MediaEngineRemoteVideoSource.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|612|0x8
26|2|libxul.so|non-virtual thunk to mozilla::MediaEngineRemoteVideoSource::DeliverFrame(unsigned char*, mozilla::camera::VideoFrameProperties const&)|hg:hg.mozilla.org/mozilla-central:dom/media/webrtc/MediaEngineRemoteVideoSource.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|0|0x5
26|3|libxul.so|mozilla::camera::CamerasChild::RecvDeliverFrame(mozilla::camera::CaptureEngine const&, int const&, mozilla::ipc::Shmem&&, mozilla::camera::VideoFrameProperties const&)|hg:hg.mozilla.org/mozilla-central:dom/media/systemservices/CamerasChild.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|679|0xc
26|4|libxul.so|mozilla::camera::PCamerasChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:e4b39c2c236a046c7a43beb380122f7bc94674123579ed07fea8c612b813b763959dd343ee9734fed63ba458a6df14682727d36f5bfc9fd1204940a260a8fabf/ipc/ipdl/PCamerasChild.cpp:|435|0x1f
26|5|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|2248|0x9
26|6|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|2175|0xb
26|7|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|2045|0x8
26|8|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|1161|0xa
26|9|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|519|0xd
26|10|libxul.so|mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|364|0xd
26|11|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:703546ab6d0cb643028a1ab4fda997b38f38a2e6|325|0x8
26|12|libxul.so|nsThread::ThreadFunc(void*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:703546ab6d0cb643028a1ab4fda997b38f38a2e6|464|0x8
26|13|libnspr4.so|_pt_root|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/pthreads/ptthread.c:703546ab6d0cb643028a1ab4fda997b38f38a2e6|201|0x3
26|14|libpthread-2.27.so||||0x76db
26|15|libc-2.27.so||||0x12188f

ASAN Build:
==6166==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x557777804a17 bp 0x7f57be6d6350 sp 0x7f57be6d6340 T26)
==6166==The signal is caused by a WRITE memory access.
==6166==Hint: address points to the zero page.
    #0 0x557777804a16 in mozalloc_abort /builds/worker/workspace/build/src/memory/mozalloc/mozalloc_abort.cpp:35:5
    #1 0x7f5811f3e2a5 in Abort(char const*) /builds/worker/workspace/build/src/xpcom/base/nsDebugImpl.cpp:471:3
    #2 0x7f5811f3de69 in NS_DebugBreak /builds/worker/workspace/build/src/xpcom/base/nsDebugImpl.cpp
    #3 0x7f58203078b7 in fpehandler(int, siginfo*, void*) /builds/worker/workspace/build/src/toolkit/xre/nsSigHandlers.cpp:155:5
    #4 0x7f5834eb188f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1288f)
    #5 0x7f581efa332f in webrtc::I420Buffer::CropAndScaleFrom(webrtc::VideoFrameBuffer const&) /builds/worker/workspace/build/src/media/webrtc/trunk/webrtc/api/video/i420_buffer.cc:246:52
    #6 0x7f581abede29 in mozilla::MediaEngineRemoteVideoSource::DeliverFrame(unsigned char*, mozilla::camera::VideoFrameProperties const&) /builds/worker/workspace/build/src/dom/media/webrtc/MediaEngineRemoteVideoSource.cpp:612:19
    #7 0x7f581abeea84 in non-virtual thunk to mozilla::MediaEngineRemoteVideoSource::DeliverFrame(unsigned char*, mozilla::camera::VideoFrameProperties const&) /builds/worker/workspace/build/src/dom/media/webrtc/MediaEngineRemoteVideoSource.cpp
    #8 0x7f581aa21e0f in mozilla::camera::CamerasChild::RecvDeliverFrame(mozilla::camera::CaptureEngine const&, int const&, mozilla::ipc::Shmem&&, mozilla::camera::VideoFrameProperties const&) /builds/worker/workspace/build/src/dom/media/systemservices/CamerasChild.cpp:679:33
    #9 0x7f58140e455d in mozilla::camera::PCamerasChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PCamerasChild.cpp:435:20
    #10 0x7f5813b50cb8 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
    #11 0x7f58133a323e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2248:25
    #12 0x7f581339eb2a in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2175:17
    #13 0x7f58133a0f8d in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2012:5
    #14 0x7f58133a1ce7 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2045:15
    #15 0x7f58121901a0 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1161:14
    #16 0x7f5812198f45 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #17 0x7f58133aeb1f in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:364:5
    #18 0x7f58132ae04c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #19 0x7f58132ae04c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #20 0x7f58132ae04c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #21 0x7f5812188083 in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:464:11
    #22 0x7f583525f8c8 in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #23 0x7f5834ea66da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #24 0x7f5833e7f88e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/memory/mozalloc/mozalloc_abort.cpp:35:5 in mozalloc_abort
Thread T26 (Cameras IPC) created by T25 (MediaManager) here:
    #0 0x5577777bc74d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7f583525c605 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:433:14
    #2 0x7f583525c1ee in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:518:12
    #3 0x7f581218b4b3 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:659:8
    #4 0x7f581219789e in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:518:22
    #5 0x7f581219c8de in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:143:45
    #6 0x7f581aa1997c in NS_NewNamedThread<12> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:75:10
    #7 0x7f581aa1997c in mozilla::camera::GetCamerasChild() /builds/worker/workspace/build/src/dom/media/systemservices/CamerasChild.cpp:125
    #8 0x7f581abcf84c in GetChildAndCall<int (mozilla::camera::CamerasChild::*)(mozilla::DeviceChangeCallback *), mozilla::MediaEngineWebRTC *> /builds/worker/workspace/build/src/obj-firefox/dist/include/CamerasChild.h:143:25
    #9 0x7f581abcf84c in mozilla::MediaEngineWebRTC::MediaEngineWebRTC(mozilla::MediaEnginePrefs&) /builds/worker/workspace/build/src/dom/media/webrtc/MediaEngineWebRTC.cpp:43
    #10 0x7f581a2f2f13 in mozilla::MediaManager::GetBackend(unsigned long) /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:3431:20
    #11 0x7f581a3c76cb in operator() /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:2090:30
    #12 0x7f581a3c76cb in mozilla::media::LambdaTask<mozilla::MediaManager::EnumerateRawDevices(unsigned long, mozilla::dom::MediaSourceEnum, mozilla::dom::MediaSourceEnum, mozilla::MediaSinkEnum, mozilla::MediaManager::DeviceEnumerationType, mozilla::MediaManager::DeviceEnumerationType)::$_26>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/media/MediaTaskUtils.h:37
    #13 0x7f58121901a0 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1161:14
    #14 0x7f5812198f45 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #15 0x7f58133aeb1f in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:364:5
    #16 0x7f58132ae04c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #17 0x7f58132ae04c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #18 0x7f58132ae04c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #19 0x7f58132f8d24 in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
    #20 0x7f58132c6c7d in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:44:13
    #21 0x7f5834ea66da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

Thread T25 (MediaManager) created by T0 (file:// Content) here:
    #0 0x5577777bc74d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7f58132c37f2 in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:131:14
    #2 0x7f58132c37f2 in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:142
    #3 0x7f58132f841f in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8
    #4 0x7f581a2deaa9 in mozilla::MediaManager::Get() /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:2265:36
    #5 0x7f581a1c5901 in mozilla::dom::MediaDevices::GetUserMedia(mozilla::dom::MediaStreamConstraints const&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/media/MediaDevices.cpp:189:9
    #6 0x7f5816b780b0 in mozilla::dom::MediaDevices_Binding::getUserMedia(JSContext*, JS::Handle<JSObject*>, mozilla::dom::MediaDevices*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/MediaDevicesBinding.cpp:194:45
    #7 0x7f5816b77abf in mozilla::dom::MediaDevices_Binding::getUserMedia_promiseWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::dom::MediaDevices*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/MediaDevicesBinding.cpp:208:13
    #8 0x7f58191ef8da in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3296:13
    #9 0x7f5822066bbb in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:460:15
    #10 0x7f5822066bbb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:552
    #11 0x7f5822050503 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:612:12
    #12 0x7f5822050503 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3439
    #13 0x7f582203608e in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:439:12
    #14 0x7f58220676ce in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:579:15
    #15 0x7f5822069462 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:625:10
    #16 0x7f5821109c6d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2959:12
    #17 0x7f58187f52ae in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:51:8
    #18 0x7f5819a666dc in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #19 0x7f5819a666dc in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1108
    #20 0x7f5819a68837 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1342:20
    #21 0x7f5819a4c2d9 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
    #22 0x7f5819a4c2d9 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:420
    #23 0x7f5819a4a593 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:637:16
    #24 0x7f5819a50d7e in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1112:9
    #25 0x7f581c6e1884 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1167:7
    #26 0x7f581f5495fc in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7095:21
    #27 0x7f581f54428a in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6888:7
    #28 0x7f581f54ded7 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #29 0x7f5814973535 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1313:3
    #30 0x7f581497215c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:856:14
    #31 0x7f581496dc61 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:745:9
    #32 0x7f5814970748 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:631:5
    #33 0x7f5814971c84 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
    #34 0x7f5812410a57 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28
    #35 0x7f58162772f7 in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8422:18
    #36 0x7f58162772f7 in nsDocument::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8344
    #37 0x7f581625075b in nsIDocument::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5216:3
    #38 0x7f58163baadb in applyImpl<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1178:12
    #39 0x7f58163baadb in apply<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1184
    #40 0x7f58163baadb in mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1229
    #41 0x7f5812152465 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #42 0x7f58121901a0 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1161:14
    #43 0x7f5812198f45 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #44 0x7f58133ad2fe in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #45 0x7f58132ae04c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #46 0x7f58132ae04c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #47 0x7f58132ae04c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #48 0x7f581be67de6 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #49 0x7f58202f789e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:944:22
    #50 0x7f58132ae04c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #51 0x7f58132ae04c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #52 0x7f58132ae04c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #53 0x7f58202f6955 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:770:34
    #54 0x557777803ba1 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #55 0x557777803ba1 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
    #56 0x7f5833d7fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

==6166==ABORTING

[Dumping log 'log_stdout.txt' (0.00KB)]

[Dumping log 'log_stderr.txt' (0.71KB)]
[ffpuppet] Launch command: /home/forb1dden/builds/mc-asan/firefox -no-remote -profile /tmp/ffprof_HiR7BS http://127.0.0.1:27888

JavaScript error: jar:file:///home/forb1dden/builds/mc-asan/omni.ja!/components/captivedetect.js, line 231: NS_ERROR_FAILURE: No canonical URL set up.
[Child 6166, Cameras IPC] ###!!! ABORT: Divide by zero: file /builds/worker/workspace/build/src/toolkit/xre/nsSigHandlers.cpp, line 155
[Child 6166, Cameras IPC] ###!!! ABORT: Divide by zero: file /builds/worker/workspace/build/src/toolkit/xre/nsSigHandlers.cpp, line 155
AddressSanitizer:DEADLYSIGNAL
Flags: in-testsuite?
Updated by assignee, 9 months ago
Rank: 15
Priority: -- → P2

Comment 1 (Assignee pehrsons, 9 months ago)
We end up scaling to 0x0 because req_max_width is 65535 and req_max_height is 0.

req_max_height ends up being 0 because `892534784 & 0xffff` is 0 [1]. 892534784 is from the testcase. 65536 gives the same result. 0 does as well!

Impressive that the fuzzer found such a high multiple of 65536. I'd expect it to start with common edge cases like -1, 0, 1, etc.


[1] https://searchfox.org/mozilla-central/rev/a23c3959b62cd3f616435e02810988ef5bac9031/dom/media/webrtc/MediaEngineRemoteVideoSource.cpp#904
Assignee: nobody → apehrson
Status: NEW → ASSIGNED
Comment on attachment 9008807 [details]
Bug 1490700 - Add crashtest. r?jib

Jan-Ivar Bruaroey [:jib] (needinfo? me) has approved the revision.
Attachment #9008807 - Flags: review+
Comment on attachment 9008808 [details]
Bug 1490700 - Ignore scaling requests to a max dimension of 0. r?jib

Jan-Ivar Bruaroey [:jib] (needinfo? me) has approved the revision.
Attachment #9008808 - Flags: review+
Comment on attachment 9008809 [details]
Bug 1490700 - Cap capability values to avoid truncation. r?jib

Jan-Ivar Bruaroey [:jib] (needinfo? me) has approved the revision.
Attachment #9008809 - Flags: review+
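The failure path from comment 1 (a requested maximum that is a multiple of 65536 is masked to 0, the scale target becomes 0x0, and the crop arithmetic divides by that target) and the two mitigations named in the reviewed patches ("Ignore scaling requests to a max dimension of 0" and "Cap capability values to avoid truncation"), as an added example. This is not code from the bug, Firefox or libwebrtc: the names Dims, truncateTo16, capTo16, fitWithin, cropRegion and deliverFrame are hypothetical, the 640x480 source frame is a constructed input, and the crop expression is a simplified stand-in for the division at i420_buffer.cc:246 in the trace, not a copy of it.

```cpp
// Added example modelling bug 1490700; not Firefox or libwebrtc code.
// All names below and the crop arithmetic are assumptions made for this
// illustration so that the pre-fix and fixed behaviour can be compared.
#include <algorithm>
#include <cstdint>
#include <cstdio>

struct Dims {
  int width;
  int height;
};

// Pre-fix: the requested max width/height were stored in 16-bit capability
// fields by masking (comment 1: `892534784 & 0xffff` is 0), so any multiple
// of 65536 silently becomes a request for a 0-pixel dimension.
uint16_t truncateTo16(int64_t v) { return static_cast<uint16_t>(v & 0xffff); }

// "Cap capability values to avoid truncation": saturate instead of masking,
// so an oversized request asks for the largest representable size.
uint16_t capTo16(int64_t v) {
  if (v < 0) return 0;
  if (v > 0xffff) return 0xffff;
  return static_cast<uint16_t>(v);
}

// Largest frame that fits inside (maxW, maxH) without changing the aspect
// ratio. It only divides by the source size, which comes from the camera
// and is non-zero, so this step cannot fault; it just yields 0x0 when
// either maximum is 0 (comment 1: "We end up scaling to 0x0").
Dims fitWithin(Dims src, int maxW, int maxH) {
  if (src.width <= maxW && src.height <= maxH) return src;
  int64_t hIfWidthLimited = (int64_t)src.height * maxW / src.width;
  if (hIfWidthLimited <= maxH) return Dims{maxW, (int)hIfWidthLimited};
  int64_t wIfHeightLimited = (int64_t)src.width * maxH / src.height;
  return Dims{(int)wIfHeightLimited, maxH};
}

// Simplified stand-in (assumed, not copied) for the crop computation in
// CropAndScaleFrom: the destination size sits in the divisor, which is
// where the SIGFPE / FPE_INTDIV in the trace comes from. Returns false
// instead of dividing by zero so the hazard is observable in a test.
bool cropRegion(Dims src, Dims dst, Dims* out) {
  if (dst.width == 0 || dst.height == 0) return false;  // real code: SIGFPE
  int64_t w = (int64_t)dst.width * src.height / dst.height;
  int64_t h = (int64_t)dst.height * src.width / dst.width;
  out->width = (int)std::min<int64_t>(src.width, w);
  out->height = (int)std::min<int64_t>(src.height, h);
  return true;
}

enum class Outcome { Scaled, DivideByZero, Ignored };

// One captured frame delivered against a requested maximum size.
// `fixed` selects the post-patch behaviour: capped capability values and
// an early return for a zero max dimension ("Ignore scaling requests to a
// max dimension of 0"). Either patch alone closes the reported input;
// both together also cover an explicit request of 0 (comment 1: "0 does
// as well!") and any future truncation path.
Outcome deliverFrame(Dims src, int64_t reqMaxW, int64_t reqMaxH, bool fixed) {
  int maxW = fixed ? capTo16(reqMaxW) : truncateTo16(reqMaxW);
  int maxH = fixed ? capTo16(reqMaxH) : truncateTo16(reqMaxH);
  if (fixed && (maxW == 0 || maxH == 0)) return Outcome::Ignored;
  Dims dst = fitWithin(src, maxW, maxH);
  Dims crop;
  return cropRegion(src, dst, &crop) ? Outcome::Scaled : Outcome::DivideByZero;
}

int main() {
  const Dims cam{640, 480};  // constructed source frame, not from the bug
  const char* names[] = {"scaled", "divide-by-zero", "ignored"};
  int64_t requests[][2] = {
      {892534784, 892534784},  // value from the testcase (13619 * 65536)
      {65535, 0},              // the pair comment 1 reports reaching the crash
      {65536, 65536},          // smallest multiple of 65536
      {320, 320}};             // ordinary downscale request
  for (auto& r : requests) {
    std::printf("max %lldx%lld: pre-fix %s, fixed %s\n", (long long)r[0],
                (long long)r[1], names[(int)deliverFrame(cam, r[0], r[1], false)],
                names[(int)deliverFrame(cam, r[0], r[1], true)]);
  }
  return 0;
}
```

The point a reviewer would check in the real fix is the one the two patches make together: clamping the IPC-side capability value removes the truncation, and rejecting a zero maximum on the scaling side means the divisor is never request-controlled even if some other path hands over a 0.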

Comment 8

9 months ago
Pushed by pehrsons@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/05cec36e3769
Add crashtest. r=jib
https://hg.mozilla.org/integration/autoland/rev/53e3ff3c189d
Ignore scaling requests to a max dimension of 0. r=jib
https://hg.mozilla.org/integration/autoland/rev/55cda0919f07
Cap capability values to avoid truncation. r=jib
Flags: in-testsuite? → in-testsuite+