Closed Bug 1603280 Opened 4 years ago Closed 4 years ago

division by zero in src/gfx/layers/apz/src/AsyncPanZoomController.cpp:3377

Categories

(Core :: Panning and Zooming, defect)

Product:
Core
Component:
Panning and Zooming
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla73
Tracking Flags:
Tracking Status
firefox73 --- fixed

People

(Reporter: tsmith, Assigned: botond)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Bug 1603280 - Guard against division-by-zero in AsyncPanZoomController::ComputePLPPI(). r=tnikkel
47 bytes, text/x-phabricator-request
Details | Review

Found with m-c 20191211-b823b005f00e
This is triggered with an UBSan build while running gtests. To enable this check add the following to your mozconfig:

ac_add_options --enable-address-sanitizer
ac_add_options --enable-undefined-sanitizer="float-divide-by-zero"
ac_add_options --disable-jemalloc

[ RUN      ] APZCPinchGestureDetectorTester.Panning_TwoFingerFling_ZoomDisabled
src/objdir-ff-ubsan/dist/include/mozilla/gfx/BasePoint.h:77:48: runtime error: division by zero
    #0 0x7f347406c974 in mozilla::gfx::BasePoint<float, mozilla::gfx::PointTyped<mozilla::ParentLayerPixel, float>, mozilla::gfx::CoordTyped<mozilla::ParentLayerPixel, float> >::operator/(float) const src/objdir-ff-ubsan/dist/include/mozilla/gfx/BasePoint.h:77:48
    #1 0x7f347406c2a3 in mozilla::layers::AsyncPanZoomController::ComputePLPPI(mozilla::gfx::PointTyped<mozilla::ParentLayerPixel, float>, mozilla::gfx::PointTyped<mozilla::ParentLayerPixel, float>) const src/gfx/layers/apz/src/AsyncPanZoomController.cpp:3377:27
    #2 0x7f3474021aed in mozilla::layers::AsyncPanZoomController::AttemptFling(mozilla::layers::FlingHandoffState const&) src/gfx/layers/apz/src/AsyncPanZoomController.cpp:3324:17
    #3 0x7f34740206ff in mozilla::layers::APZCTreeManager::DispatchFling(mozilla::layers::AsyncPanZoomController*, mozilla::layers::FlingHandoffState const&) src/gfx/layers/apz/src/APZCTreeManager.cpp:2581:34
    #4 0x7f3474059e70 in mozilla::layers::AsyncPanZoomController::HandleEndOfPan() src/gfx/layers/apz/src/AsyncPanZoomController.cpp:1857:23
    #5 0x7f3474056720 in mozilla::layers::AsyncPanZoomController::OnScaleEnd(mozilla::PinchGestureInput const&) src/gfx/layers/apz/src/AsyncPanZoomController.cpp:1811:18
    #6 0x7f34740527fe in mozilla::layers::AsyncPanZoomController::HandleGestureEvent(mozilla::InputData const&) src/gfx/layers/apz/src/AsyncPanZoomController.cpp:1266:16
    #7 0x7f347416f3bb in mozilla::layers::GestureEventListener::HandleInputTouchEnd() src/gfx/layers/apz/src/GestureEventListener.cpp:493:34
    #8 0x7f347416cbd0 in mozilla::layers::GestureEventListener::HandleInputEvent(mozilla::MultiTouchInput const&) src/gfx/layers/apz/src/GestureEventListener.cpp:132:12
    #9 0x7f347404c9a0 in mozilla::layers::AsyncPanZoomController::HandleInputEvent(mozilla::InputData const&, mozilla::gfx::Matrix4x4Typed<mozilla::ScreenPixel, mozilla::ParentLayerPixel, float> const&) src/gfx/layers/apz/src/AsyncPanZoomController.cpp:1129:24
    #10 0x7f347418640c in mozilla::layers::InputQueue::ProcessQueue() src/gfx/layers/apz/src/InputQueue.cpp:765:19
    #11 0x7f3474183ea6 in mozilla::layers::InputQueue::ReceiveTouchInput(RefPtr<mozilla::layers::AsyncPanZoomController> const&, mozilla::layers::TargetConfirmationFlags, mozilla::MultiTouchInput const&, unsigned long*, mozilla::Maybe<nsTArray<unsigned int> > const&) src/gfx/layers/apz/src/InputQueue.cpp:178:3
    #12 0x7f34741833ba in mozilla::layers::InputQueue::ReceiveInputEvent(RefPtr<mozilla::layers::AsyncPanZoomController> const&, mozilla::layers::TargetConfirmationFlags, mozilla::InputData const&, unsigned long*, mozilla::Maybe<nsTArray<unsigned int> > const&) src/gfx/layers/apz/src/InputQueue.cpp:41:14
    #13 0x7f346fc80d95 in TestAsyncPanZoomController::ReceiveInputEvent(mozilla::InputData const&, unsigned long*) src/gfx/layers/apz/test/gtest/APZTestCommon.h:289:29
    #14 0x7f346fc92548 in void APZCTesterBase::PinchWithTouchInput<TestAsyncPanZoomController>(RefPtr<TestAsyncPanZoomController> const&, mozilla::gfx::IntPointTyped<mozilla::ScreenPixel> const&, mozilla::gfx::IntPointTyped<mozilla::ScreenPixel> const&, float, int&, nsTArray<unsigned int>*, nsEventStatus (*) [4], unsigned long*, APZCTesterBase::PinchOptions) src/gfx/layers/apz/test/gtest/APZTestCommon.h:833:23
    #15 0x7f346fc29f18 in APZCPinchGestureDetectorTester_Panning_TwoFingerFling_ZoomDisabled_Test::TestBody() src/gfx/layers/apz/test/gtest/TestPinching.cpp:290:3
    #16 0x7f346fb94d5f in testing::Test::Run() src/testing/gtest/gtest/src/gtest.cc:2519:5
    #17 0x7f346fb95d86 in testing::TestInfo::Run() src/testing/gtest/gtest/src/gtest.cc:2695:11
    #18 0x7f346fb966da in testing::TestCase::Run() src/testing/gtest/gtest/src/gtest.cc:2813:28
    #19 0x7f346fba499b in testing::internal::UnitTestImpl::RunAllTests() src/testing/gtest/gtest/src/gtest.cc:5179:43
    #20 0x7f346fba43f4 in testing::UnitTest::Run() src/testing/gtest/gtest/src/gtest.cc:4788:10
    #21 0x7f346fbe54dc in mozilla::RunGTestFunc(int*, char**) src/testing/gtest/mozilla/GTestRunner.cpp:158:10
    #22 0x7f347cdd59ed in XREMain::XRE_mainStartup(bool*) src/toolkit/xre/nsAppRunner.cpp:3764:16
    #23 0x7f347cddeacb in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4722:12
    #24 0x7f347cddf6c3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4818:21
    #25 0x561442105da2 in do_main(int, char**, char**) src/browser/app/nsBrowserApp.cpp:217:22

(In reply to Tyson Smith [:tsmith] from comment #0)

Found with m-c 20191211-b823b005f00e
[...]

    #1 0x7f347406c2a3 in mozilla::layers::AsyncPanZoomController::ComputePLPPI(mozilla::gfx::PointTyped<mozilla::ParentLayerPixel, float>, mozilla::gfx::PointTyped<mozilla::ParentLayerPixel, float>) const src/gfx/layers/apz/src/AsyncPanZoomController.cpp:3377:27

The code on this line is:

  aDirection = aDirection / aDirection.Length();

This check should guard against the velocity being zero. However, some tests set apz_fling_min_velocity_threshold() to zero to make it easier simulate flings in test code, thus defeating the check.

Assignee: nobody → botond
Pushed by bballo@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fd999a06e1e9
Guard against division-by-zero in AsyncPanZoomController::ComputePLPPI(). r=tnikkel

https://hg.mozilla.org/mozilla-central/rev/fd999a06e1e9

Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox73: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla73
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: