Open Bug 1603857 Opened 4 years ago Updated 2 years ago

division by zero in gfx/2d/BezierUtils.cpp:201

Categories

(Core :: Graphics, defect, P3)

defect

Tracking


Tracking Status
firefox73 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: testcase-wanted)

Found with mozilla-central (m-c) build 20191212-ca62389e0be3 in a UBSan-instrumented content process. The reduced test case is not yet attached; until it is, the report is the sanitizer stack below, and the `testcase-wanted` keyword should stay set.

To reproduce this finding, build with the UndefinedBehaviorSanitizer float-divide-by-zero check enabled by adding the following to your mozconfig. Note that IEEE 754 floating-point division by zero does not trap in a normal build — it silently yields ±inf or NaN — so without the sanitizer the only symptom is whatever downstream code does with that value (here the result of FindBezierNearestPoint feeds DashedCornerFinder's dash-count/dash-length computation, per the stack; whether the bad value causes a visible rendering defect or worse is not established by this report).

ac_add_options --enable-undefined-sanitizer="float-divide-by-zero"
src/gfx/2d/BezierUtils.cpp:201:15: runtime error: division by zero
    #0 0x7fe2741c1415 in mozilla::gfx::FindBezierNearestPoint(mozilla::gfx::Bezier const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, float, float*) src/gfx/2d/BezierUtils.cpp:201:15
    #1 0x7fe27a379029 in mozilla::DashedCornerFinder::FindNext(float) src/layout/painting/DashedCornerFinder.cpp:207:14
    #2 0x7fe27a37958f in mozilla::DashedCornerFinder::GetCountAndLastDashLength(float, unsigned long*, float*) src/layout/painting/DashedCornerFinder.cpp:402:30
    #3 0x7fe27a3781c2 in mozilla::DashedCornerFinder::FindBestDashLength(float, float, float, float) src/layout/painting/DashedCornerFinder.cpp:306:10
    #4 0x7fe27a377a0e in mozilla::DashedCornerFinder::DetermineType(float, float) src/layout/painting/DashedCornerFinder.cpp:101:5
    #5 0x7fe27a3772a1 in mozilla::DashedCornerFinder::DashedCornerFinder(mozilla::gfx::Bezier const&, mozilla::gfx::Bezier const&, float, float, mozilla::gfx::SizeTyped<mozilla::gfx::UnknownUnits, float> const&) src/layout/painting/DashedCornerFinder.cpp:52:3
    #6 0x7fe27a3e9ab2 in nsCSSBorderRenderer::DrawDashedCornerSlow(mozilla::Side, mozilla::Corner) src/layout/painting/nsCSSRenderingBorders.cpp:2412:22
    #7 0x7fe27a3e39e2 in nsCSSBorderRenderer::DrawDashedOrDottedCorner(mozilla::Side, mozilla::Corner) src/layout/painting/nsCSSRenderingBorders.cpp:2281:7
    #8 0x7fe27a3e1801 in nsCSSBorderRenderer::DrawBorderSides(mozilla::SideBits) src/layout/painting/nsCSSRenderingBorders.cpp
    #9 0x7fe27a3bca61 in nsCSSBorderRenderer::DrawBorders() src/layout/painting/nsCSSRenderingBorders.cpp:3255:11
    #10 0x7fe27a3b44e0 in nsCSSRendering::PaintBorderWithStyleBorder(nsPresContext*, gfxContext&, nsIFrame*, nsRect const&, nsRect const&, nsStyleBorder const&, mozilla::ComputedStyle*, mozilla::PaintBorderFlags, mozilla::Sides) src/layout/painting/nsCSSRendering.cpp:898:6
    #11 0x7fe27a3b3d2a in nsCSSRendering::PaintBorder(nsPresContext*, gfxContext&, nsIFrame*, nsRect const&, nsRect const&, mozilla::ComputedStyle*, mozilla::PaintBorderFlags, mozilla::Sides) src/layout/painting/nsCSSRendering.cpp:649:10
    #12 0x7fe27a41df22 in nsDisplayBorder::Paint(nsDisplayListBuilder*, gfxContext*) src/layout/painting/nsDisplayList.cpp:5748:26
    #13 0x7fe27a3aae0b in mozilla::FrameLayerBuilder::PaintItems(std::vector<mozilla::AssignedDisplayItem, std::allocator<mozilla::AssignedDisplayItem> >&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float) src/layout/painting/FrameLayerBuilder.cpp:7133:20
    #14 0x7fe27a3ac82d in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) src/layout/painting/FrameLayerBuilder.cpp:7293:19
    #15 0x7fe274b05098 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) src/gfx/layers/client/ClientPaintedLayer.cpp:159:9
    #16 0x7fe274b24ed9 in mozilla::layers::ClientContainerLayer::RenderLayer() src/gfx/layers/client/ClientContainerLayer.h:53:29
    #17 0x7fe274afb182 in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/client/ClientLayerManager.cpp:352:13
    #18 0x7fe274afc6d4 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/client/ClientLayerManager.cpp:415:3
    #19 0x7fe27a408019 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) src/layout/painting/nsDisplayList.cpp:3273:19
    #20 0x7fe279d5fe14 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:4092:13
    #21 0x7fe279c8d54b in mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags) src/layout/base/PresShell.cpp:6033:5
    #22 0x7fe27978ff6c in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:461:18
    #23 0x7fe27978f842 in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:396:22
    #24 0x7fe279791882 in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1019:5
    #25 0x7fe279c21583 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2178:11
    #26 0x7fe279c305ae in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:351:7
    #27 0x7fe279c30311 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:368:5
    #28 0x7fe279c2ecf9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:740:16
    #29 0x7fe279c2e057 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:635:9
    #30 0x7fe27a3074c6 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) src/layout/ipc/VsyncChild.cpp:65:16
    #31 0x7fe2733843f6 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/objdir-ff-ubsan/ipc/ipdl/PVsyncChild.cpp:187:54
    #32 0x7fe272d688eb in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/objdir-ff-ubsan/ipc/ipdl/PBackgroundChild.cpp:5876:32
    #33 0x7fe27251bb5b in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2209:25
    #34 0x7fe272516ff7 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2131:9
    #35 0x7fe272518b73 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1973:3
    #36 0x7fe272519ab8 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:2004:13
    #37 0x7fe271133ec4 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1240:14
    #38 0x7fe271139b5e in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
    #39 0x7fe272528717 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:109:5
    #40 0x7fe27236b3e4 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
    #41 0x7fe279827c1a in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #42 0x7fe27d91f3c9 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:946:20
    #43 0x7fe272529d41 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:237:9
    #44 0x7fe27236b3e4 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
    #45 0x7fe27d91e817 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:781:34
    #46 0x558aa51af1c5 in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #47 0x558aa51af3ef in main src/browser/app/nsBrowserApp.cpp:303:18


Flags: needinfo?(jbonisteel)
Priority: -- → P3
Severity: normal → S3