Closed Bug 1622895 Opened 5 years ago Closed 3 years ago

subtraction of unsigned offset in src/gfx/layers/basic/BasicCompositor.cpp:522

Categories

(Core :: Graphics: Layers, defect, P3)

Product:
Core
Component:
Graphics: Layers
Type:
defect

Tracking

()

Status:
RESOLVED WONTFIX
Tracking Flags:
Tracking Status
firefox75 --- wontfix
firefox76 --- wontfix

People

(Reporter: tsmith, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: testcase)

Attachments

(1 file)

testcase.html
690 bytes, text/html
Details
Attached file testcase.html

Reduced with m-c 20200316-62ab2cd02833

src/gfx/layers/basic/BasicCompositor.cpp:522:45: runtime error: subtraction of unsigned offset from 0x7f21eb634c30 overflowed to 0x7f289f304c30
    #0 0x7f2220110d37 in mozilla::layers::AttemptVideoScale(mozilla::layers::TextureSourceBasic*, mozilla::gfx::SourceSurface const*, float, mozilla::gfx::CompositionOp, mozilla::layers::TexturedEffect const*, mozilla::gfx::BaseMatrix<float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawTarget*, mozilla::gfx::DrawTarget const*) src/gfx/layers/basic/BasicCompositor.cpp:522:45
    #1 0x7f22201018d3 in void mozilla::layers::BasicCompositor::DrawGeometry<mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> >(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::EffectChain const&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, bool) src/gfx/layers/basic/BasicCompositor.cpp:726:20
    #2 0x7f22200ffeba in mozilla::layers::BasicCompositor::DrawQuad(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::EffectChain const&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&) src/gfx/layers/basic/BasicCompositor.cpp:598:3
    #3 0x7f222017c237 in mozilla::layers::Compositor::DrawGeometry(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::EffectChain const&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) src/gfx/layers/Compositor.cpp:241:5
    #4 0x7f22204e4043 in mozilla::layers::Compositor::DrawGeometry(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::EffectChain const&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) /builds/worker/workspace/obj-build/dist/include/mozilla/layers/Compositor.h:319:5
    #5 0x7f2220520d87 in mozilla::layers::ImageHost::Composite(mozilla::layers::Compositor*, mozilla::layers::LayerComposite*, mozilla::layers::EffectChain&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::SamplingFilter, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const*, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) src/gfx/layers/composite/ImageHost.cpp:278:20
    #6 0x7f2220562e90 in mozilla::layers::ImageLayerComposite::RenderLayer(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&)::$_0::operator()(mozilla::layers::EffectChain&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) const src/gfx/layers/composite/ImageLayerComposite.cpp:95:36
    #7 0x7f2220525520 in RenderWithAllMasks<(lambda at src/gfx/layers/composite/ImageLayerComposite.cpp:93:22)> src/gfx/layers/composite/LayerManagerComposite.h:740:5
    #8 0x7f2220525520 in mozilla::layers::ImageLayerComposite::RenderLayer(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) src/gfx/layers/composite/ImageLayerComposite.cpp:92:3
    #9 0x7f222050e341 in void mozilla::layers::RenderLayers<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) src/gfx/layers/composite/ContainerLayerComposite.cpp:474:22
    #10 0x7f22204dd7dd in void mozilla::layers::ContainerRender<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) src/gfx/layers/composite/ContainerLayerComposite.cpp:646:5
    #11 0x7f22205169a1 in void mozilla::layers::RenderLayers<mozilla::layers::RefLayerComposite>(mozilla::layers::RefLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) src/gfx/layers/composite/ContainerLayerComposite.cpp:474:22
    #12 0x7f22204dfb6d in void mozilla::layers::ContainerRender<mozilla::layers::RefLayerComposite>(mozilla::layers::RefLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) src/gfx/layers/composite/ContainerLayerComposite.cpp:646:5
    #13 0x7f222050e341 in void mozilla::layers::RenderLayers<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) src/gfx/layers/composite/ContainerLayerComposite.cpp:474:22
    #14 0x7f22204dd7dd in void mozilla::layers::ContainerRender<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) src/gfx/layers/composite/ContainerLayerComposite.cpp:646:5
    #15 0x7f222053bfc6 in mozilla::layers::LayerManagerComposite::Render(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&)::$_2::operator()(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) const src/gfx/layers/composite/LayerManagerComposite.cpp:1198:18
    #16 0x7f222053127e in mozilla::layers::LayerManagerComposite::Render(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&) src/gfx/layers/composite/LayerManagerComposite.cpp:1260:7
    #17 0x7f222052f23d in mozilla::layers::LayerManagerComposite::UpdateAndRender() src/gfx/layers/composite/LayerManagerComposite.cpp:645:19
    #18 0x7f222052e906 in mozilla::layers::LayerManagerComposite::EndTransaction(mozilla::TimeStamp const&, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/composite/LayerManagerComposite.cpp:564:5
    #19 0x7f222058f83b in mozilla::layers::CompositorBridgeParent::CompositeToTarget(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::gfx::DrawTarget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) src/gfx/layers/ipc/CompositorBridgeParent.cpp:1043:18
    #20 0x7f22205ab07f in mozilla::layers::CompositorVsyncScheduler::Composite(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/gfx/layers/ipc/CompositorVsyncScheduler.cpp:249:27
    #21 0x7f22205ddf84 in applyImpl<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp), StoreCopyPassByConstLRef<mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> >, StoreCopyPassByConstLRef<mozilla::TimeStamp> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1158:12
    #22 0x7f22205ddf84 in apply<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:12
    #23 0x7f22205ddf84 in mozilla::detail::RunnableMethodImpl<mozilla::layers::CompositorVsyncScheduler*, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp), true, (mozilla::RunnableKind)1, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1210:13
    #24 0x7f221ed31582 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) src/ipc/chromium/src/base/message_loop.cc:442:9
    #25 0x7f221ed32364 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) src/ipc/chromium/src/base/message_loop.cc:450:5
    #26 0x7f221ed32bdb in MessageLoop::DoWork() src/ipc/chromium/src/base/message_loop.cc:523:13
    #27 0x7f221ed34616 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) src/ipc/chromium/src/base/message_pump_default.cc:35:31
    #28 0x7f221ed31167 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #29 0x7f221ed31167 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308:3
    #30 0x7f221ed31167 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
    #31 0x7f221ed5031e in base::Thread::ThreadMain() src/ipc/chromium/src/base/thread.cc:192:16
    #32 0x7f221ed41c2c in ThreadFunc(void*) src/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #33 0x7f223fb546b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #34 0x7f223eb7a41c in clone /build/glibc-LK5gWL/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109
Flags: in-testsuite?
Blocks: ubsan

Couldn't reproduce this on Mac with ASAN build.

Priority: -- → P3

(In reply to Miko Mynttinen [:miko] from comment #1)

Couldn't reproduce this on Mac with ASAN build.

FWIW this requires UBSan not ASan

A Pernosco session is available here: https://pernos.co/debug/kCV2IX1_MGaUUj09EoBEhg/index.html

Because this bug's Severity has not been changed from the default since it was filed, and it's Priority is P3 (Backlog,) indicating it has been triaged, the bug's Severity is being updated to S3 (normal.)

Severity: normal → S3

bug 1727876, bug 1727672

Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox75: affectedwontfix
status-firefox76: affectedwontfix
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: