Closed Bug 1691652 Opened 4 years ago Closed 4 years ago

Consistent crash from CSS with percentages in linear-gradient

Categories

(Core :: CSS Parsing and Computation, defect)

Firefox 85
defect

Tracking

RESOLVED FIXED
87 Branch
Tracking Status
firefox-esr78 --- wontfix
firefox85 --- wontfix
firefox86 --- fixed
firefox87 --- fixed

People

(Reporter: danieldoesntcheckthis, Assigned: emilio)

Details

(Keywords: crash, testcase)

Attachments

(3 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:85.0) Gecko/20100101 Firefox/85.0

Steps to reproduce:

  1. Load this one-liner html file:

<style> body { background: linear-gradient(black calc(0% * (1e39 - 1e39)), black 0%); } </style>

  2. The page crashes

Actual results:

I get sent to the Tab crash reporter on load

Expected results:

I should see an empty document with black background

I should add that I found this while playing with that CSS double truncating hack: https://stackoverflow.com/a/64921523

It really feels like an edge case in the CSS! It doesn't crash unless you multiply with a percent (0% * ...) and it doesn't crash if the big number is any smaller, like 1e38 - 1e38.

(In reply to Daniel Wang from comment #1)

> I should add that I found this while playing with that CSS double truncating hack: https://stackoverflow.com/a/64921523
>
> It really feels like an edge case in the CSS! It doesn't crash unless you multiply with a percent (0% * ...) and it doesn't crash if the big number is any smaller, like 1e38 - 1e38.

Component: Untriaged → CSS Parsing and Computation
Product: Firefox → Core
Summary: Consistent crash with percentages in linear-gradient → Consistent crash from CSS with percentages in linear-gradient
Status: UNCONFIRMED → NEW
Crash Signature: [@ webrender_api::gradient_builder::GradientBuilder::normalize ]
Ever confirmed: true
Keywords: crash, testcase
Attached file testcase.html
Flags: needinfo?(emilio)

I get a crash with HW-WR, SW-WR, and Basic
With Direct3d11, I get a black tab, but no crash

1e39 - 1e39 ends up being std::f32::INFINITY + -1.0 * std::f32::INFINITY, which is NaN, and when we multiply 0% times that, the result is NaN, so we end up passing that `NaN` all the way down to rendering.

Assignee: nobody → emilio
Status: NEW → ASSIGNED
Flags: needinfo?(emilio)

The only purpose of a crashtest is not crashing, there's no great spec
link for that.

Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0679e32a0faf Don't require a spec link for crashtests under css/. r=jgraham
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/27558 for changes under testing/web-platform/tests
Keywords: leave-open
Keywords: leave-open
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/64e2b89ff57f Normalize NaN to zero as a result of calc(). r=layout-reviewers,jfkthame
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch
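The arithmetic from the analysis comment and the normalization named in the fix's commit title, as an added Rust example that is not the Firefox patch. All function names are hypothetical, and narrowing the literals to f32 with an `as` cast is an assumption about how 1e39 becomes infinity.

```rust
// Added illustration, not code from Firefox or WebRender.

/// Models calc(pct * (a - b)) evaluated in f32, written the way the bug
/// comment spells it out: a + -1.0 * b. The `as f32` narrowing is an
/// assumption; values above f32::MAX (about 3.4e38) become infinity.
fn calc_percentage(pct: f32, a: f64, b: f64) -> f32 {
    let (a, b) = (a as f32, b as f32);
    pct * (a + -1.0 * b)
}

/// Normalization matching the fix's title: a NaN calc() result becomes 0.
/// Only NaN is handled here, because that is all the title states.
fn normalize_nan(v: f32) -> f32 {
    if v.is_nan() { 0.0 } else { v }
}

/// Offsets of the two stops in the testcase:
/// linear-gradient(black calc(0% * (1e39 - 1e39)), black 0%)
fn testcase_offsets(normalize: bool) -> [f32; 2] {
    let first = calc_percentage(0.0, 1e39, 1e39);
    let first = if normalize { normalize_nan(first) } else { first };
    [first, 0.0]
}

/// Check a consumer can run before doing arithmetic on stop offsets.
fn all_finite(offsets: &[f32]) -> bool {
    offsets.iter().all(|o| o.is_finite())
}

fn main() {
    // 1e39 overflows f32, 1e38 does not; this is why the smaller value is harmless.
    for (a, b) in [(1e39_f64, 1e39_f64), (1e38, 1e38)] {
        let raw = calc_percentage(0.0, a, b);
        println!("0% * ({:e} - {:e}): raw = {}, normalized = {}",
                 a, b, raw, normalize_nan(raw));
    }
    println!("unnormalized stops finite: {}", all_finite(&testcase_offsets(false)));
    println!("normalized stops finite:   {}", all_finite(&testcase_offsets(true)));
}
```
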

Comment on attachment 9202117 [details]
Bug 1691652 - Normalize NaN to zero as a result of calc(). r=#style,#layout-reviewers

Beta/Release Uplift Approval Request

  • User impact if declined: Crashes when large CSS values are used. Blocks bug 1682607 too.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: none
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Handle floating point edge cases earlier to avoid making WR sad.
  • String changes made/needed: none
Attachment #9202117 - Flags: approval-mozilla-beta?
Attachment #9202145 - Flags: approval-mozilla-beta?
Upstream PR merged by moz-wptsync-bot

Comment on attachment 9202117 [details]
Bug 1691652 - Normalize NaN to zero as a result of calc(). r=#style,#layout-reviewers

Approved for our last beta, thanks.

Attachment #9202117 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9202145 - Flags: approval-mozilla-beta? → approval-mozilla-beta+