Closed Bug 1747458 Opened 2 years ago Closed 2 years ago

src/dom/base/nsJSEnvironment.cpp:1193:18: runtime error: -256.159 is outside the range of representable values of type 'unsigned int'

Categories

(Core :: DOM: Core & HTML, defect, P5)

defect

Tracking

()

RESOLVED FIXED
98 Branch
Tracking Status
firefox97 --- wontfix
firefox98 --- fixed

People

(Reporter: tsmith, Assigned: mccr8)

References

(Blocks 3 open bugs)

Details

(Keywords: csectype-undefined)

Attachments

(1 file)

Found while fuzzing m-c 20211222-b538ca737314 (--enable-undefined-sanitizer --enable-fuzzing)

This was found by enabling the float-cast-overflow check in UBSan. This type of issue can create inconsistencies across platforms, architectures and optimization levels.

This was found while trying to collect a rr trace for a different issue.

To enable this check, add the following to your mozconfig:

ac_add_options --enable-undefined-sanitizer="float-cast-overflow"

src/dom/base/nsJSEnvironment.cpp:1193:18: runtime error: -256.159 is outside the range of representable values of type 'unsigned int'
    #0 0x7fb65bcca420 in CycleCollectorStats::AfterCycleCollectionSlice() src/dom/base/nsJSEnvironment.cpp:1193:18
    #1 0x7fb65bcd2a81 in nsJSContext::EndCycleCollectionCallback(mozilla::CycleCollectorResults&) src/dom/base/nsJSEnvironment.cpp:1486:12
    #2 0x7fb65799415e in XPCJSRuntime::EndCycleCollectionCallback(mozilla::CycleCollectorResults&) src/js/xpconnect/src/XPCJSRuntime.cpp:758:3
    #3 0x7fb6518adb41 in nsCycleCollector::CleanupAfterCollection() src/xpcom/base/nsCycleCollector.cpp:3328:19
    #4 0x7fb6518ae8d7 in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) src/xpcom/base/nsCycleCollector.cpp:3435:9
    #5 0x7fb6518b2ffc in nsCycleCollector_collectSlice(js::SliceBudget&, mozilla::CCReason, bool) src/xpcom/base/nsCycleCollector.cpp:3921:21
    #6 0x7fb65bcd1035 in nsJSContext::RunCycleCollectorSlice(mozilla::CCReason, mozilla::TimeStamp) src/dom/base/nsJSEnvironment.cpp:1417:5
    #7 0x7fb65bcd3d0d in mozilla::CCGCScheduler::CCRunnerFired(mozilla::TimeStamp) src/dom/base/nsJSEnvironment.cpp:1555:9
    #8 0x7fb658579ecc in std::_Function_handler<bool (mozilla::TimeStamp), bool (*)(mozilla::TimeStamp)>::_M_invoke(std::_Any_data const&, mozilla::TimeStamp&&) /home/twsmith/.mozbuild/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:301:9
    #9 0x7fb651cac984 in std::function<bool (mozilla::TimeStamp)>::operator()(mozilla::TimeStamp) const /home/twsmith/.mozbuild/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:706:14
    #10 0x7fb651caa3b5 in mozilla::IdleTaskRunner::Run() src/xpcom/threads/IdleTaskRunner.cpp:109:14
    #11 0x7fb651cadf23 in mozilla::IdleTaskRunnerTask::Run() src/xpcom/threads/IdleTaskRunner.cpp:42:15
    #12 0x7fb651d09236 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:771:26
    #13 0x7fb651d0480a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:649:15
    #14 0x7fb651d04c90 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:391:36
    #15 0x7fb651d589f9 in mozilla::TaskController::InitializeInternal()::$_0::operator()() const src/xpcom/threads/TaskController.cpp:124:37
    #16 0x7fb651d5891c in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() src/xpcom/threads/nsThreadUtils.h:531:5
    #17 0x7fb651d3755d in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1183:16
    #18 0x7fb651d459d9 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:467:10
    #19 0x7fb6550fd964 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
    #20 0x7fb655100c0b in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:268:30
    #21 0x7fb654c44d72 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:331:10
    #22 0x7fb654c44c76 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:324:3
    #23 0x7fb654c44bb9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
    #24 0x7fb66690de13 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #25 0x7fb67a2c0627 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:864:20
    #26 0x7fb65510097b in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
    #27 0x7fb654c44d72 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:331:10
    #28 0x7fb654c44c76 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:324:3
    #29 0x7fb654c44bb9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
    #30 0x7fb67a2bf624 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:701:34
    #31 0x7fb67a2e7b98 in mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/Bootstrap.cpp:67:12
    #32 0x55d1c63aad27 in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #33 0x55d1c63ab5d3 in main src/browser/app/nsBrowserApp.cpp:327:18
    #34 0x133a56156bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #35 0x55d1c62f9c68 in _start (src/objdir-ff-ubsan/dist/bin/firefox+0x28ec68)

A Pernosco session is available here: https://pernos.co/debug/_JrsYhRnRBsnIjbyR6j4mg/index.html

This is about a telemetry probe, and even there it is a case which might happen only if the TimeStamp implementation is bogus.
So fixing this is mostly about silencing the warning.

Severity: -- → S4
Priority: -- → P5

Hey Olli,

This issue is one of the most frequently hit issues when enabling the float-cast-overflow check and running CI. It is currently blocking Bug 1749864. Could you please increase the priority of this issue if the fix isn't too complicated? We could add it to a suppression list, but we'd prefer to only do that as a last resort. Thank you!

Flags: needinfo?(bugs)
Assignee: nobody → continuation
Flags: needinfo?(bugs)

It looks like the CYCLE_COLLECTOR_SLICE_DURING_IDLE calculation is missing a positivity check that FORGET_SKIPPABLE_DURING_IDLE has. The latter check was added in bug 1467920.

See Also: → 1467920
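The defect described in the comment above is a negative floating-point value reaching a cast to unsigned int, which is undefined behaviour in C++ and is what UBSan's float-cast-overflow check reports. The following is an added example, not Firefox's code: the page does not show the expression at nsJSEnvironment.cpp:1193, so the function names, parameter names and the assumption that the probe value is a percentage of the slice spent idle are all hypothetical. It places the unchecked pattern beside a version that treats a negative duration as zero, the approach the fix describes, and also guards the other inputs for which the cast would be undefined.

```cpp
#include <cstdint>
#include <limits>

// Hypothetical stand-in for the CYCLE_COLLECTOR_SLICE_DURING_IDLE calculation.
// Names and the percentage formula are assumptions for illustration only.

// Unchecked form: static_cast<unsigned int> of a negative double (or one
// >= 2^32, or NaN) is undefined behaviour ([conv.fpint]). UBSan's
// float-cast-overflow check flags it at runtime, which is how the bug was
// found. Only well-defined when 0 <= result < 2^32.
unsigned int IdlePercentUnchecked(double idleDurationMs, double sliceDurationMs) {
    return static_cast<unsigned int>(idleDurationMs / sliceDurationMs * 100.0);
}

// Hardened form: a negative idle duration (e.g. an idle deadline that is
// earlier than the slice start) is treated as zero before the cast, matching
// the positivity check FORGET_SKIPPABLE_DURING_IDLE already has. Division by
// zero, NaN and out-of-range values are handled so every path is defined.
unsigned int IdlePercentClamped(double idleDurationMs, double sliceDurationMs) {
    // A zero, negative or NaN slice length would make the quotient meaningless.
    if (!(sliceDurationMs > 0.0)) {
        return 0;
    }
    double percent = idleDurationMs / sliceDurationMs * 100.0;
    // "!(x > 0)" is true for negatives and for NaN, so both map to 0.
    if (!(percent > 0.0)) {
        return 0;
    }
    const double kMax = static_cast<double>(std::numeric_limits<unsigned int>::max());
    if (percent >= kMax) {
        return std::numeric_limits<unsigned int>::max();
    }
    return static_cast<unsigned int>(percent);  // now provably in range
}
```

The check is written as `!(percent > 0.0)` rather than `percent < 0.0` so that a NaN, which compares false against everything, also falls into the zero branch instead of reaching the cast.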

Apparently this can go negative under some conditions while fuzzing.
Just treat it as zero in that case. This makes the calculation
consistent with FORGET_SKIPPABLE_DURING_IDLE.

(In reply to Andrew McCreight [:mccr8] from comment #5)

> Apparently this can go negative under some conditions while fuzzing.

Not just fuzzing, this is the most common issue (float-cast-overflow) hit when running tests in CI.

Ok, I updated the description.

I looked at factoring out a common function to do the calculation, but it would require passing in so many variables that it didn't seem worthwhile.

Pushed by amccreight@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0dea715a2df5
Don't allow negative idleDuration when computing CYCLE_COLLECTOR_SLICE_DURING_IDLE. r=smaug
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 98 Branch