Closed Bug 1752456 Opened 2 years ago Closed 2 years ago

Rect.h:272:61: runtime error: inf is outside the range of representable values of type 'int'

Categories

(Core :: Graphics: Canvas2D, defect, P3)

defect

Tracking

()

RESOLVED FIXED
99 Branch
Tracking Status
firefox98 --- wontfix
firefox99 --- fixed

People

(Reporter: tsmith, Assigned: lsalzman)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined)

Attachments

(1 file)

This was found by enabling the float-cast-overflow check in UBSan and running existing tests. This type of issue can create inconsistencies across platforms, architectures and optimization levels.

To enable this check add the following to your mozconfig:

ac_add_options --enable-undefined-sanitizer="float-cast-overflow"

This issue is found by the existing test: dom/canvas/crashtests/1223740-1.html

INFO - REFTEST TEST-START | dom/canvas/crashtests/1223740-1.html
INFO - REFTEST TEST-LOAD | file:///builds/worker/workspace/build/tests/reftest/tests/dom/canvas/crashtests/1223740-1.html | 411 / 3924 (10%)
INFO - /builds/worker/workspace/obj-build/dist/include/mozilla/gfx/Rect.h:272:61: runtime error: inf is outside the range of representable values of type 'int'
INFO -     #0 0x7f4003edaebc in mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>::ToIntRect(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits>*) const /builds/worker/workspace/obj-build/dist/include/mozilla/gfx/Rect.h:272:61
INFO -     #1 0x7f40069c2af4 in mozilla::dom::AdjustedTargetForShadow::AdjustedTargetForShadow(mozilla::dom::CanvasRenderingContext2D*, mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::CompositionOp) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:510:12
INFO -     #2 0x7f40069c2642 in mozilla::detail::UniqueSelector<mozilla::dom::AdjustedTargetForShadow>::SingleObject mozilla::MakeUnique<mozilla::dom::AdjustedTargetForShadow, mozilla::dom::CanvasRenderingContext2D*&, RefPtr<mozilla::gfx::DrawTarget>&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>&, mozilla::gfx::CompositionOp&>(mozilla::dom::CanvasRenderingContext2D*&, RefPtr<mozilla::gfx::DrawTarget>&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>&, mozilla::gfx::CompositionOp&) /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:609:27
INFO -     #3 0x7f40068e950c in mozilla::dom::AdjustedTarget::AdjustedTarget(mozilla::dom::CanvasRenderingContext2D*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const*) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:616:23
INFO -     #4 0x7f40069c6bf5 in mozilla::dom::CanvasBidiProcessor::DrawText(int, int) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:3683:20
INFO -     #5 0x7f40096388a8 in nsBidiPresUtils::ProcessText(char16_t const*, unsigned long, mozilla::intl::BidiEmbeddingLevel, nsPresContext*, nsBidiPresUtils::BidiProcessor&, nsBidiPresUtils::Mode, nsBidiPositionResolve*, int, int*, mozilla::intl::Bidi*) /builds/worker/checkouts/gecko/layout/base/nsBidiPresUtils.cpp:2231:20
INFO -     #6 0x7f40068f5d0f in mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText(nsTSubstring<char16_t> const&, float, float, mozilla::dom::Optional<double> const&, mozilla::dom::CanvasRenderingContext2D::TextDrawOperation, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:4064:12
INFO -     #7 0x7f4005a40064 in mozilla::dom::CanvasRenderingContext2D_Binding::fillText(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/CanvasRenderingContext2DBinding.cpp:6480:24
INFO -     #8 0x7f400679799d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3306:13
INFO -     #9 0x7f400d6263a4 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:425:13
INFO -     #10 0x7f400d6263a4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512:12
INFO -     #11 0x7f400d6127da in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:576:10
INFO -     #12 0x7f400d6127da in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3309:16
INFO -     #13 0x7f400d5f7591 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:394:13
INFO -     #14 0x7f400d6264df in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:544:13
INFO -     #15 0x7f400d62862b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:589:8
INFO -     #16 0x7f400d84efbd in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
INFO -     #17 0x7f40063ebeaf in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:283:37
INFO -     #18 0x7f4006fc76a3 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
INFO -     #19 0x7f4006fc5bd4 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
INFO -     #20 0x7f4006f8eb18 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1314:22
INFO -     #21 0x7f4006f900dc in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1505:17
INFO -     #22 0x7f4006f7e5ae in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17
INFO -     #23 0x7f4006f7cdbd in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16
INFO -     #24 0x7f4006f81035 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1085:11
INFO -     #25 0x7f4009685bc7 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1086:7
INFO -     #26 0x7f400c92e213 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6278:20
INFO -     #27 0x7f400c92d50b in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5667:7
INFO -     #28 0x7f400c92f4df in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
INFO -     #29 0x7f4003bb31a0 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1377:3
INFO -     #30 0x7f4003bb1f14 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:975:14
INFO -     #31 0x7f4003bae832 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:794:9
INFO -     #32 0x7f4003bb0945 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:677:5
INFO -     #33 0x7f400c96767b in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13540:23
INFO -     #34 0x7f40020fb40e in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:614:22
INFO -     #35 0x7f40020fdbf3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:518:10
INFO -     #36 0x7f4004b85090 in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11554:18
INFO -     #37 0x7f4004b3fcc6 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11484:9
INFO -     #38 0x7f4004b63427 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7999:3
INFO -     #39 0x7f4004c26bef in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
INFO -     #40 0x7f4004c26bef in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
INFO -     #41 0x7f4004c26bef in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
INFO -     #42 0x7f4001d9515f in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:144:20
INFO -     #43 0x7f4001de0d82 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:467:16
INFO -     #44 0x7f4001da7dfd in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:770:26
INFO -     #45 0x7f4001da56b8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:606:15
INFO -     #46 0x7f4001da5dc9 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:390:36
INFO -     #47 0x7f4001de9241 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:124:37
INFO -     #48 0x7f4001de9241 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:531:5
INFO -     #49 0x7f4001dc77db in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1195:16
INFO -     #50 0x7f4001dd293c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10
INFO -     #51 0x7f4002f77a28 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
INFO -     #52 0x7f4002e850d1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
INFO -     #53 0x7f4002e850d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
INFO -     #54 0x7f4002e850d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
INFO -     #55 0x7f4009030767 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
INFO -     #56 0x7f400d3ee78f in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:870:20
INFO -     #57 0x7f4002e850d1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
INFO -     #58 0x7f4002e850d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
INFO -     #59 0x7f4002e850d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
INFO -     #60 0x7f400d3ee1b0 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:707:34
INFO -     #61 0x5582db2cf6dd in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
INFO -     #62 0x5582db2cfafd in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327:18
INFO -     #63 0x7f4023d92b96 in __libc_start_main /tmp/glibc/csu/../csu/libc-start.c:310
INFO -     #64 0x5582db21e7cc in _start (/builds/worker/workspace/build/application/firefox/firefox+0x577cc)
Severity: -- → S4
Priority: -- → P3

This issue is currently triggered in CI when the 'float-cast-overflow' UBSan check is enabled. This issue will need to be addressed before the check can be enabled by default.

If it requires too much effort to fix immediately please ni? me and let me know. If necessary it will be added to a suppression list. Thank you :)

Flags: needinfo?(lsalzman)
Assignee: nobody → lsalzman
Status: NEW → ASSIGNED
Flags: needinfo?(lsalzman)
Pushed by lsalzman@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3b5cf3002541
Check for non-finite adjusted target bounds. r=aosmond
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 99 Branch
Regressed by: 1757925

Set release status flags based on info from the regressing bug 1757925

No longer regressed by: 1757925
Regressions: 1757925
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: