Closed Bug 1762973 Opened 2 years ago Closed 2 years ago

divide-by-zero in [@ scale]

Categories

(Core :: Graphics: WebRender, defect)

Tracking

VERIFIED FIXED
101 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox99 --- wontfix
firefox100 --- wontfix
firefox101 --- verified

People

(Reporter: tsmith, Assigned: lsalzman)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20220218-b21fa00b5f33 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --xvfb

Hit MOZ_CRASH([Parent 319365, SwComposite] ###!!! ABORT: Divide by zero: file src/toolkit/xre/nsSigHandlers.cpp:153) at src/xpcom/base/nsDebugImpl.cpp:450

#0 0x7f845aa11ca1 in NS_DebugBreak src/xpcom/base/nsDebugImpl.cpp
#1 0x7f84618d9be6 in fpehandler(int, siginfo_t*, void*) src/toolkit/xre/nsSigHandlers.cpp:152:5
#2 0x7f84713e13bf  (/lib/x86_64-linux-gnu/libpthread.so.0+0x143bf)
#3 0x7f8463c41ecd in scale src/gfx/wr/swgl/src/gl.cc:145:57
#4 0x7f8463c41ecd in void scale_blit<true>(Texture&, IntRect const&, Texture&, IntRect const&, bool, IntRect const&) src/gfx/wr/swgl/src/composite.h:119:11
#5 0x7f8463c40902 in Composite src/gfx/wr/swgl/src/composite.h:460:7
#6 0x7f84639450f3 in webrender::compositor::sw_compositor::SwCompositeJob::process::h31dc3518fa0639e9 src/gfx/wr/webrender/src/compositor/sw_compositor.rs:231:17
#7 0x7f84639450f3 in webrender::compositor::sw_compositor::SwCompositeGraphNode::process_job::h6d1b6d5d1654523f src/gfx/wr/webrender/src/compositor/sw_compositor.rs:408:13
#8 0x7f84639450f3 in webrender::compositor::sw_compositor::SwCompositeThread::process_job::h525ecb8ddfdb20cf src/gfx/wr/webrender/src/compositor/sw_compositor.rs:517:9
#9 0x7f8463a4073a in webrender::compositor::sw_compositor::SwCompositeThread::new::_$u7b$$u7b$closure$u7d$$u7d$::h48499616ca4eb5eb src/gfx/wr/webrender/src/compositor/sw_compositor.rs:497:21
#10 0x7f8463a4073a in std::sys_common::backtrace::__rust_begin_short_backtrace::h444d1a078ba64815 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/sys_common/backtrace.rs:123:18
#11 0x7f84637cfe0c in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hd515058e1152c7cd /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/thread/mod.rs:477:17
#12 0x7f84637cfe0c in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h0e2cea5bf1b73c95 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/panic/unwind_safe.rs:271:9
#13 0x7f84637cfe0c in std::panicking::try::do_call::hfb8fe9394988033f /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:406:40
#14 0x7f84637cfe0c in std::panicking::try::h95d59e980adccbf2 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:370:19
#15 0x7f84637cfe0c in std::panic::catch_unwind::hce2176c24a2b9f70 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panic.rs:133:14
#16 0x7f84637cfe0c in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::h82b565ad17426a48 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/thread/mod.rs:476:30
#17 0x7f84637cfe0c in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h1022dee9232d9b43 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/ops/function.rs:227:5
#18 0x7f8464e48bd2 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h49b6c7c5155a2296 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/alloc/src/boxed.rs:1854:9
#19 0x7f8464e48bd2 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::ha8b5234bfeb15105 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/alloc/src/boxed.rs:1854:9
#20 0x7f8464e48bd2 in std::sys::unix::thread::Thread::new::thread_start::h6f207dd842d64859 /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/sys/unix/thread.rs:108:17
#21 0x7f84713d5608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8
#22 0x7f8470f9c162 in __clone /build/glibc-sMfBJT/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/LGYIPWmiq_qecesovyDBqw/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220404231805-605d0f0c41e6.
The bug appears to have been introduced in the following build range:

Start: 2e36d2d47679a0a059f8dfa9fd7771ccad199998 (20211124071013)
End: d2c1f4743cfa4557cd2e1383ea2745aaf1813aaf (20211124114555)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2e36d2d47679a0a059f8dfa9fd7771ccad199998&tochange=d2c1f4743cfa4557cd2e1383ea2745aaf1813aaf

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

Looks swiggle related?

Flags: needinfo?(lsalzman)
Assignee: nobody → lsalzman
Status: NEW → ASSIGNED
Flags: needinfo?(lsalzman)
Pushed by lsalzman@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/30c7407116ae
Skip empty composite requests. r=gfx-reviewers,bradwerth
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 101 Branch

:lsalzman, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(lsalzman)
Crash Signature: [@ scale]
Flags: in-testsuite? → in-testsuite+
Flags: needinfo?(lsalzman)

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220407092959-6ff2b7d52aa3.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon