20071 - [DOGFOOD] divide by zero in nsProgressMeterFrame::PaintBarSolid()

Status: VERIFIED FIXED

(Core :: Layout, defect, P1)

Description

[edburns]

If the rect argument passed into this method has a 0 height, the following
lines will cause a divide by zero and core dump:

500 nsProgressMeterFrame::PaintBarSolid(nsIPresContext* aPresContext,
                                        nsIRenderingContext& aRenderingContext,
501                                     const nsRect& rect, nscolor color,
                                        float skew)
502 {

...

509     // how many pixel lines will fit?
510     int segments = (rect.height/2) / onePixel;

...

532     // we need to figure out how bright we can get.
533     PRUint8 units = (255 - brightness)/segments;
534

It so happens that rect.height is zero when runnig mozilla after building --
with-xlib --enable-toolkit=xlib.

Here's a partial stack trace:

#0  0xef1a83a4 in .div ()
#1  0xed1d75b4 in nsProgressMeterFrame::PaintBarSolid ()
    at ./nsProgressMeterFrame.cpp:536
#2  0xed1d7170 in nsProgressMeterFrame::PaintBar ()
    at ./nsProgressMeterFrame.cpp:450
#3  0xed1d6f84 in nsProgressMeterFrame::Paint ()
    at ./nsProgressMeterFrame.cpp:411
#4  0xecf45668 in nsContainerFrame::PaintChild (this=0x708558,
    aPresContext=@0x4a0e50, aRenderingContext=@0x72a7a0,
    aDirtyRect=@0xefffb340, aFrame=0x708e60,
    aWhichLayer=eFramePaintLayer_Underlay) at ./nsContainerFrame.cpp:253
#5  0xed1d2e1c in nsBoxFrame::PaintChild (this=0x708558,
    aPresContext=@0x4a0e50, aRenderingContext=@0x72a7a0,
    aDirtyRect=@0xefffb340, aFrame=0x708e60,
    aWhichLayer=eFramePaintLayer_Underlay) at ./nsBoxFrame.cpp:1874
#6  0xecf4539c in nsContainerFrame::PaintChildren (this=0x708558,
    aPresContext=@0x4a0e50, aRenderingContext=@0x72a7a0,
    aDirtyRect=@0xefffb340, aWhichLayer=eFramePaintLayer_Underlay)
    at ./nsContainerFrame.cpp:193
#7  0xecf67878 in nsHTMLContainerFrame::Paint (this=0x708558,
    aPresContext=@0x4a0e50, aRenderingContext=@0x72a7a0,
    aDirtyRect=@0xefffb340, aWhichLayer=eFramePaintLayer_Underlay)
    at ./nsHTMLContainerFrame.cpp:88
---Type <return> to continue, or q <return> to quit---
#8  0xed1d2d30 in nsBoxFrame::Paint (this=0x708558, aPresContext=@0x4a0e50,
    aRenderingContext=@0x72a7a0, aDirtyRect=@0xefffb340,
    aWhichLayer=eFramePaintLayer_Underlay) at ./nsBoxFrame.cpp:1846
#9  0xecf45668 in nsContainerFrame::PaintChild (this=0x7080b8,
    aPresContext=@0x4a0e50, aRenderingContext=@0x72a7a0,
    aDirtyRect=@0xefffb610, aFrame=0x708558,
    aWhichLayer=eFramePaintLayer_Underlay) at ./nsContainerFrame.cpp:253
(More stack frames follow...)

Comment 1

[travis]

Reassigning to Eric.  Looks like he wrote this code.  Not sure why I got this
bug in the first place.

Comment 2

[leger]

Putting on PDT+ radar.

Comment 3

[Chris McAfee]

stole this from evauhan

Comment 4

[don]

Approved.  Upgrading to P1.

Comment 5

[Chris McAfee]

This code now bails if divide-by-zero case shows up.
evaughan says this painting code will be rewritten soon,
"Just make this so it doesn't crash"  -- done.

Comment 6

[Chris Petersen]

I'm not sure what I should do to verify this fix. Is there a test case I
could use to help me ? If not, could the engineer please mark this as verified
fixed.

Comment 7

[Chris McAfee]

Ed, can you verify this?  Let's give Ed some time, otherwise
I will verify.  This just a bandaid fix, no reproduceable case,
hard for QA to verify.  You can give me verification honor if you want.

Comment 8

[edburns]

You can assign the bug to me so I'll remember to test it.

Comment 9

[Chris McAfee]

over to edburns

Comment 10

[Christine Hoffman]

edburns@acm.org: I need to get this verified today if possible. Can you take a
look and, if you agree that it is fixed, verify it so? Thanks

Comment 11

[edburns]

This fix works.