Closed
Bug 1443893
Opened 7 years ago
Closed 5 years ago
UBSan: division by zero in [@ nsCSSRendering::ComputeRoundedSize]
Categories
(Core :: Web Painting, defect, P3)
Core
Web Painting
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| firefox60 | --- | affected |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-undefined, testcase)
Attachments
(1 file)
|
(deleted),
text/html
|
Details |
Found with mozilla-central changeset: 406904:493e45400842
mozilla-central/layout/painting/nsCSSRendering.cpp:3054:57: runtime error: division by zero
#0 0x7fa4943a7921 in nsCSSRendering::ComputeRoundedSize(int, int) mozilla-central/layout/painting/nsCSSRendering.cpp:3054:57
#1 0x7fa494436886 in ComputeTile(nsRect&, mozilla::StyleBorderImageRepeat, mozilla::StyleBorderImageRepeat, nsSize const&, nsSize&) mozilla-central/layout/painting/nsImageRenderer.cpp:772:18
#2 0x7fa4944366fc in mozilla::nsImageRenderer::DrawBorderImageComponent(nsPresContext*, gfxContext&, nsRect const&, nsRect const&, mozilla::gfx::IntRectTyped<mozilla::CSSPixel> const&, mozilla::StyleBorderImageRepeat, mozilla::StyleBorderImageRepeat, nsSize const&, unsigned char, mozilla::Maybe<nsSize> const&, bool) mozilla-central/layout/painting/nsImageRenderer.cpp:944:21
#3 0x7fa49439bfbf in nsCSSBorderImageRenderer::DrawBorderImage(nsPresContext*, gfxContext&, nsIFrame*, nsRect const&) mozilla-central/layout/painting/nsCSSRenderingBorders.cpp:3660:24
#4 0x7fa4943986e0 in nsCSSRendering::PaintBorderWithStyleBorder(nsPresContext*, gfxContext&, nsIFrame*, nsRect const&, nsRect const&, nsStyleBorder const&, nsStyleContext*, mozilla::PaintBorderFlags, mozilla::Sides) mozilla-central/layout/painting/nsCSSRendering.cpp:936:24
#5 0x7fa49439853b in nsCSSRendering::PaintBorder(nsPresContext*, gfxContext&, nsIFrame*, nsRect const&, nsRect const&, nsStyleContext*, mozilla::PaintBorderFlags, mozilla::Sides) mozilla-central/layout/painting/nsCSSRendering.cpp:648:12
#6 0x7fa4943dba6d in nsDisplayBorder::Paint(nsDisplayListBuilder*, gfxContext*) mozilla-central/layout/painting/nsDisplayList.cpp:5774:5
#7 0x7fa494391cfb in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::AssignedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) mozilla-central/layout/painting/FrameLayerBuilder.cpp:6109:21
#8 0x7fa49439268c in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) mozilla-central/layout/painting/FrameLayerBuilder.cpp:6266:19
#9 0x7fa491911b3e in mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) mozilla-central/gfx/layers/client/ClientPaintedLayer.cpp:158:5
#10 0x7fa491912766 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) mozilla-central/gfx/layers/client/ClientPaintedLayer.cpp:314:3
#11 0x7fa49192d4d5 in mozilla::layers::ClientContainerLayer::RenderLayer() mozilla-central/gfx/layers/client/ClientContainerLayer.h:58:29
#12 0x7fa49190f272 in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) mozilla-central/gfx/layers/client/ClientLayerManager.cpp:359:13
#13 0x7fa49190f7b4 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) mozilla-central/gfx/layers/client/ClientLayerManager.cpp:423:3
#14 0x7fa4943caae9 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) mozilla-central/layout/painting/nsDisplayList.cpp:2779:19
#15 0x7fa493fbff6d in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) mozilla-central/layout/base/nsLayoutUtils.cpp:4016:12
#16 0x7fa493f3ea19 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) mozilla-central/layout/base/PresShell.cpp:6447:5
#17 0x7fa493b061d4 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) mozilla-central/view/nsViewManager.cpp:480:19
#18 0x7fa493b05bd7 in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) mozilla-central/view/nsViewManager.cpp:412:33
#19 0x7fa493b06f16 in nsViewManager::ProcessPendingUpdates() mozilla-central/view/nsViewManager.cpp:1102:5
#20 0x7fa493ef7909 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) mozilla-central/layout/base/nsRefreshDriver.cpp:2063:11
#21 0x7fa493efdd19 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) mozilla-central/layout/base/nsRefreshDriver.cpp:310:7
#22 0x7fa493efdb5c in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) mozilla-central/layout/base/nsRefreshDriver.cpp:332:5
#23 0x7fa493f00366 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) mozilla-central/layout/base/nsRefreshDriver.cpp:773:5
#24 0x7fa493eff90d in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) mozilla-central/layout/base/nsRefreshDriver.cpp:686:35
#25 0x7fa493eff4c2 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) mozilla-central/layout/base/nsRefreshDriver.cpp:587:9
#26 0x7fa494322627 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) mozilla-central/layout/ipc/VsyncChild.cpp:68:16
#27 0x7fa490e88965 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) mozilla-central/objdir-ff-ubsan/ipc/ipdl/PVsyncChild.cpp:156:20
#28 0x7fa490b64efd in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) mozilla-central/ipc/glue/MessageChannel.cpp:2133:25
#29 0x7fa490b636e3 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) mozilla-central/ipc/glue/MessageChannel.cpp:2063:17
#30 0x7fa490b64608 in mozilla::ipc::MessageChannel::MessageTask::Run() mozilla-central/ipc/glue/MessageChannel.cpp:1942:15
#31 0x7fa4900bb393 in nsThread::ProcessNextEvent(bool, bool*) mozilla-central/xpcom/threads/nsThread.cpp:1040:14
#32 0x7fa4900d7c60 in NS_ProcessNextEvent(nsIThread*, bool) mozilla-central/xpcom/threads/nsThreadUtils.cpp:517:10
#33 0x7fa490b68aab in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) mozilla-central/ipc/glue/MessagePump.cpp:97:21
#34 0x7fa490a8f679 in RunHandler mozilla-central/ipc/chromium/src/base/message_loop.cc:319:3
#35 0x7fa490a8f679 in MessageLoop::Run() mozilla-central/ipc/chromium/src/base/message_loop.cc:299
#36 0x7fa493b4f146 in nsBaseAppShell::Run() mozilla-central/widget/nsBaseAppShell.cpp:157:27
#37 0x7fa49715a614 in XRE_RunAppShell() mozilla-central/toolkit/xre/nsEmbedFunctions.cpp:892:22
#38 0x7fa490a8f679 in RunHandler mozilla-central/ipc/chromium/src/base/message_loop.cc:319:3
#39 0x7fa490a8f679 in MessageLoop::Run() mozilla-central/ipc/chromium/src/base/message_loop.cc:299
#40 0x7fa49715a240 in XRE_InitChildProcess(int, char**, XREChildData const*) mozilla-central/toolkit/xre/nsEmbedFunctions.cpp:718:34
#41 0x42d23b in content_process_main(mozilla::Bootstrap*, int, char**) mozilla-central/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#42 0x42d358 in main mozilla-central/browser/app/nsBrowserApp.cpp:280:18
#43 0x7fa4b4aa61c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
#44 0x407159 in _start (mozilla-central/objdir-ff-ubsan/dist/bin/firefox+0x407159)
Flags: in-testsuite?
|
||
Comment 1•7 years ago
|
||
Permalinks for the first several stack frames:
https://searchfox.org/mozilla-central/rev/33cc9e0331da8d9ff3750f1e68d72d61201176cb/layout/painting/nsCSSRendering.cpp#3054
https://searchfox.org/mozilla-central/rev/33cc9e0331da8d9ff3750f1e68d72d61201176cb/layout/painting/nsImageRenderer.cpp#772
https://searchfox.org/mozilla-central/rev/33cc9e0331da8d9ff3750f1e68d72d61201176cb/layout/painting/nsImageRenderer.cpp#944
https://searchfox.org/mozilla-central/rev/33cc9e0331da8d9ff3750f1e68d72d61201176cb/layout/painting/nsCSSRenderingBorders.cpp#3660
|
||
Updated•7 years ago
|
Blocks: stylo-fuzzing
Priority: -- → P3
|
|
||
Comment 2•7 years ago
|
||
I don't think this is related to stylo at all...
No longer blocks: stylo-fuzzing
Component: CSS Parsing and Computation → Layout: Web Painting
|
Reporter | |
Comment 3•5 years ago
|
||
This is no longer reproducible with the attached testcase.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•