Bug 1468126 (Open, status NEW): UBSan: signed integer overflow in [@ ClampAndAlignWithPixels]
Opened 6 years ago, updated 2 years ago
Product/Component: Core :: Layout (defect, P4)
Reporter: tsmith; Unassigned
References: Blocks 2 open bugs
Keywords: csectype-undefined, testcase
Attachments: 1 file (text/html testcase, deleted)

Tracking | Status
---|---
firefox62 | affected
Found with commit 422090:874dedd55599
layout/generic/nsGfxScrollFrame.cpp:2703:19: runtime error: signed integer overflow: 0 - -2147483648 cannot be represented in type 'int'
#0 0x7fd5eaf5b8db in ClampAndAlignWithPixels(int, int, int, int, int, int, double, int) layout/generic/nsGfxScrollFrame.cpp:2703:19
#1 0x7fd5eaf2a81c in ClampAndAlignWithLayerPixels(nsPoint const&, nsRect const&, nsRect const&, nsPoint const&, int, mozilla::gfx::SizeTyped<mozilla::gfx::UnknownUnits, double> const&) layout/generic/nsGfxScrollFrame.cpp:2741:18
#2 0x7fd5eaf28488 in mozilla::ScrollFrameHelper::ScrollToImpl(nsPoint, nsRect const&, nsAtom*) layout/generic/nsGfxScrollFrame.cpp:2834:5
#3 0x7fd5eaf30e3b in mozilla::ScrollFrameHelper::ReflowFinished() layout/generic/nsGfxScrollFrame.cpp:5568:5
#4 0x7fd5eadcda5c in mozilla::PresShell::HandlePostedReflowCallbacks(bool) layout/base/PresShell.cpp:4081:22
#5 0x7fd5eadc86b9 in mozilla::PresShell::DidDoReflow(bool) layout/base/PresShell.cpp:8769:3
#6 0x7fd5eadc781f in mozilla::PresShell::ResizeReflowIgnoreOverride(int, int, int, int, nsIPresShell::ResizeReflowOptions) layout/base/PresShell.cpp:2043:7
#7 0x7fd5eab5668e in nsViewManager::DoSetWindowDimensions(int, int) view/nsViewManager.cpp:191:19
#8 0x7fd5eab567cd in nsViewManager::FlushDelayedResize(bool) view/nsViewManager.cpp:243:7
#9 0x7fd5eadce1a0 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) layout/base/PresShell.cpp:4334:20
#10 0x7fd5eada4854 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:1923:16
#11 0x7fd5eadaabe1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) layout/base/nsRefreshDriver.cpp:301:7
#12 0x7fd5eadaaac8 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:320:5
#13 0x7fd5eadace4b in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:760:5
#14 0x7fd5eadac4ad in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:673:35
#15 0x7fd5eadac125 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:574:9
#16 0x7fd5eb0d5aee in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) layout/ipc/VsyncChild.cpp:68:16
#17 0x7fd5e83f1e70 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) objdir-ff-ubsan/ipc/ipdl/PVsyncChild.cpp:167:20
#18 0x7fd5e805d84c in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) ipc/glue/MessageChannel.cpp:2134:25
#19 0x7fd5e805c85c in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) ipc/glue/MessageChannel.cpp:2064:17
#20 0x7fd5e805d2b0 in mozilla::ipc::MessageChannel::MessageTask::Run() ipc/glue/MessageChannel.cpp:1943:15
#21 0x7fd5e785c472 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1088:14
#22 0x7fd5e787af5e in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:519:10
#23 0x7fd5e806037f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:97:21
#24 0x7fd5e7fc9a89 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:298:3
#25 0x7fd5eab97fff in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:157:27
#26 0x7fd5ec91a993 in XRE_RunAppShell() toolkit/xre/nsEmbedFunctions.cpp:896:22
#27 0x7fd5e8060a98 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:269:9
#28 0x7fd5e7fc9a89 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:298:3
#29 0x7fd5ec91a552 in XRE_InitChildProcess(int, char**, XREChildData const*) toolkit/xre/nsEmbedFunctions.cpp:722:34
#30 0x430a7a in content_process_main(mozilla::Bootstrap*, int, char**) browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#31 0x430b40 in main browser/app/nsBrowserApp.cpp:287:18
#32 0x7fd60a4361c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
#33 0x4092e9 in _start (firefox+0x4092e9)
Flags: in-testsuite?
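The UBSan line above flags the one subtraction in int that cannot be represented: 0 - (-2147483648). The following C is an added example, not code from Firefox or from this bug, showing how to detect that case explicitly and how a saturating fallback behaves; the function names and the assumption that the flagged expression is a plain int subtraction are mine, taken only from the UBSan message.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Checked subtraction: reports failure instead of wrapping when a - b does
 * not fit in int. The builtin is the same check UBSan inserts at runtime. */
bool checked_sub(int a, int b, int *out)
{
    return !__builtin_sub_overflow(a, b, out);
}

/* Portable equivalent without compiler builtins. Returns true when a - b
 * would overflow. Neither INT_MAX + b nor INT_MIN + b can itself overflow
 * in the branch where it is evaluated. */
bool would_sub_overflow(int a, int b)
{
    if (b < 0)
        return a > INT_MAX + b;   /* a - b > INT_MAX */
    return a < INT_MIN + b;       /* a - b < INT_MIN */
}

/* Saturating variant: clamp to [INT_MIN, INT_MAX] so negating INT_MIN yields
 * INT_MAX rather than wrapping back to a negative value. */
int saturating_sub(int a, int b)
{
    int r;
    if (!__builtin_sub_overflow(a, b, &r))
        return r;
    return (b < 0) ? INT_MAX : INT_MIN;
}

int main(void)
{
    /* The exact operands from the UBSan report: 0 - (-2147483648). */
    int a = 0, b = INT_MIN, r;
    if (!checked_sub(a, b, &r))
        printf("0 - INT_MIN overflows int; saturated result = %d\n",
               saturating_sub(a, b));
    else
        printf("result = %d\n", r);
    return 0;
}
```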
History:
Updated 6 years ago: Component: Graphics → Layout
Updated 6 years ago: Priority: -- → P4
Updated 2 years ago: Severity: normal → S3