Closed Bug 1758825 Opened 2 years ago Closed 2 years ago

src/swgl_ext.h:537:16: runtime error: -nan is outside the range of representable values of type 'int'

Categories

(Core :: Graphics: WebRender, defect)

Product:
Core
Component:
Graphics: WebRender
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1758219
Tracking Flags:
Tracking Status
firefox99 --- affected
firefox100 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: csectype-undefined, testcase)

Attachments

(1 file)

testcase.html
(deleted), text/html
Details
Attached file testcase.html (deleted) —

This was found by enabling the float-cast-overflow check in UBSan and fuzzing. This type of issue can create inconsistencies across platforms, architectures and optimization levels.

Found with m-c 20220304-ee4f4beb8186

To enable this check add the following to your mozconfig:

ac_add_options --enable-undefined-sanitizer="float-cast-overflow"

src/swgl_ext.h:537:16: runtime error: -nan is outside the range of representable values of type 'int'
    #0 0x7f535bae2776 in brush_image_ALPHA_PASS_TEXTURE_2D_frag::swgl_drawSpanRGBA8() src/objdir-ff-ubsan/x86_64-unknown-linux-gnu/release/build/swgl-17ac762633f478af/out/brush_image_ALPHA_PASS_TEXTURE_2D.h
    #1 0x7f535bad5431 in brush_image_ALPHA_PASS_TEXTURE_2D_frag::draw_span_RGBA8(glsl::FragmentShaderImpl*) src/objdir-ff-ubsan/x86_64-unknown-linux-gnu/release/build/swgl-17ac762633f478af/out/brush_image_ALPHA_PASS_TEXTURE_2D.h:940:28
    #2 0x7f535be1914c in glsl::FragmentShaderImpl::draw_span(unsigned int*, int) src/gfx/wr/swgl/src/program.h:168:12
    #3 0x7f535be1914c in void draw_quad_spans<unsigned int>(int, glsl::vec2_scalar*, unsigned int, glsl::vec3*, Texture&, Texture&, ClipRect const&) src/gfx/wr/swgl/src/rasterize.h:1028:42
    #4 0x7f535b8daa9c in draw_quad(int, Texture&, Texture&) src/gfx/wr/swgl/src/rasterize.h:1615:5
    #5 0x7f535b8d95a3 in void draw_elements<unsigned short>(int, int, unsigned long, VertexArray&, Texture&, Texture&) src/gfx/wr/swgl/src/rasterize.h:1648:7
    #6 0x7f535b8d91ae in DrawElementsInstanced src/gfx/wr/swgl/src/gl.cc:2738:7
    #7 0x7f535b1fc691 in webrender::device::gl::Device::draw_indexed_triangles_instanced_u16::h2a13a442a4a0fbdf src/gfx/wr/webrender/src/device/gl.rs:3639:9
    #8 0x7f535a62ddc9 in webrender::renderer::Renderer::draw_instanced_batch::h524e1394e2950ff5 src/gfx/wr/webrender/src/renderer/mod.rs:2501:17
    #9 0x7f535b4b6b77 in webrender::renderer::Renderer::draw_alpha_batch_container::he4b2c7703ec09331 src/gfx/wr/webrender/src/renderer/mod.rs:2994:17
    #10 0x7f535b4c1546 in webrender::renderer::Renderer::draw_picture_cache_target::hb92d8d40d7fd36b1 src/gfx/wr/webrender/src/renderer/mod.rs:2811:9
    #11 0x7f535b4c1546 in webrender::renderer::Renderer::draw_frame::hd7890b990cb3c701 src/gfx/wr/webrender/src/renderer/mod.rs:4707:21
    #12 0x7f535b4a53d8 in webrender::renderer::Renderer::render_impl::hc89b7dbac7001336 src/gfx/wr/webrender/src/renderer/mod.rs:2005:17
    #13 0x7f535b4a2298 in webrender::renderer::Renderer::render::h050e53d5ddb6b50a src/gfx/wr/webrender/src/renderer/mod.rs:1727:30
    #14 0x7f535a4cef1b in wr_renderer_render src/gfx/webrender_bindings/src/bindings.rs:620:11
    #15 0x7f534bf06b8e in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) src/gfx/webrender_bindings/RendererOGL.cpp:185:8
    #16 0x7f534bf05386 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) src/gfx/webrender_bindings/RenderThread.cpp:533:31
    #17 0x7f534bf0466b in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) src/gfx/webrender_bindings/RenderThread.cpp:385:3
    #18 0x7f534bf25116 in decltype(*(fp).*fp0(Get<0ul>(fp1).PassAsParameter(), Get<1ul>(fp1).PassAsParameter())) mozilla::detail::RunnableMethodArguments<mozilla::wr::WrWindowId, bool>::applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool>, 0ul, 1ul>(mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), mozilla::Tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> >&, std::integer_sequence<unsigned long, 0ul, 1ul>) src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1147:12
    #19 0x7f534bf24edb in decltype(applyImpl(fp, fp0, *(this).mArguments, std::integer_sequence<unsigned long, 0ul, 1ul>{})) mozilla::detail::RunnableMethodArguments<mozilla::wr::WrWindowId, bool>::apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)>(mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)) src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1153:12
    #20 0x7f534bf24edb in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1200:13
    #21 0x7f534951303e in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1167:16
    #22 0x7f534951c7e4 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:467:10
    #23 0x7f534abdc499 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:300:20
    #24 0x7f534aa4b191 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:331:10
    #25 0x7f534aa4b191 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:324:3
    #26 0x7f534aa4b191 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
    #27 0x7f534950b7d8 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:389:10
    #28 0x7f5373a083ee in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #29 0x7f53736356da in start_thread /build/glibc-uZu3wS/glibc-2.27/nptl/pthread_create.c:463
    #30 0x7f537261361e in __clone /build/glibc-uZu3wS/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Please ni? me if a Pernosco session would be helpful.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: