Bug 1604357 - division by zero in src/gfx/2d/Path.cpp:282
Status: RESOLVED FIXED (Closed)
Product/Component: Core :: Graphics, defect, P3
Target Milestone: mozilla78
Opened 5 years ago, closed 5 years ago
People: Reporter tsmith, Assignee lsalzman
References: Blocks 2 open bugs
Keywords: testcase
Attachments: 2 files
Found with m-c 20191213-5343dd9f67f3
To enable this check, add the following to your mozconfig:
ac_add_options --enable-undefined-sanitizer="float-divide-by-zero"
src/gfx/2d/Path.cpp:282:48: runtime error: division by zero
#0 0x7f380e6ef30e in mozilla::gfx::FindInflectionApproximationRange(mozilla::gfx::BezierControlPoints, double*, double*, double, double) src/gfx/2d/Path.cpp:282:48
#1 0x7f380e6ed1d6 in mozilla::gfx::FlattenBezier(mozilla::gfx::BezierControlPoints const&, mozilla::gfx::PathSink*, double) src/gfx/2d/Path.cpp:453:5
#2 0x7f380e6ecdda in mozilla::gfx::FlattenedPath::BezierTo(mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&) src/gfx/2d/Path.cpp:92:3
#3 0x7f380e6093e3 in mozilla::gfx::PathSkia::StreamToSink(mozilla::gfx::PathSink*) const src/gfx/2d/PathSkia.cpp:189:16
#4 0x7f380e6eb992 in mozilla::gfx::Path::ComputeLength() src/gfx/2d/Path.cpp:51:3
#5 0x7f381303b4f7 in mozilla::dom::SVGGeometryElement::GetTotalLength() src/dom/svg/SVGGeometryElement.cpp:220:23
#6 0x7f38106c73d4 in mozilla::dom::SVGGeometryElement_Binding::getTotalLength(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) src/objdir-ff-ubsan/dom/bindings/SVGGeometryElementBinding.cpp:151:37
#7 0x7f38114b24b1 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3151:13
#8 0x7f3818082630 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:457:13
#9 0x7f3818082630 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:549:12
#10 0x7f381808363a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:618:10
#11 0x7f381806cd76 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3116:16
#12 0x7f381804fe15 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:424:10
#13 0x7f3818082478 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:590:13
#14 0x7f381808363a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:618:10
#15 0x7f381808382d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:635:8
#16 0x7f38182f0cfb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2753:10
#17 0x7f3810fe36d7 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/objdir-ff-ubsan/dom/bindings/EventHandlerBinding.cpp:267:37
#18 0x7f3811bd7c8f in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/objdir-ff-ubsan/dist/include/mozilla/dom/EventHandlerBinding.h:364:12
#19 0x7f3811bbc18d in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:201:12
#20 0x7f3811b95ef4 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1082:22
#21 0x7f3811b970ed in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1274:17
#22 0x7f3811bca377 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:356:17
#23 0x7f3811b89ae2 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:558:16
#24 0x7f3811b8c728 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1056:11
#25 0x7f3814194611 in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1163:7
#26 0x7f381734f98b in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6192:20
#27 0x7f381734eda2 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:5975:7
#28 0x7f381735155f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
#29 0x7f380e385f1d in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1347:3
#30 0x7f380e385262 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:906:14
#31 0x7f380e382807 in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:726:9
#32 0x7f380e3844fd in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:614:5
#33 0x7f380e38504c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp
#34 0x7f380b801377 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) src/netwerk/base/nsLoadGroup.cpp:594:22
#35 0x7f380b803636 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:501:10
#36 0x7f380fa2175d in mozilla::dom::Document::DoUnblockOnload() src/dom/base/Document.cpp:10509:18
#37 0x7f380f9f5362 in mozilla::dom::Document::UnblockOnload(bool) src/dom/base/Document.cpp:10441:9
#38 0x7f380fa09e3a in mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:7111:3
#39 0x7f380fae4c8a in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1176:13
#40 0x7f380b54c5cc in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:282:20
#41 0x7f380b57ed24 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1241:14
#42 0x7f380b58584e in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
#43 0x7f380c97fd2e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
#44 0x7f380c7c29e4 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#45 0x7f3813c8875a in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#46 0x7f3817d7f899 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:946:20
#47 0x7f380c981341 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:237:9
#48 0x7f380c7c29e4 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#49 0x7f3817d7ece7 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:781:34
#50 0x555d8d2dc1c5 in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#51 0x555d8d2dc3ef in main src/browser/app/nsBrowserApp.cpp:303:18
Flags: in-testsuite?
Comment 1•5 years ago
I see you've previously fixed divide by zeroes in this code Lee :)
Flags: needinfo?(lsalzman)
Priority: -- → P3
Comment 2•5 years ago
Updated•5 years ago
Assignee: nobody → lsalzman
Status: NEW → ASSIGNED
Updated•5 years ago
Flags: needinfo?(lsalzman)
Pushed by lsalzman@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b5d0938fb4f1
handle divide by zero in bezier inflection approximation range. r=aosmond
Comment 4•5 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox78:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla78