Tyson Smith [:tsmith] Reporter
	Description • 7 years ago

This seems to be triggered every few minutes with regular browsing.

Found in mozilla-central changeset: 402372:3df7961bad2c. Built with -fsanitize=enum,float-cast-overflow,float-divide-by-zero,integer-divide-by-zero,signed-integer-overflow

/include/mozilla/gfx/Rect.h:258:43: runtime error: 2.14748e+09 is outside the range of representable values of type 'int'
    #0 0x7fb5a16775f5 in mozilla::gfx::RectTyped<mozilla::LayerPixel, float>::ToIntRect(mozilla::gfx::IntRectTyped<mozilla::LayerPixel>*) const //include/mozilla/gfx/Rect.h:258:43
    #1 0x7fb5a165d4ed in mozilla::layers::LayerManagerComposite::PostProcessLayers(mozilla::layers::Layer*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits>&, mozilla::gfx::IntRegionTyped<mozilla::LayerPixel>&, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> > const&, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::ParentLayerPixel> > const&) /gfx/layers/composite/LayerManagerComposite.cpp:304:27
    #2 0x7fb5a165e1cc in mozilla::layers::LayerManagerComposite::PostProcessLayers(mozilla::layers::Layer*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits>&, mozilla::gfx::IntRegionTyped<mozilla::LayerPixel>&, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> > const&, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::ParentLayerPixel> > const&) /gfx/layers/composite/LayerManagerComposite.cpp:341:7
    #3 0x7fb5a165cde5 in mozilla::layers::LayerManagerComposite::PostProcessLayers(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits>&) /gfx/layers/composite/LayerManagerComposite.cpp:247:3
    #4 0x7fb5a165f0c5 in mozilla::layers::LayerManagerComposite::UpdateAndRender() /gfx/layers/composite/LayerManagerComposite.cpp:485:3
    #5 0x7fb5a165ed18 in mozilla::layers::LayerManagerComposite::EndTransaction(mozilla::TimeStamp const&, mozilla::layers::LayerManager::EndTransactionFlags) /gfx/layers/composite/LayerManagerComposite.cpp:463:5
    #6 0x7fb5a16dd52a in mozilla::layers::CompositorBridgeParent::CompositeToTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /gfx/layers/ipc/CompositorBridgeParent.cpp:1040:18
    #7 0x7fb5a16ec836 in mozilla::layers::CompositorVsyncScheduler::Composite(mozilla::TimeStamp) /gfx/layers/ipc/CompositorVsyncScheduler.cpp:243:27
    #8 0x7fb5a172c15d in mozilla::detail::RunnableMethodImpl<mozilla::layers::CompositorVsyncScheduler*, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), true, (mozilla::RunnableKind)1, mozilla::TimeStamp>::Run() //include/nsThreadUtils.h:1200:13
    #9 0x7fb59f667595 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /ipc/chromium/src/base/message_loop.cc:452:9
    #10 0x7fb59f668339 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /ipc/chromium/src/base/message_loop.cc:460:5
    #11 0x7fb59f6687a4 in MessageLoop::DoWork() /ipc/chromium/src/base/message_loop.cc:535:13
    #12 0x7fb59f669d93 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /ipc/chromium/src/base/message_pump_default.cc:36:31
    #13 0x7fb59f667090 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:299:3
    #14 0x7fb59f6a91da in base::Thread::ThreadMain() /ipc/chromium/src/base/thread.cc:181:16
    #15 0x7fb59f672209 in ThreadFunc(void*) /ipc/chromium/src/base/platform_thread_posix.cc:38:13
    #16 0x7fb5d73dc7fb in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x77fb)
    #17 0x7fb5d640ab5e in clone /build/glibc-itYbWN/glibc-2.26/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

	Bas Schouten (:bas.schouten)
	Comment 1 • 7 years ago

The rect being 'un'transformed here is already MaxIntRect, so I suspect it's fairly easy to end up with a rectangle that is larger than integers can represent, although I don't fully understand this code. As far as I can tell though the effects of this rect getting too large would be benign, I could see this causing rendering artifacts in some cases, but I guess it's not.