Bug 1439446 (Closed) - Opened 7 years ago, Closed 5 years ago

UBSan: src/gfx/skia/skia/src/pathops/SkPathOpsQuad.cpp:150:24: runtime error: division by zero

Categories: Core :: Graphics, defect, P2
Status: RESOLVED DUPLICATE of bug 1502152
Tracking Status: firefox60 --- affected
People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
Details: Keywords: csectype-undefined, Whiteboard: [gfx-noted]
Attachments: 1 file

Found in mozilla-central changeset: 404376:d0d3693d9bef. Built with -fsanitize=float-divide-by-zero,integer-divide-by-zero

This is logged externally as https://bugs.chromium.org/p/skia/issues/detail?id=7623

src/gfx/skia/skia/src/pathops/SkPathOpsQuad.cpp:150:24: runtime error: division by zero
    #0 0x7f08061bcc29 in SkDQuad::RootsReal(double, double, double, double*) src/gfx/skia/skia/src/pathops/SkPathOpsQuad.cpp:150:24
    #1 0x7f08061bb26f in SkDCubic::RootsValidT(double, double, double, double, double*) src/gfx/skia/skia/src/pathops/SkPathOpsCubic.cpp:382:21
    #2 0x7f0806191471 in LineCubicIntersections::HorizontalIntersect(SkDCubic const&, double, double*) src/gfx/skia/skia/src/pathops/SkDCubicLineIntersection.cpp:171:21
    #3 0x7f080634c761 in cubic_dchop_at_intercept(SkPoint const*, float, SkPoint*, int (SkDCubic::*)(double, double*) const) src/gfx/skia/skia/src/core/SkGeometry.cpp:839:17
    #4 0x7f0806343b27 in SkChopMonoCubicAtY src/gfx/skia/skia/src/core/SkGeometry.cpp:851:12
    #5 0x7f0806343b27 in chop_mono_cubic_at_y src/gfx/skia/skia/src/core/SkEdgeClipper.cpp:271
    #6 0x7f0806343b27 in chop_cubic_in_Y src/gfx/skia/skia/src/core/SkEdgeClipper.cpp:283
    #7 0x7f0806343b27 in SkEdgeClipper::clipMonoCubic(SkPoint const*, SkRect const&) src/gfx/skia/skia/src/core/SkEdgeClipper.cpp:342
    #8 0x7f08063419d4 in SkEdgeClipper::clipCubic(SkPoint const*, SkRect const&) src/gfx/skia/skia/src/core/SkEdgeClipper.cpp:433:27
    #9 0x7f0806340f5f in SkEdgeBuilder::build(SkPath const&, SkIRect const*, int, bool, bool) src/gfx/skia/skia/src/core/SkEdgeBuilder.cpp:396:33
    #10 0x7f080642827a in aaa_fill_path src/gfx/skia/skia/src/core/SkScan_AAAPath.cpp:1613:25
    #11 0x7f080642827a in SkScan::AAAFillPath(SkPath const&, SkRegion const&, SkBlitter*, bool) src/gfx/skia/skia/src/core/SkScan_AAAPath.cpp:1824
    #12 0x7f080615a1d1 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const src/gfx/skia/skia/src/core/SkDraw.cpp:1070:5
    #13 0x7f080615a6f4 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const src/gfx/skia/skia/src/core/SkDraw.cpp:1163:11
    #14 0x7f0805f603c5 in drawPath src/gfx/skia/skia/src/core/SkDraw.h:55:15
    #15 0x7f0805f603c5 in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) src/gfx/skia/skia/src/core/SkBitmapDevice.cpp:235
    #16 0x7f0805f78e4f in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) src/gfx/skia/skia/src/core/SkCanvas.cpp:2227:23
    #17 0x7f0800cde42c in mozilla::gfx::DrawTargetSkia::Fill(mozilla::gfx::Path const*, mozilla::gfx::Pattern const&, mozilla::gfx::DrawOptions const&) src/gfx/2d/DrawTargetSkia.cpp:971:12
    #18 0x7f08038049f0 in mozilla::SVGGeometryFrame::Render(gfxContext*, unsigned int, mozilla::gfx::BaseMatrix<double> const&, mozilla::image::imgDrawingParams&) src/layout/svg/SVGGeometryFrame.cpp:807:21
    #19 0x7f0803804470 in mozilla::SVGGeometryFrame::PaintSVG(gfxContext&, mozilla::gfx::BaseMatrix<double> const&, mozilla::image::imgDrawingParams&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) src/layout/svg/SVGGeometryFrame.cpp:288:5
    #20 0x7f08038038db in nsDisplaySVGGeometry::Paint(nsDisplayListBuilder*, gfxContext*) src/layout/svg/SVGGeometryFrame.cpp:131:43
    #21 0x7f08039572cc in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) src/layout/painting/FrameLayerBuilder.cpp:6019:21
    #22 0x7f0803957d68 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) src/layout/painting/FrameLayerBuilder.cpp:6180:19
    #23 0x7f080114005e in mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) src/gfx/layers/client/ClientPaintedLayer.cpp:158:5
    #24 0x7f0801140c86 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) src/gfx/layers/client/ClientPaintedLayer.cpp:314:3
    #25 0x7f0801165355 in mozilla::layers::ClientContainerLayer::RenderLayer() src/gfx/layers/client/ClientContainerLayer.h:58:29
    #26 0x7f0801165355 in mozilla::layers::ClientContainerLayer::RenderLayer() src/gfx/layers/client/ClientContainerLayer.h:58:29
    #27 0x7f080113d759 in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/client/ClientLayerManager.cpp:359:13
    #28 0x7f080113dc94 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/client/ClientLayerManager.cpp:423:3
    #29 0x7f080398fef2 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) src/layout/painting/nsDisplayList.cpp:2767:19
Attached file testcase.html
Priority: -- → P2
Whiteboard: [gfx-noted]
Blocks: ubsan
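Frame #0 above is a quadratic root solver, and the usual way such a solver reaches a floating-point division by zero is a degenerate input: a caller that chops a curve at an intercept hands in a "quadratic" whose leading coefficient is zero, so the quadratic formula divides by 2*A == 0. The C++ below is an added illustration, not Skia's RootsReal and not code from this bug; it puts the naive pattern that -fsanitize=float-divide-by-zero reports next to a version that dispatches the degenerate cases before dividing. The function names, the exact-zero comparisons and the sample coefficients are assumptions made for the example. Note the practitioner caveat: under IEEE 754 the division does not trap, it silently yields inf or NaN that flows on into the geometry code, which is why only a sanitizer build surfaces it.

```cpp
// Added example, not Skia's code. The (A, B, C, t[]) shape mirrors the
// SkDQuad::RootsReal signature in the trace; the bodies are illustrative.
// Solve A*t^2 + B*t + C = 0 for real t, writing roots to t[] and returning
// how many were produced.
#include <algorithm>
#include <cmath>
#include <cstdio>

// Naive solver: divides by 2*A unconditionally. For a degenerate input
// (A == 0) IEEE 754 arithmetic produces +-inf or NaN instead of trapping;
// -fsanitize=float-divide-by-zero is what makes the division visible.
static int rootsNaive(double A, double B, double C, double t[2]) {
    double disc = B * B - 4 * A * C;
    if (disc < 0) return 0;
    double s = std::sqrt(disc);
    t[0] = (-B - s) / (2 * A);   // float division by zero when A == 0
    t[1] = (-B + s) / (2 * A);
    return 2;
}

// Hardened solver: handle the linear and constant cases before any
// division, then use the cancellation-free form of the quadratic formula.
// Exact comparisons against zero are used for clarity; a production solver
// normally tests against a tolerance (an assumption here, not Skia's rule).
static int rootsChecked(double A, double B, double C, double t[2]) {
    if (A == 0) {                      // B*t + C = 0 (linear)
        if (B == 0) return 0;          // constant: report no root
        t[0] = -C / B;
        return 1;
    }
    double disc = B * B - 4 * A * C;
    if (disc < 0) return 0;            // complex pair, no real root
    double s = std::sqrt(disc);
    // q = -(B + sign(B)*sqrt(disc))/2 avoids subtracting nearly equal values
    double q = -0.5 * (B + std::copysign(s, B));
    if (q == 0) {                      // only when B == 0 and disc == 0, so C == 0
        t[0] = 0;
        return 1;
    }
    t[0] = q / A;
    if (disc == 0) return 1;           // double root
    t[1] = C / q;
    if (t[0] > t[1]) std::swap(t[0], t[1]);
    return 2;
}

// True if every produced root is a finite number (no inf/NaN leaked out).
static bool allFinite(const double* t, int n) {
    for (int i = 0; i < n; ++i)
        if (!std::isfinite(t[i])) return false;
    return true;
}

// Build with the flags named in the report to see the naive path flagged:
//   clang++ -g -fsanitize=float-divide-by-zero,integer-divide-by-zero roots.cpp
int main() {
    double t[2];
    // Constructed degenerate input: A == 0, so this is really 2t - 4 = 0.
    int n = rootsNaive(0.0, 2.0, -4.0, t);
    std::printf("naive:   %d roots, finite=%d\n", n, allFinite(t, n));
    n = rootsChecked(0.0, 2.0, -4.0, t);
    std::printf("checked: %d root(s), t=%g\n", n, t[0]);
    return 0;
}
```

The checked variant never divides by a value it has not already tested, so the sanitizer stays quiet on the same input; the naive variant still returns "2 roots", but they are -inf and NaN, which is the silent failure the UBSan build turns into the error above.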

Upstream's fix appears to have been merged in bug 1502152. Can you confirm?

Flags: needinfo?(twsmith)

The issue is no longer reproducible with the attached test case.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(twsmith)
Resolution: --- → DUPLICATE