Closed Bug 1772643 Opened 2 years ago Closed 2 years ago

src/swgl_ext.h:692:27: runtime error: -4.2924e+09 is outside the range of representable values of type 'int'

Categories

(Core :: Graphics: WebRender, defect, P3)

Tracking

()

RESOLVED FIXED
103 Branch
Tracking Status
firefox103 --- fixed

People

(Reporter: tsmith, Assigned: lsalzman)

References

(Blocks 2 open bugs)

Details

(Keywords: csectype-undefined, testcase)

Attachments

(2 files)

Attached file testcase.html

This was found by enabling the float-cast-overflow check in UBSan and running existing tests. This type of issue can create inconsistencies across platforms, architectures and optimization levels.

Found with m-c 20220603-68727ef04ccf

To enable this check add the following to your mozconfig:

ac_add_options --enable-undefined-sanitizer="float-cast-overflow"

src/swgl_ext.h:692:27: runtime error: -4.2924e+09 is outside the range of representable values of type 'int'
    #0 0x7f25d805786d in int blendTextureLinearRepeat<true, glsl::sampler2D_impl*, NoColor, unsigned int>(glsl::sampler2D_impl*, glsl::vec2, int, glsl::vec2_scalar const&, glsl::vec4_scalar const&, glsl::vec4_scalar const&, NoColor, unsigned int*) src/gfx/wr/swgl/src/swgl_ext.h
    #1 0x7f25d81c6e91 in brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D_frag::swgl_drawSpanRGBA8() src/objdir-ff-ubsan/x86_64-unknown-linux-gnu/release/build/swgl-8967b363083f5b77/out/brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D.h:962:2
    #2 0x7f25d81bbb11 in brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D_frag::draw_span_RGBA8(glsl::FragmentShaderImpl*) src/objdir-ff-ubsan/x86_64-unknown-linux-gnu/release/build/swgl-8967b363083f5b77/out/brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D.h:1010:28
    #3 0x7f25d852263f in glsl::FragmentShaderImpl::draw_span(unsigned int*, int) src/gfx/wr/swgl/src/program.h:168:12
    #4 0x7f25d852263f in void draw_quad_spans<unsigned int>(int, glsl::vec2_scalar*, unsigned int, glsl::vec3*, Texture&, Texture&, ClipRect const&) src/gfx/wr/swgl/src/rasterize.h:1031:42
    #5 0x7f25d7ff6f7c in draw_quad(int, Texture&, Texture&) src/gfx/wr/swgl/src/rasterize.h:1620:5
    #6 0x7f25d7ff5a41 in void draw_elements<unsigned short>(int, int, unsigned long, VertexArray&, Texture&, Texture&) src/gfx/wr/swgl/src/rasterize.h:1650:5
    #7 0x7f25d7ff568c in DrawElementsInstanced src/gfx/wr/swgl/src/gl.cc:2744:7
    #8 0x7f25d6def8f1 in webrender::device::gl::Device::draw_indexed_triangles_instanced_u16::ha386959895d4e313 src/gfx/wr/webrender/src/device/gl.rs:3633:9
    #9 0x7f25d780fba0 in webrender::renderer::Renderer::draw_instanced_batch::h80b96db922ddd912 src/gfx/wr/webrender/src/renderer/mod.rs:2511:17
    #10 0x7f25d72bb38c in webrender::renderer::Renderer::draw_alpha_batch_container::he55390523bcbe720 src/gfx/wr/webrender/src/renderer/mod.rs:3144:17
    #11 0x7f25d72cf39b in webrender::renderer::Renderer::draw_color_target::h5e53e9e30b76c93f src/gfx/wr/webrender/src/renderer/mod.rs:3855:13
    #12 0x7f25d72cf39b in webrender::renderer::Renderer::draw_frame::ha7f1bb55f0a6f2a3 src/gfx/wr/webrender/src/renderer/mod.rs:4962:17
    #13 0x7f25d72a5735 in webrender::renderer::Renderer::render_impl::hfd5d33cf6208fcd6 src/gfx/wr/webrender/src/renderer/mod.rs:2015:17
    #14 0x7f25d72a1f2e in webrender::renderer::Renderer::render::he29e365bd783ea6e src/gfx/wr/webrender/src/renderer/mod.rs:1737:30
    #15 0x7f25d69eab9d in wr_renderer_render src/gfx/webrender_bindings/src/bindings.rs:616:11
    #16 0x7f25c815ea9e in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) src/gfx/webrender_bindings/RendererOGL.cpp:185:8
    #17 0x7f25c815d26b in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) src/gfx/webrender_bindings/RenderThread.cpp:537:31
    #18 0x7f25c815c4db in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) src/gfx/webrender_bindings/RenderThread.cpp:387:3
    #19 0x7f25c817dec6 in decltype(*(fp).*fp0(Get<0ul>(fp1).PassAsParameter(), Get<1ul>(fp1).PassAsParameter())) mozilla::detail::RunnableMethodArguments<mozilla::wr::WrWindowId, bool>::applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool>, 0ul, 1ul>(mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), mozilla::Tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> >&, std::integer_sequence<unsigned long, 0ul, 1ul>) src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1147:12
    #20 0x7f25c817dd0b in decltype(applyImpl(fp, fp0, *(this).mArguments, std::integer_sequence<unsigned long, 0ul, 1ul>{})) mozilla::detail::RunnableMethodArguments<mozilla::wr::WrWindowId, bool>::apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)>(mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)) src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1153:12
    #21 0x7f25c817dd0b in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1200:13
    #22 0x7f25c569e9ae in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1174:16
    #23 0x7f25c56a6dd4 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:465:10
    #24 0x7f25c6dcc874 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:330:5
    #25 0x7f25c6c3f411 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
    #26 0x7f25c6c3f411 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:373:3
    #27 0x7f25c6c3f411 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
    #28 0x7f25c5696f68 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:378:10
    #29 0x7f25f0f80bbe in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #30 0x7f25f0ca06da in start_thread /build/glibc-uZu3wS/glibc-2.27/nptl/pthread_create.c:463
    #31 0x7f25efc7e61e in __clone /build/glibc-uZu3wS/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Doesn't look too complicated nor too bad as far as the bug is concerned, but this code is likely very performance sensitive so deferring to Lee.

Severity: -- → S3
Flags: needinfo?(lsalzman)
Priority: -- → P3
Assignee: nobody → lsalzman
Status: NEW → ASSIGNED
Pushed by lsalzman@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f181d3190ab2
Clamp no-repeat steps to valid range. r=jrmuizel
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 103 Branch
Flags: needinfo?(lsalzman)
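
An added example, not the patch that landed and not swgl code: it shows the general pattern behind a "clamp to valid range" fix for a float-cast-overflow report, where the range check is done in the float domain before the cast. The helper names `clamp_float_to_int` and `clamp_steps` are hypothetical, and the code assumes a 32-bit `int`.

```cpp
#include <climits>
#include <cmath>
#include <cstdio>

static_assert(sizeof(int) == 4, "example assumes 32-bit int");

// Hypothetical helper: saturating float -> int conversion.
// A plain cast is undefined when the truncated value does not fit in int,
// which is the condition UBSan's float-cast-overflow check reports.
int clamp_float_to_int(float v) {
  if (std::isnan(v)) return 0;  // NaN has no integer value; 0 is this example's choice
  // (float)INT_MAX rounds up to 2^31, which is already out of range, so compare
  // against 2^31 with >= instead of clamping to (float)INT_MAX and then casting.
  if (v >= 2147483648.0f) return INT_MAX;
  if (v <= -2147483648.0f) return INT_MIN;  // -2^31 is exactly representable
  return static_cast<int>(v);  // in range: truncation toward zero is defined
}

// Hypothetical helper: whole number of steps, limited to [0, span].
int clamp_steps(float steps, int span) {
  if (span <= 0 || !(steps > 0.0f)) return 0;  // negated test also catches NaN
  if (steps >= static_cast<float>(span)) return span;
  return static_cast<int>(steps);  // 0 < steps < span, so the cast is defined
}

int main() {
  const float reported = -4.2924e+09f;  // magnitude taken from the UBSan message
  std::printf("%d\n", clamp_float_to_int(reported));
  std::printf("%d\n", clamp_steps(reported, 100));
  std::printf("%d\n", clamp_steps(42.9f, 100));
  return 0;
}
```

Building this with `-fsanitize=float-cast-overflow` produces no report, because every cast is reached only after the value is known to be in range.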