CHECK failed: base::IsValueInRangeForNumericType<int>( std::floor(rect.y() * y_s
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4577094461292544
Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  CHECK failed: base::IsValueInRangeForNumericType<int>( std::floor(rect.y() * y_s
  gfx::ScaleToEnclosingRect
  gfx::ScaleToEnclosingRect
Minimized Testcase (0.27 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97JCCG5YPeakgfM0jJ1YMXeQ-hpL1EcnmxEmuPJc1ZR7-oSnb3H9llH5_8_OF4e_TNVLGAZR9FBlQ2Ldhi_k6Od1uPoCLAJ7SHfehc_Hswc28BHk0fhqFssyBH8yWw2u17s0xYD1edNsIrf-p0eqGSTirsocw
Filer: manoranjanr
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Apr 25 2016
Here's the callstack from the report:
#0 0x0000004b58c1 __interceptor_backtrace
#1 0x7f336dfe30cc base::debug::StackTrace::StackTrace()
#2 0x7f336e143082 logging::LogMessage::~LogMessage()
#3 0x7f3368fcdfba gfx::ScaleToEnclosingRect()
#4 0x7f3369069e58 gfx::ScaleToEnclosingRect()
#5 0x7f336904c9e2 cc::LayerImpl::PopulateScaledSharedQuadState()
#6 0x7f33690b83f2 cc::PictureLayerImpl::AppendQuads()
#7 0x7f33698993d6 cc::LayerTreeHostImpl::CalculateRenderPasses()
#8 0x7f33698a4e8e cc::LayerTreeHostImpl::PrepareToDraw()
#9 0x7f3369a9e174 cc::ProxyImpl::DrawAndSwapInternal()
#10 0x7f3369a9d69d cc::ProxyImpl::ScheduledActionDrawAndSwapIfPossible()
#11 0x7f33695e574b cc::Scheduler::DrawAndSwapIfPossible()

Apr 25 2016
PopulateScaledSharedQuadState does
  gfx::Rect scaled_visible_layer_rect =
      gfx::ScaleToEnclosingRect(visible_layer_rect(), scale);
visible_layer_rect.y() * scale in this case does not fit inside an integer.

Apr 25 2016
This is the transform on the layer: transform: rotatex(-6deg) scale3d(24, 4, 23) rotatex(13deg);

Apr 25 2016
So, the page is really tall, and scaled by 4, which makes its size no longer fit in an integer. What's the right thing to do in this case?

Apr 25 2016
the page is 536,870,912px tall? Correct fix imo is to refuse to render at all.

Apr 25 2016
We already will clip pages that are > an int tall in GraphicsLayer (I think?). In this case the page fits in an int, but there's a scale. Should we do some checking of the scale vs the size when we choose to promote a layer?

Apr 25 2016
Is it easy to just cap the size?

Apr 25 2016
We could divide out the transform scales or something when doing the size capping we do. There will always be corner cases though. Like if we're animating then suddenly we need to check those too. Maybe PictureLayerImpl should deal with this by capping the raster scale: https://code.google.com/p/chromium/codesearch#chromium/src/cc/layers/picture_layer_impl.cc&rcl=1461583037&l=1123
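The checked scaling step and the scale-capping idea discussed in the comments above, as an added C++ example that is not Chromium's code: Rect is a constructed stand-in for gfx::Rect, inputs are assumed to be valid int rects with non-negative scales, and the range test mirrors what base::IsValueInRangeForNumericType<int> enforces.

```cpp
#include <algorithm>
#include <cmath>
#include <cstdint>
#include <cstdlib>
#include <limits>
#include <optional>

// Constructed stand-in for gfx::Rect (not Chromium's type); assumed valid,
// i.e. right() and bottom() do not themselves overflow int.
struct Rect {
  int x, y, width, height;
  int right() const { return x + width; }
  int bottom() const { return y + height; }
};

// The check base::IsValueInRangeForNumericType<int> applies to a double.
bool FitsInInt(double v) {
  return std::isfinite(v) &&
         v >= static_cast<double>(std::numeric_limits<int>::min()) &&
         v <= static_cast<double>(std::numeric_limits<int>::max());
}

// Checked counterpart of gfx::ScaleToEnclosingRect (floor left/top, ceil
// right/bottom): fails instead of CHECK-crashing when a scaled edge or the
// resulting size does not fit in int. Non-negative scales are assumed.
std::optional<Rect> ScaleToEnclosingRectChecked(const Rect& r, double xs, double ys) {
  const double l = std::floor(r.x * xs), t = std::floor(r.y * ys);
  const double rt = std::ceil(r.right() * xs), b = std::ceil(r.bottom() * ys);
  if (!FitsInInt(l) || !FitsInInt(t) || !FitsInInt(rt) || !FitsInInt(b))
    return std::nullopt;
  const int64_t w = static_cast<int64_t>(rt) - static_cast<int64_t>(l);
  const int64_t h = static_cast<int64_t>(b) - static_cast<int64_t>(t);
  if (w > std::numeric_limits<int>::max() || h > std::numeric_limits<int>::max())
    return std::nullopt;
  return Rect{static_cast<int>(l), static_cast<int>(t), static_cast<int>(w), static_cast<int>(h)};
}

// Largest scale <= the requested one whose enclosing rect still fits in int
// (the "cap the raster scale" idea from the thread, applied to one rect).
double CapScale(const Rect& r, double scale) {
  const long long extent = std::max<long long>({std::llabs(r.x), std::llabs(r.y),
      std::llabs(r.right()), std::llabs(r.bottom()), r.width, r.height});
  if (extent == 0 || scale <= 0) return scale;
  // Two pixels of headroom for the floor/ceil expansion of the edges.
  double safe = (static_cast<double>(std::numeric_limits<int>::max()) - 2) / extent;
  if (scale <= safe) return scale;
  // Rounding in the multiply can still land an edge past INT_MAX; step down
  // by ulps until the checked scale succeeds (a handful of steps at most).
  while (!ScaleToEnclosingRectChecked(r, safe, safe)) safe = std::nextafter(safe, 0.0);
  return safe;
}
```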

Oct 1 2016
ClusterFuzz has detected this issue as fixed in range 392686:392692.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4577094461292544
Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  base::IsValueInRangeForNumericType<int>( std::floor(rect.y() * y_scale)) in rect
  gfx::ScaleToEnclosingRect
  gfx::ScaleToEnclosingRect
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=334568:334589
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=392686:392692
Minimized Testcase (0.27 Kb): https://cluster-fuzz.appspot.com/download/AMIfv960e6PBXxyo85BRiyqv3Ux2wckZ1EXGBSKvGJJ5exWBkpQtC1WOAHAx9Rj4VZ1DZe7kVo136iuoxcHPzprqdgAayD7nsCfeNdZz7MIFw5wUtXmPnMEoKyZUccZp8Cv1o5pfD80WFLUw88U6Ish4cFUPDEfEqA?testcase_id=4577094461292544
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Oct 1 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Oct 18 2016

Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by manoranj...@chromium.org, Apr 25 2016
Components: Tools>Test>FindIt>NoResult UI>GFX
Labels: Te-Logged
Owner: danakj@chromium.org
Status: Assigned (was: Available)