Issue 884644

Issue metadata

Status: Verified
Owner:
Closed: Jan 8
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




CHECK failure: !std::isnan(static_cast<double>(value)) in math_extras.h

Project Member Reported by ClusterFuzz, Sep 17

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5035371711430656

Fuzzer: inferno_twister_c
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !std::isnan(static_cast<double>(value)) in math_extras.h
  float clampTo<float, double>
  blink::AffineTransform::MapPoint
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5035371711430656

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: tkent@chromium.org fmalita@chromium.org pnangunoori@chromium.org
Labels: M-71 Test-Predator-Wrong
Owner: brat...@opera.com
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.

Using Code Search for the file "math_extras.h", suspecting the below CL might have caused this issue.

Suspect CL: https://chromium.googlesource.com/chromium/src/+/19105bf325d14227fcdf7dcaca1e9aadaceca933

Since the author is not a Chromium member, assigning it to the reviewer.

bratell@ -- Could you please check whether this is caused with respect to your change? If not, please help us in assigning it to the right owner.

Also, CC'ing tkent@ for the recent changes made to the file - math_extras.h

Thanks!
Cc: brat...@opera.com
Components: Blink>SVG
Owner: f...@opera.com
Is it possible to teach the bot to ignore this assert and instead blame the caller? That would be helpful because the asserts just check that the input arguments are correct.

This seems to be a NaN that appears through a transformed svg so I'll forward it to someone working on svg.
    #4 0x7fcd1dce2802 in float clampTo<float, double>(double, float, float) third_party/blink/renderer/platform/wtf/math_extras.h:322:3
    #5 0x7fcd1f0cfc10 in blink::AffineTransform::MapPoint(blink::FloatPoint const&) const third_party/blink/renderer/platform/transforms/affine_transform.cc:267:41
    #6 0x7fcd1f0d1145 in blink::AffineTransform::MapRect(blink::FloatRect const&) const third_party/blink/renderer/platform/transforms/affine_transform.cc:301:16
    #7 0x7fcd2dd9b631 in blink::LayoutSVGRoot::LocalVisualRectIgnoringVisibility() const third_party/blink/renderer/core/layout/svg/layout_svg_root.cc:450:38
    #8 0x7fcd2d58744b in blink::LayoutObject::LocalVisualRect() const third_party/blink/renderer/core/layout/layout_object.h:1510:12
    #9 0x7fcd2e6bcde5 in blink::PaintInvalidator::ComputeVisualRect(blink::LayoutObject const&, blink::PaintInvalidatorContext const&) third_party/blink/renderer/core/paint/paint_invalidator.cc:175:34
    #10 0x7fcd2e6b8e24 in blink::PaintInvalidator::UpdateVisualRect(blink::LayoutObject const&, blink::FragmentData&, blink::PaintInvalidatorContext&) third_party/blink/renderer/core/paint/paint_invalidator.cc:328:32
    #11 0x7fcd2e6b2bde in blink::PaintInvalidator::InvalidatePaint(blink::LayoutObject const&, blink::PaintPropertyTreeBuilderContext const*, blink::PaintInvalidatorContext&) third_party/blink/renderer/core/paint/paint_invalidator.cc:501:7
    #12 0x7fcd2e84b379 in blink::PrePaintTreeWalk::WalkInternal(blink::LayoutObject const&, blink::PrePaintTreeWalk::PrePaintTreeWalkContext&) third_party/blink/renderer/core/paint/pre_paint_tree_walk.cc:339:22
    #13 0x7fcd2e8485fb in blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) third_party/blink/renderer/core/paint/pre_paint_tree_walk.cc:420:3
    #14 0x7fcd2e8486e8 in blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) third_party/blink/renderer/core/paint/pre_paint_tree_walk.cc:428:5
    #15 0x7fcd2e8486e8 in blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) third_party/blink/renderer/core/paint/pre_paint_tree_walk.cc:428:5
    #16 0x7fcd2e8486e8 in blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) third_party/blink/renderer/core/paint/pre_paint_tree_walk.cc:428:5
    #17 0x7fcd2e8477d4 in blink::PrePaintTreeWalk::Walk(blink::LocalFrameView&) third_party/blink/renderer/core/paint/pre_paint_tree_walk.cc:126:5
    #18 0x7fcd2e846a97 in blink::PrePaintTreeWalk::WalkTree(blink::LocalFrameView&) third_party/blink/renderer/core/paint/pre_paint_tree_walk.cc:54:3
    #19 0x7fcd2b990962 in blink::LocalFrameView::RunPrePaintLifecyclePhase(blink::DocumentLifecycle::LifecycleState) third_party/blink/renderer/core/frame/local_frame_view.cc:2573:24
    #20 0x7fcd2b98df9a in blink::LocalFrameView::UpdateLifecyclePhasesInternal(blink::DocumentLifecycle::LifecycleState) third_party/blink/renderer/core/frame/local_frame_view.cc:2445:33
    #21 0x7fcd2b98a2a3 in blink::LocalFrameView::UpdateLifecyclePhases(blink::DocumentLifecycle::LifecycleState) third_party/blink/renderer/core/frame/local_frame_view.cc:2398:3
    #22 0x7fcd2b989609 in blink::LocalFrameView::UpdateAllLifecyclePhases() third_party/blink/renderer/core/frame/local_frame_view.cc:2199:39
    #23 0x7fcd2e2c48fc in blink::PageAnimator::UpdateAllLifecyclePhases(blink::LocalFrame&) third_party/blink/renderer/core/page/page_animator.cc:110:9
    #24 0x7fcd2e2de62e in blink::PageWidgetDelegate::UpdateLifecycle(blink::Page&, blink::LocalFrame&, blink::WebWidget::LifecycleUpdate) third_party/blink/renderer/core/page/page_widget_delegate.cc:70:21
    #25 0x7fcd2b4864f6 in blink::WebViewImpl::UpdateLifecycle(blink::WebWidget::LifecycleUpdate) third_party/blink/renderer/core/exported/web_view_impl.cc:1574:3
    #26 0x7fcd2bca54e4 in blink::WebViewFrameWidget::UpdateLifecycle(blink::WebWidget::LifecycleUpdate) third_party/blink/renderer/core/frame/web_view_frame_widget.cc:66:21
    #27 0x7fcd871f9b3e in content::RenderWidget::UpdateVisualState() content/renderer/render_widget.cc:1108:19
    #28 0x7fcd86153c51 in content::LayerTreeView::UpdateLayerTreeHost() content/renderer/gpu/layer_tree_view.cc:595:14
    #29 0x7fcd71fd3081 in cc::LayerTreeHost::RequestMainFrameUpdate() cc/trees/layer_tree_host.cc:281:12
    #30 0x7fcd72426070 in cc::ProxyMain::BeginMainFrame(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >) cc/trees/proxy_main.cc:222:21
Project Member

Comment 4 by ClusterFuzz, Jan 8

ClusterFuzz has detected this issue as fixed in range 620568:620571.

Detailed report: https://clusterfuzz.com/testcase?key=5035371711430656

Fuzzer: inferno_twister_c
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !std::isnan(static_cast<double>(value)) in math_extras.h
  float clampTo<float, double>
  blink::AffineTransform::MapPoint
  
Sanitizer: address (ASAN)

Fixed: https://clusterfuzz.com/revisions?job=linux_debug_chrome&range=620568:620571

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5035371711430656

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 5 by ClusterFuzz, Jan 8

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5035371711430656 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
