Issue 918430 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Jan 10
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug


Float-cast-overflow in blink::CSSOffsetRotateInterpolationType::ApplyStandardPropertyValue

Project Member Reported by ClusterFuzz, Jan 1

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4900011464458240

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address: 
Crash State:
  blink::CSSOffsetRotateInterpolationType::ApplyStandardPropertyValue
  blink::CSSInterpolationType::Apply
  blink::TransitionInterpolation::Apply
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=551565:563900

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4900011464458240

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
 
Project Member

Comment 1 by ClusterFuzz, Jan 1

Components: Blink>Animation
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Jan 1

Cc: iclell...@chromium.org futhark@chromium.org
Labels: Test-Predator-Auto-CC
Automatically adding ccs based on suspected regression changelists:

Disable non-composited animations via feature policy by iclelland@chromium.org - https://chromium.googlesource.com/chromium/src/+/9831ecc703d4316100735d9ed9a86702d3a34652

[Squad] style_ in StyleResolverState is always mutable. by futhark@chromium.org - https://chromium.googlesource.com/chromium/src/+/f1b06666866a207acc3a263a83f787267b56ad05

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.
Cc: kkaluri@chromium.org
iclelland@/futhark@ : Could you please look into it.
Cc: xidac...@chromium.org
Xida, is this the same underlying issue as the previous float cast problems?
Owner: xidac...@chromium.org
Status: Assigned (was: Untriaged)
I will investigate
Thanks :)

It looks like an actual issue: a very large (> float range) value is used as a rotation offset, which is out of bounds for the float in StyleOffsetRotation. Probably need to clamp, or promote StyleOffsetRotation.angle to double.
I think clamp is probably the right thing to do; we have an existing implementation that does this:
https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/animation/css_font_variation_settings_interpolation_type.cc?l=218
Labels: Stability-Crash
Project Member

Comment 9 by bugdroid1@chromium.org, Jan 10

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/59380c61f271cd6d64378a44bc19f1ca60e173a4

commit 59380c61f271cd6d64378a44bc19f1ca60e173a4
Author: Xida Chen <xidachen@chromium.org>
Date: Thu Jan 10 18:15:57 2019

Fix float-cast-overflow in CSSOffsetRotateInterpolationType

Right now in the
CSSOffsetRotateInterpolationType::ApplyStandardPropertyValue, there is
an implicit cast from double to float, and that could overflow. This
CL applies clampTo, which is consistent with the existing implementation:
https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/animation/css_font_variation_settings_interpolation_type.cc?l=218

This CL also adds a layout test to make sure that it doesn't regress.

Bug: 918430
Change-Id: I4a603e5b5992b5132fb37a3982d69a2db4e710b3
Reviewed-on: https://chromium-review.googlesource.com/c/1394788
Reviewed-by: Stephen McGruer <smcgruer@chromium.org>
Commit-Queue: Xida Chen <xidachen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#621641}
[modify] https://crrev.com/59380c61f271cd6d64378a44bc19f1ca60e173a4/third_party/blink/renderer/core/animation/css_offset_rotate_interpolation_type.cc
[modify] https://crrev.com/59380c61f271cd6d64378a44bc19f1ca60e173a4/third_party/blink/web_tests/animations/interpolation/offset-rotate-interpolation.html
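The defect discussed in the triage comment above and in this commit message is a double-valued interpolated angle being narrowed into a float field without a range check, which UBSan reports as float-cast-overflow. The following is an added C++ example, not Blink's code: `OffsetRotation`, `ClampToFloat`, `WouldOverflowFloat` and `ApplyClamped` are all hypothetical names, and `ClampToFloat` only imitates the clamp-into-float-range idiom that the linked clampTo call uses. The sample input value is constructed.

```cpp
#include <cfloat>
#include <cmath>
#include <cstdio>
#include <limits>

// Stand-in for a style struct whose angle is stored as float (hypothetical type).
struct OffsetRotation {
  float angle;
};

// Hypothetical clamp modeled on the clampTo idiom: any double outside the
// finite float range (including +/-infinity) is pinned to +/-FLT_MAX, so the
// subsequent narrowing conversion is always defined. NaN is passed through,
// since converting NaN to float is representable and not an overflow.
inline float ClampToFloat(double value) {
  const double kMax = static_cast<double>(FLT_MAX);
  if (value > kMax) return FLT_MAX;
  if (value < -kMax) return -FLT_MAX;
  return static_cast<float>(value);
}

// Detection helper: true when static_cast<float>(value) would fall outside the
// float range, i.e. the condition UBSan's float-cast-overflow check flags.
// Infinities and NaN are not overflows (they have float representations).
inline bool WouldOverflowFloat(double value) {
  return std::isfinite(value) &&
         std::fabs(value) > static_cast<double>(FLT_MAX);
}

// 'After' pattern: clamp before narrowing, so no input can trigger the UB.
OffsetRotation ApplyClamped(double interpolated_degrees) {
  return OffsetRotation{ClampToFloat(interpolated_degrees)};
}

int main() {
  // Constructed sample: an interpolated rotation far beyond float range, of the
  // kind the fuzzer produced. The 'before' pattern would be a bare
  // static_cast<float>(huge), which is deliberately not executed here.
  const double huge = 1e40;
  std::printf("would overflow: %d, clamped angle: %g\n",
              WouldOverflowFloat(huge) ? 1 : 0,
              static_cast<double>(ApplyClamped(huge).angle));
  return 0;
}
```

`WouldOverflowFloat` is what a unit or layout test can assert on before and after the fix: an input for which it returns true must still yield a finite, in-range angle from `ApplyClamped`.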

Status: Fixed (was: Assigned)
Project Member

Comment 11 by ClusterFuzz, Jan 11

ClusterFuzz has detected this issue as fixed in range 621636:621642.

Detailed report: https://clusterfuzz.com/testcase?key=4900011464458240

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address: 
Crash State:
  blink::CSSOffsetRotateInterpolationType::ApplyStandardPropertyValue
  blink::CSSInterpolationType::Apply
  blink::TransitionInterpolation::Apply
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=551565:563900
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=621636:621642

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4900011464458240

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 12 by ClusterFuzz, Jan 11

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 4900011464458240 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
