attempt to multiply with overflow in webrender::texture_allocator.rs:55 #18655

mateon1 · 2017-09-27T16:10:31Z

Found with domato.

<style>
*{position:fixed}
dl{text-shadow:0 1px 1px; text-indent:1}
</style>
<dl>
<dialog open>S

attempt to multiply with overflow (thread RenderBackend, at /shared/dev/rust/servo/.cargo/git/checkouts/webrender-c3596abe1cf4f320/eb8e67b/webrender/src/texture_allocator.rs:55)
stack backtrace:
   0:     0x55cf2cf41374 - backtrace::backtrace::libunwind::trace
                        at /shared/dev/rust/servo/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.2/src/backtrace/libunwind.rs:53
                         - backtrace::backtrace::trace<closure>
                        at /shared/dev/rust/servo/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.2/src/backtrace/mod.rs:42
   1:     0x55cf2cf344df - backtrace::capture::{{impl}}::new
                        at /shared/dev/rust/servo/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.2/src/capture.rs:64
   2:     0x55cf2717652e - servo::main::{{closure}}
                        at /shared/dev/rust/servo/ports/servo/main.rs:130
   3:     0x55cf2df02d96 - std::panicking::rust_panic_with_hook
                        at /checkout/src/libstd/panicking.rs:578
   4:     0x55cf2df02c24 - std::panicking::begin_panic<alloc::string::String>
                        at /checkout/src/libstd/panicking.rs:538
   5:     0x55cf2df02b29 - std::panicking::begin_panic_fmt
                        at /checkout/src/libstd/panicking.rs:522
   6:     0x55cf2df02aba - std::panicking::rust_begin_panic
                        at /checkout/src/libstd/panicking.rs:498
   7:     0x55cf2df3d110 - core::panicking::panic_fmt
                        at /checkout/src/libcore/panicking.rs:71
   8:     0x55cf2df3d046 - core::panicking::panic
                        at /checkout/src/libcore/panicking.rs:51
   9:     0x55cf2b5f7e13 - webrender::texture_allocator::{{impl}}::find_index_of_best_rect_in_bin
                        at /shared/dev/rust/servo/.cargo/git/checkouts/webrender-c3596abe1cf4f320/eb8e67b/webrender/src/texture_allocator.rs:55
  10:     0x55cf2b5f7f81 - webrender::texture_allocator::{{impl}}::find_index_of_best_rect
                        at /shared/dev/rust/servo/.cargo/git/checkouts/webrender-c3596abe1cf4f320/eb8e67b/webrender/src/texture_allocator.rs:73
  11:     0x55cf2b5f8091 - webrender::texture_allocator::{{impl}}::allocate
                        at /shared/dev/rust/servo/.cargo/git/checkouts/webrender-c3596abe1cf4f320/eb8e67b/webrender/src/texture_allocator.rs:86
  12:     0x55cf2b4d63ff - webrender::tiling::{{impl}}::allocate
                        at /shared/dev/rust/servo/.cargo/git/checkouts/webrender-c3596abe1cf4f320/eb8e67b/webrender/src/tiling.rs:912
  13:     0x55cf2b4d7355 - webrender::tiling::{{impl}}::allocate
                        at /shared/dev/rust/servo/.cargo/git/checkouts/webrender-c3596abe1cf4f320/eb8e67b/webrender/src/tiling.rs:1056
  14:     0x55cf2b4d7009 - webrender::tiling::{{impl}}::allocate<webrender::tiling::ColorRenderTarget>
                        at /shared/dev/rust/servo/.cargo/git/checkouts/webrender-c3596abe1cf4f320/eb8e67b/webrender/src/tiling.rs:1016
  15:     0x55cf2b4d907c - webrender::tiling::{{impl}}::build
                        at /shared/dev/rust/servo/.cargo/git/checkouts/webrender-c3596abe1cf4f320/eb8e67b/webrender/src/tiling.rs:1398
  16:     0x55cf2b5c4822 - webrender::frame_builder::{{impl}}::build
                        at /shared/dev/rust/servo/.cargo/git/checkouts/webrender-c3596abe1cf4f320/eb8e67b/webrender/src/frame_builder.rs:1841
  17:     0x55cf2b4c3ae5 - webrender::frame::{{impl}}::build_frame::{{closure}}
                        at /shared/dev/rust/servo/.cargo/git/checkouts/webrender-c3596abe1cf4f320/eb8e67b/webrender/src/frame.rs:1239
  18:     0x55cf2b3daa45 - core::option::{{impl}}::map<&mut webrender::frame_builder::FrameBuilder,webrender::tiling::Frame,closure>
                        at /checkout/src/libcore/option.rs:398
  19:     0x55cf2b4c37ec - webrender::frame::{{impl}}::build_frame
                        at /shared/dev/rust/servo/.cargo/git/checkouts/webrender-c3596abe1cf4f320/eb8e67b/webrender/src/frame.rs:1238
  20:     0x55cf2b4c35d8 - webrender::frame::{{impl}}::build
                        at /shared/dev/rust/servo/.cargo/git/checkouts/webrender-c3596abe1cf4f320/eb8e67b/webrender/src/frame.rs:1215
  21:     0x55cf2b75181a - webrender::render_backend::{{impl}}::render
                        at /shared/dev/rust/servo/.cargo/git/checkouts/webrender-c3596abe1cf4f320/eb8e67b/webrender/src/render_backend.rs:106
  22:     0x55cf2b7531f1 - webrender::render_backend::{{impl}}::process_document
                        at /shared/dev/rust/servo/.cargo/git/checkouts/webrender-c3596abe1cf4f320/eb8e67b/webrender/src/render_backend.rs:394
  23:     0x55cf2b753d27 - webrender::render_backend::{{impl}}::run
                        at /shared/dev/rust/servo/.cargo/git/checkouts/webrender-c3596abe1cf4f320/eb8e67b/webrender/src/render_backend.rs:462
  24:     0x55cf2b6043e0 - webrender::renderer::{{impl}}::new::{{closure}}
                        at /shared/dev/rust/servo/.cargo/git/checkouts/webrender-c3596abe1cf4f320/eb8e67b/webrender/src/renderer.rs:1713
  25:     0x55cf2b5406ea - std::sys_common::backtrace::__rust_begin_short_backtrace<closure,()>
                        at /checkout/src/libstd/sys_common/backtrace.rs:136
  26:     0x55cf2b3ec913 - std::thread::{{impl}}::spawn::{{closure}}::{{closure}}<closure,()>
                        at /checkout/src/libstd/thread/mod.rs:394
  27:     0x55cf2b3aff3a - std::panic::{{impl}}::call_once<(),closure>
                        at /checkout/src/libstd/panic.rs:296
  28:     0x55cf2b3edfd2 - std::panicking::try::do_call<std::panic::AssertUnwindSafe<closure>,()>
                        at /checkout/src/libstd/panicking.rs:480
  29:     0x55cf2df09f2c - panic_unwind::__rust_maybe_catch_panic
                        at /checkout/src/libpanic_unwind/lib.rs:99
  30:     0x55cf2b3ed4ac - std::panicking::try<(),std::panic::AssertUnwindSafe<closure>>
                        at /checkout/src/libstd/panicking.rs:459
  31:     0x55cf2b3ec615 - std::panic::catch_unwind<std::panic::AssertUnwindSafe<closure>,()>
                        at /checkout/src/libstd/panic.rs:361
  32:     0x55cf2b5433eb - std::thread::{{impl}}::spawn::{{closure}}<closure,()>
                        at /checkout/src/libstd/thread/mod.rs:393
  33:     0x55cf2b574573 - alloc::boxed::{{impl}}::call_box<(),closure>
                        at /checkout/src/liballoc/boxed.rs:728
  34:     0x55cf2df01a1b - alloc::boxed::{{impl}}::call_once<(),()>
                        at /checkout/src/liballoc/boxed.rs:738
                         - std::sys_common::thread::start_thread
                        at /checkout/src/libstd/sys_common/thread.rs:24
                         - std::sys::imp::thread::{{impl}}::new::thread_start
                        at /checkout/src/libstd/sys/unix/thread.rs:90
  35:     0x7fba4e20d493 - start_thread
  36:     0x7fba4dd3aabe - __clone
  37:                0x0 - <unknown>
ERROR:servo: attempt to multiply with overflow

jdm · 2017-09-27T16:31:33Z

cc @glennw


        Cull primitives with invalid dimensions, to avoid overflow later.

Primitives with invalid dimensions can cause overflow and general badness in the texture and render task allocators. Detect them and ensure they are not considered visible. Fixes servo/servo#18655


        Auto merge of #1768 - glennw:fix-overflow, r=nical

Cull primitives with invalid dimensions, to avoid overflow later. Primitives with invalid dimensions can cause overflow and general badness in the texture and render task allocators. Detect them and ensure they are not considered visible. Fixes servo/servo#18655  --- This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/webrender/1768)

jdm added A-webrender C-has-manual-testcase I-panic labels Sep 27, 2017

glennw mentioned this issue Sep 28, 2017

Cull primitives with invalid dimensions, to avoid overflow later. servo/webrender#1768

Merged

bors-servo closed this in servo/webrender#1768 Sep 29, 2017

mateon1 mentioned this issue Oct 2, 2017

attempt to multiply with overflow in texture_allocator on filter:blur with large radius #18711

Closed

asajeffrey mentioned this issue Aug 9, 2019

Added gstreamer support to the magicleap port #23929

Merged

3 of 3 tasks complete

servo / servo

attempt to multiply with overflow in webrender::texture_allocator.rs:55 #18655

attempt to multiply with overflow in webrender::texture_allocator.rs:55 #18655

mateon1 commented Sep 27, 2017

jdm commented Sep 27, 2017

servo / servo

Join GitHub today

attempt to multiply with overflow in webrender::texture_allocator.rs:55 #18655

attempt to multiply with overflow in webrender::texture_allocator.rs:55 #18655

Comments

mateon1 commented Sep 27, 2017

jdm commented Sep 27, 2017