GUI: reducing the volume of a channel manually to zero produces a zero division

[neuromancer]

Tested on the latest git branch (ae3bc057d5cd8058e62eb3994a4a8ac38fdc927e)

Backtrace:

graphics/VectorRendererSpec.cpp:3234:43: runtime error: division by zero

Thread 1 "scummvm" received signal SIGFPE, Arithmetic exception.
0x00005555677be626 in Graphics::VectorRendererSpec<unsigned int>::drawBorderRoundedSquareAlg (this=0x50e0000122c0, x1=1314, y1=630, r=-2, w=3, h=54, 
    color=4281888891, fill_m=Graphics::VectorRenderer::kFillGradient, alpha_t=255 '\377', alpha_r=255 '\377', alpha_b=255 '\377', alpha_l=255 '\377')
    at graphics/VectorRendererSpec.cpp:3234
3234			int alphaStep_tr = ((alpha_t - alpha_r) / (y + 1));
(gdb) bt
#0  0x00005555677be626 in Graphics::VectorRendererSpec<unsigned int>::drawBorderRoundedSquareAlg (this=0x50e0000122c0, x1=1314, y1=630, r=-2, w=3, h=54, 
    color=4281888891, fill_m=Graphics::VectorRenderer::kFillGradient, alpha_t=255 '\377', alpha_r=255 '\377', alpha_b=255 '\377', alpha_l=255 '\377')
    at graphics/VectorRendererSpec.cpp:3234
#1  0x00005555677bc4c0 in Graphics::VectorRendererSpec<unsigned int>::drawRoundedSquareAlg (this=0x50e0000122c0, x1=1314, y1=630, r=1, w=3, h=54, 
    color=4281888891, fill_m=Graphics::VectorRenderer::kFillGradient) at graphics/VectorRendererSpec.cpp:3519
#2  0x0000555567668e60 in Graphics::VectorRendererSpec<unsigned int>::drawRoundedSquare (this=0x50e0000122c0, x=1314, y=630, r=1, w=3, h=54)
    at graphics/VectorRendererSpec.cpp:1269
#3  0x0000555566083337 in Graphics::VectorRenderer::drawCallback_ROUNDSQ (this=0x50e0000122c0, area=..., step=...) at ./graphics/VectorRenderer.h:449
#4  0x00005555675a56b9 in Graphics::VectorRenderer::drawStep (this=0x50e0000122c0, area=..., clip=..., step=..., extra=0) at graphics/VectorRenderer.cpp:59
#5  0x0000555565fcc825 in GUI::ThemeEngine::drawDD (this=0x51e00006c080, type=GUI::kDDSliderHover, r=..., dynamic=0, forceRestore=false)
    at gui/ThemeEngine.cpp:953
#6  0x0000555565fd14af in GUI::ThemeEngine::drawSlider (this=0x51e00006c080, r=..., width=3, state=GUI::ThemeEngine::kStateHighlight, rtl=false)
    at gui/ThemeEngine.cpp:1152
#7  0x00005555660e0fc8 in GUI::SliderWidget::drawWidget (this=0x51200000a540) at gui/widget.cpp:930
#8  0x00005555660aacb8 in GUI::Widget::draw (this=0x51200000a540) at gui/widget.cpp:138
#9  0x00005555660ac2dd in GUI::Widget::draw (this=0x51300000de80) at gui/widget.cpp:158
#10 0x0000555566233dfa in GUI::TabWidget::draw (this=0x51300000de80) at gui/widgets/tab.cpp:417
#11 0x0000555565d0b6d5 in GUI::Dialog::drawWidgets (this=0x7fffeef5a820) at gui/dialog.cpp:192
#12 0x0000555565d2cf11 in GUI::GuiManager::redrawInternal (this=0x51d0000d2080) at gui/gui-manager.cpp:471
#13 0x0000555565d2d688 in GUI::GuiManager::redraw (this=0x51d0000d2080) at gui/gui-manager.cpp:488
#14 0x0000555565d35864 in GUI::GuiManager::runLoop (this=0x51d0000d2080) at gui/gui-manager.cpp:661
#15 0x0000555565d0666e in GUI::Dialog::runModal (this=0x7fffeef5a820) at gui/dialog.cpp:78
#16 0x0000555565d6166c in GUI::LauncherDialog::editGame (this=0x52b00007e200, item=74) at gui/launcher.cpp:485
#17 0x0000555565d69a10 in GUI::LauncherDialog::handleCommand (this=0x52b00007e200, sender=0x516000972218, cmd=1162105927, data=0) at gui/launcher.cpp:780
#18 0x0000555565d8af7c in GUI::LauncherSimple::handleCommand (this=0x52b00007e200, sender=0x516000972218, cmd=1162105927, data=0) at gui/launcher.cpp:1358
#19 0x0000555565cdcb7f in GUI::CommandSender::sendCommand (this=0x516000972218, cmd=1162105927, data=0) at ./gui/object.h:54
#20 0x00005555660b8b3f in GUI::ButtonWidget::handleMouseUp (this=0x516000972080, x=206, y=54, button=1, clickCount=1) at gui/widget.cpp:416
#21 0x0000555565d0db31 in GUI::Dialog::handleMouseUp (this=0x52b00007e200, x=3653, y=705, button=1, clickCount=1) at gui/dialog.cpp:233
#22 0x0000555565d42fd8 in GUI::GuiManager::processEvent (this=0x51d0000d2080, event=..., activeDialog=0x52b00007e200) at gui/gui-manager.cpp:896
#23 0x0000555565d3065e in GUI::GuiManager::runLoop (this=0x51d0000d2080) at gui/gui-manager.cpp:594
#24 0x0000555565d5b5b8 in GUI::LauncherDialog::run (this=0x52b00007e200) at gui/launcher.cpp:345
#25 0x0000555565d7839b in GUI::LauncherChooser::runModal (this=0x7fffeec62330) at gui/launcher.cpp:1064
#26 0x0000555562d0338f in launcherDialog () at base/main.cpp:118
#27 0x0000555562d172c6 in scummvm_main (argc=4, argv=0x7fffffffe708) at base/main.cpp:733
--Type <RET> for more, q to quit, c to continue without paging--
#28 0x0000555562cfa0f3 in main (argc=4, argv=0x7fffffffe708) at backends/platform/sdl/posix/posix-main.cpp:44

[antoniou79]

I am unable to reproduce this on mine, with a MSYS2/MINGW64 Windows 10 build from current master HEAD (2.10.0git).

I've tested with volume sliders on the launcher from Global Options, Game specific options and the in-game ScummVM GMM menu for volume. I also tested with a few other GUI sliders since this issue might not be specific to only volume sliders.

For setting the value to 0, I've tested with:

1. clicking on the edge of the slider (tricky but 0 can be achieved with a bit of patience)
2. clicking within the widget, holding and dragging the slider to its edge (easier way to get 0)
3. using mouse scroll wheel to go to 0.

All the above worked without crash.

Looking at the code, y seems to be initialized (within the BE_RESET()) to the value of the "r" method argument, so if r was -1 then that would result to (y + 1) being zero and hence the division by zero issue.

​https://github.com/scummvm/scummvm/blob/4440b3ca24ab35ca3f86b3ce44a2baf643acb6a7/graphics/VectorRendererSpec.cpp#L3234

But I can't tell off hand what would cause r to be -1 or which use case that would be.

Edit: r gets reduced by 1 (r--) during the iteration of the outer loop, so I think the error is more likely to happen after a few iterations, not necessarily in the initial one.

[athrxx]

I find it pretty easy to reproduce the issue. All I have to do is drag the volume slider over the left border. But it also depends a bit on the y pos. Sliding to the left may not always trigger it. But if I keep the mouse button pressed, move a bit up or down and then to the left again, I sure get it to crash.

I mentioned the issue on discord a month ago, but it got overlooked I guess...

[sev-]

I could not reproduce it either. Could you please provide your window size, theme, and the renderer you use? It could happen only if radius equals -1.

[sev-]

In d4559955:

GUI: Prevent potential negative radius for border.

Fixes bug #15587

[sev-]

I added a sanity check without reproducing the bug.

[athrxx]

I can still trigger the zero division, even with the fix.
I'll try to examine this a bit more, later...