Closed Bug 761021 Opened 12 years ago Closed 12 years ago

cross_fuzz crash in mozilla::SVGStringList::GetValue

Component: Core :: SVG
Platform: All / macOS
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Reporter: cpeterson (Unassigned)
Keywords: crash

This bug was filed from the Socorro interface and is report bp-014afbd0-bde8-4687-9168-a03d72120603.
============================================================= 

Also these crash reports:
bp-e0ee69cd-46bd-4b13-a51e-9aba22120603
bp-ba260e94-2602-4b98-9552-874972120603

STR:
1. Load "cross_fuzz" browser stress test:
http://lcamtuf.coredump.cx/cross_fuzz/cross_fuzz_msie_randomized_seed.html

2. Wait 5-10 minutes.

AR:
Crash in mozilla::SVGStringList::GetValue(). I was able to reproduce this same cross_fuzz crash 3 times today.

Frame 	Module 	Signature 	Source
0 	XUL 	mozilla::SVGStringList::GetValue 	nsTArray.h:192
1 	XUL 	nsAttrValue::ToString 	nsAttrValue.cpp:601
2 	XUL 	nsGenericElement::GetAttr 	nsGenericElement.cpp:5427
3 	XUL 	nsDOMAttribute::GetValue 	nsDOMAttribute.cpp:160
4 	XUL 	nsDOMAttribute::SetMap 	nsDOMAttribute.cpp:93
5 	XUL 	RemoveMapRef 	nsDOMAttributeMap.cpp:40
6 	XUL 	PL_DHashTableEnumerate 	pldhash.cpp:715 

Frame 	Module 	Signature 	Source
0 	XUL 	mozilla::SVGStringList::GetValue 	nsTArray.h:192
1 	XUL 	nsAttrValue::ToString 	nsAttrValue.cpp:601
2 	XUL 	nsGenericElement::CopyInnerTo 	nsGenericElement.cpp:5120
3 	XUL 	nsSVGSVGElement::Clone 	nsSVGSVGElement.cpp:193
4 	XUL 	nsNodeUtils::CloneAndAdopt 	nsNodeUtils.cpp:438
5 	XUL 	nsNodeUtils::CloneAndAdopt 	nsNodeUtils.cpp:559
6 	XUL 	nsNodeUtils::CloneAndAdopt 	nsNodeUtils.cpp:559
7 	XUL 	nsDocument::ImportNode 	nsNodeUtils.h:272
8 	XUL 	nsIDOMDocument_ImportNode 	dom_quickstubs.cpp:3391
9 	XUL 	js::InvokeKernel 	jscntxtinlines.h:395
10 	XUL 	js::Invoke 	jsinterp.h:125
Depends on: 761507
I imagine the patch in bug 761507 will fix this.
Is this fixed now?
I think this crash has been fixed. I've been running the cross_fuzz test for 30 minutes without crashing.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED