Closed
Bug 1330513
Opened 7 years ago
Closed 7 years ago
Null-deref in [@ GetUnit] with Animation options composite: add and fill: forwards
Categories
(Core :: DOM: Animation, defect, P1)
Core
DOM: Animation
Tracking
()
RESOLVED
FIXED
mozilla53
| Tracking | Status | |
|---|---|---|
| firefox51 | --- | unaffected |
| firefox52 | --- | unaffected |
| firefox53 | --- | fixed |
People
(Reporter: truber, Assigned: hiro)
References
(Blocks 1 open bug)
Details
(Keywords: crash, csectype-nullptr, testcase)
Attachments
(3 files)
The attached testcase causes a nullptr dereference in mozilla-central rev 63ad56438630.
==12848==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9f9b3c2495 bp 0x7ffe5b212630 sp 0x7ffe5b212540 T0)
#0 0x7f9f9b3c2494 in GetUnit /home/worker/workspace/build/src/layout/style/nsCSSValue.h:629:38
#1 0x7f9f9b3c2494 in mozilla::StyleAnimationValue::Add(nsCSSPropertyID, mozilla::StyleAnimationValue const&, mozilla::StyleAnimationValue&&) /home/worker/workspace/build/src/layout/style/StyleAnimationValue.cpp:787
#2 0x7f9f973837c0 in mozilla::dom::KeyframeEffectReadOnly::CompositeValue(nsCSSPropertyID, mozilla::StyleAnimationValue const&, mozilla::StyleAnimationValue const&, mozilla::dom::CompositeOperation) /home/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:333:14
#3 0x7f9f97383e51 in mozilla::dom::KeyframeEffectReadOnly::CompositeValue(nsCSSPropertyID, RefPtr<mozilla::AnimValuesStyleRule> const&, mozilla::StyleAnimationValue const&, mozilla::dom::CompositeOperation) /home/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:395:10
#4 0x7f9f9735a050 in mozilla::dom::KeyframeEffectReadOnly::ComposeStyle(RefPtr<mozilla::AnimValuesStyleRule>&, nsCSSPropertyIDSet const&) /home/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:524:7
|
Reporter | |
Comment 1•7 years ago
|
||
|
Assignee | |
Comment 2•7 years ago
|
||
Hmm, the StyleAnimationValue for the filter has a valid unit, eUnit_Filter, but mCSSValueList is nullptr.
Flags: needinfo?(hikezoe)
See Also: → 1330190
|
|
Assignee | |
Comment 3•7 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=b797d8606cba6c0cd70cc22d824d78b7abe41a97
|
|
Assignee | |
Updated•7 years ago
|
Assignee: nobody → hikezoe
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•7 years ago
|
Priority: -- → P1
| Comment hidden (mozreview-request) |
|
||
Comment 5•7 years ago
|
||
| mozreview-review | ||
Comment on attachment 8826058 [details] Bug 1330513- Check that mCSSValueList is null in case of filter and shadow in StyleAnimationValue::Add(). https://reviewboard.mozilla.org/r/104102/#review104840 ::: dom/animation/test/crashtests/1330513-1.html:5 (Diff revision 1) > +<!DOCTYPE html> > +<html> > +<body id=a></body> > +<script> > +a.animate([{"filter": "grayscale(28%)"}], {fill:"forwards", composite:"add"}); Don't we need to call document.getElementById('a') first to get the body element? ::: dom/animation/test/crashtests/crashtests.list:19 (Diff revision 1) > pref(dom.animations-api.core.enabled,true) load 1304886-1.html > pref(dom.animations-api.core.enabled,true) load 1322382-1.html > skip-if(stylo) pref(dom.animations-api.core.enabled,true) load 1322291-1.html # bug 1323733 > asserts-if(stylo,0-5) pref(dom.animations-api.core.enabled,true) load 1323114-1.html # bug 1324690 > asserts-if(stylo,0-5) pref(dom.animations-api.core.enabled,true) load 1323114-2.html # bug 1324690 > +skip-if(stylo) pref(dom.animations-api.core.enabled,true) load 1330513-1.html # bug 1311257 r/1311257/1330513
Attachment #8826058 -
Flags: review?(boris.chiou) → review+
|
|
Assignee | |
Comment 6•7 years ago
|
||
(In reply to Boris Chiou [:boris] from comment #5) > Comment on attachment 8826058 [details] > Bug 1330513- Check that mCSSValueList is null in case of filter and shadow > in StyleAnimationValue::Add(). > > https://reviewboard.mozilla.org/r/104102/#review104840 > > ::: dom/animation/test/crashtests/1330513-1.html:5 > (Diff revision 1) > > +<!DOCTYPE html> > > +<html> > > +<body id=a></body> > > +<script> > > +a.animate([{"filter": "grayscale(28%)"}], {fill:"forwards", composite:"add"}); > > Don't we need to call document.getElementById('a') first to get the body > element? It's named access on the window object. https://html.spec.whatwg.org/#named-access-on-the-window-object But I will replace it with getElementById(). > ::: dom/animation/test/crashtests/crashtests.list:19 > (Diff revision 1) > > pref(dom.animations-api.core.enabled,true) load 1304886-1.html > > pref(dom.animations-api.core.enabled,true) load 1322382-1.html > > skip-if(stylo) pref(dom.animations-api.core.enabled,true) load 1322291-1.html # bug 1323733 > > asserts-if(stylo,0-5) pref(dom.animations-api.core.enabled,true) load 1323114-1.html # bug 1324690 > > asserts-if(stylo,0-5) pref(dom.animations-api.core.enabled,true) load 1323114-2.html # bug 1324690 > > +skip-if(stylo) pref(dom.animations-api.core.enabled,true) load 1330513-1.html # bug 1311257 > > r/1311257/1330513 The comment is for skip-if(stylo), that means we will drop the skip-if once bug 1311257 is fixed. Thanks for the quick review!
| Comment hidden (mozreview-request) |
| Comment hidden (mozreview-request) |
Pushed by hiikezoe@mozilla-japan.org: https://hg.mozilla.org/integration/autoland/rev/0a4f47afa494 Check that mCSSValueList is null in case of filter and shadow in StyleAnimationValue::Add(). r=boris
|
||
Comment 10•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/0a4f47afa494
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox53:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
|
||
Updated•7 years ago
|
status-firefox51:
--- → unaffected
status-firefox52:
--- → unaffected
You need to log in
before you can comment on or make changes to this bug.
Description
•