Closed Bug 1403225 Opened 7 years ago Closed 7 years ago

SEGV /builds/worker/workspace/build/src/dom/smil/nsSMILCSSValueType.cpp:365:30 in AddOrAccumulate(nsSMILValue&, nsSMILValue const&, mozilla::dom::CompositeOperation, unsigned long)


(Core :: SVG, defect)

defect
Not set
critical


RESOLVED DUPLICATE of bug 1402547


(Reporter: jkratzer, Unassigned)


(Blocks 2 open bugs)


(Keywords: crash, testcase)


Attached file trigger.html
Testcase found while fuzzing mozilla-central rev 20170925-5f3f19824efa.

==11269==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe3dcb02068 bp 0x7ffeefc69a60 sp 0x7ffeefc697e0 T0)
==11269==The signal is caused by a READ memory access.
==11269==Hint: address points to the zero page.
    #0 0x7fe3dcb02067 in AddOrAccumulate(nsSMILValue&, nsSMILValue const&, mozilla::dom::CompositeOperation, unsigned long) /builds/worker/workspace/build/src/dom/smil/nsSMILCSSValueType.cpp:365:30
    #1 0x7fe3dcb01f2b in nsSMILCSSValueType::SandwichAdd(nsSMILValue&, nsSMILValue const&) const /builds/worker/workspace/build/src/dom/smil/nsSMILCSSValueType.cpp:422:10
    #2 0x7fe3dcaf8ae7 in nsSMILAnimationFunction::ComposeResult(nsISMILAttr const&, nsSMILValue&) /builds/worker/workspace/build/src/dom/smil/nsSMILAnimationFunction.cpp:271:22
    #3 0x7fe3dcaf525d in nsSMILCompositor::ComposeAttribute(bool&) /builds/worker/workspace/build/src/dom/smil/nsSMILCompositor.cpp:108:29
    #4 0x7fe3dcaf2b6a in nsSMILAnimationController::DoSample(bool) /builds/worker/workspace/build/src/dom/smil/nsSMILAnimationController.cpp:455:17
    #5 0x7fe3dd7fd50b in Resample /builds/worker/workspace/build/src/obj-firefox/dist/include/nsSMILAnimationController.h:74:21
    #6 0x7fe3dd7fd50b in FlushResampleRequests /builds/worker/workspace/build/src/obj-firefox/dist/include/nsSMILAnimationController.h:90
    #7 0x7fe3dd7fd50b in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4160
    #8 0x7fe3d975964d in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:557:5
    #9 0x7fe3d975964d in nsDocument::FlushPendingNotifications(mozilla::FlushType) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8377
    #10 0x7fe3d858be9b in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:703:14
    #11 0x7fe3d858e125 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:632:5
    #12 0x7fe3d858ed8c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:488:14
    #13 0x7fe3d6d9086d in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28
    #14 0x7fe3d975f67d in nsDocument::DoUnblockOnload() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9205:18
    #15 0x7fe3d975f241 in nsDocument::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9127:9
    #16 0x7fe3d9738599 in nsDocument::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5599:3
    #17 0x7fe3d97d92c2 in applyImpl<nsDocument, void (nsDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1142:12
    #18 0x7fe3d97d92c2 in apply<nsDocument, void (nsDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1148
    #19 0x7fe3d97d92c2 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1192
    #20 0x7fe3d6be2bec in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
    #21 0x7fe3d6be8a0c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:521:10
    #22 0x7fe3d798e571 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #23 0x7fe3d78f044b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #24 0x7fe3d78f044b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #25 0x7fe3d78f044b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #26 0x7fe3dd08fbff in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #27 0x7fe3e11f77b1 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #28 0x7fe3e13d81bb in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4701:22
    #29 0x7fe3e13d9dd8 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4865:8
    #30 0x7fe3e13db20b in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4960:21
    #31 0x4ebfe3 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22
    #32 0x4ebfe3 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:309
    #33 0x7fe3f494882f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #34 0x41db38 in _start (/home/forb1dden/builds/mc-asan/firefox+0x41db38)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/smil/nsSMILCSSValueType.cpp:365:30 in AddOrAccumulate(nsSMILValue&, nsSMILValue const&, mozilla::dom::CompositeOperation, unsigned long)
==11269==ABORTING
Flags: in-testsuite?
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Blocks: domino
