Closed
Bug 1418477
Opened 7 years ago
Closed 7 years ago
crash at null in [@ unum_setAttribute_60]
Categories
(Core :: Internationalization, defect)
Tracking
()
RESOLVED
FIXED
mozilla59
People
(Reporter: tsmith, Assigned: m_kato)
References
(Blocks 1 open bug)
Details
(Keywords: crash, csectype-nullptr, testcase)
Attachments
(3 files)
==75968==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5f18af8433 bp 0x7ffe937dd090 sp 0x7ffe937dcfe0 T0)
==75968==The signal is caused by a READ memory access.
==75968==Hint: address points to the zero page.
#0 0x7f5f18af8432 in unum_setAttribute_60 /src/intl/icu/source/i18n/unum.cpp:571:20
#1 0x7f5f184bce00 in ICUUtils::LocalizeNumber(double, ICUUtils::LanguageTagIterForContent&, nsTSubstring<char16_t>&) /src/intl/unicharutil/util/ICUUtils.cpp:108:5
#2 0x7f5f1f8f9415 in nsNumberControlFrame::SetValueOfAnonTextControl(nsTSubstring<char16_t> const&) /src/layout/forms/nsNumberControlFrame.cpp:665:5
#3 0x7f5f1f8f83d6 in nsNumberControlFrame::CreateAnonymousContent(nsTArray<nsIAnonymousContentCreator::ContentInfo>&) /src/layout/forms/nsNumberControlFrame.cpp:397:3
#4 0x7f5f1f4818fa in nsCSSFrameConstructor::GetAnonymousContent(nsIContent*, nsIFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo>&) /src/layout/base/nsCSSFrameConstructor.cpp:4351:26
#5 0x7f5f1f474149 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /src/layout/base/nsCSSFrameConstructor.cpp:11172:3
#6 0x7f5f1f48ba09 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /src/layout/base/nsCSSFrameConstructor.cpp:4207:9
#7 0x7f5f1f4963bb in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /src/layout/base/nsCSSFrameConstructor.cpp:6370:3
#8 0x7f5f1f473936 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) /src/layout/base/nsCSSFrameConstructor.cpp:10944:5
#9 0x7f5f1f4a481c in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind, TreeMatchContext*) /src/layout/base/nsCSSFrameConstructor.cpp:7797:3
#10 0x7f5f1f3c1135 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /src/layout/base/RestyleManager.cpp:1414:27
#11 0x7f5f1f438eda in mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /src/layout/base/ServoRestyleManager.cpp:1159:9
#12 0x7f5f1f3f718b in ProcessPendingRestyles /src/layout/base/ServoRestyleManager.cpp:1235:3
#13 0x7f5f1f3f718b in ProcessPendingRestyles /src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44
#14 0x7f5f1f3f718b in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /src/layout/base/PresShell.cpp:4220
#15 0x7f5f1b239690 in FlushPendingNotifications /src/obj-firefox/dist/include/nsIPresShell.h:571:5
#16 0x7f5f1b239690 in nsDocument::FlushPendingNotifications(mozilla::FlushType, mozilla::FlushTarget) /src/dom/base/nsDocument.cpp:8550
#17 0x7f5f1a045edd in nsDocLoader::DocLoaderIsEmpty(bool) /src/uriloader/base/nsDocLoader.cpp:704:14
#18 0x7f5f1a048242 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /src/uriloader/base/nsDocLoader.cpp:633:5
#19 0x7f5f1a048e9c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /src/uriloader/base/nsDocLoader.cpp:489:14
#20 0x7f5f185a46a0 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /src/netwerk/base/nsLoadGroup.cpp:629:28
#21 0x7f5f1b23f4ed in nsDocument::DoUnblockOnload() /src/dom/base/nsDocument.cpp:9379:18
#22 0x7f5f1b23f0b1 in nsDocument::UnblockOnload(bool) /src/dom/base/nsDocument.cpp:9301:9
#23 0x7f5f1b218d89 in nsDocument::DispatchContentLoadedEvents() /src/dom/base/nsDocument.cpp:5666:3
#24 0x7f5f1b2ba412 in applyImpl<nsDocument, void (nsDocument::*)()> /src/obj-firefox/dist/include/nsThreadUtils.h:1142:12
#25 0x7f5f1b2ba412 in apply<nsDocument, void (nsDocument::*)()> /src/obj-firefox/dist/include/nsThreadUtils.h:1148
#26 0x7f5f1b2ba412 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /src/obj-firefox/dist/include/nsThreadUtils.h:1192
#27 0x7f5f183fa3b6 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1037:14
#28 0x7f5f18414d38 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:513:10
#29 0x7f5f191eef11 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:97:21
#30 0x7f5f1914f68b in RunInternal /src/ipc/chromium/src/base/message_loop.cc:326:10
#31 0x7f5f1914f68b in RunHandler /src/ipc/chromium/src/base/message_loop.cc:319
#32 0x7f5f1914f68b in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299
#33 0x7f5f1ec4f23f in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:159:27
#34 0x7f5f22d84fb1 in nsAppStartup::Run() /src/toolkit/components/startup/nsAppStartup.cpp:288:30
#35 0x7f5f22f7d000 in XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4685:22
#36 0x7f5f22f7ebd5 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4847:8
#37 0x7f5f22f7ff86 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4942:21
#38 0x4ebd1c in do_main /src/browser/app/nsBrowserApp.cpp:231:22
#39 0x4ebd1c in main /src/browser/app/nsBrowserApp.cpp:304
#40 0x7f5f35f4582f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
#41 0x41d3f8 in _start (firefox+0x41d3f8)Flags: in-testsuite?
|
Assignee | |
Updated•7 years ago
|
Component: Localization → JavaScript: Internationalization API
|
||
Comment 1•7 years ago
|
||
unum_open(...) [1] returns a null-pointer on failure which doesn't seem to be handled in [2]. Not a "JavaScript: Internationalization API" bug, therefore moving to "Core: Internationalization". [1] http://icu-project.org/apiref/icu4c/unum_8h.html#a581f9eb53d6b1b052b751272e1c6b67f [2] https://searchfox.org/mozilla-central/rev/9bab9dc5a9472e3c163ab279847d2249322c206e/intl/unicharutil/util/ICUUtils.cpp#101-102
Component: JavaScript: Internationalization API → Internationalization
|
|
Assignee | |
Comment 2•7 years ago
|
||
Although I don't debug this yet, I think error status isn't successful. But we don't check error status, so this crash might occurs.
Assignee: nobody → m_kato
| Comment hidden (mozreview-request) |
| Comment hidden (mozreview-request) |
|
||
Comment 5•7 years ago
|
||
| mozreview-review | ||
Comment on attachment 8930898 [details] Bug 1418477 - Part 1. Should check error status of unum_open. https://reviewboard.mozilla.org/r/202010/#review207422 Makes sense, thanks.
Attachment #8930898 -
Flags: review?(jfkthame) → review+
|
|
||
Comment 6•7 years ago
|
||
| mozreview-review | ||
Comment on attachment 8930899 [details] Bug 1418477 - Part 2. Add crash test. https://reviewboard.mozilla.org/r/202012/#review207424
Attachment #8930899 -
Flags: review?(jfkthame) → review+
Pushed by m_kato@ga2.so-net.ne.jp: https://hg.mozilla.org/integration/autoland/rev/adfc65d1acc6 Part 1. Should check error status of unum_open. r=jfkthame https://hg.mozilla.org/integration/autoland/rev/b43f8e68097f Part 2. Add crash test. r=jfkthame
|
||
Comment 8•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/adfc65d1acc6 https://hg.mozilla.org/mozilla-central/rev/b43f8e68097f
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
|
||
Updated•7 years ago
|
status-firefox57:
--- → wontfix
status-firefox58:
--- → wontfix
status-firefox-esr52:
--- → wontfix
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•