Open Bug 1424031 Opened 2 years ago Updated 2 years ago

crash near null in [@ InternalAList]

Categories

(Core :: SVG, defect, P3)

59 Branch
defect

Tracking

Tracking Status
firefox59 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file testcase.html
==55675==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x7f079db01be1 bp 0x7fffd30a5e70 sp 0x7fffd30a5d80 T0)
==55675==The signal is caused by a READ memory access.
==55675==Hint: address points to the zero page.
    #0 0x7f079db01be0 in get /src/obj-firefox/dist/include/mozilla/RefPtr.h:287:27
    #1 0x7f079db01be0 in operator-> /src/obj-firefox/dist/include/mozilla/RefPtr.h:319
    #2 0x7f079db01be0 in InternalAList /src/dom/svg/DOMSVGPointList.cpp:205
    #3 0x7f079db01be0 in AttrIsAnimating /src/dom/svg/DOMSVGPointList.cpp:184
    #4 0x7f079db01be0 in ~AutoChangePointNotifier /src/dom/svg/DOMSVGPoint.cpp:43
    #5 0x7f079db01be0 in mozilla::DOMSVGPoint::SetY(float, mozilla::ErrorResult&) /src/dom/svg/DOMSVGPoint.cpp:108
    #6 0x7f079b5bbdc4 in mozilla::dom::SVGPointBinding::set_y(JSContext*, JS::Handle<JSObject*>, mozilla::nsISVGPoint*, JSJitSetterCallArgs) /src/obj-firefox/dom/bindings/SVGPointBinding.cpp:106:9
    #7 0x7f079c6f5189 in mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3003:8
    #8 0x7f07a3194041 in CallJSNative /src/js/src/jscntxtinlines.h:291:15
    #9 0x7f07a3194041 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:473
    #10 0x7f07a31966c6 in InternalCall /src/js/src/vm/Interpreter.cpp:522:12
    #11 0x7f07a31966c6 in Call /src/js/src/vm/Interpreter.cpp:541
    #12 0x7f07a31966c6 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /src/js/src/vm/Interpreter.cpp:670
    #13 0x7f07a425070c in SetExistingProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /src/js/src/vm/NativeObject.cpp:2731:10
    #14 0x7f07a4246b2c in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /src/js/src/vm/NativeObject.cpp:2759:20
    #15 0x7f07a3174cb0 in SetProperty /src/js/src/vm/NativeObject.h:1633:12
    #16 0x7f07a3174cb0 in SetPropertyOperation /src/js/src/vm/Interpreter.cpp:270
    #17 0x7f07a3174cb0 in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:2893
    #18 0x7f07a3166810 in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:423:12
    #19 0x7f07a31944ce in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:495:15
    #20 0x7f07a3194fd2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:541:10
    #21 0x7f07a3c8e40c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:3036:12
    #22 0x7f079bba82af in mozilla::dom::IdleRequestCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/WindowBinding.cpp:828:8
    #23 0x7f079a4f8caa in Call /src/obj-firefox/dist/include/mozilla/dom/WindowBinding.h:633:12
    #24 0x7f079a4f8caa in mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool) /src/dom/base/IdleRequest.cpp:74
    #25 0x7f079a33c9f4 in nsGlobalWindowInner::RunIdleRequest(mozilla::dom::IdleRequest*, double, bool) /src/dom/base/nsGlobalWindowInner.cpp:710:19
    #26 0x7f079a33b418 in nsGlobalWindowInner::ExecuteIdleRequest(mozilla::TimeStamp) /src/dom/base/nsGlobalWindowInner.cpp:740:21
    #27 0x7f079757c66e in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1033:14
    #28 0x7f07975983f0 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:508:10
    #29 0x7f079840a99a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:97:21
    #30 0x7f0798361929 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:326:10
    #31 0x7f0798361929 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:319
    #32 0x7f0798361929 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299
    #33 0x7f079e7b25ca in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:157:27
    #34 0x7f07a2ec718b in XRE_RunAppShell() /src/toolkit/xre/nsEmbedFunctions.cpp:865:22
    #35 0x7f0798361929 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:326:10
    #36 0x7f0798361929 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:319
    #37 0x7f0798361929 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299
    #38 0x7f07a2ec6b7d in XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:691:34
    #39 0x4ee9f5 in content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #40 0x4ee9f5 in main /src/browser/app/nsBrowserApp.cpp:280
    #41 0x7f07b5fdc82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #42 0x41e078 in _start (firefox+0x41e078)
Flags: in-testsuite?
Priority: -- → P3