Open Bug 1426575 Opened 2 years ago Updated 2 years ago

crash near null in [@ ~AutoChangeLengthNotifier]

Categories

(Core :: SVG, defect, P3)

59 Branch
defect

Tracking Status
firefox-esr52 --- wontfix
firefox-esr60 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- wontfix
firefox60 --- wontfix
firefox61 --- wontfix
firefox62 --- wontfix

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase)

Attachments

(1 file)

Attached file testcase.html
==31289==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x7f33e3f5a21a bp 0x7ffde72c8490 sp 0x7ffde72c8380 T0)
==31289==The signal is caused by a READ memory access.
==31289==Hint: address points to the zero page.
    #0 0x7f33e3f5a219 in get /src/obj-firefox/dist/include/mozilla/RefPtr.h:287:27
    #1 0x7f33e3f5a219 in operator-> /src/obj-firefox/dist/include/mozilla/RefPtr.h:319
    #2 0x7f33e3f5a219 in IsAnimating /src/dom/svg/DOMSVGLengthList.h:98
    #3 0x7f33e3f5a219 in ~AutoChangeLengthNotifier /src/dom/svg/DOMSVGLength.cpp:84
    #4 0x7f33e3f5a219 in mozilla::DOMSVGLength::NewValueSpecifiedUnits(unsigned short, float, mozilla::ErrorResult&) /src/dom/svg/DOMSVGLength.cpp:462
    #5 0x7f33e19cde3c in mozilla::dom::SVGLengthBinding::newValueSpecifiedUnits(JSContext*, JS::Handle<JSObject*>, mozilla::DOMSVGLength*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/SVGLengthBinding.cpp:260:9
    #6 0x7f33e2b6b957 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3040:13
    #7 0x7f33e9649571 in CallJSNative /src/js/src/jscntxtinlines.h:291:15
    #8 0x7f33e9649571 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:473
    #9 0x7f33e9634e5a in CallFromStack /src/js/src/vm/Interpreter.cpp:528:12
    #10 0x7f33e9634e5a in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3098
    #11 0x7f33e961b120 in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:423:12
    #12 0x7f33e96499fe in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:495:15
    #13 0x7f33e964a502 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:541:10
    #14 0x7f33ea13ccec in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:3036:12
    #15 0x7f33e24ab03e in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #16 0x7f33e3004f83 in Call<nsISupports *> /src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #17 0x7f33e3004f83 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /src/dom/events/JSEventHandler.cpp:215
    #18 0x7f33e2fcb131 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /src/dom/events/EventListenerManager.cpp:1117:51
    #19 0x7f33e2fcd000 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /src/dom/events/EventListenerManager.cpp:1292:20
    #20 0x7f33e2fb75bf in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:462:16
    #21 0x7f33e2fbaef5 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /src/dom/events/EventDispatcher.cpp:826:9
    #22 0x7f33e55520f0 in nsDocumentViewer::LoadComplete(nsresult) /src/layout/base/nsDocumentViewer.cpp:1064:7
    #23 0x7f33e88d5e43 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /src/docshell/base/nsDocShell.cpp:7870:21
    #24 0x7f33e88d1d7a in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /src/docshell/base/nsDocShell.cpp:7664:7
    #25 0x7f33e88d9b6f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /src/docshell/base/nsDocShell.cpp
    #26 0x7f33df909fe7 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /src/uriloader/base/nsDocLoader.cpp:1321:3
    #27 0x7f33df9091f1 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /src/uriloader/base/nsDocLoader.cpp:862:14
    #28 0x7f33df905e84 in nsDocLoader::DocLoaderIsEmpty(bool) /src/uriloader/base/nsDocLoader.cpp:751:9
    #29 0x7f33df907ebc in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /src/uriloader/base/nsDocLoader.cpp:633:5
    #30 0x7f33df908ddc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /src/uriloader/base/nsDocLoader.cpp
    #31 0x7f33ddc5cd6a in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /src/netwerk/base/nsLoadGroup.cpp:629:28
    #32 0x7f33e0bdf4a7 in DoUnblockOnload /src/dom/base/nsDocument.cpp:9395:18
    #33 0x7f33e0bdf4a7 in nsDocument::UnblockOnload(bool) /src/dom/base/nsDocument.cpp:9317
    #34 0x7f33e2f457ca in ~LoadBlockingAsyncEventDispatcher /src/dom/events/AsyncEventDispatcher.cpp:125:18
    #35 0x7f33e2f457ca in mozilla::LoadBlockingAsyncEventDispatcher::~LoadBlockingAsyncEventDispatcher() /src/dom/events/AsyncEventDispatcher.cpp:123
    #36 0x7f33ddab452c in Release /src/xpcom/threads/nsThreadUtils.cpp:48:1
    #37 0x7f33ddab452c in mozilla::CancelableRunnable::Release() /src/xpcom/threads/nsThreadUtils.cpp:72
    #38 0x7f33dda9c578 in ~nsCOMPtr_base /src/obj-firefox/dist/include/nsCOMPtr.h:313:7
    #39 0x7f33dda9c578 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1043
    #40 0x7f33ddab7f40 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:513:10
    #41 0x7f33de91ca2a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:97:21
    #42 0x7f33de879439 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:326:10
    #43 0x7f33de879439 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:319
    #44 0x7f33de879439 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299
    #45 0x7f33e4c4ec9a in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:159:27
    #46 0x7f33e915fe9b in nsAppStartup::Run() /src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #47 0x7f33e9372fda in XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4685:22
    #48 0x7f33e93753cd in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4847:8
    #49 0x7f33e9376764 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4942:21
    #50 0x4ee80b in do_main /src/browser/app/nsBrowserApp.cpp:231:22
    #51 0x4ee80b in main /src/browser/app/nsBrowserApp.cpp:304
    #52 0x7f33fc57382f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #53 0x41e078 in _start (firefox+0x41e078)
Flags: in-testsuite?
Priority: -- → P3
Regression range: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c3c4c902e9cd&tochange=31879b88cc82

Maybe a regression from bug 620286, which was a change to <tspan> behavior... The testcase does use & modify a <tspan>, at least.
All the code from bug 620286 was removed some years ago.
Too late to fix in 59. Is Nightly (61) still affected?