Closed Bug 1426575 Opened 6 years ago Closed 1 year ago

crash near null in [@ ~AutoChangeLengthNotifier]

Categories

(Core :: SVG, defect, P3)

Product:
Core
Component:
SVG
Version:
59 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
112 Branch
Tracking Flags:
Tracking Status
firefox-esr52 --- wontfix
firefox-esr60 --- wontfix
firefox-esr102 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- wontfix
firefox60 --- wontfix
firefox61 --- wontfix
firefox62 --- wontfix
firefox110 --- wontfix
firefox111 --- wontfix
firefox112 --- fixed

People

(Reporter: tsmith, Assigned: longsonr)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase)

Attachments

(2 files)

testcase.html
378 bytes, text/html
Details
Bug 1426575 - crashtest r=emilio
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html 
==31289==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x7f33e3f5a21a bp 0x7ffde72c8490 sp 0x7ffde72c8380 T0)
==31289==The signal is caused by a READ memory access.
==31289==Hint: address points to the zero page.
    #0 0x7f33e3f5a219 in get /src/obj-firefox/dist/include/mozilla/RefPtr.h:287:27
    #1 0x7f33e3f5a219 in operator-> /src/obj-firefox/dist/include/mozilla/RefPtr.h:319
    #2 0x7f33e3f5a219 in IsAnimating /src/dom/svg/DOMSVGLengthList.h:98
    #3 0x7f33e3f5a219 in ~AutoChangeLengthNotifier /src/dom/svg/DOMSVGLength.cpp:84
    #4 0x7f33e3f5a219 in mozilla::DOMSVGLength::NewValueSpecifiedUnits(unsigned short, float, mozilla::ErrorResult&) /src/dom/svg/DOMSVGLength.cpp:462
    #5 0x7f33e19cde3c in mozilla::dom::SVGLengthBinding::newValueSpecifiedUnits(JSContext*, JS::Handle<JSObject*>, mozilla::DOMSVGLength*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/SVGLengthBinding.cpp:260:9
    #6 0x7f33e2b6b957 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3040:13
    #7 0x7f33e9649571 in CallJSNative /src/js/src/jscntxtinlines.h:291:15
    #8 0x7f33e9649571 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:473
    #9 0x7f33e9634e5a in CallFromStack /src/js/src/vm/Interpreter.cpp:528:12
    #10 0x7f33e9634e5a in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3098
    #11 0x7f33e961b120 in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:423:12
    #12 0x7f33e96499fe in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:495:15
    #13 0x7f33e964a502 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:541:10
    #14 0x7f33ea13ccec in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:3036:12
    #15 0x7f33e24ab03e in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #16 0x7f33e3004f83 in Call<nsISupports *> /src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #17 0x7f33e3004f83 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /src/dom/events/JSEventHandler.cpp:215
    #18 0x7f33e2fcb131 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /src/dom/events/EventListenerManager.cpp:1117:51
    #19 0x7f33e2fcd000 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /src/dom/events/EventListenerManager.cpp:1292:20
    #20 0x7f33e2fb75bf in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:462:16
    #21 0x7f33e2fbaef5 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /src/dom/events/EventDispatcher.cpp:826:9
    #22 0x7f33e55520f0 in nsDocumentViewer::LoadComplete(nsresult) /src/layout/base/nsDocumentViewer.cpp:1064:7
    #23 0x7f33e88d5e43 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /src/docshell/base/nsDocShell.cpp:7870:21
    #24 0x7f33e88d1d7a in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /src/docshell/base/nsDocShell.cpp:7664:7
    #25 0x7f33e88d9b6f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /src/docshell/base/nsDocShell.cpp
    #26 0x7f33df909fe7 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /src/uriloader/base/nsDocLoader.cpp:1321:3
    #27 0x7f33df9091f1 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /src/uriloader/base/nsDocLoader.cpp:862:14
    #28 0x7f33df905e84 in nsDocLoader::DocLoaderIsEmpty(bool) /src/uriloader/base/nsDocLoader.cpp:751:9
    #29 0x7f33df907ebc in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /src/uriloader/base/nsDocLoader.cpp:633:5
    #30 0x7f33df908ddc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /src/uriloader/base/nsDocLoader.cpp
    #31 0x7f33ddc5cd6a in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /src/netwerk/base/nsLoadGroup.cpp:629:28
    #32 0x7f33e0bdf4a7 in DoUnblockOnload /src/dom/base/nsDocument.cpp:9395:18
    #33 0x7f33e0bdf4a7 in nsDocument::UnblockOnload(bool) /src/dom/base/nsDocument.cpp:9317
    #34 0x7f33e2f457ca in ~LoadBlockingAsyncEventDispatcher /src/dom/events/AsyncEventDispatcher.cpp:125:18
    #35 0x7f33e2f457ca in mozilla::LoadBlockingAsyncEventDispatcher::~LoadBlockingAsyncEventDispatcher() /src/dom/events/AsyncEventDispatcher.cpp:123
    #36 0x7f33ddab452c in Release /src/xpcom/threads/nsThreadUtils.cpp:48:1
    #37 0x7f33ddab452c in mozilla::CancelableRunnable::Release() /src/xpcom/threads/nsThreadUtils.cpp:72
    #38 0x7f33dda9c578 in ~nsCOMPtr_base /src/obj-firefox/dist/include/nsCOMPtr.h:313:7
    #39 0x7f33dda9c578 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1043
    #40 0x7f33ddab7f40 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:513:10
    #41 0x7f33de91ca2a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:97:21
    #42 0x7f33de879439 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:326:10
    #43 0x7f33de879439 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:319
    #44 0x7f33de879439 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299
    #45 0x7f33e4c4ec9a in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:159:27
    #46 0x7f33e915fe9b in nsAppStartup::Run() /src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #47 0x7f33e9372fda in XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4685:22
    #48 0x7f33e93753cd in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4847:8
    #49 0x7f33e9376764 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4942:21
    #50 0x4ee80b in do_main /src/browser/app/nsBrowserApp.cpp:231:22
    #51 0x4ee80b in main /src/browser/app/nsBrowserApp.cpp:304
    #52 0x7f33fc57382f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #53 0x41e078 in _start (firefox+0x41e078)
Flags: in-testsuite?
Priority: -- → P3
Regression range: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c3c4c902e9cd&tochange=31879b88cc82

Maybe a regression from bug 620286, which was a change to <tspan> behavior... The testcase does use & modify a <tspan>, at least.
Blocks: 620286
status-firefox57: --- → wontfix
status-firefox58: --- → wontfix
status-firefox-esr52: --- → affected
Keywords: regression
All the code from bug 620286 was removed some years ago.
Too late to fix in 59. Is Nightly (61) still affected?
status-firefox59: affectedwontfix
status-firefox61: --- → ?
Severity: normal → S3
Assignee: nobody → longsonr
Status: NEW → ASSIGNED

https://hg.mozilla.org/mozilla-central/rev/633af22d7520

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox112: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch
status-firefox110: --- → wontfix
status-firefox111: --- → wontfix
status-firefox-esr102: --- → wontfix
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: