Closed Bug 1494220 Opened 6 years ago Closed 6 years ago

InvalidArrayIndex_CRASH in mozilla::dom::SVGComponentTransferFunctionElement::ComputeAttributes

Categories

(Core :: SVG, defect)

64 Branch
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1493447
Tracking Status
firefox64 --- affected

People

(Reporter: nils, Unassigned)

Details

The following testcase crashes the latest ASAN build of Firefox.

<script>
// Reproducer entry point, invoked from the body's onload handler.
// It builds an SVG <filter> containing an <feComponentTransfer> with a single
// <feFuncA> child, attaches the filter to an element in the document, and then
// changes the transfer function's type. All o* names are implicit globals
// (no var/let), so statement order is significant and must not be changed.
function start() {
	o14=window.document;
	o15=window.document.documentElement;
	// Replace the root element's content with an <svg> that holds a <set> animation element.
	o15.innerHTML="<svg><set>";
	// Fourth element below the root.
	// NOTE(review): presumably the <set> (after parser-inserted head/body and the <svg>) - confirm.
	o29=o15.querySelectorAll('*')[3];
	// Element the animation applies to.
	// NOTE(review): with no href on <set> this is presumably the enclosing <svg> - confirm.
	o182=o29.targetElement;
	// Build filter#id7 > feComponentTransfer > feFuncA, entirely from script.
	o366=o14.createElementNS('http://www.w3.org/2000/svg','filter');
	o366.setAttribute('id','id7');
	o369=o14.createElementNS('http://www.w3.org/2000/svg','feComponentTransfer');
	o370=o14.createElementNS('http://www.w3.org/2000/svg','feFuncA');
	o369.appendChild(o370);
	o366.appendChild(o369);
	// Insert the filter into the document and make the target element reference it,
	// so the filter is evaluated the next time layout computes the element's overflow
	// (the reported stack reaches the filter code from Reflow/FinishAndStoreOverflow).
	o182.appendChild(o366);
	o182.setAttribute('filter','url(#id7)');
	// 3 is SVG_FECOMPONENTTRANSFER_TYPE_DISCRETE. No tableValues attribute is ever set
	// on the feFuncA in this testcase.
	// NOTE(review): the InvalidArrayIndex_CRASH in ComputeAttributes therefore looks like
	// an index into an empty table-values array - confirm against the duplicate bug.
	// Triage note: InvalidArrayIndex_CRASH is raised from nsTArray.cpp and ends in
	// MOZ_CrashPrintf, so the ILL signal in the ASAN report comes from that crash path;
	// ASAN itself reports no memory error ("can not provide additional info").
	o370.type.baseVal=3;
}
</script>
<body onload="start()"></body>


ASAN output:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==18183==ERROR: AddressSanitizer: ILL on unknown address 0x562898f40b1f (pc 0x562898f40b1f bp 0x7ffdc6f9d630 sp 0x7ffdc6f9d4c0 T0)
    #0 0x562898f40b1e in MOZ_CrashPrintf /builds/worker/workspace/build/src/mfbt/Assertions.cpp
    #1 0x7fcbd201b662 in InvalidArrayIndex_CRASH(unsigned long, unsigned long) /builds/worker/workspace/build/src/xpcom/ds/nsTArray.cpp:26:3
    #2 0x7fcbdb1bdcfa in mozilla::dom::SVGComponentTransferFunctionElement::ComputeAttributes(int, mozilla::gfx::ComponentTransferAttributes&) /builds/worker/workspace/build/src/dom/svg/nsSVGFilters.cpp
    #3 0x7fcbdb0c3443 in mozilla::dom::SVGFEComponentTransferElement::GetPrimitiveDescription(nsSVGFilterInstance*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsTArray<bool> const&, nsTArray<RefPtr<mozilla::gfx::SourceSurface> >&) /builds/worker/workspace/build/src/dom/svg/SVGFEComponentTransferElement.cpp:78:27
    #4 0x7fcbdcf5f0a6 in nsSVGFilterInstance::BuildPrimitives(nsTArray<mozilla::gfx::FilterPrimitiveDescription>&, nsTArray<RefPtr<mozilla::gfx::SourceSurface> >&, bool) /builds/worker/workspace/build/src/layout/svg/nsSVGFilterInstance.cpp:418:15
    #5 0x7fcbdcf44b7b in nsFilterInstance::BuildPrimitivesForFilter(nsStyleFilter const&, nsIFrame*, bool, nsTArray<mozilla::gfx::FilterPrimitiveDescription>&) /builds/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:347:30
    #6 0x7fcbdcf43272 in nsFilterInstance::BuildPrimitives(nsTArray<nsStyleFilter> const&, nsIFrame*, bool) /builds/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:315:19
    #7 0x7fcbdcf421f1 in nsFilterInstance::nsFilterInstance(nsIFrame*, nsIContent*, mozilla::dom::UserSpaceMetrics const&, nsTArray<nsStyleFilter> const&, bool, nsSVGFilterPaintCallback*, mozilla::gfx::BaseMatrix<double> const&, nsRegion const*, nsRegion const*, nsRect const*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const*) /builds/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:243:7
    #8 0x7fcbdcf40754 in nsFilterInstance::GetPostFilterBounds(nsIFrame*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const*, nsRect const*) /builds/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:173:20
    #9 0x7fcbdcf7358a in nsSVGIntegrationUtils::ComputePostEffectsVisualOverflowRect(nsIFrame*, nsRect const&) /builds/worker/workspace/build/src/layout/svg/nsSVGIntegrationUtils.cpp:307:5
    #10 0x7fcbdcac8b6c in nsIFrame::FinishAndStoreOverflow(nsOverflowAreas&, nsSize, nsSize*, nsStyleDisplay const*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:7347:9
    #11 0x7fcbdcf889a2 in FinishAndStoreOverflow /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:3220:12
    #12 0x7fcbdcf889a2 in nsSVGOuterSVGFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/svg/nsSVGOuterSVGFrame.cpp:505
    #13 0x7fcbdcc2e3dc in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:940:13
    #14 0x7fcbdc9c407a in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4274:15
    #15 0x7fcbdc9c20ba in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4074:5
    #16 0x7fcbdc9b691f in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3947:9
    #17 0x7fcbdc9ad87c in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2929:5
    #18 0x7fcbdc99f7c7 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2463:7
    #19 0x7fcbdc9937eb in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1297:3
    #20 0x7fcbdc9be93b in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:309:11
    #21 0x7fcbdc9b0bd1 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3576:11
    #22 0x7fcbdc9ad8ef in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2926:5
    #23 0x7fcbdc99f7c7 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2463:7
    #24 0x7fcbdc9937eb in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1297:3
    #25 0x7fcbdca1270b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #26 0x7fcbdca0ff0e in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:803:5
    #27 0x7fcbdca1270b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #28 0x7fcbdcb4a8db in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:606:3
    #29 0x7fcbdcb4c449 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:730:3
    #30 0x7fcbdcb519d0 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1120:3
    #31 0x7fcbdc96e318 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:995:14
    #32 0x7fcbdc96ca3b in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:338:7
    #33 0x7fcbdc6c272b in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9016:11
    #34 0x7fcbdc6dd508 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9189:24
    #35 0x7fcbdc6db62c in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4342:11
    #36 0x7fcbdc651a07 in FlushPendingNotifications /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:577:5
    #37 0x7fcbdc651a07 in nsRefreshDriver::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1930
    #38 0x7fcbdc663701 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:325:13
    #39 0x7fcbdc663701 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:300
    #40 0x7fcbdc663221 in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:318:5
    #41 0x7fcbdc666501 in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:756:5
    #42 0x7fcbdc666501 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:672
    #43 0x7fcbdc665c58 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:572:9
    #44 0x7fcbdd12d6d8 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:78:16
    #45 0x7fcbd3e16d1b in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #46 0x7fcbd3b8daf0 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
    #47 0x7fcbd33776a5 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2248:25
    #48 0x7fcbd33733d9 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2175:17
    #49 0x7fcbd337551d in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2012:5
    #50 0x7fcbd3376247 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2045:15
    #51 0x7fcbd2166897 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1166:14
    #52 0x7fcbd216f415 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #53 0x7fcbd3380d23 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #54 0x7fcbd328375c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #55 0x7fcbd328375c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #56 0x7fcbd328375c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #57 0x7fcbdbf73463 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #58 0x7fcbe043a02e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:939:22
    #59 0x7fcbd328375c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #60 0x7fcbd328375c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #61 0x7fcbd328375c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #62 0x7fcbe0439153 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:765:34
    #63 0x562898ecdb91 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #64 0x562898ecdb91 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
    #65 0x7fcbf4303b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #66 0x562898dfcf3c in _start (/home/nils/fuzzer3/firefox/firefox+0x2cf3c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ILL /builds/worker/workspace/build/src/mfbt/Assertions.cpp in MOZ_CrashPrintf
==18183==ABORTING
[Parent 18035, Gecko_IOThread] WARNING: pipe error (106): Connection reset by peer: file /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 356

###!!! [Parent][MessageChannel] Error: (msgtype=0x190084,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv

AddressSanitizerAddressSanitizer:DEADLYSIGNAL
:DEADLYSIGNAL
=================================================================
=================================================================
==18108==ERROR: AddressSanitizer: ILL on unknown address 0x7f638cb7a7da (pc 0x7f638cb7a7da bp 0x7f6386259280 sp 0x7f6386259250 T2)
==18170==ERROR: AddressSanitizer: ILL on unknown address 0x7fdee6e7a7da (pc 0x7fdee6e7a7da bp 0x7fdee0519280 sp 0x7fdee0519250 T2)
    #0 0x7f638cb7a7d9 in AnnotateMozCrashReason /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Assertions.h:40:19
    #1 0x7f638cb7a7d9 in AssertLinkThread /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/MessageChannel.h:577
    #2 0x7f638cb7a7d9 in mozilla::ipc::MessageChannel::OnChannelErrorFromLink() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2649
    #3 0x7f638cb8053f in non-virtual thunk to mozilla::ipc::ProcessLink::OnChannelError() /builds/worker/workspace/build/src/ipc/glue/MessageLink.cpp:397:12
    #4 0x7f638cb096a7 in event_persist_closure /builds/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c:1580:9
    #5 0x7f638cb096a7 in event_process_active_single_queue /builds/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c:1639
    #6 0x7f638cb01545 in event_process_active /builds/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c
    #7 0x7f638cb01545 in event_base_loop /builds/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c:1961
    #0 0x7fdee6e7a7d9 in AnnotateMozCrashReason /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Assertions.h:40:19
    #1 0x7fdee6e7a7d9 in AssertLinkThread /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/MessageChannel.h:577
    #2 0x7fdee6e7a7d9 in mozilla::ipc::MessageChannel::OnChannelErrorFromLink() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2649
    #3 0x7fdee6e8053f in non-virtual thunk to mozilla::ipc::ProcessLink::OnChannelError() /builds/worker/workspace/build/src/ipc/glue/MessageLink.cpp:397:12
    #8 0x7f638ca8b013 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_libevent.cc:373:7
    #9 0x7f638ca8375c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #10 0x7f638ca8375c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #11 0x7f638ca8375c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #12 0x7f638cace804 in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
    #13 0x7f638ca9b9cd in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:44:13
    #14 0x7f63aec3e6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #4 0x7fdee6e096a7 in event_persist_closure /builds/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c:1580:9
    #5 0x7fdee6e096a7 in event_process_active_single_queue /builds/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c:1639
    #6 0x7fdee6e01545 in event_process_active /builds/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c
    #7 0x7fdee6e01545 in event_base_loop /builds/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c:1961
    #8 0x7fdee6d8b013 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_libevent.cc:373:7
    #9 0x7fdee6d8375c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #10 0x7fdee6d8375c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #11 0x7fdee6d8375c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #15 0x7f63adc1788e in clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ILL /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Assertions.h:40:19 in AnnotateMozCrashReason
Thread T2 (Chrome_~dThread) created by T0 (Web Content) here:
    #12 0x7fdee6dce804 in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
    #13 0x7fdee6d9b9cd in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:44:13
    #14 0x7fdf08efe6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #15 0x7fdf07ed788e in clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ILL /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Assertions.h:40:19 in AnnotateMozCrashReason
Thread T2 (Chrome_~dThread) created by T0 (WebExtensions) here:
    #0 0x55b3b3eb073d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7f638ca983c2 in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:131:14
    #2 0x7f638ca983c2 in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:142
    #3 0x7f638cacdf3f in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8
    #4 0x7f638cad2e5d in Run /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/child_thread.cc:27:12
    #5 0x7f638cad2e5d in ChildProcess::ChildProcess(ChildThread*) /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/child_process.cc:20
    #6 0x7f638cb82a6f in mozilla::ipc::ProcessChild::ProcessChild(int) /builds/worker/workspace/build/src/ipc/glue/ProcessChild.cpp:24:5
    #7 0x7f6399c39011 in ContentProcess /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/ContentProcess.h:31:7
    #8 0x7f6399c39011 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:707
    #9 0x55b3b3ef7b91 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #10 0x55b3b3ef7b91 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
    #11 0x7f63adb17b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

==18108==ABORTING
    #0 0x55b60fe1f73d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7fdee6d983c2 in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:131:14
    #2 0x7fdee6d983c2 in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:142
    #3 0x7fdee6dcdf3f in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8
    #4 0x7fdee6dd2e5d in Run /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/child_thread.cc:27:12
    #5 0x7fdee6dd2e5d in ChildProcess::ChildProcess(ChildThread*) /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/child_process.cc:20
    #6 0x7fdee6e82a6f in mozilla::ipc::ProcessChild::ProcessChild(int) /builds/worker/workspace/build/src/ipc/glue/ProcessChild.cpp:24:5
    #7 0x7fdef3f39011 in ContentProcess /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/ContentProcess.h:31:7
    #8 0x7fdef3f39011 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:707
    #9 0x55b60fe66b91 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #10 0x55b60fe66b91 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
    #11 0x7fdf07dd7b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

==18170==ABORTING
Group: layout-core-security, core-security
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Group: core-security, layout-core-security