Closed Bug 1511248 Opened 6 years ago Closed 6 years ago

Crash @ GetExistingSlots /builds/worker/workspace/build/src/dom/base/nsINode.h:1933:12

Categories

(Core :: DOM: Core & HTML, defect)

Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED DUPLICATE of bug 1510633
Tracking Status
firefox65 --- affected

People

(Reporter: geeknik, Unassigned)

Details

(Keywords: csectype-nullptr, nightly-community)

While playing a Tom Segura video (https://www.youtube.com/watch?v=UIs-v-B5t7g) on the YouTube internet web site with Firefox Nightly Build ID 20181129095546, a tab crash which produced the following stack trace interrupted our hearty laughter: 


==3399==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7f8f2b2f6632 bp 0x7ffc94fa6560 sp 0x7ffc94fa6540 T0)
==3399==The signal is caused by a READ memory access.
==3399==Hint: address points to the zero page.
    #0 0x7f8f2b2f6631 in GetExistingSlots /builds/worker/workspace/build/src/dom/base/nsINode.h:1933:12
    #1 0x7f8f2b2f6631 in nsINode::RemoveMutationObserver(nsIMutationObserver*) /builds/worker/workspace/build/src/dom/base/nsINode.h:1088
    #2 0x7f8f2b33e824 in mozilla::dom::ShadowRoot::Unattach() /builds/worker/workspace/build/src/dom/base/ShadowRoot.cpp:187:14
    #3 0x7f8f2b260920 in mozilla::dom::Element::UnattachShadow() /builds/worker/workspace/build/src/dom/base/Element.cpp:1348:15
    #4 0x7f8f2e45102b in operator() /builds/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:4704:15
    #5 0x7f8f2e45102b in mozilla::detail::RunnableFunction<mozilla::dom::HTMLMediaElement::UnbindFromTree(bool, bool)::$_7>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:577
    #6 0x7f8f2b04a5ac in nsContentUtils::RemoveScriptBlocker() /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5682:15
    #7 0x7f8f2e4fee6d in nsHTMLDocument::cycleCollection::Unlink(void*) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:194:1
    #8 0x7f8f27ed3aa5 in nsCycleCollector::CollectWhite() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3473:26
    #9 0x7f8f27ed6af4 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3844:24
    #10 0x7f8f27edb654 in nsCycleCollector_collectSlice(js::SliceBudget&, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4427:21
    #11 0x7f8f2b5587f5 in nsJSContext::RunCycleCollectorSlice(mozilla::TimeStamp) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1580:3
    #12 0x7f8f2b5594c2 in ICCRunnerFired(mozilla::TimeStamp) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1639:3
    #13 0x7f8f2801cf94 in operator() /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/functional:2440:14
    #14 0x7f8f2801cf94 in mozilla::IdleTaskRunner::Run() /builds/worker/workspace/build/src/xpcom/threads/IdleTaskRunner.cpp:63
    #15 0x7f8f28063249 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1244:14
    #16 0x7f8f2806a1e1 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
    #17 0x7f8f28fe99b0 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #18 0x7f8f28f3b62f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #19 0x7f8f28f3b62f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #20 0x7f8f28f3b62f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #21 0x7f8f2ff1be4a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #22 0x7f8f340cb9bf in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:951:22
    #23 0x7f8f28f3b62f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #24 0x7f8f28f3b62f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #25 0x7f8f28f3b62f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #26 0x7f8f340cb248 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:777:34
    #27 0x55c9870173d4 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #28 0x55c9870173d4 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
    #29 0x7f8f3fbfe412 in __libc_start_main (/lib64/libc.so.6+0x24412)
    #30 0x55c986f3caa8 in _start (/home/geeknik/firefox/firefox+0x29aa8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/base/nsINode.h:1933:12 in GetExistingSlots
==3399==ABORTING
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Component: DOM → DOM: Core & HTML