Closed Bug 1544461 Opened 1 year ago Closed 9 months ago

Assertion failure: !mTable (Tear-off objects remain in hashtable at shutdown.), at /builds/worker/workspace/build/src/dom/svg/SVGAttrTearoffTable.h:29

Categories

(Core :: SVG, defect, P3)

defect

Tracking

()

RESOLVED FIXED
mozilla68
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- fixed
firefox68 --- fixed

People

(Reporter: jkratzer, Assigned: birtles)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 6c9e7cba261d.

Assertion failure: !mTable (Tear-off objects remain in hashtable at shutdown.), at /builds/worker/workspace/build/src/dom/svg/SVGAttrTearoffTable.h:29

rax = 0x00005568fabfae20 rdx = 0x0000000000000000
rcx = 0x00007f06557b46ae rbx = 0x0000000000000001
rsi = 0x00007f06607a28b0 rdi = 0x00007f06607a1680
rbp = 0x00007ffd54e862e0 rsp = 0x00007ffd54e862e0
r8 = 0x00007f06607a28b0 r9 = 0x00007f06618ff740
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x00007f06607a0718 r13 = 0x00000000000000d0
r14 = 0x00007f06607a5628 r15 = 0x00007f066016b800
rip = 0x00007f0651ac5a0f
OS|Linux|0.0.0 Linux 4.18.0-17-generic #18~18.04.1-Ubuntu SMP Fri Mar 15 15:27:12 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|mozilla::SVGAttrTearoffTable<mozilla::SVGAnimatedTransformList, mozilla::dom::DOMSVGAnimatedTransformList>::~SVGAttrTearoffTable()|hg:hg.mozilla.org/mozilla-central:dom/svg/SVGAttrTearoffTable.h:6c9e7cba261d72303c39d9f3a9bb45b91fa1fd3e|29|0x16
0|1|libc-2.27.so|__libc_secure_getenv|||0x191
0|2|libc-2.27.so|exit|||0x1a
0|3|libc-2.27.so|__libc_start_main|||0xee
0|4|firefox-bin|_start|||0x29

Flags: in-testsuite?

Jason, is this something you can still reproduce with this test case? I just tried and failed (using a loader document that does window.open("testcase.html"), since the test seems to rely on window.close()).

Flags: needinfo?(jkratzer)

:heycam, I can no longer reproduce this using the latest nightly. It appears to have been fixed sometime in the following range:

Start: 839cdad764d741ab4438b6feabeec749a22b34d5 (20190517093040)
End: c94c54aff4669f52cebc76ddad34a76f4fafd03b (20190517162438)
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=839cdad764d741ab4438b6feabeec749a22b34d5&tochange=c94c54aff4669f52cebc76ddad34a76f4fafd03b

Flags: needinfo?(jkratzer)

Given that this was effectively a memory-leak with the testcase that used a WebAnimations API (element.animate(....)), this was probably fixed by bug 1552387.1552387

Status: NEW → RESOLVED
Closed: 9 months ago
Depends on: 1552387
Priority: -- → P3
Resolution: --- → FIXED
Assignee: nobody → brian
Target Milestone: --- → mozilla68
You need to log in before you can comment on or make changes to this bug.