Open Bug 1547178 Opened 11 months ago Updated 8 months ago

crash near null in [@ mozilla::BackgroundClipRenderingObserver::GetReferencedElementWithoutObserving]

Categories

(Core :: SVG, defect, P3)

Unspecified
Android
defect

Tracking Status
firefox68 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file testcase.html

Test case requires: dom.allow_scripts_to_close_windows=true

eip = 0xc2288c6b   esp = 0xca4fc8e0   ebp = 0xca4fc8f8   ebx = 0xc98e0dd4
esi = 0xa83edce0   edi = 0xa83edce0   eax = 0x00000000   ecx = 0xa83edce0
edx = 0xca51f600   efl = 0x00210286
OS|Android|0.0.0 Linux 4.4.124+ #1 SMP PREEMPT Sun Nov 4 14:31:25 UTC 2018 i686
CPU|x86|GenuineIntel family 6 model 6 stepping 3|4
GPU|||
Crash|SIGSEGV|0x18|13
13|0|libxul.so|nsINode::AsElement()|hg:hg.mozilla.org/mozilla-central:dom/base/Element.h:7e40e33da3da2640e965a153254594a234231f76|1987|0x0
13|1|libxul.so|mozilla::BackgroundClipRenderingObserver::GetReferencedElementWithoutObserving()|hg:hg.mozilla.org/mozilla-central:layout/svg/SVGObserverUtils.cpp:7e40e33da3da2640e965a153254594a234231f76|473|0xe
13|2|libxul.so|mozilla::SVGRenderingObserver::StopObserving()|hg:hg.mozilla.org/mozilla-central:layout/svg/SVGObserverUtils.cpp:7e40e33da3da2640e965a153254594a234231f76|107|0x9
13|3|libxul.so|mozilla::BackgroundClipRenderingObserver::~BackgroundClipRenderingObserver()|hg:hg.mozilla.org/mozilla-central:layout/svg/SVGObserverUtils.cpp:7e40e33da3da2640e965a153254594a234231f76|470|0x1f
13|4|libxul.so|mozilla::BackgroundClipRenderingObserver::Release()|hg:hg.mozilla.org/mozilla-central:layout/svg/SVGObserverUtils.cpp:7e40e33da3da2640e965a153254594a234231f76|482|0x64
13|5|libxul.so|void mozilla::FramePropertyDescriptor<mozilla::BackgroundClipRenderingObserver>::Destruct<&(void ReleaseValue<mozilla::BackgroundClipRenderingObserver>(mozilla::BackgroundClipRenderingObserver*))>(void*)|hg:hg.mozilla.org/mozilla-central:layout/base/FrameProperties.h:7e40e33da3da2640e965a153254594a234231f76|92|0x8
13|6|libxul.so|mozilla::FrameProperties::PropertyValue::DestroyValueFor(nsIFrame const*)|hg:hg.mozilla.org/mozilla-central:layout/base/FrameProperties.h:7e40e33da3da2640e965a153254594a234231f76|0|0x2
13|7|libxul.so|mozilla::FrameProperties::DeleteAll(nsIFrame const*)|hg:hg.mozilla.org/mozilla-central:layout/base/FrameProperties.h:7e40e33da3da2640e965a153254594a234231f76|270|0xf
13|8|libxul.so|nsIFrame::DeleteAllProperties()|hg:hg.mozilla.org/mozilla-central:layout/generic/nsIFrame.h:7e40e33da3da2640e965a153254594a234231f76|3621|0x21
13|9|libxul.so|nsFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrame.cpp:7e40e33da3da2640e965a153254594a234231f76|846|0x8
13|10|libxul.so|nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:7e40e33da3da2640e965a153254594a234231f76|287|0xf
13|11|libxul.so|nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrameList.cpp:7e40e33da3da2640e965a153254594a234231f76|51|0x13
13|12|libxul.so|nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:7e40e33da3da2640e965a153254594a234231f76|214|0x14
13|13|libxul.so|nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsLineBox.cpp:7e40e33da3da2640e965a153254594a234231f76|372|0x16
13|14|libxul.so|nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:7e40e33da3da2640e965a153254594a234231f76|327|0x1a
13|15|libxul.so|nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsLineBox.cpp:7e40e33da3da2640e965a153254594a234231f76|372|0x16
13|16|libxul.so|nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBlockFrame.cpp:7e40e33da3da2640e965a153254594a234231f76|327|0x1a
13|17|libxul.so|nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrameList.cpp:7e40e33da3da2640e965a153254594a234231f76|51|0x13
13|18|libxul.so|nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:7e40e33da3da2640e965a153254594a234231f76|214|0x14
13|19|libxul.so|nsCanvasFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsCanvasFrame.cpp:7e40e33da3da2640e965a153254594a234231f76|216|0x16
13|20|libxul.so|nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrameList.cpp:7e40e33da3da2640e965a153254594a234231f76|51|0x13
13|21|libxul.so|nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:7e40e33da3da2640e965a153254594a234231f76|214|0x14
13|22|libxul.so|nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsFrameList.cpp:7e40e33da3da2640e965a153254594a234231f76|51|0x13
13|23|libxul.so|nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:7e40e33da3da2640e965a153254594a234231f76|214|0x14
13|24|libxul.so|nsIFrame::Destroy()|hg:hg.mozilla.org/mozilla-central:layout/generic/nsIFrame.h:7e40e33da3da2640e965a153254594a234231f76|656|0x16
13|25|libxul.so|nsFrameManager::Destroy()|hg:hg.mozilla.org/mozilla-central:layout/base/nsFrameManager.cpp:7e40e33da3da2640e965a153254594a234231f76|53|0x9
13|26|libxul.so|mozilla::PresShell::Destroy()|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:7e40e33da3da2640e965a153254594a234231f76|1341|0x13
13|27|libxul.so|nsDocumentViewer::DestroyPresShell()|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:7e40e33da3da2640e965a153254594a234231f76|4164|0x10
13|28|libxul.so|nsDocumentViewer::Hide()|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:7e40e33da3da2640e965a153254594a234231f76|2248|0x8
13|29|libxul.so|nsDocShell::SetVisibility(bool)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:7e40e33da3da2640e965a153254594a234231f76|5580|0x6
13|30|libxul.so|nsFrameLoader::Hide()|hg:hg.mozilla.org/mozilla-central:dom/base/nsFrameLoader.cpp:7e40e33da3da2640e965a153254594a234231f76|1124|0x15
13|31|libxul.so|nsHideViewer::Run()|hg:hg.mozilla.org/mozilla-central:layout/generic/nsSubDocumentFrame.cpp:7e40e33da3da2640e965a153254594a234231f76|934|0x10
13|32|libxul.so|nsContentUtils::RemoveScriptBlocker()|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:7e40e33da3da2640e965a153254594a234231f76|5265|0x13
13|33|libxul.so|mozilla::dom::Document::EndUpdate()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:7e40e33da3da2640e965a153254594a234231f76|4928|0x5
13|34|libxul.so|mozAutoDocUpdate::~mozAutoDocUpdate()|hg:hg.mozilla.org/mozilla-central:dom/base/mozAutoDocUpdate.h:7e40e33da3da2640e965a153254594a234231f76|34|0x13
13|35|libxul.so|nsINode::RemoveChildNode(nsIContent*, bool)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:7e40e33da3da2640e965a153254594a234231f76|1784|0x16
13|36|libxul.so|nsINode::RemoveChild(nsINode&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:7e40e33da3da2640e965a153254594a234231f76|503|0x1c
13|37|libxul.so|mozilla::dom::Node_Binding::removeChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&)|s3:gecko-generated-sources:9f085c530b3defe17fd8b5917cb5830c8783fde4aac20324010c15e288330cbc482c676dd603592279010ddc67b21f7ed73c51375ec33abd26e0349a85e7dfbc/dom/bindings/NodeBinding.cpp:|1154|0x17
13|38|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:7e40e33da3da2640e965a153254594a234231f76|3153|0x22
13|39|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:7e40e33da3da2640e965a153254594a234231f76|443|0x16
13|40|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:7e40e33da3da2640e965a153254594a234231f76|535|0xd
13|41|libxul.so|InternalCall(JSContext*, js::AnyInvokeArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:7e40e33da3da2640e965a153254594a234231f76|590|0x17
13|42|libxul.so|Interpret(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:7e40e33da3da2640e965a153254594a234231f76|594|0x7
13|43|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:7e40e33da3da2640e965a153254594a234231f76|423|0x7
13|44|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:7e40e33da3da2640e965a153254594a234231f76|563|0xd
13|45|libxul.so|InternalCall(JSContext*, js::AnyInvokeArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:7e40e33da3da2640e965a153254594a234231f76|590|0x17
13|46|libxul.so|<name omitted>|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:7e40e33da3da2640e965a153254594a234231f76|606|0x7
13|47|libxul.so|JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:7e40e33da3da2640e965a153254594a234231f76|2573|0x4f
13|48|libxul.so|nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*)|hg:hg.mozilla.org/mozilla-central:js/xpconnect/src/XPCWrappedJSClass.cpp:7e40e33da3da2640e965a153254594a234231f76|965|0x6d
13|49|libxul.so|PrepareAndDispatch(unsigned int, nsXPTCStubBase*, unsigned int*)|hg:hg.mozilla.org/mozilla-central:xpcom/reflect/xptcall/md/unix/xptcstubs_gcc_x86_unix.cpp:7e40e33da3da2640e965a153254594a234231f76|64|0x1c
13|50|libxul.so|mozilla::widget::EventDispatcher::DispatchOnGecko(mozilla::widget::EventDispatcher::ListenersList*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, nsIAndroidEventCallback*)|hg:hg.mozilla.org/mozilla-central:widget/android/EventDispatcher.cpp:7e40e33da3da2640e965a153254594a234231f76|748|0x13
13|51|libxul.so|mozilla::widget::EventDispatcher::DispatchToGecko(mozilla::jni::StringParam const&, mozilla::jni::Ref<mozilla::jni::Object, _jobject*> const&, mozilla::jni::Ref<mozilla::jni::Object, _jobject*> const&)|hg:hg.mozilla.org/mozilla-central:widget/android/EventDispatcher.cpp:7e40e33da3da2640e965a153254594a234231f76|1031|0x24
13|52|libxul.so|mozilla::EnableIf<(!(false))&&(!(false)), void>::Type mozilla::jni::detail::ProxyNativeCall<mozilla::widget::EventDispatcher, mozilla::java::EventDispatcher, false, false, mozilla::jni::StringParam const&, mozilla::jni::Ref<mozilla::jni::Object, _jobject*> const&, mozilla::jni::Ref<mozilla::jni::Object, _jobject*> const&>::Call<false, false, 0u, 1u, 2u>(mozilla::jni::LocalRef<mozilla::java::EventDispatcher> const&, std::__ndk1::integer_sequence<unsigned int, 0u, 1u, 2u>) const|hg:hg.mozilla.org/mozilla-central:widget/android/jni/Natives.h:7e40e33da3da2640e965a153254594a234231f76|413|0x32
13|53|libxul.so|mozilla::jni::detail::ProxyNativeCall<mozilla::widget::EventDispatcher, mozilla::java::EventDispatcher, false, false, mozilla::jni::StringParam const&, mozilla::jni::Ref<mozilla::jni::Object, _jobject*> const&, mozilla::jni::Ref<mozilla::jni::Object, _jobject*> const&>::operator()()|hg:hg.mozilla.org/mozilla-central:widget/android/jni/Natives.h:7e40e33da3da2640e965a153254594a234231f76|472|0xd
13|54|libxul.so|mozilla::detail::RunnableFunction<mozilla::jni::detail::ProxyNativeCall<mozilla::widget::EventDispatcher, mozilla::java::EventDispatcher, false, false, mozilla::jni::StringParam const&, mozilla::jni::Ref<mozilla::jni::Object, _jobject*> const&, mozilla::jni::Ref<mozilla::jni::Object, _jobject*> const&> >::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:7e40e33da3da2640e965a153254594a234231f76|562|0xb
13|55|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:7e40e33da3da2640e965a153254594a234231f76|1180|0x16
13|56|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:7e40e33da3da2640e965a153254594a234231f76|486|0x11
13|57|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:7e40e33da3da2640e965a153254594a234231f76|88|0xd
13|58|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:7e40e33da3da2640e965a153254594a234231f76|315|0x16
13|59|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:7e40e33da3da2640e965a153254594a234231f76|290|0xb
13|60|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:7e40e33da3da2640e965a153254594a234231f76|137|0xe
13|61|libxul.so|nsAppStartup::Run()|hg:hg.mozilla.org/mozilla-central:toolkit/components/startup/nsAppStartup.cpp:7e40e33da3da2640e965a153254594a234231f76|270|0x18
13|62|libxul.so|XREMain::XRE_mainRun()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:7e40e33da3da2640e965a153254594a234231f76|4578|0x10
13|63|libxul.so|XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:7e40e33da3da2640e965a153254594a234231f76|4716|0x8
13|64|libxul.so|XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:7e40e33da3da2640e965a153254594a234231f76|4797|0xf
13|65|libxul.so|GeckoStart|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAndroidStartup.cpp:7e40e33da3da2640e965a153254594a234231f76|47|0xd
13|66|libxul.so|mozilla::BootstrapImpl::GeckoStart(_JNIEnv*, char**, int, mozilla::StaticXREAppData const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/Bootstrap.cpp:7e40e33da3da2640e965a153254594a234231f76|77|0x11
13|67|libmozglue.so|Java_org_mozilla_gecko_mozglue_GeckoLoader_nativeRun|hg:hg.mozilla.org/mozilla-central:mozglue/android/APKOpen.cpp:7e40e33da3da2640e965a153254594a234231f76|372|0x2a
13|68|libart.so||||0x634318
Flags: in-testsuite?

Triaging as a P2 crash. Andrei or Petru - Care to take a look?

Flags: needinfo?(vlad.baicu)
Flags: needinfo?(petru.lingurar)
Priority: -- → P2

Tried to find some related crashes in crash-stats to better assess its impact but I was unable to find any.
This seems like a platform issue though, putting it on Chris' radar.

Flags: needinfo?(vlad.baicu)
Flags: needinfo?(petru.lingurar)
Flags: needinfo?(cpeterson)

This does look like a platform issue. I'll send it to the Core::SVG Bugzilla component.

I was not able to reproduce the crash in Windows Firefox, so this is presumably an Android-specific bug.

Component: General → SVG
Flags: needinfo?(cpeterson)
OS: Unspecified → Android
Priority: P2 → --
Product: Firefox for Android → Core

The priority flag is not set for this bug.
:jwatt, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jwatt)
Flags: needinfo?(jwatt)
Priority: -- → P3