Closed Bug 1555758 Opened 6 months ago Closed 6 months ago

Assertion failure: GetPrimaryFrame(), at /builds/worker/workspace/build/src/dom/svg/SVGCircleElement.cpp:130

Categories

(Core :: SVG, defect)


Tracking

RESOLVED FIXED
mozilla69
Tracking Status
firefox-esr60 --- unaffected
firefox67 --- unaffected
firefox68 --- unaffected
firefox69 --- fixed

People

(Reporter: jkratzer, Assigned: violet.bugreport)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, testcase)

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 462fc9264901.

Assertion failure: GetPrimaryFrame(), at /builds/worker/workspace/build/src/dom/svg/SVGCircleElement.cpp:130

OS|Linux|0.0.0 Linux 4.18.0-17-generic #18~18.04.1-Ubuntu SMP Fri Mar 15 15:27:12 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::dom::SVGCircleElement::BuildPath(mozilla::gfx::PathBuilder*)|hg:hg.mozilla.org/mozilla-central:dom/svg/SVGCircleElement.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|130|0x33
0|1|libxul.so|mozilla::dom::SVGGeometryElement::GetOrBuildPath(mozilla::gfx::DrawTarget const*, mozilla::gfx::FillRule)|hg:hg.mozilla.org/mozilla-central:dom/svg/SVGGeometryElement.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|102|0x12
0|2|libxul.so|mozilla::dom::SVGGeometryElement::GetOrBuildPathForMeasuring()|hg:hg.mozilla.org/mozilla-central:dom/svg/SVGGeometryElement.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|113|0x16
0|3|libxul.so|mozilla::dom::SVGGeometryElement::GetTotalLength()|hg:hg.mozilla.org/mozilla-central:dom/svg/SVGGeometryElement.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|152|0xc
0|4|libxul.so|mozilla::dom::SVGGeometryElement_Binding::getTotalLength|s3:gecko-generated-sources:cbc6fcb2c79782dc856536bf075d40588c1f8b68811125cb23a93d30cf73d2739e7d2e45183c17c5f02c8c5ce53a90a72162bdf97f20c88123a356f008d18af2/dom/bindings/SVGGeometryElementBinding.cpp:|73|0x8
0|5|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|3165|0x24
0|6|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|448|0x16
0|7|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|540|0x12
0|8|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|595|0xd
0|9|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|599|0x13
0|10|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|425|0xb
0|11|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|568|0xf
0|12|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|595|0xd
0|13|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|611|0x5
0|14|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|2654|0x1c
0|15|libxul.so|mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:9ca8646d8042e9b4b76d2e1b358b984be17743b71b832c0897d61bb500e0fecbe38fa54273dc522878c87fcb2c9bfd274a8190c7bc56fbbb58cb3ca68462e527/dom/bindings/EventListenerBinding.cpp:|52|0x5
0|16|libxul.so|void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:f3d9c01258576daaac3afc4fb3b283652e7f1168abb5287eff6775451ebd0ab6a0e4c8d88d3a67f7147042501bc091c6dfed25b4b8ccf4e4f420897b8d0ba906/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x1c
0|17|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|1036|0x1e
0|18|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|1239|0x19
0|19|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|351|0x6
0|20|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|551|0x12
0|21|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|1048|0x1a
0|22|libxul.so|nsDocumentViewer::LoadComplete(nsresult)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|1105|0x25
0|23|libxul.so|nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|6662|0x14
0|24|libxul.so|nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|6462|0x18
0|25|libxul.so|nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|1315|0x64
0|26|libxul.so|nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|874|0x2a
0|27|libxul.so|nsDocLoader::DocLoaderIsEmpty(bool)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|712|0x15
0|28|libxul.so|nsDocLoader::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|600|0x16
0|29|libxul.so|mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|568|0x17
0|30|libxul.so|mozilla::dom::Document::DoUnblockOnload()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|8746|0x20
0|31|libxul.so|mozilla::dom::Document::UnblockOnload(bool)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|8678|0x5
0|32|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|5160|0xd
0|33|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|1174|0x13
0|34|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|295|0x15
0|35|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|1176|0x15
0|36|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|486|0x11
0|37|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|88|0xa
0|38|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|315|0x17
0|39|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|290|0x8
0|40|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|137|0xd
0|41|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|911|0x11
0|42|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|238|0x5
0|43|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|315|0x17
0|44|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|290|0x8
0|45|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|749|0xc
0|46|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|56|0x14
0|47|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|263|0x11
0|48|libc-2.27.so||||0x21b97
0|49|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:462fc926490158a7609e7a6ff6a8a0c9a6e01a48|184|0x5
Flags: in-testsuite?
Flags: needinfo?(violet.bugreport)
Regressed by: 1383650

It turns out the BuildPath() method will still be exposed by the DOM
API via getTotalLength(). So we need to fall back to GetComputedStyleNoFlush()
to handle the display:none problem.

BuildPath() being affected also means GetStrokeWidth(), etc. will also
be indirectly exposed to DOM API in some obscure cases. Let's add a utility
to handle the fallback.

Flags: needinfo?(violet.bugreport)
Assignee: nobody → violet.bugreport
Status: NEW → ASSIGNED
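The DOM path the stack trace shows (getTotalLength() → SVGGeometryElement::GetTotalLength() → SVGCircleElement::BuildPath()) exercised on a circle that has no primary frame, written as an added regression check; this is not the attached testcase.html nor Gecko's own in-testsuite test. A fixed build should return the circle's circumference rather than hitting the assertion. `checkDisplayNoneCircleLength`, `expectedCircleLength` and the injected `doc` parameter are assumptions of this example.

```javascript
// Added regression check for the display:none getTotalLength() path.
// `doc` is injected so the same logic can run against a real document in a
// browser or against a stand-in document in a plain JS runtime.
const SVG_NS = "http://www.w3.org/2000/svg";

// Circumference of a circle of radius r: the value getTotalLength() must report.
function expectedCircleLength(r) {
  return 2 * Math.PI * r;
}

// Builds <svg style="display:none"><circle r=.../></svg>, calls getTotalLength()
// and compares with the geometric length. Returns {length, ok}.
function checkDisplayNoneCircleLength(doc, r = 10) {
  const svg = doc.createElementNS(SVG_NS, "svg");
  const circle = doc.createElementNS(SVG_NS, "circle");
  circle.setAttribute("cx", "20");
  circle.setAttribute("cy", "20");
  circle.setAttribute("r", String(r));
  // Undisplayed subtree: no frame is built for the circle, so BuildPath()
  // cannot read style from GetPrimaryFrame() and must use computed style.
  svg.setAttribute("style", "display:none");
  svg.appendChild(circle);
  doc.documentElement.appendChild(svg);
  try {
    const length = circle.getTotalLength();
    // Path length comes from a flattened Bezier approximation of the circle,
    // so allow a small tolerance rather than an exact match.
    const ok = Number.isFinite(length) &&
      Math.abs(length - expectedCircleLength(r)) < 0.5;
    return { length, ok };
  } finally {
    svg.remove();
  }
}

// In a browser, run from a load listener: the trace above shows the crashing
// call originating from an event listener fired by nsDocumentViewer::LoadComplete.
if (typeof document !== "undefined") {
  window.addEventListener("load", () => {
    console.log(checkDisplayNoneCircleLength(document));
  });
}
```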
Pushed by violet.bugreport@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/4ab1e25f7904
Fallback to GetComputedStyleNoFlush for BuildPath r=longsonr,emilio
Status: ASSIGNED → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
Flags: in-testsuite? → in-testsuite+