Status

defect
RESOLVED FIXED
3 months ago
2 months ago

People

(Reporter: tsmith, Assigned: violet.bugreport)

Tracking

(Blocks 1 bug, Regression, {crash, testcase})

unspecified
mozilla69
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox-esr60 unaffected, firefox67 unaffected, firefox68 unaffected, firefox69 fixed)

Attachments

(2 attachments)

Posted file testcase.html

The fuzzers first started hitting this on 2019-05-28 (m-c 20190528-5cc220ddf028)

Report from: m-c 20190530-462fc9264901

==91264==ERROR: AddressSanitizer: stack-overflow on address 0x7fff76a82fa0 (pc 0x7f12e857f7c6 bp 0x7fff76a83090 sp 0x7fff76a82fa0 T0)
    #0 0x7f12e857f7c5 in mozilla::SVGAnimatedLength::GetPixelsPerUnit(mozilla::dom::SVGElement*, unsigned char) const /src/dom/svg/SVGAnimatedLength.cpp:181
    #1 0x7f12e86b5704 in GetAnimValue /src/dom/svg/SVGAnimatedLength.h:122:23
    #2 0x7f12e86b5704 in mozilla::dom::SVGViewportElement::GetLength(unsigned char) /src/dom/svg/SVGViewportElement.cpp:219
    #3 0x7f12e857f14b in mozilla::dom::SVGElementMetrics::GetAxisLength(unsigned char) const /src/dom/svg/SVGAnimatedLength.cpp:129:30
    #4 0x7f12e857f9fc in GetPixelsPerUnit /src/dom/svg/SVGAnimatedLength.cpp:220:23
    #5 0x7f12e857f9fc in mozilla::SVGAnimatedLength::GetPixelsPerUnit(mozilla::dom::SVGElement*, unsigned char) const /src/dom/svg/SVGAnimatedLength.cpp:182
    #6 0x7f12e86b5704 in GetAnimValue /src/dom/svg/SVGAnimatedLength.h:122:23
    #7 0x7f12e86b5704 in mozilla::dom::SVGViewportElement::GetLength(unsigned char) /src/dom/svg/SVGViewportElement.cpp:219
    #8 0x7f12e857f14b in mozilla::dom::SVGElementMetrics::GetAxisLength(unsigned char) const /src/dom/svg/SVGAnimatedLength.cpp:129:30
    #9 0x7f12e857f9fc in GetPixelsPerUnit /src/dom/svg/SVGAnimatedLength.cpp:220:23
    #10 0x7f12e857f9fc in mozilla::SVGAnimatedLength::GetPixelsPerUnit(mozilla::dom::SVGElement*, unsigned char) const /src/dom/svg/SVGAnimatedLength.cpp:182
    #11 0x7f12e86b5704 in GetAnimValue /src/dom/svg/SVGAnimatedLength.h:122:23
    #12 0x7f12e86b5704 in mozilla::dom::SVGViewportElement::GetLength(unsigned char) /src/dom/svg/SVGViewportElement.cpp:219
    #13 0x7f12e857f14b in mozilla::dom::SVGElementMetrics::GetAxisLength(unsigned char) const /src/dom/svg/SVGAnimatedLength.cpp:129:30
    #14 0x7f12e857f9fc in GetPixelsPerUnit /src/dom/svg/SVGAnimatedLength.cpp:220:23
    #15 0x7f12e857f9fc in mozilla::SVGAnimatedLength::GetPixelsPerUnit(mozilla::dom::SVGElement*, unsigned char) const /src/dom/svg/SVGAnimatedLength.cpp:182
    #16 0x7f12e86b5704 in GetAnimValue /src/dom/svg/SVGAnimatedLength.h:122:23
    #17 0x7f12e86b5704 in mozilla::dom::SVGViewportElement::GetLength(unsigned char) /src/dom/svg/SVGViewportElement.cpp:219
    #18 0x7f12e857f14b in mozilla::dom::SVGElementMetrics::GetAxisLength(unsigned char) const /src/dom/svg/SVGAnimatedLength.cpp:129:30
    #19 0x7f12e857f9fc in GetPixelsPerUnit /src/dom/svg/SVGAnimatedLength.cpp:220:23
    #20 0x7f12e857f9fc in mozilla::SVGAnimatedLength::GetPixelsPerUnit(mozilla::dom::SVGElement*, unsigned char) const /src/dom/svg/SVGAnimatedLength.cpp:182
    #21 0x7f12e86b5704 in GetAnimValue /src/dom/svg/SVGAnimatedLength.h:122:23
    #22 0x7f12e86b5704 in mozilla::dom::SVGViewportElement::GetLength(unsigned char) /src/dom/svg/SVGViewportElement.cpp:219
    #23 0x7f12e857f14b in mozilla::dom::SVGElementMetrics::GetAxisLength(unsigned char) const /src/dom/svg/SVGAnimatedLength.cpp:129:30
    #24 0x7f12e857f9fc in GetPixelsPerUnit /src/dom/svg/SVGAnimatedLength.cpp:220:23
...
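The trace above is the classic shape of an unbounded-recursion stack overflow: after the faulting frame, the same five frames (GetAnimValue, GetLength, GetAxisLength, the inlined GetPixelsPerUnit and the outlined GetPixelsPerUnit) repeat all the way down. When a fuzzer produces many such reports it helps to detect the cycle mechanically rather than by eye. The following Python is an added triage helper written for this page, not Mozilla code and not part of the bug; the names `parse_frames`, `find_cycle`, `recursion_cycle` and `short_name` are this example's own. The embedded report is the header and first 16 frame lines copied from the ASan output above.

```python
"""Spot the repeating call cycle in an AddressSanitizer stack-overflow report.

Added triage helper (not Mozilla code): parses the frame lines ASan prints
and looks for the earliest, shortest run of frames that repeats down the
stack, i.e. the call cycle that never terminates.
"""
import re

# Header plus the first 16 frames of the ASan report attached to this bug,
# copied from the report above (addresses exactly as ASan printed them).
ASAN_TRACE = """\
==91264==ERROR: AddressSanitizer: stack-overflow on address 0x7fff76a82fa0 (pc 0x7f12e857f7c6 bp 0x7fff76a83090 sp 0x7fff76a82fa0 T0)
    #0 0x7f12e857f7c5 in mozilla::SVGAnimatedLength::GetPixelsPerUnit(mozilla::dom::SVGElement*, unsigned char) const /src/dom/svg/SVGAnimatedLength.cpp:181
    #1 0x7f12e86b5704 in GetAnimValue /src/dom/svg/SVGAnimatedLength.h:122:23
    #2 0x7f12e86b5704 in mozilla::dom::SVGViewportElement::GetLength(unsigned char) /src/dom/svg/SVGViewportElement.cpp:219
    #3 0x7f12e857f14b in mozilla::dom::SVGElementMetrics::GetAxisLength(unsigned char) const /src/dom/svg/SVGAnimatedLength.cpp:129:30
    #4 0x7f12e857f9fc in GetPixelsPerUnit /src/dom/svg/SVGAnimatedLength.cpp:220:23
    #5 0x7f12e857f9fc in mozilla::SVGAnimatedLength::GetPixelsPerUnit(mozilla::dom::SVGElement*, unsigned char) const /src/dom/svg/SVGAnimatedLength.cpp:182
    #6 0x7f12e86b5704 in GetAnimValue /src/dom/svg/SVGAnimatedLength.h:122:23
    #7 0x7f12e86b5704 in mozilla::dom::SVGViewportElement::GetLength(unsigned char) /src/dom/svg/SVGViewportElement.cpp:219
    #8 0x7f12e857f14b in mozilla::dom::SVGElementMetrics::GetAxisLength(unsigned char) const /src/dom/svg/SVGAnimatedLength.cpp:129:30
    #9 0x7f12e857f9fc in GetPixelsPerUnit /src/dom/svg/SVGAnimatedLength.cpp:220:23
    #10 0x7f12e857f9fc in mozilla::SVGAnimatedLength::GetPixelsPerUnit(mozilla::dom::SVGElement*, unsigned char) const /src/dom/svg/SVGAnimatedLength.cpp:182
    #11 0x7f12e86b5704 in GetAnimValue /src/dom/svg/SVGAnimatedLength.h:122:23
    #12 0x7f12e86b5704 in mozilla::dom::SVGViewportElement::GetLength(unsigned char) /src/dom/svg/SVGViewportElement.cpp:219
    #13 0x7f12e857f14b in mozilla::dom::SVGElementMetrics::GetAxisLength(unsigned char) const /src/dom/svg/SVGAnimatedLength.cpp:129:30
    #14 0x7f12e857f9fc in GetPixelsPerUnit /src/dom/svg/SVGAnimatedLength.cpp:220:23
    #15 0x7f12e857f9fc in mozilla::SVGAnimatedLength::GetPixelsPerUnit(mozilla::dom::SVGElement*, unsigned char) const /src/dom/svg/SVGAnimatedLength.cpp:182
"""

# One ASan frame line: "#N 0xADDR in <function, may contain spaces> <file:line[:col]>"
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s+(\S+)$")


def is_stack_overflow(report):
    """True when the report header is ASan's stack-overflow diagnostic."""
    return "ERROR: AddressSanitizer: stack-overflow" in report


def parse_frames(report):
    """Return [(function, file:line[:col]), ...] in stack order, #0 first."""
    frames = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((m.group(2), m.group(3)))
    return frames


def find_cycle(frames, min_repeats=2):
    """Earliest start and shortest period such that every frame from `start`
    on equals the frame `period` positions deeper, with at least
    `min_repeats` full periods available. Returns (start, period) or None."""
    n = len(frames)
    for start in range(n):
        for period in range(1, (n - start) // min_repeats + 1):
            if all(frames[i] == frames[i + period]
                   for i in range(start, n - period)):
                return start, period
    return None


def short_name(fn):
    """'mozilla::dom::SVGViewportElement::GetLength(unsigned char)' -> 'GetLength'."""
    return fn.split("(", 1)[0].rsplit("::", 1)[-1]


def recursion_cycle(report, min_repeats=2):
    """Short names of the functions in the repeating cycle, innermost first,
    or None when the report is not a stack overflow with a repeating cycle."""
    if not is_stack_overflow(report):
        return None
    frames = parse_frames(report)
    hit = find_cycle(frames, min_repeats)
    if hit is None:
        return None
    start, period = hit
    return [short_name(fn) for fn, _ in frames[start:start + period]]


if __name__ == "__main__":
    print(find_cycle(parse_frames(ASAN_TRACE)))  # (1, 5)
    print(" -> ".join(recursion_cycle(ASAN_TRACE)))
```

On this report the cycle is found at start 1 with period 5, not at frame #0: the faulting frame reports the instruction at SVGAnimatedLength.cpp:181 while every deeper instance of the same function reports the return address at line 182, so comparing (function, location) pairs has to skip the top frame. Comparing function names alone would start the cycle at #0 but would also merge genuinely different call sites, which is why the location is kept in the comparison.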
Flags: in-testsuite?
Flags: needinfo?(violet.bugreport)
Regressed by: 1554568
Flags: needinfo?(violet.bugreport)
Assignee: nobody → violet.bugreport
Status: NEW → ASSIGNED
Crash Signature: [@ nsINode::GetFlattenedTreeParentNode]
Pushed by violet.bugreport@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/b6fa96d10a09
Check IsInner() to ensure it is an outer svg r=longsonr
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
Flags: in-testsuite? → in-testsuite+