Closed
Bug 1560179
Opened 5 years ago
Closed 5 years ago
AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/svg/SVGImageElement.cpp:270:3 in mozilla::dom::SVGImageElement::BuildPath(mozilla::gfx::PathBuilder*)
Categories
(Core :: SVG, defect)
Core
SVG
Tracking
()
RESOLVED
FIXED
mozilla69
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox67 | --- | unaffected |
| firefox68 | --- | unaffected |
| firefox69 | --- | fixed |
People
(Reporter: jkratzer, Assigned: violet.bugreport)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: crash, regression, testcase)
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 19cf79b6f07d.
=================================================================
==849==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f0abd0a9a3a bp 0x7ffc9e55a860 sp 0x7ffc9e55a860 T0)
==849==The signal is caused by a WRITE memory access.
==849==Hint: address points to the zero page.
#0 0x7f0abd0a9a39 in mozilla::dom::SVGImageElement::BuildPath(mozilla::gfx::PathBuilder*) /builds/worker/workspace/build/src/dom/svg/SVGImageElement.cpp:270:3
#1 0x7f0abd0a090a in mozilla::dom::SVGGeometryElement::GetOrBuildPath(mozilla::gfx::DrawTarget const*, mozilla::gfx::FillRule) /builds/worker/workspace/build/src/dom/svg/SVGGeometryElement.cpp:103:23
#2 0x7f0abd0a0db1 in mozilla::dom::SVGGeometryElement::GetOrBuildPathForMeasuring() /builds/worker/workspace/build/src/dom/svg/SVGGeometryElement.cpp:114:10
#3 0x7f0abf131dbc in SVGTextFrame::GetTextPath(nsIFrame*) /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:4621:36
#4 0x7f0abf132b40 in SVGTextFrame::DoTextPathLayout() /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:4683:25
#5 0x7f0abf137af5 in SVGTextFrame::DoGlyphPositioning() /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:4964:3
#6 0x7f0abf167faa in nsSVGContainerFrame::ReflowSVGNonDisplayText(nsIFrame*) /builds/worker/workspace/build/src/layout/svg/nsSVGContainerFrame.cpp:113:40
#7 0x7f0abf11b96d in nsSVGDisplayContainerFrame::ReflowSVG() /builds/worker/workspace/build/src/layout/svg/nsSVGContainerFrame.cpp:333:11
#8 0x7f0abf1af1b1 in nsSVGOuterSVGFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/svg/nsSVGOuterSVGFrame.cpp:454:14
#9 0x7f0abee0d581 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:877:13
#10 0x7f0abeb6c21e in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4343:15
#11 0x7f0abeb6a3f2 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4145:5
#12 0x7f0abeb5ec2d in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4030:9
#13 0x7f0abeb5570b in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3062:5
#14 0x7f0abeb46fbd in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2601:7
#15 0x7f0abeb3ab14 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1341:3
#16 0x7f0abeb66f24 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:297:11
#17 0x7f0abeb59228 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3667:11
#18 0x7f0abeb55775 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3059:5
#19 0x7f0abeb46fbd in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2601:7
#20 0x7f0abeb3ab14 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1341:3
#21 0x7f0abebada12 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:894:14
#22 0x7f0abebab8c7 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:730:5
#23 0x7f0abebada12 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:894:14
#24 0x7f0abed006d9 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:562:3
#25 0x7f0abed01eb0 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:675:3
#26 0x7f0abed09ed4 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1077:3
#27 0x7f0abeb21173 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:933:14
#28 0x7f0abeb1fd38 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:307:7
#29 0x7f0abe856d92 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9285:11
#30 0x7f0abe877b40 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9455:24
#31 0x7f0abe874c22 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4233:11
#32 0x7f0abe9a06a7 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/PresShell.h:1459:5
#33 0x7f0abe9a06a7 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1016
#34 0x7f0ac183daf3 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6682:20
#35 0x7f0ac183cc0c in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6482:7
#36 0x7f0ac1842617 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
#37 0x7f0ab62fbcd5 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1337:3
#38 0x7f0ab62fa8ca in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:896:14
#39 0x7f0ab62f4f10 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:730:9
#40 0x7f0ab62f8785 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:618:5
#41 0x7f0ab62fa414 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
#42 0x7f0ab3a3e721 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:568:22
#43 0x7f0ab7bd3ac8 in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/Document.cpp:10536:18
#44 0x7f0ab7bd3ac8 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/Document.cpp:10468
#45 0x7f0ab7c08fd5 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:6983:3
#46 0x7f0ab7d213ab in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
#47 0x7f0ab7d213ab in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1130
#48 0x7f0ab7d213ab in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1176
#49 0x7f0ab36b6e75 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
#50 0x7f0ab36f7b33 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1215:14
#51 0x7f0ab36ff8f4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#52 0x7f0ab4b08b7f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#53 0x7f0ab49dface in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#54 0x7f0ab49dface in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#55 0x7f0ab49dface in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#56 0x7f0abe0f1563 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#57 0x7f0ac273781e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:919:20
#58 0x7f0ab49dface in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#59 0x7f0ab49dface in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#60 0x7f0ab49dface in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#61 0x7f0ac2736361 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:754:34
#62 0x564309d10eb3 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#63 0x564309d10eb3 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:267
#64 0x7f0ad8408b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/svg/SVGImageElement.cpp:270:3 in mozilla::dom::SVGImageElement::BuildPath(mozilla::gfx::PathBuilder*)
==849==ABORTING
Flags: in-testsuite?
|
||
Comment 1•5 years ago
|
||
Do we need to revert bug 1556147?
|
Assignee | |
Comment 2•5 years ago
|
||
(In reply to Robert Longson [:longsonr] from comment #1)
Do we need to revert bug 1556147?
No, this one is a real bug discovered by bug 1556147.
href of textPath should not accept <image> https://svgwg.org/svg2-draft/text.html#TextPathElementHrefAttribute
Flags: needinfo?(violet.bugreport)
|
|
Assignee | |
Updated•5 years ago
|
Assignee: nobody → violet.bugreport
Status: NEW → ASSIGNED
|
|
||
Comment 3•5 years ago
|
||
Ahh yes. Looks like Image elements probably should not be eSHAPE nodes.
|
|
Assignee | |
Comment 4•5 years ago
|
||
|
||
Updated•5 years ago
|
Keywords: regression
Pushed by violet.bugreport@gmail.com: https://hg.mozilla.org/integration/autoland/rev/74e7a89b8d26 Image should not accept eSHAPE r=longsonr
|
||
Comment 6•5 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox69:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
|
||
Updated•5 years ago
|
status-firefox67:
--- → unaffected
status-firefox68:
--- → unaffected
status-firefox-esr60:
--- → unaffected
Flags: in-testsuite? → in-testsuite+
|
||
Updated•4 years ago
|
Blocks: asan-maintenance
|
|
||
Updated•2 years ago
|
Has Regression Range: --- → yes
You need to log in
before you can comment on or make changes to this bug.
Description
•