Closed Bug 1577191 Opened 3 months ago Closed 3 months ago

Crash [@ decltype (static_cast<mozilla::dom::Element*>(&{parm#1})) mozilla::dom::Element::FromNode<nsINode>]

Categories

(Core :: DOM: Core & HTML, defect)

defect
Not set

Tracking

RESOLVED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- unaffected
firefox69 --- unaffected
firefox70 --- fixed

People

(Reporter: jkratzer, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(2 files)

Attached file test_0921.html

Testcase found while fuzzing mozilla-central rev 546d1fd47c9a.

rax = 0x0000000000000000   rdx = 0x00007f33786a4530
rcx = 0x0000000000000000   rbx = 0x00007f337869b040
rsi = 0x0000000000000001   rdi = 0x0000000000000000
rbp = 0x00007ffdcb960290   rsp = 0x00007ffdcb960228
r8 = 0x00007f3378660f70    r9 = 0x00007f33a888d0e0
r10 = 0x0000000000000000   r11 = 0x0000000000000001
r12 = 0x0000000000000001   r13 = 0x0000000000000001
r14 = 0x0000000000000001   r15 = 0x00007f33a718ca28
rip = 0x00007f3396f4db3b
OS|Linux|0.0.0 Linux 5.0.0-25-generic #26~18.04.1-Ubuntu SMP Thu Aug 1 13:51:02 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV|0x1c|0
0|0|libxul.so|decltype (static_cast<mozilla::dom::Element*>(&{parm#1})) mozilla::dom::Element::FromNode<nsINode>(nsINode&)|hg:hg.mozilla.org/mozilla-central:dom/base/Element.h:546d1fd47c9a48b6919848b2c6f28359460731eb|185|0x0
0|1|libxul.so|mozilla::dom::Element::UnbindFromTree(bool)|hg:hg.mozilla.org/mozilla-central:dom/base/Element.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|1805|0xe
0|2|libxul.so|nsXULElement::UnbindFromTree(bool)|hg:hg.mozilla.org/mozilla-central:dom/xul/nsXULElement.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|758|0xc
0|3|libxul.so|nsXBLBinding::UnbindAnonymousContent(mozilla::dom::Document*, nsIContent*, bool)|hg:hg.mozilla.org/mozilla-central:dom/xbl/nsXBLBinding.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|191|0xf
0|4|libxul.so|nsXBLBinding::~nsXBLBinding()|hg:hg.mozilla.org/mozilla-central:dom/xbl/nsXBLBinding.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|103|0x20
0|5|libxul.so|nsXBLBinding::cycleCollection::DeleteCycleCollectable(void*)|hg:hg.mozilla.org/mozilla-central:dom/xbl/nsXBLBinding.h:546d1fd47c9a48b6919848b2c6f28359460731eb|52|0x14
0|6|libxul.so|SnowWhiteKiller::MaybeKillObject(SnowWhiteKiller::SnowWhiteObject&)|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCycleCollector.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|2429|0xd
0|7|libxul.so|SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*)|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCycleCollector.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|2459|0xc
0|8|libxul.so|void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&)|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCycleCollector.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|941|0x12
0|9|libxul.so|nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&)|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCycleCollector.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|2624|0xf
0|10|libxul.so|AsyncFreeSnowWhite::Run()|hg:hg.mozilla.org/mozilla-central:js/xpconnect/src/XPCJSRuntime.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|146|0x8
0|11|libxul.so|IdleRunnableWrapper::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|331|0x11
0|12|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|1225|0x15
0|13|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|486|0x11
0|14|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|88|0xa
0|15|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:546d1fd47c9a48b6919848b2c6f28359460731eb|315|0x17
0|16|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:546d1fd47c9a48b6919848b2c6f28359460731eb|290|0x8
0|17|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|137|0xd
0|18|libxul.so|nsAppStartup::Run()|hg:hg.mozilla.org/mozilla-central:toolkit/components/startup/nsAppStartup.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|276|0xe
0|19|libxul.so|XREMain::XRE_mainRun()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|4573|0x11
0|20|libxul.so|XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|4711|0x8
0|21|libxul.so|XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|4792|0x5
0|22|firefox-bin|do_main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|213|0x22
0|23|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|295|0xf
0|24|libc-2.27.so||||0x21b97
0|25|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:546d1fd47c9a48b6919848b2c6f28359460731eb|184|0x5
Flags: in-testsuite?

Fixed already in the last patch of bug 1554498 (on autoland now). These crashes were all over the place in ccov builds; I still can't believe the patch got through autoland as it did.

Status: NEW → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
See Also: → 1554498

I'm thinking it might be good to land the testcase here still if it allows us to catch the issue faster than the once-daily (or thereabouts) ccov builds.

Assignee: nobody → emilio
Flags: needinfo?(emilio)
Target Milestone: --- → mozilla70

Done :)

Flags: needinfo?(emilio)