Closed Bug 1609786 Opened 5 years ago Closed 5 years ago

AddressSanitizer: SEGV /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/atomic_base.h:524:16 in fetch_sub

Categories

(Core :: Layout, defect, P2)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla74
Tracking Flags:
Tracking Status
firefox-esr68 --- wontfix
firefox72 --- wontfix
firefox73 --- wontfix
firefox74 --- fixed

People

(Reporter: jkratzer, Assigned: boris)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, testcase)

Attachments

(2 files)

testcase.html
195 bytes, text/html
Details
Bug 1609786 - Make the empty svg path valid.
47 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 7e0886a94d70.

==17526==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7fc108fb2ca8 bp 0x7ffd9b30d050 sp 0x7ffd9b30d050 T0)
==17526==The signal is caused by a WRITE memory access.
==17526==Hint: address points to the zero page.
    #0 0x7fc108fb2ca7 in fetch_sub /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/atomic_base.h:524:16
    #1 0x7fc108fb2ca7 in operator-- /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefCounted.h:128:23
    #2 0x7fc108fb2ca7 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefCounted.h:191:27
    #3 0x7fc108fb2ca7 in ReleaseValue<mozilla::gfx::Path> /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:511:19
    #4 0x7fc108fb2ca7 in void mozilla::FramePropertyDescriptor<mozilla::gfx::Path>::Destruct<&(void ReleaseValue<mozilla::gfx::Path>(mozilla::gfx::Path*))>(void*) /builds/worker/workspace/build/src/layout/base/FrameProperties.h:91:5
    #5 0x7fc108fb4253 in mozilla::FrameProperties::DeleteAll(nsIFrame const*) /builds/worker/workspace/build/src/layout/base/FrameProperties.h:269:12
    #6 0x7fc1091f73c8 in DeleteAllProperties /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:3685:44
    #7 0x7fc1091f73c8 in nsFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:889:3
    #8 0x7fc1091423e7 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:288:22
    #9 0x7fc10932066d in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsLineBox.cpp:380:14
    #10 0x7fc109141b31 in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:417:3
    #11 0x7fc1092518fc in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:51:12
    #12 0x7fc10914219e in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:215:11
    #13 0x7fc10918d8b5 in nsCanvasFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:231:21
    #14 0x7fc1092518fc in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:51:12
    #15 0x7fc10914219e in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:215:11
    #16 0x7fc1092518fc in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:51:12
    #17 0x7fc10914219e in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:215:11
    #18 0x7fc10900aaec in Destroy /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:655:5
    #19 0x7fc10900aaec in nsFrameManager::Destroy() /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:53:17
    #20 0x7fc108f4babb in mozilla::PresShell::Destroy() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1358:22
    #21 0x7fc10902d7d8 in nsDocumentViewer::DestroyPresShell() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:4111:15
    #22 0x7fc10901f0a6 in nsDocumentViewer::Destroy() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1836:5
    #23 0x7fc10902f85a in nsDocumentViewer::Show() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2145:17
    #24 0x7fc1090c82d8 in nsPresContext::EnsureVisible() /builds/worker/workspace/build/src/layout/base/nsPresContext.cpp:1637:25
    #25 0x7fc108f66796 in mozilla::PresShell::UnsuppressAndInvalidate() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:3737:54
    #26 0x7fc1090267b1 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1194:18
    #27 0x7fc10bb69247 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6117:20
    #28 0x7fc10bb683f5 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5900:7
    #29 0x7fc10bb6ce5f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #30 0x7fc10326f9c0 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1347:3
    #31 0x7fc10326e94c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:906:14
    #32 0x7fc10326ac20 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:726:9
    #33 0x7fc10326d453 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:614:5
    #34 0x7fc10326e4dc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
    #35 0x7fc100b0ffb7 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:604:22
    #36 0x7fc100b131c7 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:511:10
    #37 0x7fc1047d4a1f in mozilla::dom::Document::DoUnblockOnload() /builds/worker/workspace/build/src/dom/base/Document.cpp:10701:18
    #38 0x7fc10478abdc in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/Document.cpp:10633:9
    #39 0x7fc1047afeec in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:7310:3
    #40 0x7fc10487bc04 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1164:12
    #41 0x7fc10487bc04 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1170:12
    #42 0x7fc10487bc04 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1216:13
    #43 0x7fc100888c88 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1220:14
    #44 0x7fc100893a9c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #45 0x7fc101ad144f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:87:21
    #46 0x7fc1019cace7 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #47 0x7fc1019cace7 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #48 0x7fc1019cace7 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #49 0x7fc108a70458 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #50 0x7fc10c3785af in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:272:30
    #51 0x7fc10c58c10b in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4605:22
    #52 0x7fc10c58e062 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4742:8
    #53 0x7fc10c58f5a3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4823:21
    #54 0x555e2de1e8df in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:217:22
    #55 0x555e2de1e8df in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:339:16
    #56 0x7fc1231dfb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #57 0x555e2dd73ebc in _start (/home/user/builds/mc-asan/firefox+0x9bebc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/atomic_base.h:524:16 in fetch_sub
Flags: in-testsuite?

Looks like the cache on nsIFrame for motion-path.

Assignee: nobody → boris.chiou
Flags: needinfo?(boris.chiou)
Priority: -- → P3
Flags: needinfo?(boris.chiou)
Priority: P3 → P2

Per SVG2 spec, the EBNF allows the path data string to be empty.
An empty path data string disables rendering of the path.
Therefore, we make offset-path: path(' ') to be offset-path: none
and clip-path: path(' ') to be clip-path: none.

Attachment #9122519 - Attachment description: Bug 1609786 - Make the empty svg path valid but treat it as none. → Bug 1609786 - Make the empty svg path valid.
Pushed by bchiou@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1ef31cd775e6 Make the empty svg path valid. r=emilio
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/21417 for changes under testing/web-platform/tests
Upstream web-platform-tests status checks passed, PR will merge once commit reaches central.

https://hg.mozilla.org/mozilla-central/rev/1ef31cd775e6

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox74: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla74
Upstream PR merged by moz-wptsync-bot
status-firefox72: --- → wontfix
status-firefox73: --- → wontfix
status-firefox-esr68: --- → wontfix
Flags: in-testsuite? → in-testsuite+
Regressions: 1764936
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: