1683907 - Assertion failure: mPathVertices.IsEmpty() (have vertices but no path), at /builds/worker/checkouts/gecko/dom/svg/SVGMotionSMILAnimationFunction.cpp:306

Status: VERIFIED FIXED

(Core :: SVG, defect)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev 8d8d3ecf368f (built with --enable-debug).

Assertion failure: mPathVertices.IsEmpty() (have vertices but no path), at /builds/worker/checkouts/gecko/dom/svg/SVGMotionSMILAnimationFunction.cpp:306

    #0 0x7f4779c6b209 in mozilla::SVGMotionSMILAnimationFunction::GetValues(mozilla::SMILAttr const&, FallibleTArray<mozilla::SMILValue>&) /builds/worker/checkouts/gecko/dom/svg/SVGMotionSMILAnimationFunction.cpp:306:5
    #1 0x7f477a047557 in mozilla::SMILAnimationFunction::ComposeResult(mozilla::SMILAttr const&, mozilla::SMILValue&) /builds/worker/checkouts/gecko/dom/smil/SMILAnimationFunction.cpp:192:17
    #2 0x7f477a046779 in mozilla::SMILCompositor::ComposeAttribute(bool&) /builds/worker/checkouts/gecko/dom/smil/SMILCompositor.cpp:97:29
    #3 0x7f477a0452e3 in mozilla::SMILAnimationController::DoSample(bool) /builds/worker/checkouts/gecko/dom/smil/SMILAnimationController.cpp:416:17
    #4 0x7f477a6d9f14 in Resample /builds/worker/workspace/obj-build/dist/include/mozilla/SMILAnimationController.h:73:21
    #5 0x7f477a6d9f14 in FlushResampleRequests /builds/worker/workspace/obj-build/dist/include/mozilla/SMILAnimationController.h:86:5
    #6 0x7f477a6d9f14 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4184:46
    #7 0x7f47779ed35b in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1421:5
    #8 0x7f47779ed35b in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10374:16
    #9 0x7f47770285bf in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:702:14
    #10 0x7f477702989d in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:640:5
    #11 0x7f477702a07c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp
    #12 0x7f4775f960f6 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:616:22
    #13 0x7f4775f97603 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:523:10
    #14 0x7f47779f00f1 in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11107:18
    #15 0x7f47779cf4d0 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11037:9
    #16 0x7f47779dfa0d in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7600:3
    #17 0x7f4777a50996 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
    #18 0x7f4777a50996 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
    #19 0x7f4777a50996 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
    #20 0x7f4775df3122 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:146:20
    #21 0x7f4775df919f in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:459:16
    #22 0x7f4775df779a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:739:26
    #23 0x7f4775df6844 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:598:15
    #24 0x7f4775df69f7 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:382:36
    #25 0x7f4775dfca46 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:123:37
    #26 0x7f4775dfca46 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #27 0x7f4775e0e035 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1200:14
    #28 0x7f4775e140ea in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #29 0x7f477671b5d6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #30 0x7f4776687a93 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #31 0x7f47766879ad in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #32 0x7f47766879ad in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #33 0x7f477a3fe458 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #34 0x7f477bc06033 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
    #35 0x7f477671c4b9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #36 0x7f4776687a93 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #37 0x7f47766879ad in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #38 0x7f47766879ad in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #39 0x7f477bc05c18 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #40 0x55737b822e07 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #41 0x55737b822e07 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:305:18
    #42 0x7f478c9f30b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16

Comment 1

[Bugmon [:jkratzer for issues]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201222215026-be30820869d8.
The bug appears to have been introduced in the following build range:

Start: 0acb34a4e5f35fe24be33cb1fff95502bf2e386a (20201001233508)
End: 9c9602e64e194e376d9849828ce71616ef659272 (20201001234057)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0acb34a4e5f35fe24be33cb1fff95502bf2e386a&tochange=9c9602e64e194e376d9849828ce71616ef659272

Comment 2

[Robert Longson [:longsonr]]

Attachment: Bug 1683907 - use the same logic for rendering and bounds checking

Comment 3

[Pulsebot]

Pushed by longsonr@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/aff217971e94
use the same logic for rendering and bounds checking r=emilio

Comment 4

[Robert Longson [:longsonr]]

https://treeherder.mozilla.org/jobs?repo=try&revision=bf578ed7059825d4f1bafd33d03015080c6319ee

Comment 5

[Cristian Brindusan [:cbrindusan]]

https://hg.mozilla.org/mozilla-central/rev/aff217971e94

Comment 6

[Bugmon [:jkratzer for issues]]

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20201226213351-48f46a7eada9.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.