Closed
Bug 557187
Opened 15 years ago
Closed 15 years ago
nsSMILTimeValueSpec::HandleDeletedInstanceTime reads freed memory
Categories
(Core :: SVG, defect)
Tracking
RESOLVED DUPLICATE of bug 554141
Tracking | Status | |
---|---|---|
blocking2.0 | --- | - |
People
(Reporter: jseward, Unassigned)
Details
(Keywords: valgrind)
Observed on a valgrind-mochitest run of m-c 40205:81f9b6d0ae9c (Sat
Apr 03 11:19:50 2010 -0400):
Invalid read of size 1
at 0x5D23DD0: nsSMILTimeValueSpec::HandleDeletedInstanceTime(nsSMILInstanceTime&) (nsSMILTimeValueSpec.cpp:222)
by 0x5D1C51A: nsSMILInstanceTime::HandleDeletedInterval() (nsSMILInstanceTime.cpp:161)
by 0x5D1C8D0: nsSMILInterval::NotifyDeleting() (nsSMILInterval.cpp:82)
by 0x5D23611: nsSMILTimedElement::~nsSMILTimedElement() (nsSMILTimedElement.cpp:152)
by 0x5D155AF: nsSVGSetElement::~nsSVGSetElement() (nsSVGAnimationElement.h:57)
by 0x5962A8B: nsNodeUtils::LastRelease(nsINode*) (nsNodeUtils.cpp:274)
by 0x59559AA: nsGenericElement::Release() (nsGenericElement.cpp:4178)
by 0x60F902C: nsXPCOMCycleCollectionParticipant::Unroot(void*) (nsCycleCollectionParticipant.cpp:74)
by 0x613FB8B: nsCycleCollector::CollectWhite() (nsCycleCollector.cpp:1868)
by 0x613FBED: nsCycleCollector::FinishCollection() (nsCycleCollector.cpp:2708)
by 0x555FD54: XPCCycleCollectGCCallback(JSContext*, JSGCStatus) (nsXPConnect.cpp:405)
by 0x6B80E50: js_GC (jsgc.cpp:3383)
Address 0x1a48c988 is 8 bytes inside a block of size 112 free'd
at 0x4C2513D: free (vg_replace_malloc.c:366)
by 0x5D238C8: nsSMILTimedElement::~nsSMILTimedElement() (mozalloc.h:246)
by 0x5D155AF: nsSVGSetElement::~nsSVGSetElement() (nsSVGAnimationElement.h:57)
by 0x5962A8B: nsNodeUtils::LastRelease(nsINode*) (nsNodeUtils.cpp:274)
by 0x59559AA: nsGenericElement::Release() (nsGenericElement.cpp:4178)
by 0x60F902C: nsXPCOMCycleCollectionParticipant::Unroot(void*) (nsCycleCollectionParticipant.cpp:74)
by 0x613FB8B: nsCycleCollector::CollectWhite() (nsCycleCollector.cpp:1868)
by 0x613FBED: nsCycleCollector::FinishCollection() (nsCycleCollector.cpp:2708)
by 0x555FD54: XPCCycleCollectGCCallback(JSContext*, JSGCStatus) (nsXPConnect.cpp:405)
by 0x6B80E50: js_GC (jsgc.cpp:3383)
by 0x555F585: nsXPConnect::Collect() (nsXPConnect.cpp:479)
by 0x6141222: nsCycleCollector::Collect(unsigned int) (nsCycleCollector.cpp:2520)
This was reported whilst running
content/smil/test/test_smilMappedAttrFromBy.xhtml
However, I cannot reproduce it atm. Re-running just that test does
not trigger it. Nor does running the entire tree content/smil/test.
I will add further details if I can find a way to repro it. I wonder
if this indicates that it depends on when the cycle collector runs.
For test methodology details see bug 549224. Summary details:
changeset as above, x86_64-Linux, gcc-4.3.4, release build, -O2 -g,
DISPLAY is 1024x768x16 vnc server.
FTR, command line I used is similar to this:
(TEST_PATH=content/smil/test \
DISPLAY=:1.0 \
make -C ff-opt mochitest-plain \
EXTRA_TEST_ARGS='--close-when-done --debugger=vTRUNK \
--debugger-args="--tool=memcheck --smc-check=all \
--suppressions=/home/sewardj/MOZ/mochitest-mc.supp \
--error-limit=no --stats=yes --trace-children=yes \
--child-silent-after-fork=yes \
'--trace-children-skip=/usr/bin/hg,/bin/rm,*/bin/certutil,*/bin/pk12util,*/bin/ssltunnel' \
--track-origins=no --log-socket=127.0.0.1:1500"') 2>&1 \
| tee logfile
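The hazard the trace shows (the spec freed in ~nsSMILTimedElement, then NotifyDeleting calling back into it) reduced to a model, added here as an example that is not Mozilla's code; the class names mirror the trace, while the ownership layout, the back-pointer from instance time to creator spec, and the two defences are assumptions about the fix rather than what the real patch does.

```cpp
// Added example, not Mozilla code: reduced model of the destruction-order
// hazard in the valgrind trace. Ownership layout and defences are assumptions.
#include <memory>
#include <vector>

struct InstanceTime;

struct TimeValueSpec {
    int* notifications;                 // counter that outlives the spec (for the test)
    std::vector<InstanceTime*> created; // instance times whose creator is this spec
    explicit TimeValueSpec(int* n) : notifications(n) {}
    ~TimeValueSpec();
    void HandleDeletedInstanceTime(InstanceTime&) { ++*notifications; } // reads *this
};

struct InstanceTime {
    TimeValueSpec* creator = nullptr;   // back-pointer; dangles if the spec dies first
    void HandleDeletedInterval() {
        if (creator) creator->HandleDeletedInstanceTime(*this);
    }
};

// Defence 1: a dying spec severs every back-pointer, so a later NotifyDeleting
// finds nullptr instead of freed memory.
TimeValueSpec::~TimeValueSpec() {
    for (InstanceTime* t : created) t->creator = nullptr;
}

struct Interval {
    std::vector<std::unique_ptr<InstanceTime>> times;
    void NotifyDeleting() { for (auto& t : times) t->HandleDeletedInterval(); }
};

// One spec creates two instance times in one interval, then teardown runs.
// freeSpecFirst=true is the order in the report (spec freed, then the interval
// notifies); false is Defence 2: notify while the spec is still alive.
// Returns how many deletion notifications reached a live spec.
int TeardownNotifications(bool freeSpecFirst) {
    int count = 0;
    Interval current;
    auto spec = std::make_unique<TimeValueSpec>(&count);
    for (int i = 0; i < 2; ++i) {
        auto t = std::make_unique<InstanceTime>();
        t->creator = spec.get();
        spec->created.push_back(t.get());
        current.times.push_back(std::move(t));
    }
    if (freeSpecFirst) spec.reset();  // without Defence 1 the next call is the UAF
    current.NotifyDeleting();         // delivered to a live spec (2) or skipped (0)
    return count;
}
```

Either defence alone removes the read of freed memory; applying both covers the case where destruction order cannot be controlled, for instance when the cycle collector drives teardown as in the trace.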
Comment 1•15 years ago
Probably related to bug 554141 / bug 549715.
Updated•15 years ago
blocking2.0: --- → ?
blocking2.0: ? → -
Comment 2•15 years ago
Based on the stack trace above, this appears to be a dupe of bug 554141 as dholbert suggested.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE