Closed
Bug 761021
Opened 12 years ago
Closed 12 years ago
cross_fuzz crash in mozilla::SVGStringList::GetValue
Categories
(Core :: SVG, defect)
RESOLVED
FIXED
People
(Reporter: cpeterson, Unassigned)
Details
(Keywords: crash)
Crash Data
This bug was filed from the Socorro interface and is report bp-014afbd0-bde8-4687-9168-a03d72120603.
=============================================================
Also these crash reports:
bp-e0ee69cd-46bd-4b13-a51e-9aba22120603
bp-ba260e94-2602-4b98-9552-874972120603
STR:
1. Load "cross_fuzz" browser stress test:
http://lcamtuf.coredump.cx/cross_fuzz/cross_fuzz_msie_randomized_seed.html
2. Wait 5-10 minutes.
AR:
Crash in mozilla::SVGStringList::GetValue(). I was able to reproduce this same cross_fuzz crash 3 times today.
Frame Module Signature Source
0 XUL mozilla::SVGStringList::GetValue nsTArray.h:192
1 XUL nsAttrValue::ToString nsAttrValue.cpp:601
2 XUL nsGenericElement::GetAttr nsGenericElement.cpp:5427
3 XUL nsDOMAttribute::GetValue nsDOMAttribute.cpp:160
4 XUL nsDOMAttribute::SetMap nsDOMAttribute.cpp:93
5 XUL RemoveMapRef nsDOMAttributeMap.cpp:40
6 XUL PL_DHashTableEnumerate pldhash.cpp:715
Frame Module Signature Source
0 XUL mozilla::SVGStringList::GetValue nsTArray.h:192
1 XUL nsAttrValue::ToString nsAttrValue.cpp:601
2 XUL nsGenericElement::CopyInnerTo nsGenericElement.cpp:5120
3 XUL nsSVGSVGElement::Clone nsSVGSVGElement.cpp:193
4 XUL nsNodeUtils::CloneAndAdopt nsNodeUtils.cpp:438
5 XUL nsNodeUtils::CloneAndAdopt nsNodeUtils.cpp:559
6 XUL nsNodeUtils::CloneAndAdopt nsNodeUtils.cpp:559
7 XUL nsDocument::ImportNode nsNodeUtils.h:272
8 XUL nsIDOMDocument_ImportNode dom_quickstubs.cpp:3391
9 XUL js::InvokeKernel jscntxtinlines.h:395
10 XUL js::Invoke jsinterp.h:125
Reporter
Comment 1•12 years ago
More cross_fuzz crashes in SVGStringList:
bp-662dbd9b-d917-4986-a302-3e11a2120604
bp-2649ea70-9eda-4178-bc43-a07582120604
bp-e0ee69cd-46bd-4b13-a51e-9aba22120603
Reporter
Comment 2•12 years ago
Comment 3•12 years ago
I imagine the patch in bug 761507 will fix this.
Comment 4•12 years ago
Is this fixed now?
Reporter
Comment 5•12 years ago
I think this crash has been fixed. I've been running the cross_fuzz test for 30 minutes without crashing.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED