cross_fuzz crash in mozilla::SVGStringList::GetValue

Status: RESOLVED FIXED
Product: Core
Component: SVG
Priority: --
Severity: critical
Reported: 5 years ago
Modified: 5 years ago
Reporter: cpeterson
Assignee: Unassigned
Keywords: crash
Firefox Tracking Flags: Not tracked

Description (Reporter, 5 years ago)
This bug was filed from the Socorro interface and is report bp-014afbd0-bde8-4687-9168-a03d72120603.
=============================================================

Also these crash reports:
bp-e0ee69cd-46bd-4b13-a51e-9aba22120603
bp-ba260e94-2602-4b98-9552-874972120603

STR:
1. Load "cross_fuzz" browser stress test:
http://lcamtuf.coredump.cx/cross_fuzz/cross_fuzz_msie_randomized_seed.html

2. Wait 5-10 minutes.

AR:
Crash in mozilla::SVGStringList::GetValue(). I was able to reproduce this same cross_fuzz crash 3 times today.

Frame  Module  Signature                           Source
0      XUL     mozilla::SVGStringList::GetValue    nsTArray.h:192
1      XUL     nsAttrValue::ToString               nsAttrValue.cpp:601
2      XUL     nsGenericElement::GetAttr           nsGenericElement.cpp:5427
3      XUL     nsDOMAttribute::GetValue            nsDOMAttribute.cpp:160
4      XUL     nsDOMAttribute::SetMap              nsDOMAttribute.cpp:93
5      XUL     RemoveMapRef                        nsDOMAttributeMap.cpp:40
6      XUL     PL_DHashTableEnumerate              pldhash.cpp:715

Frame  Module  Signature                           Source
0      XUL     mozilla::SVGStringList::GetValue    nsTArray.h:192
1      XUL     nsAttrValue::ToString               nsAttrValue.cpp:601
2      XUL     nsGenericElement::CopyInnerTo       nsGenericElement.cpp:5120
3      XUL     nsSVGSVGElement::Clone              nsSVGSVGElement.cpp:193
4      XUL     nsNodeUtils::CloneAndAdopt          nsNodeUtils.cpp:438
5      XUL     nsNodeUtils::CloneAndAdopt          nsNodeUtils.cpp:559
6      XUL     nsNodeUtils::CloneAndAdopt          nsNodeUtils.cpp:559
7      XUL     nsDocument::ImportNode              nsNodeUtils.h:272
8      XUL     nsIDOMDocument_ImportNode           dom_quickstubs.cpp:3391
9      XUL     js::InvokeKernel                    jscntxtinlines.h:395
10     XUL     js::Invoke                          jsinterp.h:125
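The two stacks above share the crashing callee (mozilla::SVGStringList::GetValue reached through nsAttrValue::ToString) but differ from frame 2 onward, which is the everyday fuzz-triage question: one bug or two? The added example below is not part of the bug report and not Mozilla's tooling; it parses Socorro-style frame tables constructed from the two stacks quoted above, measures their shared prefix, buckets them by top-N signatures (the bucketing depth is an assumed heuristic), and collects the bp- crash IDs from a constructed copy of the comment text.

```python
"""Crash-triage helper for fuzzer-found browser crashes (added example).

Not Mozilla's tooling. Stacks and BUG_TEXT are constructed from the frames
and IDs quoted in the bug; the bucketing depth is an assumed heuristic.
"""
import re
from collections import defaultdict


def _table(rows):
    """Render rows as the tab-separated 'Frame Module Signature Source' table Socorro shows."""
    header = "Frame\tModule\tSignature\tSource"
    return "\n".join([header] + ["\t".join(r) for r in rows])


# Constructed from the two stack tables in the description.
STACK_A = _table([
    ("0", "XUL", "mozilla::SVGStringList::GetValue", "nsTArray.h:192"),
    ("1", "XUL", "nsAttrValue::ToString", "nsAttrValue.cpp:601"),
    ("2", "XUL", "nsGenericElement::GetAttr", "nsGenericElement.cpp:5427"),
    ("3", "XUL", "nsDOMAttribute::GetValue", "nsDOMAttribute.cpp:160"),
    ("4", "XUL", "nsDOMAttribute::SetMap", "nsDOMAttribute.cpp:93"),
    ("5", "XUL", "RemoveMapRef", "nsDOMAttributeMap.cpp:40"),
    ("6", "XUL", "PL_DHashTableEnumerate", "pldhash.cpp:715"),
])
STACK_B = _table([
    ("0", "XUL", "mozilla::SVGStringList::GetValue", "nsTArray.h:192"),
    ("1", "XUL", "nsAttrValue::ToString", "nsAttrValue.cpp:601"),
    ("2", "XUL", "nsGenericElement::CopyInnerTo", "nsGenericElement.cpp:5120"),
    ("3", "XUL", "nsSVGSVGElement::Clone", "nsSVGSVGElement.cpp:193"),
    ("4", "XUL", "nsNodeUtils::CloneAndAdopt", "nsNodeUtils.cpp:438"),
    ("5", "XUL", "nsNodeUtils::CloneAndAdopt", "nsNodeUtils.cpp:559"),
    ("6", "XUL", "nsNodeUtils::CloneAndAdopt", "nsNodeUtils.cpp:559"),
    ("7", "XUL", "nsDocument::ImportNode", "nsNodeUtils.h:272"),
    ("8", "XUL", "nsIDOMDocument_ImportNode", "dom_quickstubs.cpp:3391"),
    ("9", "XUL", "js::InvokeKernel", "jscntxtinlines.h:395"),
    ("10", "XUL", "js::Invoke", "jsinterp.h:125"),
])


def parse_stack(text):
    """Parse a frame table into (frame, module, signature, source) tuples; skips the header."""
    frames = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # header, separator or blank line
        frames.append((int(parts[0]), parts[1], parts[2], parts[3]))
    return frames


def common_prefix(frames_a, frames_b):
    """Number of leading frames whose signature and source both match."""
    n = 0
    for fa, fb in zip(frames_a, frames_b):
        if fa[2:] != fb[2:]:
            break
        n += 1
    return n


def bucket(stacks, depth=2):
    """Group named stacks by their top `depth` signatures.

    depth=2 folds both stacks here into one bucket (same callee via
    nsAttrValue::ToString); depth=3 separates the GetAttr and CopyInnerTo callers.
    """
    groups = defaultdict(list)
    for name, text in stacks.items():
        key = tuple(f[2] for f in parse_stack(text)[:depth])
        groups[key].append(name)
    return dict(groups)


# Socorro crash ID: "bp-" plus a UUID-shaped hex string.
CRASH_ID_RE = re.compile(r"\bbp-[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\b")


def crash_ids(text):
    """Unique crash IDs in order of first mention (the bug lists one ID twice)."""
    seen = []
    for m in CRASH_ID_RE.finditer(text):
        if m.group(0) not in seen:
            seen.append(m.group(0))
    return seen


def crash_date(crash_id):
    """Socorro stores the report date in the ID's last six characters (YYMMDD)."""
    yymmdd = crash_id[-6:]
    return "20%s-%s-%s" % (yymmdd[:2], yymmdd[2:4], yymmdd[4:])


# Constructed from the IDs quoted in the description and comments 1 and 2.
BUG_TEXT = """
bp-014afbd0-bde8-4687-9168-a03d72120603 bp-e0ee69cd-46bd-4b13-a51e-9aba22120603
bp-ba260e94-2602-4b98-9552-874972120603
bp-662dbd9b-d917-4986-a302-3e11a2120604 bp-2649ea70-9eda-4178-bc43-a07582120604
bp-e0ee69cd-46bd-4b13-a51e-9aba22120603
bp-4f8b4882-d9ad-45b8-a655-fc1f02120604
"""

if __name__ == "__main__":
    a, b = parse_stack(STACK_A), parse_stack(STACK_B)
    print("shared top frames:", common_prefix(a, b))
    print("buckets at depth 2:", bucket({"A": STACK_A, "B": STACK_B}))
    print("buckets at depth 3:", bucket({"A": STACK_A, "B": STACK_B}, depth=3))
    for cid in crash_ids(BUG_TEXT):
        print(cid, crash_date(cid))
```

Bucketing on the top two signatures treats every report here as one bug, which matches how the reporter filed them; widening the depth to three splits out the attribute-map teardown path from the clone/importNode path, which is the view you want once a fix for one caller lands and you need to confirm the other is gone too.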
Comment 1 (Reporter, 5 years ago)
More cross_fuzz crashes in SVGStringList:
bp-662dbd9b-d917-4986-a302-3e11a2120604
bp-2649ea70-9eda-4178-bc43-a07582120604
bp-e0ee69cd-46bd-4b13-a51e-9aba22120603
Comment 2 (Reporter, 5 years ago)
bp-4f8b4882-d9ad-45b8-a655-fc1f02120604

Updated (5 years ago)
Depends on: 761507

Comment 3 (5 years ago)
I imagine the patch in bug 761507 will fix this.

Comment 4 (5 years ago)
Is this fixed now?
Comment 5 (Reporter, 5 years ago)
I think this crash has been fixed. I've been running the cross_fuzz test for 30 minutes without crashing.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED