Bug 761021 - cross_fuzz crash in mozilla::SVGStringList::GetValue
Status: RESOLVED FIXED
Keywords: crash
Product: Core
Classification: Components
Component: SVG
Version: unspecified
Hardware/OS: All / Mac OS X
Priority/Severity: -- / critical
Assigned To: Nobody; OK to take it and work on it
URL: http://lcamtuf.coredump.cx/cross_fuzz...
Depends on: 761507
Reported: 2012-06-03 13:27 PDT by Chris Peterson [:cpeterson]
Modified: 2012-06-08 12:07 PDT

Description Chris Peterson [:cpeterson] 2012-06-03 13:27:16 PDT
This bug was filed from the Socorro interface and is report bp-014afbd0-bde8-4687-9168-a03d72120603.

Also these crash reports:
bp-e0ee69cd-46bd-4b13-a51e-9aba22120603
bp-ba260e94-2602-4b98-9552-874972120603

STR:
1. Load "cross_fuzz" browser stress test:
http://lcamtuf.coredump.cx/cross_fuzz/cross_fuzz_msie_randomized_seed.html

2. Wait 5-10 minutes.

AR:
Crash in mozilla::SVGStringList::GetValue(). I was able to reproduce this same cross_fuzz crash 3 times today.

Frame  Module  Signature                          Source
0      XUL     mozilla::SVGStringList::GetValue   nsTArray.h:192
1      XUL     nsAttrValue::ToString              nsAttrValue.cpp:601
2      XUL     nsGenericElement::GetAttr          nsGenericElement.cpp:5427
3      XUL     nsDOMAttribute::GetValue           nsDOMAttribute.cpp:160
4      XUL     nsDOMAttribute::SetMap             nsDOMAttribute.cpp:93
5      XUL     RemoveMapRef                       nsDOMAttributeMap.cpp:40
6      XUL     PL_DHashTableEnumerate             pldhash.cpp:715

Frame  Module  Signature                          Source
0      XUL     mozilla::SVGStringList::GetValue   nsTArray.h:192
1      XUL     nsAttrValue::ToString              nsAttrValue.cpp:601
2      XUL     nsGenericElement::CopyInnerTo      nsGenericElement.cpp:5120
3      XUL     nsSVGSVGElement::Clone             nsSVGSVGElement.cpp:193
4      XUL     nsNodeUtils::CloneAndAdopt         nsNodeUtils.cpp:438
5      XUL     nsNodeUtils::CloneAndAdopt         nsNodeUtils.cpp:559
6      XUL     nsNodeUtils::CloneAndAdopt         nsNodeUtils.cpp:559
7      XUL     nsDocument::ImportNode             nsNodeUtils.h:272
8      XUL     nsIDOMDocument_ImportNode          dom_quickstubs.cpp:3391
9      XUL     js::InvokeKernel                   jscntxtinlines.h:395
10     XUL     js::Invoke                         jsinterp.h:125
Comment 1 Chris Peterson [:cpeterson] 2012-06-04 00:32:23 PDT
More cross_fuzz crashes in SVGStringList:
bp-662dbd9b-d917-4986-a302-3e11a2120604
bp-2649ea70-9eda-4178-bc43-a07582120604
bp-e0ee69cd-46bd-4b13-a51e-9aba22120603
Comment 2 Chris Peterson [:cpeterson] 2012-06-04 08:46:54 PDT
bp-4f8b4882-d9ad-45b8-a655-fc1f02120604
Comment 3 Robert Longson 2012-06-05 10:41:37 PDT
I imagine the patch in bug 761507 will fix this.
Comment 4 Robert Longson 2012-06-07 22:56:03 PDT
Is this fixed now?
Comment 5 Chris Peterson [:cpeterson] 2012-06-08 12:07:46 PDT
I think this crash has been fixed. I've been running the cross_fuzz test for 30 minutes without crashing.