761507 - Crash with adoptNode, requiredExtensions

Status: VERIFIED FIXED

(Core :: SVG, defect)

Description

[Jesse Ruderman]

Attachment: testcase (crashes Firefox when loaded)

Might be related to bug 761499, whose testcase is a subset of this one.

Comment 1

[Jesse Ruderman]

Attachment: stack trace

Comment 2

[Robert Longson [:longsonr]]

Attachment: patch

Comment 3

[Daniel Holbert [:dholbert]]

Comment on attachment 630218 [details] [diff] [review]
patch

Cool -- so this keeps these attributes' values (stored in the node's property-table) alive when we move their nodes between documents.

Looks like none of these values have document pointers or node pointers or anything like that, so this looks fine.

r=me.

Comment 4

[Robert Longson [:longsonr]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/ec7c7be7c70d

Comment 5

[Robert Longson [:longsonr]]

Comment on attachment 630218 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 
User impact if declined: 
Testing completed (on m-c, etc.): 
Risk to taking this patch (and alternatives if risky): 
String or UUID changes made by this patch:

Comment 6

[Robert Longson [:longsonr]]

Comment on attachment 630218 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #):754592 
User impact if declined: crashes when using svg elements together with adoptNode
Testing completed (on m-c, etc.): landing with reftest
Risk to taking this patch (and alternatives if risky): low risk as the code paths are already exercised elsewhere. Could back out bug 754592 as an alternative.
String or UUID changes made by this patch: none

Comment 7

[Bob Clary [:bc] (inactive)]

crash automation hit this testcase on Aurora, Nightly with

Operating system: Windows NT
                  6.1.7601 Service Pack 1
CPU: x86
     GenuineIntel family 6 model 37 stepping 1
     1 CPU

Crash reason:  EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0xffffffffdddddddd

Thread 0 (crashed)
 0  xul.dll!nsTArray_base<nsTArrayDefaultAllocator>::Length() [nsTArray.h : 192 + 0x5]
    eip = 0x683aa89c   esp = 0x0025b6b8   ebp = 0x0025b6bc   ebx = 0x00000001
    esi = 0x00000000   edi = 0x03f300f8   eax = 0x05b148b8   ecx = 0xdddddddd
    edx = 0x00000001   efl = 0x00010202

nsTArray_base<nsTArrayDefaultAllocator>::Length() | mozilla::SVGStringList::GetValue(nsAString_internal&) mozilla::SVGAttrValueWrapper::ToString(mozilla::SVGStringList const*, nsAString_internal&) nsAttrValue::ToString(nsAString_internal&) nsGenericElement::GetAttr(int, nsIAtom*, nsAString_internal&) nsGenericElement::GetAttribute(nsAString_internal const&, nsAString_internal&)

A couple of the crashes showed ABORT: Tear-off objects remain in hashtable at shutdown.: 'mTable.Count() == 0'

Comment 8

[Daniel Holbert [:dholbert]]

See also bug 760996, an ASAN bug that might be a dupe of this (or at least might be fixed by this).

Comment 9

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/ec7c7be7c70d

Comment 12

[Al Billings [:abillings - ex-MoCo]]

Verified with testcase. 6/6 Trunk build crashes and 6/7 nightly trunk does not.

Comment 13

[Alex Keybl [:akeybl]]

Comment on attachment 630218 [details] [diff] [review]
patch

[Triage Comment]
Early enough in the cycle to take a forward regression fix here. Approved for Aurora 15.

Comment 14

[Robert Longson [:longsonr]]

Daniel, can you land this on Aurora for me please?

Comment 15

[Daniel Holbert [:dholbert]]

Sure.

Comment 16

[Daniel Holbert [:dholbert]]

Pushed to aurora:
  https://hg.mozilla.org/releases/mozilla-aurora/rev/3f11ba211a4b