Bug 798010 - segfault with svg and markers
Status: Closed (RESOLVED DUPLICATE of bug 795734)
Opened 12 years ago; Closed 12 years ago
Categories: Core :: SVG, defect
Flag | Tracking | Status
---|---|---
firefox16 | --- | unaffected
firefox17 | --- | unaffected
firefox18 | + | fixed
firefox19 | + | fixed
firefox-esr10 | --- | unaffected
People: Reporter: miaubiz, Assigned: jwatt
Details: 8 keywords, Whiteboard: [asan][fix in bug 807213][adv-main18-] exposed by DLBI timing changes?
Attachments: 3 files
==7237== ERROR: AddressSanitizer crashed on unknown address 0x7fff00000000 (pc 0x7fffedad854d sp 0x7fffffff3820 bp 0x100000000000 T0)
AddressSanitizer can not provide additional info.
ABORTING
#0 0x7fffedad854d in nsRect /builds/slave/try-lnx64/build/gfx/src/nsRect.h:33

when I load:

<html>
<head>
<script>
onload = function() {
  el0=document.createElementNS('http://www.w3.org/2000/svg', 'svg')
  el0.setAttribute('marker-start', 'url(#el1)')
  document.body.appendChild(el0)
  el1=document.createElementNS('http://www.w3.org/2000/svg', 'filter')
  el1.setAttribute('id','el1')
  document.body.appendChild(el1)
  document.body.offsetTop
  el1.appendChild(document.createElement('div'))
  document.body.offsetTop
  el1.setAttribute('X', 'X')
}
</script>
</head>
<body>
</body>
</html>
sometimes I see this:

==29028== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7fffc4b37098 at pc 0x7fffedadebf8 bp 0x7fffffff3850 sp 0x7fffffff3848
READ of size 4 at 0x7fffc4b37098 thread T0
#0 0x7fffedadebf7 in nsRegion::Or(nsRegion const&, nsRegion const&) /builds/slave/try-lnx64/build/gfx/src/nsRegion.cpp:776
#1 0x7fffef4d1d52 in nsRegion /builds/slave/try-lnx64/build/layout/svg/nsSVGOuterSVGFrame.h:150
#2 0x7fffef4d22ac in nsSVGUtils::InvalidateAndScheduleReflowSVG(nsIFrame*) /builds/slave/try-lnx64/build/layout/svg/nsSVGUtils.cpp:572
#3 0x7fffee431e8c in nsGenericElement::SetAttrAndNotify(int, nsIAtom*, nsIAtom*, nsAttrValue const&, nsAttrValue&, unsigned char, bool, bool, bool) /builds/slave/try-lnx64/build/content/base/src/nsGenericElement.cpp:2054
#4 0x7fffee43152c in nsGenericElement::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, bool) /builds/slave/try-lnx64/build/content/base/src/nsGenericElement.cpp:1956
#5 0x7fffee42a287 in nsGenericElement::SetAttr(int, nsIAtom*, nsAString_internal const&, bool) /builds/slave/try-lnx64/build/content/base/src/nsGenericElement.h:80
0x7fffc4b37098 is located 24 bytes to the right of 8192-byte region [0x7fffc4b35080,0x7fffc4b37080)
allocated by thread T0 here:
#0 0x42a900 in __interceptor_malloc ??:0
#1 0x7ffff5739a4c in PL_ArenaAllocate /builds/slave/try-lnx64/build/nsprpub/lib/ds/plarena.c:200
Updated•12 years ago
Attachment #668125 -
Attachment mime type: text/plain → text/html
Comment 3•12 years ago
Comment on attachment 668125 [details]
testcase (WARNING: crashes nightly)
Confirmed to crash my linux 64-bit nightly. Doesn't seem to affect Aurora on my machine, though.
Attachment #668125 -
Attachment description: repro → testcase (WARNING: crashes nightly)
Updated•12 years ago
status-firefox18: --- → affected
tracking-firefox18: --- → ?
Comment 4•12 years ago
Last good nightly: 2012-09-28
First bad nightly: 2012-09-29
Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=895f66c4eada&tochange=c09a0c022b2e
Looks like a regression triggered by DLBI.
Comment 5•12 years ago
In a debug build, this triggers:
###!!! ABORT: Passed bad frame!: 'aFrame->IsFrameOfType(nsIFrame::eSVG) && !(aFrame->GetStateBits() & NS_STATE_IS_OUTER_SVG)', file /mozilla/layout/svg/nsSVGUtils.cpp, line 385
Comment 6•12 years ago
Some context from gdb, for the frame "aFrame" that we're asserting about:
(gdb) p aFrame
$5 = (nsSVGOuterSVGFrame *) 0x7fc9fd1043d8
(gdb) p/x aFrame->mState
$6 = 0x2060000111000
(gdb) p/x aFrame->mState & (1 << 20)
$7 = 0x100000
NOTE: That 1 << 20 up three is NS_STATE_IS_OUTER_SVG. So that's presumably the part of the assertion that's failing: !(aFrame->GetStateBits() & NS_STATE_IS_OUTER_SVG)
Updated•12 years ago
Keywords: reproducible
Comment 8•12 years ago
Debug build stack trace: http://pastebin.mozilla.org/1861135
Jonathan: Do you have any ideas here? The stack trace isn't familiar to me at all. It appears that there's an SVG rendering observer on an nsSVGOuterSVGFrame, which isn't expected apparently. I can't see how DLBI would have affected this, apart from changing timings of when SVG rendering observers get invalidated (though this doesn't look like one of those changes either).
Updated•12 years ago
Whiteboard: [asan]
Updated•12 years ago
Assignee: nobody → jwatt
status-firefox19: --- → affected
Updated•12 years ago
Assignee: jwatt → nobody
status-firefox19: affected → ---
Whiteboard: [asan] → [asan] exposed by DLBI timing changes?
Updated•12 years ago
Assignee: nobody → jwatt
Updated•12 years ago
status-firefox19: --- → affected
tracking-firefox19: --- → +
Comment 10•12 years ago (Assignee)
I have a fix for this in bug 807213.
Whiteboard: [asan] exposed by DLBI timing changes? → [asan][fix in bug 807213] exposed by DLBI timing changes?
Comment 11•12 years ago (Assignee)
The fix in bug 807213 has now landed for 19, 18 and 17.
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox17: --- → fixed
Flags: in-testsuite?
Keywords: verifyme
Resolution: --- → FIXED
Updated•12 years ago
status-firefox-esr10: --- → unaffected
Comment 12•12 years ago
Did this affect Firefox 16?
Whiteboard: [asan][fix in bug 807213] exposed by DLBI timing changes? → [asan][adv-track-main17+][fix in bug 807213] exposed by DLBI timing changes?
Updated•12 years ago
Flags: sec-bounty?
Updated•12 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: FIXED → DUPLICATE
Updated•12 years ago
Whiteboard: [asan][adv-track-main17+][fix in bug 807213] exposed by DLBI timing changes? → [asan][fix in bug 807213][adv-main18-] exposed by DLBI timing changes?
Updated•12 years ago
Group: core-security
Updated•3 months ago
Keywords: reporter-external