Closed
Bug 1403225
Opened 7 years ago
Closed 7 years ago
SEGV /builds/worker/workspace/build/src/dom/smil/nsSMILCSSValueType.cpp:365:30 in AddOrAccumulate(nsSMILValue&, nsSMILValue const&, mozilla::dom::CompositeOperation, unsigned long)
Categories
(Core :: SVG, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1402547
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 2 open bugs)
Details
(Keywords: crash, testcase)
Attachments
(1 file)
187 bytes, text/html
Testcase found while fuzzing mozilla-central rev 20170925-5f3f19824efa.

==11269==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe3dcb02068 bp 0x7ffeefc69a60 sp 0x7ffeefc697e0 T0)
==11269==The signal is caused by a READ memory access.
==11269==Hint: address points to the zero page.
    #0 0x7fe3dcb02067 in AddOrAccumulate(nsSMILValue&, nsSMILValue const&, mozilla::dom::CompositeOperation, unsigned long) /builds/worker/workspace/build/src/dom/smil/nsSMILCSSValueType.cpp:365:30
    #1 0x7fe3dcb01f2b in nsSMILCSSValueType::SandwichAdd(nsSMILValue&, nsSMILValue const&) const /builds/worker/workspace/build/src/dom/smil/nsSMILCSSValueType.cpp:422:10
    #2 0x7fe3dcaf8ae7 in nsSMILAnimationFunction::ComposeResult(nsISMILAttr const&, nsSMILValue&) /builds/worker/workspace/build/src/dom/smil/nsSMILAnimationFunction.cpp:271:22
    #3 0x7fe3dcaf525d in nsSMILCompositor::ComposeAttribute(bool&) /builds/worker/workspace/build/src/dom/smil/nsSMILCompositor.cpp:108:29
    #4 0x7fe3dcaf2b6a in nsSMILAnimationController::DoSample(bool) /builds/worker/workspace/build/src/dom/smil/nsSMILAnimationController.cpp:455:17
    #5 0x7fe3dd7fd50b in Resample /builds/worker/workspace/build/src/obj-firefox/dist/include/nsSMILAnimationController.h:74:21
    #6 0x7fe3dd7fd50b in FlushResampleRequests /builds/worker/workspace/build/src/obj-firefox/dist/include/nsSMILAnimationController.h:90
    #7 0x7fe3dd7fd50b in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4160
    #8 0x7fe3d975964d in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:557:5
    #9 0x7fe3d975964d in nsDocument::FlushPendingNotifications(mozilla::FlushType) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8377
    #10 0x7fe3d858be9b in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:703:14
    #11 0x7fe3d858e125 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:632:5
    #12 0x7fe3d858ed8c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:488:14
    #13 0x7fe3d6d9086d in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28
    #14 0x7fe3d975f67d in nsDocument::DoUnblockOnload() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9205:18
    #15 0x7fe3d975f241 in nsDocument::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9127:9
    #16 0x7fe3d9738599 in nsDocument::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5599:3
    #17 0x7fe3d97d92c2 in applyImpl<nsDocument, void (nsDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1142:12
    #18 0x7fe3d97d92c2 in apply<nsDocument, void (nsDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1148
    #19 0x7fe3d97d92c2 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1192
    #20 0x7fe3d6be2bec in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
    #21 0x7fe3d6be8a0c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:521:10
    #22 0x7fe3d798e571 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #23 0x7fe3d78f044b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #24 0x7fe3d78f044b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #25 0x7fe3d78f044b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #26 0x7fe3dd08fbff in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #27 0x7fe3e11f77b1 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #28 0x7fe3e13d81bb in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4701:22
    #29 0x7fe3e13d9dd8 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4865:8
    #30 0x7fe3e13db20b in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4960:21
    #31 0x4ebfe3 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22
    #32 0x4ebfe3 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:309
    #33 0x7fe3f494882f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #34 0x41db38 in _start (/home/forb1dden/builds/mc-asan/firefox+0x41db38)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/smil/nsSMILCSSValueType.cpp:365:30 in AddOrAccumulate(nsSMILValue&, nsSMILValue const&, mozilla::dom::CompositeOperation, unsigned long)
==11269==ABORTING
Flags: in-testsuite?
Reporter
Updated • 7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE