Tyson Smith [:tsmith] Reporter
	Description • 6 years ago

Reduced with m-c:
BuildID=20180723154916
SourceStamp=ff3fab43d24dfdaa8971d92cc4caaf4dc9f54dba

==30555==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f97b686621e bp 0x7fff8caf26b0 sp 0x7fff8caf2420 T0)
==30555==The signal is caused by a READ memory access.
==30555==Hint: address points to the zero page.
    #0 0x7f97b686621d in get src/obj-firefox/dist/include/mozilla/RefPtr.h:296:27
    #1 0x7f97b686621d in operator-> src/obj-firefox/dist/include/mozilla/RefPtr.h:328
    #2 0x7f97b686621d in OwnerDoc src/dom/base/nsINode.h:616
    #3 0x7f97b686621d in mozilla::dom::IDTracker::Reset(nsIContent*, nsIURI*, bool, bool) src/dom/base/IDTracker.cpp:38
    #4 0x7f97ba895a8d in mozilla::dom::SVGAnimationElement::UpdateHrefTarget(nsIContent*, nsTSubstring<char16_t> const&) src/dom/svg/SVGAnimationElement.cpp:421:15
    #5 0x7f97ba8957a3 in mozilla::dom::SVGAnimationElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/dom/svg/SVGAnimationElement.cpp:191:7
    #6 0x7f97b6af6401 in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) src/dom/base/nsINode.cpp:1388:14
    #7 0x7f97b6afe485 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:2280:14
    #8 0x7f97b73ccc21 in ReplaceChild src/obj-firefox/dist/include/nsINode.h:1802:12
    #9 0x7f97b73ccc21 in mozilla::dom::Node_Binding::replaceChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/NodeBinding.cpp:1016
    #10 0x7f97b9071875 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3311:13
    #11 0x7f97bf3a896e in CallJSNative src/js/src/vm/Interpreter.cpp:444:15
    #12 0x7f97bf3a896e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:532
    #13 0x7f97bf39331a in CallFromStack src/js/src/vm/Interpreter.cpp:589:12
    #14 0x7f97bf39331a in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3237
    #15 0x7f97bf37928a in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:424:12
    #16 0x7f97bf3a9244 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:556:15
    #17 0x7f97bf3aa7d2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:602:10
    #18 0x7f97bffb66aa in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2888:12
    #19 0x7f97b880d73c in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:264:37
    #20 0x7f97b97f6bd5 in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #21 0x7f97b97f451a in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:214:12
    #22 0x7f97b97ba077 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1115:52
    #23 0x7f97b97bbe99 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1322:20
    #24 0x7f97b97a612b in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:393:5
    #25 0x7f97b97a612b in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:418
    #26 0x7f97b97a491c in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:635:16
    #27 0x7f97b97a9fb6 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1110:9
    #28 0x7f97bbb62581 in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1169:7
    #29 0x7f97be64acef in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:7037:21
    #30 0x7f97be6470d4 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:6830:7
    #31 0x7f97be64e8bf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
    #32 0x7f97b55febc7 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1309:3
    #33 0x7f97b55fdc67 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:852:14
    #34 0x7f97b55fa868 in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:741:9
    #35 0x7f97b55fc83a in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:627:5
    #36 0x7f97b55fd83c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
    #37 0x7f97b3a08bb5 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:629:28
    #38 0x7f97b6a3203a in DoUnblockOnload src/dom/base/nsDocument.cpp:8277:18
    #39 0x7f97b6a3203a in nsDocument::UnblockOnload(bool) src/dom/base/nsDocument.cpp:8199
    #40 0x7f97b6a140e5 in nsIDocument::DispatchContentLoadedEvents() src/dom/base/nsDocument.cpp:5098:3
    #41 0x7f97b6ae3f24 in applyImpl<nsIDocument, void (nsIDocument::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1168:12
    #42 0x7f97b6ae3f24 in apply<nsIDocument, void (nsIDocument::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1174
    #43 0x7f97b6ae3f24 in mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1219
    #44 0x7f97b37e739e in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
    #45 0x7f97b381410f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1166:14
    #46 0x7f97b381af38 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #47 0x7f97b474325a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #48 0x7f97b469856c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #49 0x7f97b469856c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #50 0x7f97b469856c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #51 0x7f97bb4be02a in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #52 0x7f97bf0da47f in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:938:22
    #53 0x7f97b469856c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #54 0x7f97b469856c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #55 0x7f97b469856c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #56 0x7f97bf0d9d4a in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:764:34
    #57 0x4f2284 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #58 0x4f2284 in main src/browser/app/nsBrowserApp.cpp:287
    #59 0x7f97d2d9482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #60 0x4216b8 in _start (firefox+0x4216b8)

	Emilio Cobos Álvarez (:emilio) Assignee
	Comment 1 • 6 years ago

Looks like a regression from my recent <svg:use> changes.

	Emilio Cobos Álvarez (:emilio) Assignee
	Comment 2 • 6 years ago

That being said, I need a test-case :)

	Tyson Smith [:tsmith] Reporter
	Comment 3 • 6 years ago

oops sorry about that :)

	Emilio Cobos Álvarez (:emilio) Assignee
	Comment 4 • 6 years ago

We were passing aParent instead of this to the ID tracker.

This was unnecessary, since the document is definitely setup by this time, but
it was also assuming we had a parent which is not true.

Also it was claiming stuff about it only being used to get the composed doc,
which is false since bug 1163105.

	Phabricator Automation
	Comment 5 • 6 years ago

Comment on attachment 8994365 [details]
Bug 1477853: Make SVGAnimationElement not dumb. r=heycam

Cameron McCormack (:heycam) has approved the revision.

https://phabricator.services.mozilla.com/D2308

	Pulsebot
	Comment 6 • 6 years ago

Pushed by emilio@crisal.io:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d3a864ec0836
Don't assume that SVGAnimationElement has a parent on bind. r=heycam

	Raul Gurzau (:RaulG)
	Comment 7 • 6 years ago
bugherder

https://hg.mozilla.org/mozilla-central/rev/d3a864ec0836