Assertion failure: !mTable (Tear-off objects remain in hashtable at shutdown.), at /builds/worker/workspace/build/src/dom/svg/SVGAttrTearoffTable.h:29
Categories
(Core :: SVG, defect, P3)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr60 | --- | unaffected |
firefox-esr68 | --- | fixed |
firefox68 | --- | fixed |
People
(Reporter: jkratzer, Assigned: birtles)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(1 file)
(deleted),
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev 6c9e7cba261d.
Assertion failure: !mTable (Tear-off objects remain in hashtable at shutdown.), at /builds/worker/workspace/build/src/dom/svg/SVGAttrTearoffTable.h:29
rax = 0x00005568fabfae20 rdx = 0x0000000000000000
rcx = 0x00007f06557b46ae rbx = 0x0000000000000001
rsi = 0x00007f06607a28b0 rdi = 0x00007f06607a1680
rbp = 0x00007ffd54e862e0 rsp = 0x00007ffd54e862e0
r8 = 0x00007f06607a28b0 r9 = 0x00007f06618ff740
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x00007f06607a0718 r13 = 0x00000000000000d0
r14 = 0x00007f06607a5628 r15 = 0x00007f066016b800
rip = 0x00007f0651ac5a0f
OS|Linux|0.0.0 Linux 4.18.0-17-generic #18~18.04.1-Ubuntu SMP Fri Mar 15 15:27:12 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|mozilla::SVGAttrTearoffTable<mozilla::SVGAnimatedTransformList, mozilla::dom::DOMSVGAnimatedTransformList>::~SVGAttrTearoffTable()|hg:hg.mozilla.org/mozilla-central:dom/svg/SVGAttrTearoffTable.h:6c9e7cba261d72303c39d9f3a9bb45b91fa1fd3e|29|0x16
0|1|libc-2.27.so|__libc_secure_getenv|||0x191
0|2|libc-2.27.so|exit|||0x1a
0|3|libc-2.27.so|__libc_start_main|||0xee
0|4|firefox-bin|_start|||0x29
Comment 1•5 years ago
|
||
Jason, is this something you can still reproduce with this test case? I just tried and failed (using a loader document that does window.open("testcase.html")
, since the test seems to rely on window.close()
).
Reporter | ||
Comment 2•5 years ago
|
||
:heycam, I can no longer reproduce this using the latest nightly. It appears to have been fixed sometime in the following range:
Start: 839cdad764d741ab4438b6feabeec749a22b34d5 (20190517093040)
End: c94c54aff4669f52cebc76ddad34a76f4fafd03b (20190517162438)
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=839cdad764d741ab4438b6feabeec749a22b34d5&tochange=c94c54aff4669f52cebc76ddad34a76f4fafd03b
Comment 3•5 years ago
|
||
Given that this was effectively a memory-leak with the testcase that used a WebAnimations API (element.animate(....)
), this was probably fixed by bug 1552387.1552387
Updated•5 years ago
|
Comment hidden (Intermittent Failures Robot) |
Description
•