==75968==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5f18af8433 bp 0x7ffe937dd090 sp 0x7ffe937dcfe0 T0) ==75968==The signal is caused by a READ memory access. ==75968==Hint: address points to the zero page. #0 0x7f5f18af8432 in unum_setAttribute_60 /src/intl/icu/source/i18n/unum.cpp:571:20 #1 0x7f5f184bce00 in ICUUtils::LocalizeNumber(double, ICUUtils::LanguageTagIterForContent&, nsTSubstring<char16_t>&) /src/intl/unicharutil/util/ICUUtils.cpp:108:5 #2 0x7f5f1f8f9415 in nsNumberControlFrame::SetValueOfAnonTextControl(nsTSubstring<char16_t> const&) /src/layout/forms/nsNumberControlFrame.cpp:665:5 #3 0x7f5f1f8f83d6 in nsNumberControlFrame::CreateAnonymousContent(nsTArray<nsIAnonymousContentCreator::ContentInfo>&) /src/layout/forms/nsNumberControlFrame.cpp:397:3 #4 0x7f5f1f4818fa in nsCSSFrameConstructor::GetAnonymousContent(nsIContent*, nsIFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo>&) /src/layout/base/nsCSSFrameConstructor.cpp:4351:26 #5 0x7f5f1f474149 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /src/layout/base/nsCSSFrameConstructor.cpp:11172:3 #6 0x7f5f1f48ba09 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /src/layout/base/nsCSSFrameConstructor.cpp:4207:9 #7 0x7f5f1f4963bb in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /src/layout/base/nsCSSFrameConstructor.cpp:6370:3 #8 0x7f5f1f473936 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) /src/layout/base/nsCSSFrameConstructor.cpp:10944:5 #9 0x7f5f1f4a481c in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind, TreeMatchContext*) /src/layout/base/nsCSSFrameConstructor.cpp:7797:3 #10 0x7f5f1f3c1135 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /src/layout/base/RestyleManager.cpp:1414:27 #11 0x7f5f1f438eda in mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /src/layout/base/ServoRestyleManager.cpp:1159:9 #12 0x7f5f1f3f718b in ProcessPendingRestyles /src/layout/base/ServoRestyleManager.cpp:1235:3 #13 0x7f5f1f3f718b in ProcessPendingRestyles /src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44 #14 0x7f5f1f3f718b in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /src/layout/base/PresShell.cpp:4220 #15 0x7f5f1b239690 in FlushPendingNotifications /src/obj-firefox/dist/include/nsIPresShell.h:571:5 #16 0x7f5f1b239690 in nsDocument::FlushPendingNotifications(mozilla::FlushType, mozilla::FlushTarget) /src/dom/base/nsDocument.cpp:8550 #17 0x7f5f1a045edd in nsDocLoader::DocLoaderIsEmpty(bool) /src/uriloader/base/nsDocLoader.cpp:704:14 #18 0x7f5f1a048242 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /src/uriloader/base/nsDocLoader.cpp:633:5 #19 0x7f5f1a048e9c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /src/uriloader/base/nsDocLoader.cpp:489:14 #20 0x7f5f185a46a0 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /src/netwerk/base/nsLoadGroup.cpp:629:28 #21 0x7f5f1b23f4ed in nsDocument::DoUnblockOnload() /src/dom/base/nsDocument.cpp:9379:18 #22 0x7f5f1b23f0b1 in nsDocument::UnblockOnload(bool) /src/dom/base/nsDocument.cpp:9301:9 #23 0x7f5f1b218d89 in nsDocument::DispatchContentLoadedEvents() /src/dom/base/nsDocument.cpp:5666:3 #24 0x7f5f1b2ba412 in applyImpl<nsDocument, void (nsDocument::*)()> /src/obj-firefox/dist/include/nsThreadUtils.h:1142:12 #25 0x7f5f1b2ba412 in apply<nsDocument, void (nsDocument::*)()> /src/obj-firefox/dist/include/nsThreadUtils.h:1148 #26 0x7f5f1b2ba412 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /src/obj-firefox/dist/include/nsThreadUtils.h:1192 #27 0x7f5f183fa3b6 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1037:14 #28 0x7f5f18414d38 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:513:10 #29 0x7f5f191eef11 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:97:21 #30 0x7f5f1914f68b in RunInternal /src/ipc/chromium/src/base/message_loop.cc:326:10 #31 0x7f5f1914f68b in RunHandler /src/ipc/chromium/src/base/message_loop.cc:319 #32 0x7f5f1914f68b in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299 #33 0x7f5f1ec4f23f in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:159:27 #34 0x7f5f22d84fb1 in nsAppStartup::Run() /src/toolkit/components/startup/nsAppStartup.cpp:288:30 #35 0x7f5f22f7d000 in XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4685:22 #36 0x7f5f22f7ebd5 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4847:8 #37 0x7f5f22f7ff86 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4942:21 #38 0x4ebd1c in do_main /src/browser/app/nsBrowserApp.cpp:231:22 #39 0x4ebd1c in main /src/browser/app/nsBrowserApp.cpp:304 #40 0x7f5f35f4582f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291 #41 0x41d3f8 in _start (firefox+0x41d3f8)

unum_open(...) [1] returns a null-pointer on failure which doesn't seem to be handled in [2]. Not a "JavaScript: Internationalization API" bug, therefore moving to "Core: Internationalization". [1] http://icu-project.org/apiref/icu4c/unum_8h.html#a581f9eb53d6b1b052b751272e1c6b67f [2] https://searchfox.org/mozilla-central/rev/9bab9dc5a9472e3c163ab279847d2249322c206e/intl/unicharutil/util/ICUUtils.cpp#101-102

Although I don't debug this yet, I think error status isn't successful. But we don't check error status, so this crash might occurs.

Comment on attachment 8930898 [details] Bug 1418477 - Part 1. Should check error status of unum_open. https://reviewboard.mozilla.org/r/202010/#review207422 Makes sense, thanks.

Comment on attachment 8930899 [details] Bug 1418477 - Part 2. Add crash test. https://reviewboard.mozilla.org/r/202012/#review207424

Pushed by m_kato@ga2.so-net.ne.jp: https://hg.mozilla.org/integration/autoland/rev/adfc65d1acc6 Part 1. Should check error status of unum_open. r=jfkthame https://hg.mozilla.org/integration/autoland/rev/b43f8e68097f Part 2. Add crash test. r=jfkthame

https://hg.mozilla.org/mozilla-central/rev/adfc65d1acc6 https://hg.mozilla.org/mozilla-central/rev/b43f8e68097f