Closed
Bug 1615502
Opened 4 years ago
Closed 4 years ago
crash near null in [@ mozilla::a11y::HTMLLIAccessible::HTMLLIAccessible]
Categories
(Core :: Disability Access APIs, defect, P1)
Core
Disability Access APIs
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox73 | --- | unaffected |
| firefox74 | --- | unaffected |
| firefox75 | blocking | verified |
People
(Reporter: tsmith, Assigned: eeejay)
References
(Blocks 1 open bug, Regression)
Details
(5 keywords)
Crash Data
Attachments
(2 files)
Found with m-c 20200213-51dbdcd6e874
==79382==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7fc4dbbbb508 bp 0x7fff9b359370 sp 0x7fff9b359370 T0)
==79382==The signal is caused by a READ memory access.
==79382==Hint: address points to the zero page.
#0 0x7fc4dbbbb507 in get /src/obj-firefox/dist/include/mozilla/RefPtr.h:286:27
#1 0x7fc4dbbbb507 in operator-> /src/obj-firefox/dist/include/mozilla/RefPtr.h:316:12
#2 0x7fc4dbbbb507 in nsIFrame::StyleList() const /src/layout/style/nsStyleStructList.h:36:1
#3 0x7fc4de8e7749 in mozilla::a11y::HTMLLIAccessible::HTMLLIAccessible(nsIContent*, mozilla::a11y::DocAccessible*) /src/accessible/html/HTMLListAccessible.cpp:41:46
#4 0x7fc4de887c80 in operator() /src/accessible/base/MarkupMap.h:241:1
#5 0x7fc4de887c80 in $_15::__invoke(mozilla::dom::Element*, mozilla::a11y::Accessible*) /src/accessible/base/MarkupMap.h:241:1
#6 0x7fc4de8638df in nsAccessibilityService::CreateAccessible(nsINode*, mozilla::a11y::Accessible*, bool*) /src/accessible/base/nsAccessibilityService.cpp:923:13
#7 0x7fc4de8618b7 in mozilla::a11y::TreeWalker::Next() /src/accessible/base/TreeWalker.cpp:187:27
#8 0x7fc4de8bd3b9 in mozilla::a11y::DocAccessible::CacheChildrenInSubtree(mozilla::a11y::Accessible*, mozilla::a11y::Accessible**) /src/accessible/generic/DocAccessible.cpp:2415:39
#9 0x7fc4de8bd4d9 in mozilla::a11y::DocAccessible::CacheChildrenInSubtree(mozilla::a11y::Accessible*, mozilla::a11y::Accessible**) /src/accessible/generic/DocAccessible.cpp:2424:7
#10 0x7fc4de8bca8c in mozilla::a11y::DocAccessible::DoInitialUpdate() /src/accessible/generic/DocAccessible.cpp:1596:3
#11 0x7fc4de8478eb in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /src/accessible/base/NotificationController.cpp:634:16
#12 0x7fc4dba9838d in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:1974:12
#13 0x7fc4dbaa78e6 in TickDriver /src/layout/base/nsRefreshDriver.cpp:374:13
#14 0x7fc4dbaa78e6 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /src/layout/base/nsRefreshDriver.cpp:351:7
#15 0x7fc4dbaa747c in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:368:5
#16 0x7fc4dbaa6490 in RunRefreshDrivers /src/layout/base/nsRefreshDriver.cpp:820:5
#17 0x7fc4dbaa6490 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:740:16
#18 0x7fc4dbaa582b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /src/layout/base/nsRefreshDriver.cpp:635:9
#19 0x7fc4dc21b419 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) /src/layout/ipc/VsyncChild.cpp:64:16
#20 0x7fc4d5329fb0 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:187:54
#21 0x7fc4d4d66e20 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:5806:32
#22 0x7fc4d4610842 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /src/ipc/glue/MessageChannel.cpp:2215:25
#23 0x7fc4d460b4a4 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /src/ipc/glue/MessageChannel.cpp:2137:9
#24 0x7fc4d460d76f in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /src/ipc/glue/MessageChannel.cpp:1976:3
#25 0x7fc4d460e670 in mozilla::ipc::MessageChannel::MessageTask::Run() /src/ipc/glue/MessageChannel.cpp:2007:13
#26 0x7fc4d33bcbd8 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1220:14
#27 0x7fc4d33c7a3c in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:481:10
#28 0x7fc4d461c6ef in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:87:21
#29 0x7fc4d4515077 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
#30 0x7fc4d4515077 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308:3
#31 0x7fc4d4515077 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290:3
#32 0x7fc4db611c58 in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:137:27
#33 0x7fc4df132226 in XRE_RunAppShell() /src/toolkit/xre/nsEmbedFunctions.cpp:943:20
#34 0x7fc4d4515077 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
#35 0x7fc4d4515077 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308:3
#36 0x7fc4d4515077 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290:3
#37 0x7fc4df1318cf in XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:778:34
#38 0x5565569c01f3 in content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#39 0x5565569c01f3 in main /src/browser/app/nsBrowserApp.cpp:303:18
#40 0x7fc4f5e5db96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#41 0x556556915cbc in _start (/home/worker/builds/m-c-20200213214257-fuzzing-asan-opt/firefox+0x9bcbc)
Flags: in-testsuite?
|
Reporter | |
Comment 1•4 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/zTC8QkL_DED-0VJEvE9vZQ/index.html
|
||
Comment 2•4 years ago
|
||
Regression introduced by bug 895323. For display: contents, the frame will be null and we don't null check there. Sorry; I should've caught that in review. :(
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
|
||
Updated•4 years ago
|
status-firefox-esr68:
--- → unaffected
|
||
Updated•4 years ago
|
tracking-firefox75:
--- → blocking
|
||
Updated•4 years ago
|
Severity: normal → major
|
Assignee | |
Updated•4 years ago
|
Assignee: nobody → eitan
|
|
Assignee | |
Comment 3•4 years ago
|
||
Pushed by jteh@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5ed0397d324b Support list items with display:contents. r=Jamie
|
||
Comment 5•4 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
|
||
Updated•4 years ago
|
Flags: qe-verify+
|
||
Comment 6•4 years ago
|
||
I tried to reproduce the crash using the same nightly asan opt fuzz build from comment 0 downloaded from treeherder: https://treeherder.mozilla.org/#/jobs?repo=mozilla-central&revision=51dbdcd6e874c5d466f7a163e43973358e06284d&searchStr=asan&selectedJob=288816911 but I was not able to reproduce it. Loading the testcase attached just displays ' * { display: contents } ' but no crash is recorded. Am I missing some steps?
I am trying to verify that the crash does not occur anymore on Firefox 75 beta.
Flags: needinfo?(twsmith)
|
|
Reporter | |
Comment 7•4 years ago
|
||
(In reply to Bogdan Maris [:bogdan_maris], Release Desktop QA from comment #6)
Am I missing some steps?
Did you enable a11y? Setting the environment variable GNOME_ACCESSIBILITY=1 will do it on Linux.
Flags: needinfo?(twsmith)
|
|
||
Comment 8•4 years ago
|
||
Thanks Tyson, I was able to get the crash after setting env GNOME_ACCESSIBILITY=1 and using old nightly build from comment 6. Verified that using a 75.0b7 fuzz asan opt build the crash does not occur anymore and I get * { display: contents } after loading the attached testscase.
Terminal output from old nightly:
==6912==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f15b2b4a508 bp 0x7ffe504981f0 sp 0x7ffe504981f0 T0)
==6912==The signal is caused by a READ memory access.
==6912==Hint: address points to the zero page.
#0 0x7f15b2b4a507 in get /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:286:27
#1 0x7f15b2b4a507 in operator-> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:316:12
#2 0x7f15b2b4a507 in nsIFrame::StyleList() const /builds/worker/workspace/build/src/layout/style/nsStyleStructList.h:36:1
#3 0x7f15b5876749 in mozilla::a11y::HTMLLIAccessible::HTMLLIAccessible(nsIContent*, mozilla::a11y::DocAccessible*) /builds/worker/workspace/build/src/accessible/html/HTMLListAccessible.cpp:41:46
#4 0x7f15b5816c80 in operator() /builds/worker/workspace/build/src/accessible/base/MarkupMap.h:241:1
#5 0x7f15b5816c80 in $_15::__invoke(mozilla::dom::Element*, mozilla::a11y::Accessible*) /builds/worker/workspace/build/src/accessible/base/MarkupMap.h:241:1
#6 0x7f15b57f28df in nsAccessibilityService::CreateAccessible(nsINode*, mozilla::a11y::Accessible*, bool*) /builds/worker/workspace/build/src/accessible/base/nsAccessibilityService.cpp:923:13
#7 0x7f15b57f08b7 in mozilla::a11y::TreeWalker::Next() /builds/worker/workspace/build/src/accessible/base/TreeWalker.cpp:187:27
#8 0x7f15b584c3b9 in mozilla::a11y::DocAccessible::CacheChildrenInSubtree(mozilla::a11y::Accessible*, mozilla::a11y::Accessible**) /builds/worker/workspace/build/src/accessible/generic/DocAccessible.cpp:2415:39
#9 0x7f15b584c4d9 in mozilla::a11y::DocAccessible::CacheChildrenInSubtree(mozilla::a11y::Accessible*, mozilla::a11y::Accessible**) /builds/worker/workspace/build/src/accessible/generic/DocAccessible.cpp:2424:7
#10 0x7f15b584ba8c in mozilla::a11y::DocAccessible::DoInitialUpdate() /builds/worker/workspace/build/src/accessible/generic/DocAccessible.cpp:1596:3
#11 0x7f15b57d68eb in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/workspace/build/src/accessible/base/NotificationController.cpp:634:16
#12 0x7f15b2a2738d in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1974:12
#13 0x7f15b2a368e6 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:374:13
#14 0x7f15b2a368e6 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:351:7
#15 0x7f15b2a3647c in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:368:5
#16 0x7f15b2a35490 in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:820:5
#17 0x7f15b2a35490 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:740:16
#18 0x7f15b2a3482b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:635:9
#19 0x7f15b31aa419 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:64:16
#20 0x7f15ac2b8fb0 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:187:54
#21 0x7f15abcf5e20 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:5806:32
#22 0x7f15ab59f842 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2215:25
#23 0x7f15ab59a4a4 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2137:9
#24 0x7f15ab59c76f in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1976:3
#25 0x7f15ab59d670 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2007:13
#26 0x7f15aa34bbd8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1220:14
#27 0x7f15aa356a3c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:481:10
#28 0x7f15ab5ab6ef in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:87:21
#29 0x7f15ab4a4077 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#30 0x7f15ab4a4077 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
#31 0x7f15ab4a4077 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
#32 0x7f15b25a0c58 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#33 0x7f15b60c1226 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:943:20
#34 0x7f15ab4a4077 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#35 0x7f15ab4a4077 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
#36 0x7f15ab4a4077 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
#37 0x7f15b60c08cf in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:778:34
#38 0x55906ff741f3 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#39 0x55906ff741f3 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:303:18
#40 0x7f15cd129b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#41 0x55906fec9cbc in _start (/home/bogdan.maris/Documents/Asan1/firefox/firefox+0x9bcbc)
|
||
Comment 9•4 years ago
|
||
Please specify a root cause for this bug. See :tmaity for more information.
Root Cause: --- → ?
You need to log in
before you can comment on or make changes to this bug.
Description
•