Closed Bug 1332143 Opened 3 years ago Closed 3 years ago

crash near null [@GetRootScrollFrame]

Categories

(Core :: Disability Access APIs, defect, critical)

defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 1330765
Tracking Status
firefox53 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-nullptr, testcase)

Attachments

(2 files)

Attached file log.txt
Requires fuzzPriv extension to reproduce:
https://github.com/MozillaSecurity/funfuzz/tree/master/dom/extension

This seems to be timing related. e10s was disabled. 

==19614==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f7583f57e42 bp 0x7ffd67294020 sp 0x7ffd67294000 T0)
    #0 0x7f7583f57e41 in GetRootScrollFrame /home/worker/workspace/build/src/layout/base/PresShell.cpp:2384:25
    #1 0x7f7583f57e41 in nsIPresShell::GetRootScrollFrameAsScrollable() const /home/worker/workspace/build/src/layout/base/PresShell.cpp:2397
    #2 0x7f75850ae038 in RemoveScrollListener /home/worker/workspace/build/src/accessible/generic/DocAccessible-inl.h:115:28
    #3 0x7f75850ae038 in mozilla::a11y::DocAccessible::RemoveEventListeners() /home/worker/workspace/build/src/accessible/generic/DocAccessible.cpp:568
    #4 0x7f75850ac9f4 in mozilla::a11y::DocAccessible::Shutdown() /home/worker/workspace/build/src/accessible/generic/DocAccessible.cpp:442:3
    #5 0x7f7585009011 in mozilla::a11y::DocManager::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/accessible/base/DocManager.cpp:386:7
    #6 0x7f758500947c in non-virtual thunk to mozilla::a11y::DocManager::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/accessible/base/DocManager.cpp:357:13
    #7 0x7f7581eb6d7d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1136:16
    #8 0x7f7581eb88fc in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1318:20
...
see log.txt
Attached file test_case.html
I suspect this is a dup of bug 1330765. I can reproduce this only after reverting that patch.
Tyson, can you still reproduce? I think we can close this.
Flags: needinfo?(twsmith)
I can no longer reproduce this issue.
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(twsmith)
Resolution: --- → DUPLICATE
Duplicate of bug: 1330765
You need to log in before you can comment on or make changes to this bug.