Closed Bug 1370723 Opened 3 years ago Closed 3 years ago

Crash near null [@ mozilla::a11y::NotificationController::Shutdown]

Categories: Core :: Disability Access APIs, defect, P1, critical
Tracking: RESOLVED DUPLICATE of bug 1330765
People: Reporter: tsmith, Assigned: eeejay
References: Blocks 1 open bug
Details: Keywords: crash, csectype-nullptr, testcase
Attachments: 1 file

Attached file test_case.html
This test case requires the fuzzPriv extension. It can be found here: https://github.com/MozillaSecurity/domfuzz/tree/master/dom/extension

e10s was disabled when this assertion was discovered.

==60467==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000003d (pc 0x7f4b0a107a7f bp 0x7fffc9122c10 sp 0x7fffc9122be0 T0)
==60467==The signal is caused by a READ memory access.
==60467==Hint: address points to the zero page.
    #0 0x7f4b0a107a7e in IsDefunct src/accessible/generic/Accessible.h:864:35
    #1 0x7f4b0a107a7e in mozilla::a11y::NotificationController::Shutdown() src/accessible/base/NotificationController.cpp:90
    #2 0x7f4b0a18dfe9 in mozilla::a11y::DocAccessible::Shutdown() src/accessible/generic/DocAccessible.cpp:444:30
    #3 0x7f4b0a18e3b6 in mozilla::a11y::DocAccessible::Shutdown() src/accessible/generic/DocAccessible.cpp:465:27
    #4 0x7f4b0a0eff32 in mozilla::a11y::DocManager::ClearDocCache() src/accessible/base/DocManager.cpp:552:15
    #5 0x7f4b0a0efcef in mozilla::a11y::DocManager::Shutdown() src/accessible/base/DocManager.cpp:220:3
    #6 0x7f4b0a137577 in nsAccessibilityService::Shutdown() src/accessible/base/nsAccessibilityService.cpp:1328:15
    #7 0x7f4b0a0ee9fc in RemoveFromXPCDocumentCache src/accessible/base/DocManager.cpp:98:5
    #8 0x7f4b0a0ee9fc in mozilla::a11y::DocManager::NotifyOfDocumentShutdown(mozilla::a11y::DocAccessible*, nsIDocument*) src/accessible/base/DocManager.cpp:116
    #9 0x7f4b0a18e855 in mozilla::a11y::DocAccessible::Shutdown() src/accessible/generic/DocAccessible.cpp:500:20
    #10 0x7f4b0a10ce72 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) src/accessible/base/NotificationController.cpp:761:17
    #11 0x7f4b078de045 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1791:12
    #12 0x7f4b078eca85 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:301:7
    #13 0x7f4b078ec742 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:322:5
    #14 0x7f4b078eee3b in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:754:5
    #15 0x7f4b078eee3b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:667
    #16 0x7f4b078ea147 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() src/layout/base/nsRefreshDriver.cpp:513:20
    #17 0x7f4b00fff41e in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1321:14
    #18 0x7f4b0100b858 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:472:10
    #19 0x7f4b01dd7c91 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:96:21
    #20 0x7f4b01d34d90 in RunInternal src/ipc/chromium/src/base/message_loop.cc:238:10
    #21 0x7f4b01d34d90 in RunHandler src/ipc/chromium/src/base/message_loop.cc:231
    #22 0x7f4b01d34d90 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:211
    #23 0x7f4b0724b68f in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:156:27
    #24 0x7f4b0a90bce1 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:283:30
    #25 0x7f4b0aadc334 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4569:22
    #26 0x7f4b0aaddea0 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4749:8
    #27 0x7f4b0aadf1f1 in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4844:21
    #28 0x4eb5a3 in do_main src/browser/app/nsBrowserApp.cpp:236:22
    #29 0x4eb5a3 in main src/browser/app/nsBrowserApp.cpp:309
    #30 0x7f4b1c99382f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
    #31 0x41d0f8 in _start (m-c-1496772615-asan-opt/firefox+0x41d0f8)
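The report above is a SEGV on address 0x3d with ASan's "zero page" hint, which is why the bug carries the csectype-nullptr keyword: a small field offset read through a null pointer, a crash rather than a memory-corruption candidate. The following triage helper is an added example, not code from the bug or from Mozilla's tooling. It parses the ASan SEGV header, the access kind and the frame list, buckets the fault as near-null or wild, and derives a simple signature from a chosen frame. The abbreviated report embedded below is constructed from the lines quoted above; the NEAR_NULL_LIMIT cut-off and the bucket names are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an abbreviated copy of the ASan output quoted above
# (header, hint lines and the first three frames, same layout).
SAMPLE_REPORT = """\
==60467==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000003d (pc 0x7f4b0a107a7f bp 0x7fffc9122c10 sp 0x7fffc9122be0 T0)
==60467==The signal is caused by a READ memory access.
==60467==Hint: address points to the zero page.
    #0 0x7f4b0a107a7e in IsDefunct src/accessible/generic/Accessible.h:864:35
    #1 0x7f4b0a107a7e in mozilla::a11y::NotificationController::Shutdown() src/accessible/base/NotificationController.cpp:90
    #2 0x7f4b0a18dfe9 in mozilla::a11y::DocAccessible::Shutdown() src/accessible/generic/DocAccessible.cpp:444:30
"""

# Faults below this address are treated as near-null dereferences: a small
# field offset reached through a null pointer. The cut-off is this example's
# assumption; it covers the zero page ASan's hint refers to.
NEAR_NULL_LIMIT = 0x1000

HEADER_RE = re.compile(
    r"ERROR: AddressSanitizer: SEGV on unknown address 0x([0-9a-f]+) \(pc 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
# Function names may contain spaces (argument lists); the source location is
# always the final whitespace-free token, so the name is matched lazily.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+?) (\S+)$")


@dataclass
class Frame:
    index: int
    func: str
    location: str


@dataclass
class AsanSegv:
    address: int
    pc: int
    access: Optional[str]  # "READ", "WRITE", or None if ASan gave no hint
    frames: List[Frame] = field(default_factory=list)

    @property
    def near_null(self) -> bool:
        return self.address < NEAR_NULL_LIMIT

    def top_function(self, skip: int = 0) -> str:
        """Function name of frame `skip`, with any argument list removed."""
        return re.sub(r"\(.*\)$", "", self.frames[skip].func)


def parse_asan_segv(text: str) -> AsanSegv:
    """Parse the SEGV header, access kind and frame list from ASan output."""
    address = pc = None
    access = None
    frames: List[Frame] = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            address, pc = int(m.group(1), 16), int(m.group(2), 16)
            continue
        m = ACCESS_RE.search(line)
        if m:
            access = m.group(1)
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    if address is None:
        raise ValueError("no AddressSanitizer SEGV header found")
    return AsanSegv(address, pc, access, frames)


def classify(report: AsanSegv) -> str:
    """Coarse triage bucket: near-null faults are plain crashes, while wild
    reads or writes at arbitrary addresses deserve a closer look."""
    kind = (report.access or "UNKNOWN").lower()
    return f"{'near-null' if report.near_null else 'wild'}-{kind}"


if __name__ == "__main__":
    r = parse_asan_segv(SAMPLE_REPORT)
    # Frame #0 (IsDefunct) is an inlined helper, so frame #1 gives the
    # signature the bug title uses.
    print(f"{classify(r)} at 0x{r.address:x}, pc 0x{r.pc:x}, "
          f"signature [@ {r.top_function(skip=1)}]")
```

Run against the sample it reports `near-null-read at 0x3d`, matching the "Crash near null" title and the csectype-nullptr keyword; the same parser accepts the full 32-frame trace above, including frames whose names carry argument lists.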
I cannot reproduce it these days. Eitan, I'm curious if this one might have been fixed by one of your recent patches (the shutdown one)?
Flags: needinfo?(eitan)
Priority: -- → P1
I cannot reproduce this. Tyson, do you still see this issue?
Flags: needinfo?(eitan) → needinfo?(twsmith)
(In reply to Eitan Isaacson [:eeejay] from comment #2)
> I cannot reproduce this. Tyson, do you still see this issue?

I can't reproduce this either. Any idea what fixed it?
Flags: needinfo?(twsmith)
Assignee: nobody → eitan
I think this may have been bug 1385372. I'll see if I can reproduce with that patch reverted.
FYI: Be sure to use the latest prefs.js [1] file for legacy add-on support (needed for fuzzPriv).

[1] https://github.com/MozillaSecurity/ffpuppet/tree/master/prefs
We're getting a few of these in recent betas.
Crash Signature: [@ nsIPresShell::RemoveRefreshObserverInternal]
Keywords: stale-bug
(In reply to David Bolter [:davidb] (NeedInfo me for attention) from comment #6)
> We're getting a few of these in recent betas.

We haven't encountered this crash in the recent beta. Current beta is 56.0b10; this last appeared in 56.0b6 if I'm reading the stats correctly.
So I was wrong about bug 1385372. After a bout with mozregression I got this:
First good revision: f76c3424121755776ab7e442de0a0eba5858932f
Last bad revision: 4e2b30513c88f35f6092c47453eef144b3343a84
Pushlog: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4e2b30513c88f35f6092c47453eef144b3343a84&tochange=f76c3424121755776ab7e442de0a0eba5858932f

Looks like this specific case was fixed in bug 1330765.

This doesn't explain the crashes that are as late as 56.0b6, but the fact that we aren't encountering them in the latest beta keeps me hopeful. The crash signature is very generic, and not specific to this test case.
OK cool thanks. Let's dupe this and I'll track the new signature elsewhere.
Status: NEW → RESOLVED
Crash Signature: [@ nsIPresShell::RemoveRefreshObserverInternal]
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1330765