Closed Bug 1380153 Opened 3 years ago Closed 3 years ago

crash near null in [@ mozilla::a11y::IDRefsIterator::IDRefsIterator]

Categories

(Core :: Disability Access APIs, defect, P1)

Tracking

RESOLVED FIXED
mozilla56
Tracking Status
firefox-esr52 --- fixed
firefox54 --- wontfix
firefox55 --- fixed
firefox56 --- fixed

People

(Reporter: tsmith, Assigned: eeejay)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file test_case.html
Found on m-c
BuildID=20170711160010
SourceStamp=6fec4855b5345eb63fef57089e61829b88f5f4eb

==49135==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7ff2f3690022 bp 0x7ffcd3febeb0 sp 0x7ffcd3febeb0 T0)
==49135==The signal is caused by a READ memory access.
==49135==Hint: address points to the zero page.
    #0 0x7ff2f3690021 in GetBoolFlag dom/base/nsINode.h:1592:12
    #1 0x7ff2f3690021 in IsInUncomposedDoc dom/base/nsINode.h:536
    #2 0x7ff2f3690021 in mozilla::a11y::IDRefsIterator::IDRefsIterator(mozilla::a11y::DocAccessible*, nsIContent*, nsIAtom*) accessible/base/AccIterator.cpp:260
    #3 0x7ff2f374489b in mozilla::a11y::DocAccessible::DoARIAOwnsRelocation(mozilla::a11y::Accessible*) accessible/generic/DocAccessible.cpp:2075:18
    #4 0x7ff2f36b141c in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) accessible/base/NotificationController.cpp:811:18
    #5 0x7ff2f04c6f77 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:1854:12
    #6 0x7ff2f04d6855 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) layout/base/nsRefreshDriver.cpp:298:7
    #7 0x7ff2f04d6512 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:319:5
    #8 0x7ff2f04d8bbb in RunRefreshDrivers layout/base/nsRefreshDriver.cpp:761:5
    #9 0x7ff2f04d8bbb in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:674
    #10 0x7ff2f04d3f17 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() layout/base/nsRefreshDriver.cpp:520:20
    #11 0x7ff2e9884875 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1437:14
    #12 0x7ff2e988aaa8 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:489:10
    #13 0x7ff2ea69ce41 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:97:21
    #14 0x7ff2ea5f90e0 in RunInternal ipc/chromium/src/base/message_loop.cc:320:10
    #15 0x7ff2ea5f90e0 in RunHandler ipc/chromium/src/base/message_loop.cc:313
    #16 0x7ff2ea5f90e0 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:293
    #17 0x7ff2efe2737f in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:156:27
    #18 0x7ff2f3ed2db1 in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:287:30
    #19 0x7ff2f40ad5e4 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:4595:22
    #20 0x7ff2f40af1ed in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4778:8
    #21 0x7ff2f40b061b in XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4873:21
    #22 0x4eb613 in do_main browser/app/nsBrowserApp.cpp:237:22
    #23 0x4eb613 in main browser/app/nsBrowserApp.cpp:310
    #24 0x7ff3068d782f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #25 0x41d168 in _start (/home/user/workspace/browsers/m-c-1499788810-asan-opt/firefox+0x41d168)
See Also: → 1380172
This crash also goes away with the patch in bug 1376825.
See Also: → 1376825
Priority: -- → P1
Assignee: nobody → eitan
Depends on: 1376825
See Also: 1376825
This should be fixed in nightly after bug 1376825 landed, could you confirm?
Flags: needinfo?(twsmith)
I can no longer reproduce this issue on m-c.
Changeset: 16ffc1d05422a81099ce8b9b59de66dde4c8b2f0
Build ID: 20170728132457
Flags: needinfo?(twsmith)
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56