Closed Bug 1380172 Opened 3 years ago Closed 3 years ago

crash near null in [@ InsertIterator::Next()]

Categories

(Core :: Disability Access APIs, defect)


RESOLVED DUPLICATE of bug 1376825

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file test_case.html
Found on m-c
BuildID=20170711160010
SourceStamp=6fec4855b5345eb63fef57089e61829b88f5f4eb

This test case requires the fuzzPriv extension.

This bug seems very similar to bug 1380153 (looking at the test case).

==64472==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000f0 (pc 0x7fd149f86969 bp 0x7ffe649bac50 sp 0x7ffe649bac20 T0)
==64472==The signal is caused by a READ memory access.
==64472==Hint: address points to the zero page.
    #0 0x7fd149f86968 in GetAccessible obj-firefox/dist/include/mozilla/a11y/DocAccessible.h:237:21
    #1 0x7fd149f86968 in mozilla::a11y::DocAccessible::GetAccessibleOrContainer(nsINode*) const accessible/generic/DocAccessible.cpp:1253
    #2 0x7fd149fb472d in AccessibleOrTrueContainer accessible/generic/DocAccessible-inl.h:30:27
    #3 0x7fd149fb472d in InsertIterator::Next() accessible/generic/DocAccessible.cpp:1812
    #4 0x7fd149fb4ea3 in mozilla::a11y::DocAccessible::ProcessContentInserted(mozilla::a11y::Accessible*, nsTArray<nsCOMPtr<nsIContent> > const*) accessible/generic/DocAccessible.cpp:1871:13
    #5 0x7fd149f227a7 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) accessible/base/NotificationController.cpp:727:16
    #6 0x7fd146d38f77 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:1854:12
    #7 0x7fd146d48855 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) layout/base/nsRefreshDriver.cpp:298:7
    #8 0x7fd146d48512 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:319:5
    #9 0x7fd146d4abbb in RunRefreshDrivers layout/base/nsRefreshDriver.cpp:761:5
    #10 0x7fd146d4abbb in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:674
    #11 0x7fd146d45f17 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() layout/base/nsRefreshDriver.cpp:520:20
    #12 0x7fd1400f6875 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1437:14
    #13 0x7fd1400fcaa8 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:489:10
    #14 0x7fd140f0ee41 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:97:21
    #15 0x7fd140e6b0e0 in RunInternal ipc/chromium/src/base/message_loop.cc:320:10
    #16 0x7fd140e6b0e0 in RunHandler ipc/chromium/src/base/message_loop.cc:313
    #17 0x7fd140e6b0e0 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:293
    #18 0x7fd14669937f in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:156:27
    #19 0x7fd14a744db1 in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:287:30
    #20 0x7fd14a91f5e4 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:4595:22
    #21 0x7fd14a9211ed in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4778:8
    #22 0x7fd14a92261b in XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4873:21
    #23 0x4eb613 in do_main browser/app/nsBrowserApp.cpp:237:22
    #24 0x4eb613 in main browser/app/nsBrowserApp.cpp:310
    #25 0x7fd15d14982f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #26 0x41d168 in _start (m-c-1499788810-asan-opt/firefox+0x41d168)
This stack looks identical to bug 1376825. The patch there fixes this test case as well, it seems.
I'm going to go ahead and call this a dup.

This test case will trigger bug 1380199 on debug builds.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1376825