Closed
Bug 1402999
Opened 7 years ago
Closed 6 years ago
crash near null in [@ mozilla::a11y::DocAccessible::GetAccessibleOrContainer]
Categories
(Core :: Disability Access APIs, defect, P3)
Tracking
RESOLVED FIXED
mozilla60
People
(Reporter: tsmith, Assigned: eeejay)
References
(Blocks 1 open bug)
Details
(4 keywords)
Crash Data
Attachments
(2 files, 1 obsolete file)
261 bytes, text/html
2.17 KB, patch
==16519==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000f0 (pc 0x7fbba543e289 bp 0x7ffd284308f0 sp 0x7ffd284308c0 T0)
==16519==The signal is caused by a READ memory access.
==16519==Hint: address points to the zero page.
    #0 0x7fbba543e288 in GetAccessible /src/obj-firefox/dist/include/mozilla/a11y/DocAccessible.h:239:21
    #1 0x7fbba543e288 in mozilla::a11y::DocAccessible::GetAccessibleOrContainer(nsINode*) const /src/accessible/generic/DocAccessible.cpp:1257
    #2 0x7fbba5487257 in mozilla::a11y::RootAccessible::ProcessDOMEvent(nsIDOMEvent*) /src/accessible/generic/RootAccessible.cpp:289:21
    #3 0x7fbba53dbac1 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /src/accessible/base/NotificationController.cpp:801:25
    #4 0x7fbba21a11bc in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:1886:12
    #5 0x7fbba21b01eb in TickDriver /src/layout/base/nsRefreshDriver.cpp:337:13
    #6 0x7fbba21b01eb in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /src/layout/base/nsRefreshDriver.cpp:307
    #7 0x7fbba21afed4 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:328:5
    #8 0x7fbba21b243b in RunRefreshDrivers /src/layout/base/nsRefreshDriver.cpp:770:5
    #9 0x7fbba21b243b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:683
    #10 0x7fbba21adb57 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /src/layout/base/nsRefreshDriver.cpp:529:20
    #11 0x7fbb9b60033c in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1039:14
    #12 0x7fbb9b60615c in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:521:10
    #13 0x7fbb9c3ab061 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:97:21
    #14 0x7fbb9c30cf2b in RunInternal /src/ipc/chromium/src/base/message_loop.cc:326:10
    #15 0x7fbb9c30cf2b in RunHandler /src/ipc/chromium/src/base/message_loop.cc:319
    #16 0x7fbb9c30cf2b in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299
    #17 0x7fbba1abd4df in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:158:27
    #18 0x7fbba5c1d3c1 in nsAppStartup::Run() /src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #19 0x7fbba5dfdf0b in XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4701:22
    #20 0x7fbba5dffb08 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4865:8
    #21 0x7fbba5e00f3b in XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4960:21
    #22 0x4ebea3 in do_main /src/browser/app/nsBrowserApp.cpp:236:22
    #23 0x4ebea3 in main /src/browser/app/nsBrowserApp.cpp:309
    #24 0x7fbbb901d82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #25 0x41d9f8 in _start (firefox+0x41d9f8)
Flags: in-testsuite?
Comment 1•7 years ago
On debug builds, it hits the below assertion:
ASSERTION: No document while accessible is in document?!: 'targetDocument', file /builds/worker/workspace/build/src/accessible/generic/RootAccessible.cpp, line 28
This crash goes back many, many years.
Crash Signature: [@ mozilla::a11y::DocAccessible::GetAccessibleOrContainer]
Has Regression Range: --- → irrelevant
status-firefox56: --- → wontfix
Keywords: assertion
Comment 2•7 years ago
Putting into backlog for now since it's an old issue. I'd rather figure it out though, because a11y tree update problems are never a good thing, and potentially dangerous. Eitan, ping if you have some free cycles and are interested in investigating what's going on here.
Priority: -- → P3
Reporter
Updated•6 years ago
status-firefox59: --- → affected
status-firefox60: --- → affected
Assignee
Comment 3•6 years ago
This test case tries to put a subtree with an iframe into the same iframe, and then triggers a DOM event on another member of the subtree. The iframe's doc goes supernova, is de-parented, and has no presshell. So by the time we process the event and try to get the owning doc's accessible, it doesn't exist. The current assertion is probably tripped in debug builds, but we really should be returning.
Attachment #8956293 - Flags: review?(surkov.alexander)
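The failure mode described in comment 3, as an added C++ sketch that is not the attached patch or Gecko code: an event is queued against a document that is torn down before the refresh tick, and the handler returns early instead of relying on a debug-only assertion. `AccService`, `Controller` and their members are hypothetical stand-ins.

```cpp
// Simplified model for illustration; every name here is hypothetical and
// none of this is Gecko source.
#include <memory>
#include <queue>
#include <unordered_map>

struct Document { int id; };
struct DocAccessible { int handled = 0; };

// Maps live documents to their accessible; the entry goes away on teardown.
struct AccService {
  std::unordered_map<int, std::unique_ptr<DocAccessible>> docs;
  void Create(const Document& d) { docs[d.id].reset(new DocAccessible()); }
  void Shutdown(const Document& d) { docs.erase(d.id); }
  DocAccessible* GetDocAccessible(const Document& d) const {
    auto it = docs.find(d.id);
    return it == docs.end() ? nullptr : it->second.get();
  }
};

// DOM events are queued when fired and handled on a later refresh tick, so
// the target's document can be torn down between the two.
struct Controller {
  const AccService& svc;
  std::queue<Document> pending;
  int processed = 0, dropped = 0;
  explicit Controller(const AccService& s) : svc(s) {}
  void Queue(const Document& target_doc) { pending.push(target_doc); }
  void ProcessDOMEvent(const Document& target_doc) {
    DocAccessible* doc = svc.GetDocAccessible(target_doc);
    // A debug-only assertion at this point is compiled out of release
    // builds, which would go on to dereference null. Bail out instead.
    if (!doc) { ++dropped; return; }
    ++doc->handled;
    ++processed;
  }
  void WillRefresh() {
    for (; !pending.empty(); pending.pop()) ProcessDOMEvent(pending.front());
  }
};

int main() {
  AccService svc; Document live{1}, dead{2};
  svc.Create(live); svc.Create(dead);
  Controller c(svc);
  c.Queue(live); c.Queue(dead);
  svc.Shutdown(dead);  // document dies while its event is still queued
  c.WillRefresh();
  return (c.processed == 1 && c.dropped == 1) ? 0 : 1;
}
```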
Comment 4•6 years ago
Comment on attachment 8956293
Don't process DOM event on dead document. r?surkov
Review of attachment 8956293:
-----------------------------------------------------------------
looks good, could you please put this test case into our crash tests (https://dxr.mozilla.org/mozilla-central/source/accessible/tests/crashtests), thanks! r=me
Attachment #8956293 - Flags: review?(surkov.alexander) → review+
Assignee
Comment 5•6 years ago
Added tests.
Assignee
Updated•6 years ago
Attachment #8956293 - Attachment is obsolete: true
Assignee
Updated•6 years ago
Assignee: nobody → eitan
Keywords: checkin-needed
Pushed by aiakab@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2a0de8aa19f9
Don't process DOM event on dead document. r=surkov
Keywords: checkin-needed
Comment 7•6 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/2a0de8aa19f9
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Comment 8•6 years ago
Too late for 59 and low volume.