Closed Bug 1402999 Opened 3 years ago Closed 2 years ago

crash near null in [@ mozilla::a11y::DocAccessible::GetAccessibleOrContainer]

(Core :: Disability Access APIs, defect, P3, critical)

Tracking Status
firefox-esr52 --- wontfix
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- wontfix
firefox60 --- fixed

(Reporter: tsmith, Assigned: eeejay)

(Blocks 1 open bug)

(4 keywords)

Crash Data

(2 files, 1 obsolete file)

Attached file test_case.html
==16519==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000f0 (pc 0x7fbba543e289 bp 0x7ffd284308f0 sp 0x7ffd284308c0 T0)
==16519==The signal is caused by a READ memory access.
==16519==Hint: address points to the zero page.
    #0 0x7fbba543e288 in GetAccessible  /src/obj-firefox/dist/include/mozilla/a11y/DocAccessible.h:239:21
    #1 0x7fbba543e288 in mozilla::a11y::DocAccessible::GetAccessibleOrContainer(nsINode*) const  /src/accessible/generic/DocAccessible.cpp:1257
    #2 0x7fbba5487257 in mozilla::a11y::RootAccessible::ProcessDOMEvent(nsIDOMEvent*)  /src/accessible/generic/RootAccessible.cpp:289:21
    #3 0x7fbba53dbac1 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp)  /src/accessible/base/NotificationController.cpp:801:25
    #4 0x7fbba21a11bc in nsRefreshDriver::Tick(long, mozilla::TimeStamp)  /src/layout/base/nsRefreshDriver.cpp:1886:12
    #5 0x7fbba21b01eb in TickDriver  /src/layout/base/nsRefreshDriver.cpp:337:13
    #6 0x7fbba21b01eb in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)  /src/layout/base/nsRefreshDriver.cpp:307
    #7 0x7fbba21afed4 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp)  /src/layout/base/nsRefreshDriver.cpp:328:5
    #8 0x7fbba21b243b in RunRefreshDrivers  /src/layout/base/nsRefreshDriver.cpp:770:5
    #9 0x7fbba21b243b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp)  /src/layout/base/nsRefreshDriver.cpp:683
    #10 0x7fbba21adb57 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run()  /src/layout/base/nsRefreshDriver.cpp:529:20
    #11 0x7fbb9b60033c in nsThread::ProcessNextEvent(bool, bool*)  /src/xpcom/threads/nsThread.cpp:1039:14
    #12 0x7fbb9b60615c in NS_ProcessNextEvent(nsIThread*, bool)  /src/xpcom/threads/nsThreadUtils.cpp:521:10
    #13 0x7fbb9c3ab061 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)  /src/ipc/glue/MessagePump.cpp:97:21
    #14 0x7fbb9c30cf2b in RunInternal  /src/ipc/chromium/src/base/
    #15 0x7fbb9c30cf2b in RunHandler  /src/ipc/chromium/src/base/
    #16 0x7fbb9c30cf2b in MessageLoop::Run()  /src/ipc/chromium/src/base/
    #17 0x7fbba1abd4df in nsBaseAppShell::Run()  /src/widget/nsBaseAppShell.cpp:158:27
    #18 0x7fbba5c1d3c1 in nsAppStartup::Run()  /src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #19 0x7fbba5dfdf0b in XREMain::XRE_mainRun()  /src/toolkit/xre/nsAppRunner.cpp:4701:22
    #20 0x7fbba5dffb08 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)  /src/toolkit/xre/nsAppRunner.cpp:4865:8
    #21 0x7fbba5e00f3b in XRE_main(int, char**, mozilla::BootstrapConfig const&)  /src/toolkit/xre/nsAppRunner.cpp:4960:21
    #22 0x4ebea3 in do_main  /src/browser/app/nsBrowserApp.cpp:236:22
    #23 0x4ebea3 in main  /src/browser/app/nsBrowserApp.cpp:309
    #24 0x7fbbb901d82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #25 0x41d9f8 in _start (firefox+0x41d9f8)
Flags: in-testsuite?
On debug builds, it hits the below assertion:
ASSERTION: No document while accessible is in document?!: 'targetDocument', file /builds/worker/workspace/build/src/accessible/generic/RootAccessible.cpp, line 28

This crash goes back many, many years.
Crash Signature: [@ mozilla::a11y::DocAccessible::GetAccessibleOrContainer]
Has Regression Range: --- → irrelevant
Keywords: assertion
Putting into backlog for now since it's an old issue. I'd rather figure it out though, because a11y tree update problems are never a good thing, and are potentially dangerous.

Eitan, ping if you have some free cycles and are interested in investigating what's going on here.
Priority: -- → P3
This test case tries to put a subtree with an iframe into the same iframe, and then triggers a DOM event on another member of the subtree. The iframe's doc goes supernova, is de-parented, and has no preshell. So by the time we process the event and try to get the owning doc's accessible, it doesn't exist. The current assertion is probably tripped in debug builds, but we really should be returning.
Attachment #8956293 - Flags: review?(surkov.alexander)
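The failure mode described in the comment above, modelled as an added example (not Firefox code): an a11y event is queued against a node, the node's iframe document is torn down before the refresh tick drains the queue, and the handler then asks for a DocAccessible that no longer exists. The `Document`, `DocAccessible`, `GetDocAccessible` and `PendingEvent` names are simplified stand-ins for the real classes; the checked handler shows the early return the fix adds.

```cpp
#include <map>
#include <vector>

struct Document;
struct Node { Document* ownerDoc = nullptr; };

// Stand-in for mozilla::a11y::DocAccessible: maps DOM nodes to accessible ids.
struct DocAccessible {
    std::map<const Node*, int> accessibles;  // constructed sample data
    int GetAccessibleOrContainer(const Node* n) const {
        auto it = accessibles.find(n);       // member access: crashes at a small
        return it == accessibles.end() ? -1 : it->second;  // offset when 'this' is null
    }
};

// A document that has lost its pres shell has no DocAccessible any more.
struct Document {
    bool hasPresShell = true;
    DocAccessible* docAcc = nullptr;
};

DocAccessible* GetDocAccessible(const Document* doc) {
    return (doc && doc->hasPresShell) ? doc->docAcc : nullptr;
}

struct PendingEvent { Node* target; };

// Before the fix: assumes the owning document still has an accessible.
int ProcessDOMEventUnchecked(const PendingEvent& ev) {
    DocAccessible* targetDocument = GetDocAccessible(ev.target->ownerDoc);
    return targetDocument->GetAccessibleOrContainer(ev.target);  // null deref if doc is dead
}

// After the fix: bail out when the document died between queueing and the tick.
bool ProcessDOMEventChecked(const PendingEvent& ev, int* outAcc) {
    DocAccessible* targetDocument = GetDocAccessible(ev.target->ownerDoc);
    if (!targetDocument) return false;  // dead document: nothing to update
    *outAcc = targetDocument->GetAccessibleOrContainer(ev.target);
    return true;
}

// Queue an event on an iframe node, optionally tear the iframe doc down
// before the "refresh tick", then drain the queue with the checked handler.
bool Scenario(bool teardownBeforeTick, int* outAcc) {
    DocAccessible acc; Document iframeDoc; Node n;
    iframeDoc.docAcc = &acc; n.ownerDoc = &iframeDoc; acc.accessibles[&n] = 42;
    std::vector<PendingEvent> queue{{&n}};
    if (teardownBeforeTick) { iframeDoc.hasPresShell = false; iframeDoc.docAcc = nullptr; }
    return ProcessDOMEventChecked(queue[0], outAcc);
}
```

With a live document both handlers return the node's accessible; with the document torn down first, only the checked handler survives, which is why the unchecked path is never exercised on a dead document here.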
Comment on attachment 8956293 [details] [diff] [review]
Don't process DOM event on dead document. r?surkov

Review of attachment 8956293 [details] [diff] [review]:

looks good, could you please put this test case into our crash tests, thanks! r=me
Attachment #8956293 - Flags: review?(surkov.alexander) → review+
Attachment #8956293 - Attachment is obsolete: true
Assignee: nobody → eitan
Keywords: checkin-needed
Pushed by
Don't process DOM event on dead document. r=surkov
Keywords: checkin-needed
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60