Closed Bug 1404431 Opened 2 years ago Closed 7 months ago

crash near null [@ nsAccessibilityService::CreateAccessibleByFrameType]

Categories

(Core :: Disability Access APIs, defect, P2, critical)

52 Branch
defect

Tracking


RESOLVED DUPLICATE of bug 1545190
Tracking Status
firefox-esr52 --- wontfix
firefox-esr60 --- wontfix
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix
firefox60 --- wontfix
firefox61 --- wontfix
firefox62 --- wontfix
firefox66 --- wontfix
firefox67 --- fixed
firefox68 --- fixed

People

(Reporter: tsmith, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, regression, testcase, Whiteboard: a11y:crash-tree:aria-owns)

Crash Data

Attachments

(1 file)

Attached file test_case.html
This bug may be a dup of bug 1384126, but the stack is a bit different, so I'll let someone else make that call.

==10986==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000048 (pc 0x7f6894561cd4 bp 0x7ffe3cf2c010 sp 0x7ffe3cf2bf40 T0)
==10986==The signal is caused by a READ memory access.
==10986==Hint: address points to the zero page.
    #0 0x7f6894561cd3 in GetPrimaryFrame /src/obj-firefox/dist/include/nsIContent.h:912:56
    #1 0x7f6894561cd3 in nsAccessibilityService::CreateAccessibleByFrameType(nsIFrame*, nsIContent*, mozilla::a11y::Accessible*) /src/accessible/base/nsAccessibilityService.cpp:1656
    #2 0x7f689454c4da in nsAccessibilityService::CreateAccessible(nsINode*, mozilla::a11y::Accessible*, bool*) /src/accessible/base/nsAccessibilityService.cpp:1109:18
    #3 0x7f68945bcafb in mozilla::a11y::DocAccessible::DoARIAOwnsRelocation(mozilla::a11y::Accessible*) /src/accessible/generic/DocAccessible.cpp:2095:34
    #4 0x7f689452b0e7 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /src/accessible/base/NotificationController.cpp:818:18
    #5 0x7f68912e9abc in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:1886:12
    #6 0x7f68912f8aeb in TickDriver /src/layout/base/nsRefreshDriver.cpp:337:13
    #7 0x7f68912f8aeb in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /src/layout/base/nsRefreshDriver.cpp:307
    #8 0x7f68912f87d4 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:328:5
    #9 0x7f68912fad3b in RunRefreshDrivers /src/layout/base/nsRefreshDriver.cpp:770:5
    #10 0x7f68912fad3b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:683
    #11 0x7f68912f6457 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /src/layout/base/nsRefreshDriver.cpp:529:20
    #12 0x7f688a518f52 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1039:14
    #13 0x7f688a532c28 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:524:10
    #14 0x7f688b2c49c1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:97:21
    #15 0x7f688b22642b in RunInternal /src/ipc/chromium/src/base/message_loop.cc:326:10
    #16 0x7f688b22642b in RunHandler /src/ipc/chromium/src/base/message_loop.cc:319
    #17 0x7f688b22642b in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299
    #18 0x7f6890c09ecf in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:158:27
    #19 0x7f6894d6c171 in nsAppStartup::Run() /src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #20 0x7f6894f5d39b in XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4701:22
    #21 0x7f6894f5efb8 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4865:8
    #22 0x7f6894f603eb in XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4960:21
    #23 0x4ebfe3 in do_main /src/browser/app/nsBrowserApp.cpp:236:22
    #24 0x4ebfe3 in main /src/browser/app/nsBrowserApp.cpp:309
    #25 0x7f68a7f1582f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #26 0x41db38 in _start (firefox+0x41db38)
Flags: in-testsuite?
INFO: Last good revision: e2d2897e4a7449759267bf168e6b37f7b8c3a94b (2016-09-21)
INFO: First bad revision: f0e6cc6360213ba21fd98c887b55fce5c680df68 (2016-09-22)
INFO: Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=e2d2897e4a7449759267bf168e6b37f7b8c3a94b&tochange=f0e6cc6360213ba21fd98c887b55fce5c680df68

A few a11y-related commits in there:
Bug 1280551 - Documents sometimes load with no child accessibles but all text merged into document, r=yzen
Bug 1303040 - implement shared header for two ProxyAccessible classes. r=tbsaunde
Bug 1206711 - store doc accessible in emulated HWND itself. r=surkov
Bug 1206711 - remove unused ipc bits from DocAccessibleWrap::DoInitialUpdate. r=surkov
Crash Signature: [@ nsAccessibilityService::CreateAccessibleByFrameType]
Has Regression Range: --- → yes
Version: Trunk → 52 Branch
Eitan, could you please triage this further to determine whether this is a fresh issue or one covered by known bugs?
Priority: -- → P2
Whiteboard: a11y:crash-tree:aria-owns
Updated stack from m-c 20180621-96399298b72f

==10106==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x65f677e46dca bp 0x7f6abfb1c670 sp 0x7f6abfb1c630 T0)
==10106==The signal is caused by a READ memory access.
==10106==Hint: address points to the zero page.
    #0 0x65f677e46dc9 in GetBoolFlag /builds/worker/workspace/build/src/dom/base/nsINode.h:1579:12
    #1 0x65f677e46dc9 in IsInUncomposedDoc /builds/worker/workspace/build/src/dom/base/nsINode.h:631
    #2 0x65f677e46dc9 in GetPrimaryFrame /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIContent.h:701
    #3 0x65f677e46dc9 in operator() /builds/worker/workspace/build/src/accessible/base/MarkupMap.h:379
    #4 0x65f677e46dc9 in $_3::__invoke(mozilla::dom::Element*, mozilla::a11y::Accessible*) /builds/worker/workspace/build/src/accessible/base/MarkupMap.h:379
    #5 0x65f677e0af0a in nsAccessibilityService::CreateAccessible(nsINode*, mozilla::a11y::Accessible*, bool*) /builds/worker/workspace/build/src/accessible/base/nsAccessibilityService.cpp:1172:18
    #6 0x65f677e9844e in mozilla::a11y::DocAccessible::DoARIAOwnsRelocation(mozilla::a11y::Accessible*) /builds/worker/workspace/build/src/accessible/generic/DocAccessible.cpp:2069:34
    #7 0x65f677ddebee in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/workspace/build/src/accessible/base/NotificationController.cpp:852:18
    #8 0x65f674700764 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1868:12
    #9 0x65f674713ea9 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:328:13
    #10 0x65f674713947 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:320:5
    #11 0x65f674716f8f in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:760:5
    #12 0x65f674716f8f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:673
    #13 0x65f674716a3e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:574:9
    #14 0x65f6751d0b26 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16
    #15 0x65f66c3b69ad in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #16 0x65f66c1cf5b7 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1988:28
    #17 0x65f66ba49d8e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2134:25
    #18 0x65f66ba456be in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2064:17
    #19 0x65f66ba47b1d in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1910:5
    #20 0x65f66ba48877 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1943:15
    #21 0x65f66a8b7635 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1051:14
    #22 0x65f66a8dc371 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #23 0x65f66ba54064 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:125:5
    #24 0x65f66b95911c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #25 0x65f66b95911c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #26 0x65f66b95911c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #27 0x65f67401b486 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #28 0x65f6789e21ce in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:896:22
    #29 0x65f66b95911c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #30 0x65f66b95911c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #31 0x65f66b95911c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #32 0x65f6789e138c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:722:34
    #33 0x4f54c1 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #34 0x4f54c1 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
    #35 0x65f68dcc606a in __libc_start_main (/usr/lib/libc.so.6+0x2306a)
    #36 0x4248bc in _start (/home/truber/builds/m-c-20180621182210-fuzzing-asan-opt/firefox+0x4248bc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/base/nsINode.h:1579:12 in GetBoolFlag
==10106==ABORTING
See Also: → 1545190

Proposing the fix in bug 1545190 for beta. I don't think it will make it to release where Ehsan reproduced this. Unless I am told otherwise?

No crash in 67 beta 14 which has the fix from bug 1545190, same for 68, duping and adjusting flags.

Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1545190