Closed
Bug 1419911
Opened 7 years ago
Closed 3 years ago
Assertion failure: ipcDoc, at /builds/worker/workspace/build/src/accessible/generic/DocAccessible.cpp:1539
Categories: Core :: Disability Access APIs, defect, P3
Tracking: RESOLVED WORKSFORME
People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug
Details: Keywords: assertion, testcase; Whiteboard: a11y:crash-ipc
Attachments: 1 file (1.80 KB, text/html)
Found while fuzzing mozilla-central rev 8697764fdb68. Testcase wouldn't reproduce for me but it was reduced via an EC2 spot instance.
Comment 1 • 7 years ago (Reporter)
May also be related to bug 1419808
Updated • 6 years ago
Priority: -- → P3
Updated • 6 years ago
Whiteboard: a11y:crash-ipc
Comment 2 • 3 years ago
I am not able to reproduce this with the attached test case and the fuzzers are no longer hitting this.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME