Open
Bug 1429204
Opened 6 years ago
Updated 2 years ago
Crash near null [@ get]
Categories
(Core :: Disability Access APIs, defect, P2)
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox59 | --- | affected |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase, Whiteboard: a11y:crash-willrefresh)
Attachments
(1 file)
|
405 bytes,
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev ca379fcca95b.
Testcase requires the GNOME_ACCESSIBILITY=1 env variable in order to reproduce.
==14860==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f5e5518f086 bp 0x7ffdad69ba50 sp 0x7ffdad69b760 T0)
==14860==The signal is caused by a READ memory access.
==14860==Hint: address points to the zero page.
#0 0x7f5e5518f085 in get /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:287:27
#1 0x7f5e5518f085 in operator-> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:319
#2 0x7f5e5518f085 in OwnerDoc /builds/worker/workspace/build/src/dom/base/nsINode.h:540
#3 0x7f5e5518f085 in mozilla::a11y::RootAccessible::ProcessDOMEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/accessible/generic/RootAccessible.cpp:285
#4 0x7f5e550d8fb5 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/workspace/build/src/accessible/base/NotificationController.cpp:837:25
#5 0x7f5e51aaa57d in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1862:12
#6 0x7f5e51abaa8f in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:336:13
#7 0x7f5e51abaa8f in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:306
#8 0x7f5e51aba656 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:328:5
#9 0x7f5e51abcece in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:769:5
#10 0x7f5e51abcece in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:682
#11 0x7f5e51abcace in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:583:9
#12 0x7f5e523aa0cf in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16
#13 0x7f5e4b4275b9 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:155:20
#14 0x7f5e4b2cbab3 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1812:28
#15 0x7f5e4ae93ede in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2110:25
#16 0x7f5e4ae90f57 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2040:17
#17 0x7f5e4ae9265c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1886:5
#18 0x7f5e4ae92cb8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1919:15
#19 0x7f5e49feaffd in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
#20 0x7f5e4a006ab0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
#21 0x7f5e4ae9bffa in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#22 0x7f5e4adef999 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#23 0x7f5e4adef999 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#24 0x7f5e4adef999 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#25 0x7f5e5132c61a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
#26 0x7f5e55a580bb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:875:22
#27 0x7f5e4adef999 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#28 0x7f5e4adef999 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#29 0x7f5e4adef999 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#30 0x7f5e55a57aad in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:701:34
#31 0x4f2dfc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
#32 0x4f2dfc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#33 0x7f5e6900682f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
#34 0x42243c in _start (/home/forb1dden/builds/mc-asan/firefox+0x42243c)Flags: in-testsuite?
|
||
Comment 1•6 years ago
|
||
not sure how we run into a case when DOM event doesn't have any DOM node event target for events we listen, but we could have a null check here.
Priority: -- → P1
|
|
||
Updated•6 years ago
|
Priority: P1 → P2
|
|
||
Updated•6 years ago
|
Whiteboard: a11y:crash-willrefresh
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•