Closed Bug 1463962 Opened Last year Closed Last year

crash near null in [@ mozilla::a11y::DocAccessible::BindToDocument]

Categories

(Core :: Disability Access APIs, defect, P2)


Tracking


RESOLVED FIXED
mozilla64
Tracking Status
firefox-esr60 --- unaffected
firefox62 --- wontfix
firefox63 --- fixed
firefox64 --- fixed

People

(Reporter: tsmith, Assigned: surkov)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: a11y:crash-willrefresh)

Crash Data

Attachments

(2 files)

Attached file testcase.html
==55676==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7fa134712263 bp 0x7ffcc5b79ab0 sp 0x7ffcc5b79a70 T0)
==55676==The signal is caused by a READ memory access.
==55676==Hint: address points to the zero page.
    #0 0x7fa134712262 in operator bool src/obj-firefox/dist/include/nsCOMPtr.h:803:45
    #1 0x7fa134712262 in HasOwnContent src/obj-firefox/dist/include/mozilla/a11y/Accessible.h:895
    #2 0x7fa134712262 in IsNodeMapEntry src/obj-firefox/dist/include/mozilla/a11y/Accessible.h:884
    #3 0x7fa134712262 in mozilla::a11y::DocAccessible::BindToDocument(mozilla::a11y::Accessible*, nsRoleMapEntry const*) src/accessible/generic/DocAccessible.cpp:1274
    #4 0x7fa1346a5b68 in nsAccessibilityService::CreateAccessible(nsINode*, mozilla::a11y::Accessible*, bool*) src/accessible/base/nsAccessibilityService.cpp:1065:19
    #5 0x7fa1346a2c9b in mozilla::a11y::TreeWalker::Next() src/accessible/base/TreeWalker.cpp:183:27
    #6 0x7fa134715c55 in mozilla::a11y::DocAccessible::CacheChildrenInSubtree(mozilla::a11y::Accessible*, mozilla::a11y::Accessible**) src/accessible/generic/DocAccessible.cpp:2321:39
    #7 0x7fa1347151b3 in mozilla::a11y::DocAccessible::DoInitialUpdate() src/accessible/generic/DocAccessible.cpp:1492:3
    #8 0x7fa134682fee in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) src/accessible/base/NotificationController.cpp:666:16
    #9 0x7fa1312b5481 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1868:12
    #10 0x7fa1312c50cb in TickDriver src/layout/base/nsRefreshDriver.cpp:328:13
    #11 0x7fa1312c50cb in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:301
    #12 0x7fa1312c4ca9 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:320:5
    #13 0x7fa1312c77ee in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:760:5
    #14 0x7fa1312c77ee in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:673
    #15 0x7fa1312c73ee in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:574:9
    #16 0x7fa131b6c08f in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:68:16
    #17 0x7fa12a899184 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #18 0x7fa12a771363 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1988:28
    #19 0x7fa12a2dee9e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2136:25
    #20 0x7fa12a2dbde2 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2066:17
    #21 0x7fa12a2dd61c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1912:5
    #22 0x7fa12a2ddc78 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1945:15
    #23 0x7fa1293ea806 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14
    #24 0x7fa129406740 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #25 0x7fa12a2e6b3a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #26 0x7fa12a23afd9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #27 0x7fa12a23afd9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #28 0x7fa12a23afd9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #29 0x7fa130d601ba in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #30 0x7fa134fc000b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #31 0x7fa12a23afd9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #32 0x7fa12a23afd9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #33 0x7fa12a23afd9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #34 0x7fa134fbf9d0 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #35 0x4f1875 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #36 0x4f1875 in main src/browser/app/nsBrowserApp.cpp:282
    #37 0x7fa148c7e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #38 0x420f48 in _start (firefox+0x420f48)
Flags: in-testsuite?
Priority: -- → P2
Whiteboard: a11y:crash-willrefresh
See Also: → 1470838
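The faulting address in the report above (0x000000000018, "address points to the zero page") is consistent with a field read through a null object pointer, the field sitting at offset 0x18; frames #0 to #3 show that read is nsCOMPtr's operator bool inside HasOwnContent(), reached from BindToDocument(). The block below is an added C++ illustration, not code from this bug, from the patch, or from the Firefox tree: FakeAccessible, FakeContent, BindToDocumentUnchecked and BindToDocumentChecked are constructed stand-ins, and the assumed layout (three pointer-sized fields ahead of the content pointer, so that it lands at 0x18 on a 64-bit build) is chosen only to reproduce the reported address, not to describe the real Accessible class. It puts the unchecked call as reported next to the null-checked form that the approval request describes as the whole fix.

```cpp
#include <cstddef>
#include <cstdint>

// Constructed stand-ins (assumption: not Firefox's real Accessible layout).
struct FakeContent {
  int dummy = 0;
};

struct FakeAccessible {
  std::uintptr_t mFlags = 0;          // offset 0x00 on LP64
  FakeAccessible* mParent = nullptr;  // offset 0x08
  FakeAccessible* mDoc = nullptr;     // offset 0x10
  FakeContent* mContent = nullptr;    // offset 0x18: models nsCOMPtr<nsIContent>

  // Models HasOwnContent()/IsNodeMapEntry(): the first thing it does is
  // test mContent, which is the nsCOMPtr operator bool in frame #0.
  bool IsNodeMapEntry() const { return mContent != nullptr; }
};

// Address ASan reported for the faulting read.
constexpr std::uintptr_t kFaultAddress = 0x18;

// Offset of the field whose read faults at kFaultAddress when the object
// pointer is null; lets the reader check the layout assumption.
std::size_t ContentFieldOffset() { return offsetof(FakeAccessible, mContent); }

// 'Before': the pointer is used unconditionally. With aAccessible == nullptr
// the load of mContent is a read of *(nullptr + 0x18), i.e. the SEGV above.
// Never call this with null; it would crash, as in the report.
bool BindToDocumentUnchecked(FakeAccessible* aAccessible) {
  return aAccessible->IsNodeMapEntry();
}

// 'After': the null check the approval request lists as the entire change.
// Returns false and binds nothing when handed a null accessible.
bool BindToDocumentChecked(FakeAccessible* aAccessible) {
  if (!aAccessible) {
    return false;
  }
  return aAccessible->IsNodeMapEntry();
}

// Usage on a real object, so the checked path is seen to still bind entries.
bool CheckedBindsRealEntry() {
  FakeContent content;
  FakeAccessible acc;
  acc.mContent = &content;
  return BindToDocumentChecked(&acc) && BindToDocumentUnchecked(&acc);
}
```

Reading a zero-page address this way (fault address equals the field offset) is the quick test for "null object, not null field": a null nsCOMPtr inside a live object would not fault in operator bool at all, it would just yield false.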
Attached patch patch
Assignee: nobody → surkov.alexander
Attachment #9012005 - Flags: review?(jteh)
Duplicate of this bug: 1470838
Attachment #9012005 - Flags: review?(jteh) → review+
Crash Signature: [@ mozilla::a11y::DocAccessible::BindToDocument]
Pushed by surkov.alexander@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/445d1a7b0504
crash near null in [@ mozilla::a11y::DocAccessible::BindToDocument], r=jamie
https://hg.mozilla.org/mozilla-central/rev/445d1a7b0504
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Is this worth backporting to Beta?
Flags: needinfo?(surkov.alexander)
Flags: in-testsuite?
Flags: in-testsuite+
Comment on attachment 9012005 [details] [diff] [review]
patch

Approval Request Comment
[Feature/Bug causing the regression]: unknown
[User impact if declined]: crashes
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: run a test attached to the bug
[List of other uplifts needed for the feature/fix]: empty
[Is the change risky?]: low risk
[Why is the change risky/not risky?]: a null check
[String changes made/needed]:
Flags: needinfo?(surkov.alexander)
Attachment #9012005 - Flags: approval-mozilla-beta?
Comment on attachment 9012005 [details] [diff] [review]
patch

Crash fix, uplift accepted for 63 beta 11, thanks.
Attachment #9012005 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Duplicate of this bug: 1501086