Closed Bug 1484778 Opened 2 years ago Closed 2 years ago

crash at null in [@ mozilla::a11y::DocAccessible::DispatchScrollingEvent]

Categories

(Core :: Disability Access APIs, defect)

Tracking

RESOLVED FIXED
mozilla63
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox61 --- unaffected
firefox62 --- unaffected
firefox63 --- fixed

People

(Reporter: tsmith, Assigned: eeejay)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase)

Attachments

(2 files)

Attached file testcase.html
This may take a few refreshes but it is reliable for me.

==86702==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd3a0e71372 bp 0x7ffd7e22abe0 sp 0x7ffd7e22aaa0 T0)
==86702==The signal is caused by a READ memory access.
==86702==Hint: address points to the zero page.
    #0 0x7fd3a0e71371 in mozilla::a11y::DocAccessible::DispatchScrollingEvent(unsigned int) src/accessible/generic/DocAccessible.cpp:2454:9
    #1 0x7fd3a0e7112a in mozilla::a11y::DocAccessible::ScrollTimerCallback(nsITimer*, void*) src/accessible/generic/DocAccessible.cpp:614:13
    #2 0x7fd393a98ba7 in nsTimerImpl::Fire(int) src/xpcom/threads/nsTimerImpl.cpp:701:7
    #3 0x7fd393a54d1d in nsTimerEvent::Run() src/xpcom/threads/TimerThread.cpp:297:11
    #4 0x7fd393a6c240 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1235:14
    #5 0x7fd393a74fa5 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #6 0x7fd394c52244 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:125:5
    #7 0x7fd394b540cc in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #8 0x7fd394b540cc in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #9 0x7fd394b540cc in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #10 0x7fd39d66eaf6 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #11 0x7fd3a19e2fce in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:937:22
    #12 0x7fd394b540cc in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #13 0x7fd394b540cc in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #14 0x7fd394b540cc in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #15 0x7fd3a19e2082 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:763:34
    #16 0x4f5b01 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #17 0x4f5b01 in main src/browser/app/nsBrowserApp.cpp:287
    #18 0x7fd3b70bc82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #19 0x424edc in _start (firefox+0x424edc)
Flags: in-testsuite?
Is this fallout from the scrolling event work in bug 1479591?
Flags: needinfo?(eitan)
Yup. Looks like it. I'll take this on. Thanks Tyson!
Flags: needinfo?(eitan)
Assignee: nobody → eitan
Attachment #9002830 - Flags: review?(surkov.alexander) → review+
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4746df79fc33
Null-check scroll frame in DispatchScrollingEvent. r=surkov
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/4746df79fc33
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Blocks: 1479591
Flags: in-testsuite? → in-testsuite+