1494707 - AddressSanitizer: SEGV /builds/worker/workspace/build/src/accessible/base/AccIterator.cpp:41:42 in mozilla::a11y::AccIterator::Next()

Status: RESOLVED FIXED

(Core :: Disability Access APIs, defect)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev ba2b3ed1eb96.

==22620==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f965317d042 bp 0x7ffc0f5508b0 sp 0x7ffc0f550880 T0)
==22620==The signal is caused by a READ memory access.
==22620==Hint: address points to the zero page.
    #0 0x7f965317d041 in mozilla::a11y::AccIterator::Next() /builds/worker/workspace/build/src/accessible/base/AccIterator.cpp:41:42
    #1 0x7f9653215bf8 in mozilla::a11y::TableAccessible::CellInRowAt(mozilla::a11y::Accessible*, int) /builds/worker/workspace/build/src/accessible/generic/TableAccessible.cpp:264:31
    #2 0x7f96532a75c8 in mozilla::a11y::HTMLTableHeaderCellAccessible::NativeRole() const /builds/worker/workspace/build/src/accessible/html/HTMLTableAccessible.cpp:332:29
    #3 0x7f96532b3c4e in Role /builds/worker/workspace/build/src/accessible/generic/Accessible-inl.h:26:30
    #4 0x7f96532b3c4e in mozilla::a11y::DocAccessibleChildBase::SerializeTree(mozilla::a11y::Accessible*, nsTArray<mozilla::a11y::AccessibleData>&) /builds/worker/workspace/build/src/accessible/ipc/DocAccessibleChildBase.cpp:60
    #5 0x7f96532b3ed6 in mozilla::a11y::DocAccessibleChildBase::SerializeTree(mozilla::a11y::Accessible*, nsTArray<mozilla::a11y::AccessibleData>&) /builds/worker/workspace/build/src/accessible/ipc/DocAccessibleChildBase.cpp:79:5
    #6 0x7f96532b3ed6 in mozilla::a11y::DocAccessibleChildBase::SerializeTree(mozilla::a11y::Accessible*, nsTArray<mozilla::a11y::AccessibleData>&) /builds/worker/workspace/build/src/accessible/ipc/DocAccessibleChildBase.cpp:79:5
    #7 0x7f96532b43bd in mozilla::a11y::DocAccessibleChildBase::InsertIntoIpcTree(mozilla::a11y::Accessible*, mozilla::a11y::Accessible*, unsigned int) /builds/worker/workspace/build/src/accessible/ipc/DocAccessibleChildBase.cpp:92:3
    #8 0x7f965325d099 in mozilla::a11y::DocAccessible::DoInitialUpdate() /builds/worker/workspace/build/src/accessible/generic/DocAccessible.cpp:1539:17
    #9 0x7f96531a4607 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/workspace/build/src/accessible/base/NotificationController.cpp:666:16
    #10 0x7f964fffa15f in nsRefreshDriver::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1875:12
    #11 0x7f965000c951 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:325:13
    #12 0x7f965000c951 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:300
    #13 0x7f965000c471 in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:318:5
    #14 0x7f965000f751 in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:756:5
    #15 0x7f965000f751 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:672
    #16 0x7f965000eea8 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:572:9
    #17 0x7f9650ad3b08 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:78:16
    #18 0x7f96477c0c6b in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #19 0x7f9647537920 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
    #20 0x7f9646d0c2d5 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2248:25
    #21 0x7f9646d08009 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2175:17
    #22 0x7f9646d0a14d in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2012:5
    #23 0x7f9646d0ae77 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2045:15
    #24 0x7f9645b0bccf in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1228:14
    #25 0x7f9645b142cd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #26 0x7f9646d15953 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #27 0x7f9646c180cc in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #28 0x7f9646c180cc in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #29 0x7f9646c180cc in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #30 0x7f964f922973 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #31 0x7f9653dd30fe in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:939:22
    #32 0x7f9646c180cc in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #33 0x7f9646c180cc in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #34 0x7f9646c180cc in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #35 0x7f9653dd2223 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:765:34
    #36 0x563a593aeb91 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #37 0x563a593aeb91 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
    #38 0x7f9667a8ab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Comment 1

[Marco Zehe (:MarcoZ)]

I can reproduce this crash by just opening the test case in a Nightly build. Crash report: bp-a173dd71-953e-4c30-ab79-2a9340180928

Taking this since it touches code I worked on in bug 1486668.

Comment 2

[Marco Zehe (:MarcoZ)]

Attachment: Bug 1494707 - Add a null check for a retrieved row accessible in HTMLTableAccessible::CellAt, r=surkov

When checking for an accessible if it is a table row instead of a table cell, when retrieving the actual row at the given index, null check it to make sure we don't pass an invalid accessible to the TableAccessible::CellInRowAt method. I accidentally omitted that null check in the updated patch for bug 1486668.

Comment 3

[Pulsebot]

Pushed by mzehe@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b5a47b972169
Add a null check for a retrieved row accessible in HTMLTableAccessible::CellAt, r=surkov

Comment 4

[Narcis Beleuzu [:NarcisB]]

https://hg.mozilla.org/mozilla-central/rev/b5a47b972169