Closed Bug 1572811 Opened 3 months ago Closed 3 months ago

crash near null in [@ GetPrevInFlow]

Categories

(Core :: Disability Access APIs, defect)

Tracking

RESOLVED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- unaffected
firefox69 --- unaffected
firefox70 --- fixed

People

(Reporter: tsmith, Assigned: eeejay)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, testcase)

Attachments

(2 files, 1 obsolete file)

Attached file testcase.html

Reducer with m-c:
BuildID=20190809095611
SourceStamp=36c3240e5cafd7b57146bab3b177bfa47f42bcfa

The attached test case requires "full-screen-api.allow-trusted-requests-only=false"

==58942==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7f11f72c64d7 bp 0x7ffc7695a5a0 sp 0x7ffc7695a5a0 T0)
==58942==The signal is caused by a READ memory access.
==58942==Hint: address points to the zero page.
    #0 0x7f11f72c64d6 in GetStateBits src/layout/generic/nsIFrame.h:2045:46
    #1 0x7f11f72c64d6 in GetPrevInFlow src/layout/generic/nsSplittableFrame.cpp:112
    #2 0x7f11f72c64d6 in nsSplittableFrame::FirstInFlow() const src/layout/generic/nsSplittableFrame.cpp:143
    #3 0x7f11f73cd238 in nsTableFrame::GetCellMap() const src/layout/tables/nsTableFrame.cpp:642:37
    #4 0x7f11f9ceec8f in GetEffectiveColSpanAt src/layout/tables/nsTableWrapperFrame.h:168:46
    #5 0x7f11f9ceec8f in mozilla::a11y::HTMLTableAccessible::ColExtentAt(unsigned int, unsigned int) src/accessible/html/HTMLTableAccessible.cpp:621
    #6 0x7f11f9ce81e2 in mozilla::a11y::HTMLTableCellAccessible::ColExtent() const src/accessible/html/HTMLTableAccessible.cpp:175:17
    #7 0x7f11f9cea60a in mozilla::a11y::HTMLTableHeaderCellAccessible::NativeRole() const src/accessible/html/HTMLTableAccessible.cpp:288:53
    #8 0x7f11f9cdc88a in Role src/accessible/generic/Accessible-inl.h:25:30
    #9 0x7f11f9cdc88a in mozilla::a11y::HTMLTextFieldAccessible::ContainerWidget() const src/accessible/html/HTMLFormControlAccessible.cpp:396
    #10 0x7f11f9c8cf74 in mozilla::a11y::Accessible::State() src/accessible/generic/Accessible.cpp:1247:26
    #11 0x7f11f9c14189 in AccTextChangeEvent src/accessible/base/AccEvent.cpp:92:20
    #12 0x7f11f9c14189 in mozilla::a11y::NotificationController::QueueMutationEvent(mozilla::a11y::AccTreeMutationEvent*) src/accessible/base/NotificationController.cpp:257
    #13 0x7f11f9c14c1a in mozilla::a11y::TreeMutation::BeforeRemoval(mozilla::a11y::Accessible*, bool) src/accessible/base/EventTree.cpp:86:21
    #14 0x7f11f9cb04ca in mozilla::a11y::DocAccessible::ContentRemoved(mozilla::a11y::Accessible*) src/accessible/generic/DocAccessible.cpp:1982:6
    #15 0x7f11f9ca883a in mozilla::a11y::DocAccessible::ContentRemoved(nsIContent*) src/accessible/generic/DocAccessible.cpp:2011:5
    #16 0x7f11f9ca895a in mozilla::a11y::DocAccessible::ContentRemoved(nsIContent*) src/accessible/generic/DocAccessible.cpp:2017:5
    #17 0x7f11f18c778c in nsNodeUtils::NativeAnonymousChildListChange(nsIContent*, bool) src/dom/base/nsNodeUtils.cpp:187:3
    #18 0x7f11f15ebe5f in mozilla::dom::Element::UnbindFromTree(bool) src/dom/base/Element.cpp:1844:7
    #19 0x7f11f4997ce5 in nsGenericHTMLElement::UnbindFromTree(bool) src/dom/html/nsGenericHTMLElement.cpp:461:20
    #20 0x7f11f70cf435 in nsIFrame::DestroyAnonymousContent(nsPresContext*, already_AddRefed<nsIContent>&&) src/layout/generic/nsFrame.cpp:260:14
    #21 0x7f11f6f8b76c in nsIFrame::AutoPostDestroyData::~AutoPostDestroyData() src/layout/generic/nsIFrame.h:639:9
    #22 0x7f11f71494d4 in Destroy src/layout/generic/nsIFrame.h:657:3
    #23 0x7f11f71494d4 in nsFrameList::DestroyFrame(nsIFrame*) src/layout/generic/nsFrameList.cpp:121
    #24 0x7f11f72b885d in nsPlaceholderFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsPlaceholderFrame.cpp:184:11
    #25 0x7f11f72507af in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsLineBox.cpp:386:14
    #26 0x7f11f700c543 in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsBlockFrame.cpp:328:3
    #27 0x7f11f7148949 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrameList.cpp:51:12
    #28 0x7f11f700cd63 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:215:11
    #29 0x7f11f7148949 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrameList.cpp:51:12
    #30 0x7f11f700cd63 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:215:11
    #31 0x7f11f7148949 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrameList.cpp:51:12
    #32 0x7f11f700cd63 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:215:11
    #33 0x7f11f7148949 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrameList.cpp:51:12
    #34 0x7f11f700cd63 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:215:11
    #35 0x7f11f7148949 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrameList.cpp:51:12
    #36 0x7f11f700cd63 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:215:11
    #37 0x7f11f7044724 in nsBlockFrame::DoRemoveFrameInternal(nsIFrame*, unsigned int, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsBlockFrame.cpp:6082:20
    #38 0x7f11f70415d5 in DoRemoveFrame src/layout/generic/nsBlockFrame.h:529:5
    #39 0x7f11f70415d5 in nsBlockFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) src/layout/generic/nsBlockFrame.cpp:5423
    #40 0x7f11f6eaac65 in RemoveFrame src/layout/base/nsFrameManager.cpp:116:18
    #41 0x7f11f6eaac65 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7709
    #42 0x7f11f6e97ab5 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:8725:7
    #43 0x7f11f6e328f0 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) src/layout/base/RestyleManager.cpp:1561:25
    #44 0x7f11f6e3f365 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:3108:9
    #45 0x7f11f6dec9b9 in ProcessPendingRestyles src/layout/base/RestyleManager.cpp:3190:3
    #46 0x7f11f6dec9b9 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4118
    #47 0x7f11f6d763d1 in FlushPendingNotifications src/obj-firefox/dist/include/mozilla/PresShell.h:1445:5
    #48 0x7f11f6d763d1 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1989
    #49 0x7f11f6d86fcf in TickDriver src/layout/base/nsRefreshDriver.cpp:372:13
    #50 0x7f11f6d86fcf in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:349
    #51 0x7f11f6d86990 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:366:5
    #52 0x7f11f6d8a253 in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:814:5
    #53 0x7f11f6d8a253 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:734
    #54 0x7f11f6d8951c in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:629:9
    #55 0x7f11f766c00b in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) src/layout/ipc/VsyncChild.cpp:65:16
    #56 0x7f11ef331f85 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:187:54
    #57 0x7f11eee805d1 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:5637:32
    #58 0x7f11ee6eedd6 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2184:25
    #59 0x7f11ee6e9b3b in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2108:9
    #60 0x7f11ee6ec0f7 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1955:3
    #61 0x7f11ee6ecf87 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1986:13
    #62 0x7f11ed4e9060 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
    #63 0x7f11ed4ef478 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
    #64 0x7f11ee6f81b4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:110:5
    #65 0x7f11ee5f56e2 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #66 0x7f11ee5f56e2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #67 0x7f11ee5f56e2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #68 0x7f11f67f2d09 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #69 0x7f11fa6e553f in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:919:20
    #70 0x7f11ee5f56e2 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #71 0x7f11ee5f56e2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #72 0x7f11ee5f56e2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #73 0x7f11fa6e4de6 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:754:34
    #74 0x556e8582bf13 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #75 0x556e8582bf13 in main src/browser/app/nsBrowserApp.cpp:267
Flags: in-testsuite?

Seems like a regression from bug 686400.

Why is ContentRemoved relying on frame tree state? The frame tree is probably mid-destruction at that point.

Flags: needinfo?(eitan)
Regressed by: 686400

Going to try to repro and fix.

Looks like this happens because we stopped removing the accessible subtree earlier.

Flags: needinfo?(eitan)

The thing that is a bit puzzling about this bug is that we get notified via the dom mutation observer of the removed anonymous nodes during the destruction of the frame tree. I guess we should stop using the observer, but maybe more generally should the mutation observer be called during frame reconstruction?

The DOM mutation observer method is called during frame destruction, which is not a good state to be in when constructing and dispatching events.

Pushed by eisaacson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/067d47e20a94
Explicitly check for removed anonymous children in reframe. r=Jamie
Attachment #9085215 - Attachment is obsolete: true
Pushed by eisaacson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b47aa54a3dad
Don't fire text change events if container accessible has no frame. r=Jamie
Status: NEW → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
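As an added illustration of the crash shape discussed in the comments above and of the guard described by the second landed patch ("Don't fire text change events if container accessible has no frame"), the following is a small stand-alone model. It is not Gecko source and not either of the patches; every name in it (Frame, Accessible, NotificationQueue, RunScenario, NullFrameRead) is an invented stand-in for the corresponding frame in the ASAN stack, and the state-bits value is constructed. The fault is modelled as an exception so the sequence can run to completion instead of dying, which also lets the before/after behaviour be checked directly.

```cpp
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Added illustration, not Gecko code. Models the path in the stack above:
// frame tree teardown -> DOM mutation observer -> ContentRemoved ->
// QueueMutationEvent -> Accessible::State() -> FirstInFlow() -> GetStateBits()
// on a frame pointer that is already null.

struct Frame {
  uint64_t stateBits = 0;       // the field nsIFrame::GetStateBits() reads
  Frame* prevInFlow = nullptr;  // continuation chain walked by FirstInFlow()
};

// Stands in for the SIGSEGV. In the real code the read of the state bits
// through a null pointer faults at a small offset into the zero page, which
// is exactly what the AddressSanitizer report above shows (address 0x58).
struct NullFrameRead : std::runtime_error {
  NullFrameRead() : std::runtime_error("state bits read through null frame") {}
};

uint64_t GetStateBits(const Frame* f) {
  if (!f) throw NullFrameRead();  // models the fault, not a real check
  return f->stateBits;
}

// Like nsSplittableFrame::FirstInFlow(): reads the state bits of each frame
// while walking the prevInFlow chain. With a null `f` the very first read is
// the fault seen in frames #0/#1 of the trace.
const Frame* FirstInFlow(const Frame* f) {
  const Frame* first = f;
  while (true) {
    GetStateBits(first);
    if (!first->prevInFlow) break;
    first = first->prevInFlow;
  }
  return first;
}

struct Accessible {
  Frame* frame = nullptr;  // cleared once the frame tree destroys the frame
  Accessible* parent = nullptr;
  std::vector<Accessible*> children;

  // Stand-in for Accessible::State(): in the trace this reaches the table's
  // cell map through FirstInFlow(), so it needs a live frame to be safe.
  uint64_t State() const { return GetStateBits(FirstInFlow(frame)); }
};

struct NotificationQueue {
  bool guardMissingFrame;  // false = behaviour before the fix landed
  std::vector<std::string> events;

  // Models AccTextChangeEvent construction inside QueueMutationEvent
  // (frames #11/#12). Returns what happened so callers can check it.
  std::string QueueTextChange(Accessible* container) {
    if (guardMissingFrame && !container->frame) {
      return "dropped";  // the fix: no frame on the container, no event
    }
    uint64_t state = container->State();  // faults when frame is null
    events.push_back("textchange:" + std::to_string(state));
    return "queued";
  }
};

// Drives the sequence from the stack. With duringTeardown=true the container's
// frame has already been destroyed when the mutation observer reports the
// removed anonymous child, which is the situation the comments describe.
std::string RunScenario(bool guardMissingFrame, bool duringTeardown) {
  Frame tableFrame;
  tableFrame.stateBits = 0x4;  // constructed value, any non-zero bits will do
  Accessible container;
  container.frame = &tableFrame;
  Accessible textField;
  textField.parent = &container;
  container.children.push_back(&textField);

  NotificationQueue queue{guardMissingFrame, {}};
  if (duringTeardown) {
    container.frame = nullptr;  // frame gone, accessible still alive
  }
  try {
    // ContentRemoved(textField) -> BeforeRemoval -> QueueTextChange(parent)
    return queue.QueueTextChange(textField.parent);
  } catch (const NullFrameRead&) {
    return "segv";
  }
}

int main() {
  std::cout << "normal, unguarded:   " << RunScenario(false, false) << "\n"
            << "teardown, unguarded: " << RunScenario(false, true) << "\n"
            << "teardown, guarded:   " << RunScenario(true, true) << "\n";
  return 0;
}
```

The point the model makes is the one raised in the comments: the observer callback runs while layout is mid-destruction, so any event construction that walks back into the frame tree must first establish that the frame still exists. The guard drops the text change event in that state rather than computing a state value from a frame that no longer exists.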

Is this something we can land an automated test for?

I'll just add the test case as a crash test.

Flags: needinfo?(eitan)
Depends on: 1576709
Flags: needinfo?(jteh)