Closed
Bug 1610088
Opened 5 years ago
Closed 2 years ago
use-after-poison in [@ BuildTextRuns]
Categories
(Core :: Disability Access APIs, defect, P3)
Core
Disability Access APIs
Tracking
()
RESOLVED
FIXED
119 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | wontfix |
| firefox-esr91 | --- | wontfix |
| firefox-esr102 | --- | wontfix |
| firefox-esr115 | 119+ | fixed |
| firefox74 | --- | wontfix |
| firefox92 | --- | wontfix |
| firefox93 | --- | wontfix |
| firefox94 | --- | wontfix |
| firefox97 | --- | wontfix |
| firefox98 | --- | wontfix |
| firefox99 | --- | wontfix |
| firefox101 | --- | wontfix |
| firefox102 | --- | wontfix |
| firefox103 | --- | wontfix |
| firefox117 | --- | wontfix |
| firefox118 | --- | wontfix |
| firefox119 | + | fixed |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug, Regression)
Details
(5 keywords, Whiteboard: [fixed by maybe 1851787 or 1694573][adv-main119-][adv-ESR115.4-])
Attachments
(2 files)
Reduced with m-c 20200116-7e0886a94d70
Test case requires GNOME_ACCESSIBILITY=1 (testing auto bisect)
Marking as s-s since this does not seem to be due to frame poisoning.
==10712==ERROR: AddressSanitizer: use-after-poison on address 0x6250001f7524 at pc 0x7f4083fa844d bp 0x7fff706efd70 sp 0x7fff706efd68
READ of size 2 at 0x6250001f7524 thread T0 (file:// Content)
#0 0x7f4083fa844c in IsBlock src/layout/generic/nsLineBox.h:211:40
#1 0x7f4083fa844c in BuildTextRuns src/layout/generic/nsTextFrame.cpp:1538:15
#2 0x7f4083fa844c in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, mozilla::gfx::DrawTarget*, nsIFrame*, nsLineList_iterator const*, unsigned int*) src/layout/generic/nsTextFrame.cpp:2979:7
#3 0x7f4083fb4b1c in nsTextFrame::GetRenderedText(unsigned int, unsigned int, nsIFrame::TextOffsetType, nsIFrame::TrailingWhitespace) src/layout/generic/nsTextFrame.cpp:9767:20
#4 0x7f40868d2796 in nsTextEquivUtils::AppendTextEquivFromTextContent(nsIContent*, nsTSubstring<char16_t>*) src/accessible/base/nsTextEquivUtils.cpp:127:46
#5 0x7f40868d2231 in nsTextEquivUtils::AppendFromDOMNode(nsIContent*, nsTSubstring<char16_t>*) src/accessible/base/nsTextEquivUtils.cpp:271:17
#6 0x7f40868d30d2 in nsTextEquivUtils::AppendFromDOMChildren(nsIContent*, nsTSubstring<char16_t>*) src/accessible/base/nsTextEquivUtils.cpp:262:19
#7 0x7f40868d245c in nsTextEquivUtils::AppendFromDOMNode(nsIContent*, nsTSubstring<char16_t>*) src/accessible/base/nsTextEquivUtils.cpp:294:10
#8 0x7f40868d1c65 in nsTextEquivUtils::AppendTextEquivFromContent(mozilla::a11y::Accessible const*, nsIContent*, nsTSubstring<char16_t>*) src/accessible/base/nsTextEquivUtils.cpp:95:33
#9 0x7f40868d1a2e in nsTextEquivUtils::GetTextEquivFromIDRefs(mozilla::a11y::Accessible const*, nsAtom*, nsTSubstring<char16_t>&) src/accessible/base/nsTextEquivUtils.cpp:64:9
#10 0x7f40868e62cb in mozilla::a11y::Accessible::ARIAName(nsTString<char16_t>&) const src/accessible/generic/Accessible.cpp:1956:17
#11 0x7f40868e6001 in mozilla::a11y::Accessible::Name(nsTString<char16_t>&) const src/accessible/generic/Accessible.cpp:135:3
#12 0x7f4086930915 in mozilla::a11y::HTMLFormAccessible::NativeRole() const src/accessible/html/HTMLFormControlAccessible.cpp:40:42
#13 0x7f4086858702 in mozilla::a11y::Accessible::Role() const src/accessible/generic/Accessible-inl.h:25:30
#14 0x7f40869339ca in mozilla::a11y::HTMLTextFieldAccessible::ContainerWidget() const src/accessible/html/HTMLFormControlAccessible.cpp:399:28
#15 0x7f40868ef21a in mozilla::a11y::Accessible::State() src/accessible/generic/Accessible.cpp:1228:26
#16 0x7f408687db5f in mozilla::a11y::AccTextChangeEvent::AccTextChangeEvent(mozilla::a11y::Accessible*, int, nsTSubstring<char16_t> const&, bool, mozilla::a11y::EIsFromUserInput) src/accessible/base/AccEvent.cpp:92:20
#17 0x7f408688f7f5 in mozilla::a11y::NotificationController::QueueMutationEvent(mozilla::a11y::AccTreeMutationEvent*) src/accessible/base/NotificationController.cpp:257:38
#18 0x7f4086890356 in mozilla::a11y::TreeMutation::BeforeRemoval(mozilla::a11y::Accessible*, bool) src/accessible/base/EventTree.cpp:86:21
#19 0x7f408690af01 in mozilla::a11y::DocAccessible::ContentRemoved(mozilla::a11y::Accessible*) src/accessible/generic/DocAccessible.cpp:2062:6
#20 0x7f4086904f1a in mozilla::a11y::DocAccessible::ContentRemoved(nsIContent*) src/accessible/generic/DocAccessible.cpp:2091:5
#21 0x7f4086905027 in mozilla::a11y::DocAccessible::ContentRemoved(nsIContent*) src/accessible/generic/DocAccessible.cpp:2097:5
#22 0x7f407f4b2302 in mozilla::dom::MutationObservers::NotifyNativeAnonymousChildListChange(nsIContent*, bool) src/dom/base/MutationObservers.cpp:192:3
#23 0x7f407f40bba4 in mozilla::dom::Element::UnbindFromTree(bool) src/dom/base/Element.cpp:1691:7
#24 0x7f40819babd1 in nsGenericHTMLElement::UnbindFromTree(bool) src/dom/html/nsGenericHTMLElement.cpp:414:20
#25 0x7f4083de0d45 in nsIFrame::DestroyAnonymousContent(nsPresContext*, already_AddRefed<nsIContent>&&) src/layout/generic/nsFrame.cpp:262:14
#26 0x7f4083c97038 in nsIFrame::AutoPostDestroyData::~AutoPostDestroyData() src/layout/generic/nsIFrame.h:639:9
#27 0x7f4083d5e9dc in Destroy src/layout/generic/nsIFrame.h:657:3
#28 0x7f4083d5e9dc in nsBlockFrame::DoRemoveOutOfFlowFrame(nsIFrame*) src/layout/generic/nsBlockFrame.cpp:5850:13
#29 0x7f4083d5e036 in nsBlockFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) src/layout/generic/nsBlockFrame.cpp:5573:5
#30 0x7f4083f7afb0 in nsPlaceholderFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsPlaceholderFrame.cpp:180:11
#31 0x7f4083e3f8fc in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrameList.cpp:51:12
#32 0x7f4083d3019e in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:215:11
#33 0x7f4083f08687 in nsInlineFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsInlineFrame.cpp:177:21
#34 0x7f4083d61c3f in nsBlockFrame::DoRemoveFrameInternal(nsIFrame*, unsigned int, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsBlockFrame.cpp:6241:20
#35 0x7f4083d5e1b2 in DoRemoveFrame src/layout/generic/nsBlockFrame.h:528:5
#36 0x7f4083d5e1b2 in nsBlockFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) src/layout/generic/nsBlockFrame.cpp:5557:5
#37 0x7f4083bf4db2 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7602:5
#38 0x7f4083be8f8c in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:8615:7
#39 0x7f4083bf62b5 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp
#40 0x7f4083bf446d in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7481:9
#41 0x7f4083b5b971 in mozilla::PresShell::ContentRemoved(nsIContent*, nsIContent*) src/layout/base/PresShell.cpp:4321:22
#42 0x7f407f4b2e0a in mozilla::dom::MutationObservers::NotifyContentRemoved(nsINode*, nsIContent*, nsIContent*) src/dom/base/MutationObservers.cpp:215:3
#43 0x7f407f677133 in nsINode::RemoveChildNode(nsIContent*, bool) src/dom/base/nsINode.cpp:1870:5
#44 0x7f407f3b3fe9 in mozilla::dom::Document::AdoptNode(nsINode&, mozilla::ErrorResult&) src/dom/base/Document.cpp:9320:17
#45 0x7f4080acd19f in mozilla::dom::Document_Binding::adoptNode(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/DocumentBinding.cpp:1573:60
#46 0x7f4080f75eb8 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3151:13
#47 0x7f40873e600d in CallJSNative src/js/src/vm/Interpreter.cpp:452:13
#48 0x7f40873e600d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:544:12
#49 0x7f40873e7e4a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:608:10
#50 0x7f40873ce123 in CallFromStack src/js/src/vm/Interpreter.cpp:612:10
#51 0x7f40873ce123 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3046:16
#52 0x7f40873b0164 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:424:10
#53 0x7f40873e6105 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:580:13
#54 0x7f40873e7e4a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:608:10
#55 0x7f40873e8126 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:625:8
#56 0x7f408757fa32 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2787:10
#57 0x7f4080cdcfc3 in mozilla::dom::BlobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Blob*, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/HTMLCanvasElementBinding.cpp:89:8
#58 0x7f40811197c7 in Call src/obj-firefox/dist/include/mozilla/dom/HTMLCanvasElementBinding.h:180:12
#59 0x7f40811197c7 in mozilla::dom::CanvasRenderingContextHelper::ToBlob(JSContext*, nsIGlobalObject*, mozilla::dom::BlobCallback&, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, bool, mozilla::ErrorResult&)::EncodeCallback::ReceiveBlobImpl(already_AddRefed<mozilla::dom::BlobImpl>) src/dom/canvas/CanvasRenderingContextHelper.cpp:47:17
#60 0x7f407f456d09 in mozilla::dom::EncodingCompleteEvent::Run() src/dom/base/ImageEncoder.cpp:105:22
#61 0x7f407b476c88 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1220:14
#62 0x7f407b481a9c in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
#63 0x7f407c6bf44f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
#64 0x7f407c5b8ce7 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
#65 0x7f407c5b8ce7 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308:3
#66 0x7f407c5b8ce7 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#67 0x7f408365e458 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#68 0x7f4087180476 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:945:20
#69 0x7f407c5b8ce7 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
#70 0x7f407c5b8ce7 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308:3
#71 0x7f407c5b8ce7 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#72 0x7f408717fb1f in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:780:34
#73 0x563727cf93f1 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#74 0x563727cf93f1 in main src/browser/app/nsBrowserApp.cpp:303:18
Flags: in-testsuite?
|
Reporter | |
Comment 1•5 years ago
|
||
Also saw this during reduction. I assume it has the same root cause:
==3739==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500077811c at pc 0x7fd4ade027f5 bp 0x7ffe363751e0 sp 0x7ffe363751d8
READ of size 2 at 0x62500077811c thread T0 (file:// Content)
#0 0x7fd4ade027f4 in nsLineBox::GetChildCount() const /src/layout/generic/nsLineBox.h:321:12
#1 0x7fd4ae113ba8 in BuildTextRuns /src/layout/generic/nsTextFrame.cpp:1502:28
#2 0x7fd4ae113ba8 in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, mozilla::gfx::DrawTarget*, nsIFrame*, nsLineList_iterator const*, unsigned int*) /src/layout/generic/nsTextFrame.cpp:2979:7
#3 0x7fd4ae1212ec in nsTextFrame::GetRenderedText(unsigned int, unsigned int, nsIFrame::TextOffsetType, nsIFrame::TrailingWhitespace) /src/layout/generic/nsTextFrame.cpp:9767:20
#4 0x7fd4b0a3eaf6 in nsTextEquivUtils::AppendTextEquivFromTextContent(nsIContent*, nsTSubstring<char16_t>*) /src/accessible/base/nsTextEquivUtils.cpp:127:46
#5 0x7fd4b0a3e591 in nsTextEquivUtils::AppendFromDOMNode(nsIContent*, nsTSubstring<char16_t>*) /src/accessible/base/nsTextEquivUtils.cpp:271:17
#6 0x7fd4b0a3f432 in nsTextEquivUtils::AppendFromDOMChildren(nsIContent*, nsTSubstring<char16_t>*) /src/accessible/base/nsTextEquivUtils.cpp:262:19
#7 0x7fd4b0a3e7bc in nsTextEquivUtils::AppendFromDOMNode(nsIContent*, nsTSubstring<char16_t>*) /src/accessible/base/nsTextEquivUtils.cpp:294:10
#8 0x7fd4b0a3dfc5 in nsTextEquivUtils::AppendTextEquivFromContent(mozilla::a11y::Accessible const*, nsIContent*, nsTSubstring<char16_t>*) /src/accessible/base/nsTextEquivUtils.cpp:95:33
#9 0x7fd4b0a3dd8e in nsTextEquivUtils::GetTextEquivFromIDRefs(mozilla::a11y::Accessible const*, nsAtom*, nsTSubstring<char16_t>&) /src/accessible/base/nsTextEquivUtils.cpp:64:9
#10 0x7fd4b0a5262b in mozilla::a11y::Accessible::ARIAName(nsTString<char16_t>&) const /src/accessible/generic/Accessible.cpp:1956:17
#11 0x7fd4b0a52361 in mozilla::a11y::Accessible::Name(nsTString<char16_t>&) const /src/accessible/generic/Accessible.cpp:135:3
#12 0x7fd4b0a9cc75 in mozilla::a11y::HTMLFormAccessible::NativeRole() const /src/accessible/html/HTMLFormControlAccessible.cpp:40:42
#13 0x7fd4b09c4a62 in mozilla::a11y::Accessible::Role() const /src/accessible/generic/Accessible-inl.h:25:30
#14 0x7fd4b0a9fd2a in mozilla::a11y::HTMLTextFieldAccessible::ContainerWidget() const /src/accessible/html/HTMLFormControlAccessible.cpp:399:28
#15 0x7fd4b0a5b57a in mozilla::a11y::Accessible::State() /src/accessible/generic/Accessible.cpp:1228:26
#16 0x7fd4b09e9ebf in mozilla::a11y::AccTextChangeEvent::AccTextChangeEvent(mozilla::a11y::Accessible*, int, nsTSubstring<char16_t> const&, bool, mozilla::a11y::EIsFromUserInput) /src/accessible/base/AccEvent.cpp:92:20
#17 0x7fd4b09fbb55 in mozilla::a11y::NotificationController::QueueMutationEvent(mozilla::a11y::AccTreeMutationEvent*) /src/accessible/base/NotificationController.cpp:257:38
#18 0x7fd4b09fc6b6 in mozilla::a11y::TreeMutation::BeforeRemoval(mozilla::a11y::Accessible*, bool) /src/accessible/base/EventTree.cpp:86:21
#19 0x7fd4b0a77261 in mozilla::a11y::DocAccessible::ContentRemoved(mozilla::a11y::Accessible*) /src/accessible/generic/DocAccessible.cpp:2062:6
#20 0x7fd4b0a7127a in mozilla::a11y::DocAccessible::ContentRemoved(nsIContent*) /src/accessible/generic/DocAccessible.cpp:2091:5
#21 0x7fd4b0a71387 in mozilla::a11y::DocAccessible::ContentRemoved(nsIContent*) /src/accessible/generic/DocAccessible.cpp:2097:5
#22 0x7fd4a961da12 in mozilla::dom::MutationObservers::NotifyNativeAnonymousChildListChange(nsIContent*, bool) /src/dom/base/MutationObservers.cpp:192:3
#23 0x7fd4a95772b4 in mozilla::dom::Element::UnbindFromTree(bool) /src/dom/base/Element.cpp:1696:7
#24 0x7fd4abb26db1 in nsGenericHTMLElement::UnbindFromTree(bool) /src/dom/html/nsGenericHTMLElement.cpp:414:20
#25 0x7fd4adf4d515 in nsIFrame::DestroyAnonymousContent(nsPresContext*, already_AddRefed<nsIContent>&&) /src/layout/generic/nsFrame.cpp:262:14
#26 0x7fd4ade03808 in nsIFrame::AutoPostDestroyData::~AutoPostDestroyData() /src/layout/generic/nsIFrame.h:639:9
#27 0x7fd4adecb1ac in Destroy /src/layout/generic/nsIFrame.h:657:3
#28 0x7fd4adecb1ac in nsBlockFrame::DoRemoveOutOfFlowFrame(nsIFrame*) /src/layout/generic/nsBlockFrame.cpp:5850:13
#29 0x7fd4adeca806 in nsBlockFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) /src/layout/generic/nsBlockFrame.cpp:5573:5
#30 0x7fd4ae0e7780 in nsPlaceholderFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /src/layout/generic/nsPlaceholderFrame.cpp:180:11
#31 0x7fd4adfac0cc in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /src/layout/generic/nsFrameList.cpp:51:12
#32 0x7fd4ade9c96e in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /src/layout/generic/nsContainerFrame.cpp:215:11
#33 0x7fd4ae074e57 in nsInlineFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /src/layout/generic/nsInlineFrame.cpp:177:21
#34 0x7fd4adece40f in nsBlockFrame::DoRemoveFrameInternal(nsIFrame*, unsigned int, mozilla::layout::PostFrameDestroyData&) /src/layout/generic/nsBlockFrame.cpp:6241:20
#35 0x7fd4adeca982 in DoRemoveFrame /src/layout/generic/nsBlockFrame.h:528:5
#36 0x7fd4adeca982 in nsBlockFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) /src/layout/generic/nsBlockFrame.cpp:5557:5
#37 0x7fd4add61582 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /src/layout/base/nsCSSFrameConstructor.cpp:7602:5
#38 0x7fd4add5575c in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /src/layout/base/nsCSSFrameConstructor.cpp:8615:7
#39 0x7fd4add62a85 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) /src/layout/base/nsCSSFrameConstructor.cpp
#40 0x7fd4add60c3d in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /src/layout/base/nsCSSFrameConstructor.cpp:7481:9
#41 0x7fd4adcc8141 in mozilla::PresShell::ContentRemoved(nsIContent*, nsIContent*) /src/layout/base/PresShell.cpp:4321:22
#42 0x7fd4a961e51a in mozilla::dom::MutationObservers::NotifyContentRemoved(nsINode*, nsIContent*, nsIContent*) /src/dom/base/MutationObservers.cpp:215:3
#43 0x7fd4a97e31d3 in nsINode::RemoveChildNode(nsIContent*, bool) /src/dom/base/nsINode.cpp:1870:5
#44 0x7fd4a951f6d9 in mozilla::dom::Document::AdoptNode(nsINode&, mozilla::ErrorResult&) /src/dom/base/Document.cpp:9320:17
#45 0x7fd4aac3927f in mozilla::dom::Document_Binding::adoptNode(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/DocumentBinding.cpp:1573:60
#46 0x7fd4ab0e1fa8 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3151:13
#47 0x7fd4b155253d in CallJSNative /src/js/src/vm/Interpreter.cpp:452:13
#48 0x7fd4b155253d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /src/js/src/vm/Interpreter.cpp:544:12
#49 0x7fd4b155437a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /src/js/src/vm/Interpreter.cpp:608:10
#50 0x7fd4b153a653 in CallFromStack /src/js/src/vm/Interpreter.cpp:612:10
#51 0x7fd4b153a653 in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3046:16
#52 0x7fd4b151c694 in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:424:10
#53 0x7fd4b1552635 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /src/js/src/vm/Interpreter.cpp:580:13
#54 0x7fd4b155437a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /src/js/src/vm/Interpreter.cpp:608:10
#55 0x7fd4b1554656 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /src/js/src/vm/Interpreter.cpp:625:8
#56 0x7fd4b16ebf72 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:2787:10
#57 0x7fd4aae490a3 in mozilla::dom::BlobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Blob*, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/HTMLCanvasElementBinding.cpp:89:8
#58 0x7fd4ab2858b7 in Call /src/obj-firefox/dist/include/mozilla/dom/HTMLCanvasElementBinding.h:180:12
#59 0x7fd4ab2858b7 in mozilla::dom::CanvasRenderingContextHelper::ToBlob(JSContext*, nsIGlobalObject*, mozilla::dom::BlobCallback&, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, bool, mozilla::ErrorResult&)::EncodeCallback::ReceiveBlobImpl(already_AddRefed<mozilla::dom::BlobImpl>) /src/dom/canvas/CanvasRenderingContextHelper.cpp:47:17
#60 0x7fd4a95c2419 in mozilla::dom::EncodingCompleteEvent::Run() /src/dom/base/ImageEncoder.cpp:105:22
#61 0x7fd4a55e0f08 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1220:14
#62 0x7fd4a55ebd1c in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
#63 0x7fd4a6829604 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:109:5
#64 0x7fd4a6723267 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
#65 0x7fd4a6723267 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308:3
#66 0x7fd4a6723267 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290:3
#67 0x7fd4ad7cac28 in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:137:27
#68 0x7fd4b12ec9a6 in XRE_RunAppShell() /src/toolkit/xre/nsEmbedFunctions.cpp:945:20
#69 0x7fd4a6723267 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
#70 0x7fd4a6723267 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308:3
#71 0x7fd4a6723267 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290:3
#72 0x7fd4b12ec04f in XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:780:34
#73 0x557d62f123f1 in content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#74 0x557d62f123f1 in main /src/browser/app/nsBrowserApp.cpp:303:18
|
||
Comment 2•5 years ago
|
||
Ug. Another case where we try to access the frame tree mid-destruction.
|
||
Updated•5 years ago
|
Keywords: csectype-bounds,
sec-moderate
|
||
Comment 3•5 years ago
|
||
The priority flag is not set for this bug.
:Jamie, could you have a look please?
For more information, please visit auto_nag documentation.
Flags: needinfo?(jteh)
|
||
Comment 4•5 years ago
|
||
|
|
||
Comment 5•5 years ago
|
||
BugMon: Verified bug as reproducible on 7f41334e10443f4f1c7426e86fb0cb7adfdf4d62
|
|
||
Comment 6•5 years ago
|
||
Bugmon: Reduced build range to...
> Start: 1536cf66a302811c1e302118e0d356c6c7545fab (20200112214546)
> End: 7295ca89e880c1c930643e72ff0600cb71cebb9e (20200113093823)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1536cf66a302811c1e302118e0d356c6c7545fab&tochange=7295ca89e880c1c930643e72ff0600cb71cebb9e
|
|
||
Updated•5 years ago
|
Flags: needinfo?(jteh)
Priority: -- → P3
|
|
Reporter | |
Comment 7•4 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/HAVuttym4C086bk1qCfpNA/index.html
|
|
||
Comment 8•4 years ago
•
|
||
I can think of two ways we could fix this:
- Try to change HTMLFormAccessible::NativeRole so that it doesn't call Name. It still needs to know whether there's likely to be a name, though. Maybe we can just explicitly check for aria-labelledby, aria-label, title, etc.?
- Have some state flag somewhere which says it's not safe to use layout and check that flag in relevant places. We might even be able to use NotificationController's mObservingState attribute, since it's only guaranteed to be safe (I think?) if NotificationController triggered the call.
Option 1 is obviously simpler, but 2) is more widely applicable.
Eitan, thoughts?
Flags: needinfo?(eitan)
|
|
Reporter | |
Updated•4 years ago
|
status-firefox92:
--- → wontfix
status-firefox93:
--- → affected
status-firefox94:
--- → affected
status-firefox-esr78:
--- → affected
status-firefox-esr91:
--- → affected
|
|
||
Comment 9•3 years ago
|
||
Set release status flags based on info from the regressing bug 1597916
|
|
Reporter | |
Updated•3 years ago
|
status-firefox101:
--- → wontfix
status-firefox102:
--- → affected
status-firefox103:
--- → affected
status-firefox-esr102:
--- → affected
|
||
Updated•3 years ago
|
Severity: normal → S3
|
||
Comment 10•2 years ago
|
||
I would go with option 1 :)
The test case probably won't work with cache the world enabled.
Flags: needinfo?(eitan)
|
|
||
Comment 11•2 years ago
|
||
(In reply to Eitan Isaacson [:eeejay] from comment #10)
The test case probably won't work with cache the world enabled.
What makes you think that? Interestingly, I can't seem to reproduce a crash locally, but I don't see anything in the stack or the test case that should make any difference with the cache on vs off. It's all during content tree mutation. Am I missing something?
Flags: needinfo?(eitan)
Keywords: regression
|
|
||
Comment 12•2 years ago
|
||
This crashes for on-demand role calculation, not pre-cached roles. I guess if there was a HTMLFormAccessible in the parent content it would crash, but not via the test case.
update on second reading I see now that the role is used in event generation, so it will happen locally regardless of cache or process type, so never mind!
Also, this reminds me that there is probably a bug here where if a form gets or loses a name the role changes, but the parent process cache doesn't get updated. This isn't exclusively a bug in CtW because we always cached roles.
Flags: needinfo?(eitan)
|
|
||
Comment 13•2 years ago
|
||
(In reply to Eitan Isaacson [:eeejay] from comment #12)
Also, this reminds me that there is probably a bug here where if a form gets or loses a name the role changes, but the parent process cache doesn't get updated. This isn't exclusively a bug in CtW because we always cached roles.
Interestingly, this is new in Windows + CTW because in Windows without CTW, clients got the role via COM, which was more likely to be accurate. (Strictly speaking, the handler cache might have meant it was stale, but only if there had been no event of any kind on any object since the change.)
|
||
Comment 14•2 years ago
|
||
Bug 1851787 should've fixed this. Mind confirming?
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
Group: layout-core-security → core-security-release
|
|
||
Comment 15•2 years ago
|
||
I was never able to reproduce this crash locally, so I can't confirm the fix unfortunately. Hopefully bugmon can help?
|
|
||
Comment 16•2 years ago
|
||
(In reply to James Teh [:Jamie] from comment #15)
I was never able to reproduce this crash locally, so I can't confirm the fix unfortunately. Hopefully bugmon can help?
Flags: needinfo?(twsmith)
|
|
||
Comment 17•2 years ago
|
||
I can't reproduce this on tip. I'm bisecting now to verify the fixed revision.
Flags: needinfo?(twsmith) → needinfo?(jkratzer)
|
|
||
Comment 18•2 years ago
|
||
Reduced build range to:
Start: a8acb9b8880c2f1c2cf5891e5a20997a21d9d909 (20230719034317)
End: 49a85b3b07e07c1158f9cb0c1f58b67fc2d659f7 (20230719051228)
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a8acb9b8880c2f1c2cf5891e5a20997a21d9d909&tochange=49a85b3b07e07c1158f9cb0c1f58b67fc2d659f7
Looks like bug 1694573?
Flags: needinfo?(jkratzer)
|
|
||
Comment 19•2 years ago
|
||
James, Emilio: does bug 1694573 in 117 seem like a plausible bug to have fixed this? Jason's fix range is a couple of versions off from bug 1851787 being the fix.
status-firefox117:
--- → fixed
status-firefox119:
--- → fixed
status-firefox-esr115:
--- → affected
No longer duplicate of bug: 1851787
Flags: needinfo?(jteh)
Flags: needinfo?(emilio)
Resolution: DUPLICATE → FIXED
Whiteboard: [fixed by maybe 1851787 or 1694573]
|
|
||
Comment 20•2 years ago
|
||
Since nightly and release are affected, beta will likely be affected too.
For more information, please visit BugBot documentation.
status-firefox118:
--- → affected
|
|
||
Comment 21•2 years ago
|
||
I'm not familiar with the work in bug 1694573, but yeah, potentially.
Flags: needinfo?(emilio)
|
|
||
Comment 22•2 years ago
|
||
I think it's unlikely to have been fixed by bug 1694573 because that work impacts the code paths that occur after an event is fired. The stack in comment 0 suggests this happens while the event is being constructed, before it has even been queued. That said, I also can't see any other a11y or layout change in that push log that might explain the fix here. Hmm.
Flags: needinfo?(jteh)
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
|
|
Reporter | |
Updated•2 years ago
|
Whiteboard: [fixed by maybe 1851787 or 1694573] → [fixed by maybe 1851787 or 1694573][adv-main119-]
|
|
Reporter | |
Updated•2 years ago
|
Whiteboard: [fixed by maybe 1851787 or 1694573][adv-main119-] → [fixed by maybe 1851787 or 1694573][adv-main119-][adv-ESR115.4-]
|
|
||
Comment 23•1 year ago
|
||
Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•