Open
Bug 1648221
Opened 4 years ago
Updated 1 year ago
AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h in mozilla::EffectCompositor::GetAnimationElementAndPseudoForFrame(nsIFrame const*)
Categories
(Core :: DOM: Animation, defect)
Core
DOM: Animation
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox79 | --- | affected |
People
(Reporter: jkratzer, Assigned: boris)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file)
|
1.41 KB,
application/zip
|
Details |
Testcase found while fuzzing mozilla-central rev 992822684324. Testcase requires the GNOME_ACCESSIBILITY=1 env variable to be set.
==10225==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7fc328e30f36 bp 0x7ffec1ab74d0 sp 0x7ffec1ab7400 T0)
==10225==The signal is caused by a READ memory access.
==10225==Hint: address points to the zero page.
#0 0x7fc328e30f35 in mozilla::EffectCompositor::GetAnimationElementAndPseudoForFrame(nsIFrame const*) /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h
#1 0x7fc328e24f98 in mozilla::EffectSet::GetEffectSetForFrame(nsIFrame const*, nsCSSPropertyIDSet const&) /builds/worker/checkouts/gecko/dom/animation/EffectSet.cpp:100:7
#2 0x7fc32ddc4b2b in HasMatchingAnimations<(lambda at /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:240:7)> /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:227:26
#3 0x7fc32ddc4b2b in nsLayoutUtils::HasAnimationOfPropertySet(nsIFrame const*, nsCSSPropertyIDSet const&) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:238:10
#4 0x7fc32ddc56b0 in nsLayoutUtils::HasAnimationOfTransformAndMotionPath(nsIFrame const*) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:278:10
#5 0x7fc32df7c804 in HasAnimationOfTransform /builds/worker/checkouts/gecko/layout/generic/nsFrame.cpp:1848:10
#6 0x7fc32df7c804 in nsIFrame::IsCSSTransformed(nsStyleDisplay const*) const /builds/worker/checkouts/gecko/layout/generic/nsFrame.cpp:1843:49
#7 0x7fc32dfa7f72 in IsTransformed /builds/worker/checkouts/gecko/layout/generic/nsFrame.cpp:1837:10
#8 0x7fc32dfa7f72 in IsTransformed /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:1911:39
#9 0x7fc32dfa7f72 in operator() /builds/worker/checkouts/gecko/layout/generic/nsFrame.cpp:6920:23
#10 0x7fc32dfa7f72 in nsIFrame::GetTransformMatrix(mozilla::ViewportType, mozilla::RelativeTo, nsIFrame**, unsigned int) const /builds/worker/checkouts/gecko/layout/generic/nsFrame.cpp:6927:11
#11 0x7fc32ddd614f in nsLayoutUtils::GetTransformToAncestor(mozilla::RelativeTo, mozilla::RelativeTo, unsigned int, nsIFrame**) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:2680:25
#12 0x7fc32dddd6d7 in TransformGfxRectToAncestor(mozilla::RelativeTo, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::RelativeTo, bool*, mozilla::Maybe<mozilla::gfx::Matrix4x4TypedFlagged<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> >*, bool, nsIFrame**) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3052:11
#13 0x7fc32dddcf07 in nsLayoutUtils::TransformFrameRectToAncestor(nsIFrame const*, nsRect const&, mozilla::RelativeTo, bool*, mozilla::Maybe<mozilla::gfx::Matrix4x4TypedFlagged<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> >*, bool, nsIFrame**) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3138:14
#14 0x7fc330ab4218 in TransformFrameRectToAncestor /builds/worker/workspace/obj-build/dist/include/nsLayoutUtils.h:947:12
#15 0x7fc330ab4218 in mozilla::a11y::Accessible::VisibilityState() const /builds/worker/checkouts/gecko/accessible/generic/Accessible.cpp:353:26
#16 0x7fc330ab494f in mozilla::a11y::Accessible::NativeState() const /builds/worker/checkouts/gecko/accessible/generic/Accessible.cpp:412:12
#17 0x7fc330ade68e in mozilla::a11y::HyperTextAccessible::NativeState() const /builds/worker/checkouts/gecko/accessible/generic/HyperTextAccessible.cpp:73:37
#18 0x7fc330b0898e in mozilla::a11y::HTMLTableCellAccessible::NativeState() const /builds/worker/checkouts/gecko/accessible/html/HTMLTableAccessible.cpp:60:45
#19 0x7fc330abb33f in mozilla::a11y::Accessible::State() /builds/worker/checkouts/gecko/accessible/generic/Accessible.cpp:1143:20
#20 0x7fc330a49c9c in mozilla::a11y::AccTextChangeEvent::AccTextChangeEvent(mozilla::a11y::Accessible*, int, nsTSubstring<char16_t> const&, bool, mozilla::a11y::EIsFromUserInput) /builds/worker/checkouts/gecko/accessible/base/AccEvent.cpp:96:20
#21 0x7fc330a5c9c4 in mozilla::a11y::NotificationController::QueueMutationEvent(mozilla::a11y::AccTreeMutationEvent*) /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:257:38
#22 0x7fc330a5d519 in mozilla::a11y::TreeMutation::BeforeRemoval(mozilla::a11y::Accessible*, bool) /builds/worker/checkouts/gecko/accessible/base/EventTree.cpp:86:21
#23 0x7fc330ad7cf1 in mozilla::a11y::DocAccessible::ContentRemoved(mozilla::a11y::Accessible*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2114:6
#24 0x7fc330ad1b6a in mozilla::a11y::DocAccessible::ContentRemoved(nsIContent*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2143:5
#25 0x7fc330ad81e1 in mozilla::a11y::DocAccessible::RecreateAccessible(nsIContent*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:1526:3
#26 0x7fc32e07e902 in nsImageFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsImageFrame.cpp:269:3
#27 0x7fc32e0a341d in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsLineBox.cpp:387:14
#28 0x7fc32deb3b51 in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:437:3
#29 0x7fc32dfc56ac in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:51:12
#30 0x7fc32deb41be in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:215:11
#31 0x7fc32dfc56ac in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:51:12
#32 0x7fc32deb41be in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:215:11
#33 0x7fc32dfc56ac in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:51:12
#34 0x7fc32deb41be in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:215:11
#35 0x7fc32dfc56ac in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:51:12
#36 0x7fc32deb41be in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:215:11
#37 0x7fc32dfc56ac in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:51:12
#38 0x7fc32deb41be in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:215:11
#39 0x7fc32e0a341d in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsLineBox.cpp:387:14
#40 0x7fc32deb3b51 in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:437:3
#41 0x7fc32e0a341d in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsLineBox.cpp:387:14
#42 0x7fc32deb3b51 in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:437:3
#43 0x7fc32dfc56ac in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:51:12
#44 0x7fc32deb41be in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:215:11
#45 0x7fc32defe1e5 in nsCanvasFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:231:21
#46 0x7fc32dfc56ac in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:51:12
#47 0x7fc32deb41be in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:215:11
#48 0x7fc32df0f99e in Destroy /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:747:5
#49 0x7fc32df0f99e in nsContainerFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:169:19
#50 0x7fc32dd79a51 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7549:5
#51 0x7fc32dd6e69a in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8531:7
#52 0x7fc32dd0c5d7 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1482:25
#53 0x7fc32dd16bcc in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3035:9
#54 0x7fc32dcd7701 in ProcessPendingRestyles /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3114:3
#55 0x7fc32dcd7701 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4208:39
#56 0x7fc32917cbfd in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1443:5
#57 0x7fc32917cbfd in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10018:16
#58 0x7fc327bac5ae in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:702:14
#59 0x7fc327baf27d in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:640:5
#60 0x7fc327bb031c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp
#61 0x7fc325457f27 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:615:22
#62 0x7fc32545b137 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:522:10
#63 0x7fc329182c0f in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:10716:18
#64 0x7fc329139656 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10648:9
#65 0x7fc32db974de in UnblockOnload /builds/worker/checkouts/gecko/layout/style/Loader.cpp:2244:16
#66 0x7fc32db974de in mozilla::css::SheetLoadData::FireLoadEvent(nsIThreadInternal*) /builds/worker/checkouts/gecko/layout/style/Loader.cpp:450:12
#67 0x7fc32db976ac in AfterProcessNextEvent /builds/worker/checkouts/gecko/layout/style/Loader.cpp:422:3
#68 0x7fc32db976ac in non-virtual thunk to mozilla::css::SheetLoadData::AfterProcessNextEvent(nsIThreadInternal*, bool) /builds/worker/checkouts/gecko/layout/style/Loader.cpp
#69 0x7fc3251a77cd in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1256:3
#70 0x7fc3251b218c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:501:10
#71 0x7fc3265423af in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#72 0x7fc32641e4b7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
#73 0x7fc32641e4b7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
#74 0x7fc32641e4b7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
#75 0x7fc32d7bc9b8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#76 0x7fc3313833a6 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
#77 0x7fc32641e4b7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
#78 0x7fc32641e4b7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
#79 0x7fc32641e4b7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
#80 0x7fc33138298f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
#81 0x55a086f95b43 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#82 0x55a086f95b43 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
#83 0x7fc3490a2b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h in mozilla::EffectCompositor::GetAnimationElementAndPseudoForFrame(nsIFrame const*)
Flags: in-testsuite?
|
||
Comment 1•4 years ago
|
||
I wonder if this is us failing to null-check frameToQuery here: https://searchfox.org/mozilla-central/rev/a87a1c3b543475276e6d57a7a80cb02f3e42b6ed/dom/animation/EffectSet.cpp#89
I don't have a Linux environment available (which I assume is needed for GNOME_ACCESSIBILITY=1 to have any affect). Boris, are you interested in trying to reproduce?
Flags: needinfo?(boris.chiou)
|
Reporter | |
Updated•4 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 2•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200625161839-324d5257f6f7.
The bug appears to have been introduced in the following build range:
> Start: b8525b0c48d99e447f47db559269e2e0ba2092ea (20200513231529)
> End: 52d384f924a177ffb6c377abc56bc7c47ec5b002 (20200513235417)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=b8525b0c48d99e447f47db559269e2e0ba2092ea&tochange=52d384f924a177ffb6c377abc56bc7c47ec5b002
|
Assignee | |
Comment 3•4 years ago
|
||
I cannot access my linux desktop (which is in the office) for now. I assign this to myself so I can try to reproduce this once I got the chance.
Assignee: nobody → boris.chiou
Flags: needinfo?(boris.chiou)
|
||
Comment 4•3 years ago
|
||
:boris, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Flags: needinfo?(boris.chiou)
|
|
Assignee | |
Comment 5•3 years ago
|
||
This is pretty hard to mark the "regressed by". The only transform related bug is Bug 1332588. Mark it for now.
Flags: needinfo?(boris.chiou)
Regressed by: 1332588
|
||
Updated•3 years ago
|
Has Regression Range: --- → yes
|
||
Updated•3 years ago
|
Keywords: regression
|
||
Updated•2 years ago
|
Blocks: asan-maintenance
|
||
Comment 6•2 years ago
|
||
Bugmon Analysis
Unable to reproduce bug 1648221 using build mozilla-central 20210327094311-2c4ad7073241. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
|
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•