Closed
Bug 1782042
Opened 2 years ago
Closed 2 years ago
Assertion failure: !GetPrevContinuation() || (aOffsetType == TextOffsetType::OffsetsInContentText && aStartOffset >= (uint32_t)GetContentOffset() && aEndOffset <= (uint32_t)GetContentEnd()) (Must be called on first-in-flow, or content offsets must be give
Categories
(Core :: Disability Access APIs, defect)
Tracking
()
RESOLVED
FIXED
107 Branch
| Tracking | Status | |
|---|---|---|
| firefox107 | --- | fixed |
People
(Reporter: jkratzer, Assigned: masayuki)
References
(Blocks 1 open bug)
Details
(Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(3 files)
Testcase found while fuzzing mozilla-central rev 7a144cb09b52 (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 7a144cb09b52 --debug --fuzzing -n firefox
$ GNOME_ACCESSIBILITY=1 python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: !GetPrevContinuation() || (aOffsetType == TextOffsetType::OffsetsInContentText && aStartOffset >= (uint32_t)GetContentOffset() && aEndOffset <= (uint32_t)GetContentEnd()) (Must be called on first-in-flow, or content offsets must be give
==2903143==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe2b950693f bp 0x7fff34078630 sp 0x7fff34078340 T2903143)
==2903143==The signal is caused by a WRITE memory access.
==2903143==Hint: address points to the zero page.
#0 0x7fe2b950693f in nsTextFrame::GetRenderedText(unsigned int, unsigned int, nsIFrame::TextOffsetType, nsIFrame::TrailingWhitespace) /layout/generic/nsTextFrame.cpp:10182:3
#1 0x7fe2b9336b56 in nsLayoutUtils::GetMarkerSpokenText(nsIContent const*, nsTSubstring<char16_t>&) /layout/base/nsLayoutUtils.cpp:926:44
#2 0x7fe2baa5c62c in mozilla::a11y::HTMLListBulletAccessible::Name(nsTString<char16_t>&) const /accessible/html/HTMLListAccessible.cpp:92:3
#3 0x7fe2baa5c95f in AppendTextTo /accessible/html/HTMLListAccessible.cpp:113:3
#4 0x7fe2baa5c95f in non-virtual thunk to mozilla::a11y::HTMLListBulletAccessible::AppendTextTo(nsTSubstring<char16_t>&, unsigned int, unsigned int) /accessible/html/HTMLListAccessible.cpp
#5 0x7fe2ba9f6adf in mozilla::a11y::nsAccUtils::TextLength(mozilla::a11y::Accessible*) /accessible/base/nsAccUtils.cpp:387:16
#6 0x7fe2baa1e240 in mozilla::a11y::HyperTextAccessibleBase::BuildCachedHyperTextOffsets(nsTArray<int>&) const /accessible/basetypes/HyperTextAccessibleBase.cpp:25:44
#7 0x7fe2ba9ca2ad in GetCachedHyperTextOffsets /accessible/generic/HyperTextAccessible.h:429:7
#8 0x7fe2ba9ca2ad in non-virtual thunk to mozilla::a11y::HyperTextAccessible::GetCachedHyperTextOffsets() const /accessible/generic/HyperTextAccessible.h
#9 0x7fe2baa1e391 in mozilla::a11y::HyperTextAccessibleBase::GetChildOffset(unsigned int) const /accessible/basetypes/HyperTextAccessibleBase.cpp:70:25
#10 0x7fe2baa37bf5 in mozilla::a11y::HyperTextAccessible::DOMPointToOffset(nsINode*, int, bool) const /accessible/generic/HyperTextAccessible.cpp:354:10
#11 0x7fe2ba9f76e8 in mozilla::a11y::SelectionManager::ProcessTextSelChangeEvent(mozilla::a11y::AccEvent*) /accessible/base/SelectionManager.cpp:159:29
#12 0x7fe2ba9e1e24 in mozilla::a11y::EventQueue::ProcessEventQueue() /accessible/base/EventQueue.cpp:378:23
#13 0x7fe2ba9ec813 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /accessible/base/NotificationController.cpp:931:3
#14 0x7fe2b926ca72 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /layout/base/nsRefreshDriver.cpp:2496:12
#15 0x7fe2b9275e90 in TickDriver /layout/base/nsRefreshDriver.cpp:375:13
#16 0x7fe2b9275e90 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /layout/base/nsRefreshDriver.cpp:353:7
#17 0x7fe2b9275d93 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:369:5
#18 0x7fe2b9275a60 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:896:5
#19 0x7fe2b92750ca in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:810:5
#20 0x7fe2b9274ab5 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:731:5
#21 0x7fe2b92746ea in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /layout/base/nsRefreshDriver.cpp:594:14
#22 0x7fe2b92742fc in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:551:9
#23 0x7fe2b876485b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /dom/ipc/VsyncMainChild.cpp:68:15
#24 0x7fe2b89e68a6 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#25 0x7fe2b4dd48b4 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6326:32
#26 0x7fe2b4d674a1 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1749:25
#27 0x7fe2b4d63ff5 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /ipc/glue/MessageChannel.cpp:1674:9
#28 0x7fe2b4d64b96 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1474:3
#29 0x7fe2b4d65f21 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1572:14
#30 0x7fe2b41a909e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:538:16
#31 0x7fe2b41817c9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:851:26
#32 0x7fe2b4180353 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:683:15
#33 0x7fe2b41805c3 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:461:36
#34 0x7fe2b41ac8f6 in operator() /xpcom/threads/TaskController.cpp:187:37
#35 0x7fe2b41ac8f6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#36 0x7fe2b419620f in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1205:16
#37 0x7fe2b419c81d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
#38 0x7fe2b4d6cf26 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#39 0x7fe2b4c921e7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
#40 0x7fe2b4c920f2 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
#41 0x7fe2b4c920f2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
#42 0x7fe2b8f44888 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
#43 0x7fe2bb06fe9b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:887:20
#44 0x7fe2b4d6de1a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
#45 0x7fe2b4c921e7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
#46 0x7fe2b4c920f2 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
#47 0x7fe2b4c920f2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
#48 0x7fe2bb06f4bc in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:746:34
#49 0x5650bc8e1120 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#50 0x5650bc8e1120 in main /browser/app/nsBrowserApp.cpp:346:18
#51 0x7fe2cb9d8082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#52 0x5650bc8b6ecc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x15ecc) (BuildId: a37b8cc815552de63d66f1eb3124d51cd433e0b8)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/generic/nsTextFrame.cpp:10182:3 in nsTextFrame::GetRenderedText(unsigned int, unsigned int, nsIFrame::TextOffsetType, nsIFrame::TrailingWhitespace)
==2903143==ABORTING
|
Reporter | |
Comment 1•2 years ago
|
||
|
||
Comment 2•2 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220728093233-7a144cb09b52.
Unable to bisect testcase (Testcase reproduces on start build!):
Start: 0d03c626963ad6c886bf2e7d00d9431419f1de12 (20210729033943)
End: 7a144cb09b522ccaabaa83542205154b502eecec (20220728093233)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
||
Comment 3•2 years ago
|
||
The severity field is not set for this bug.
:Jamie, could you have a look please?
For more information, please visit auto_nag documentation.
Flags: needinfo?(jteh)
|
||
Updated•2 years ago
|
Severity: -- → S4
|
|
||
Comment 4•2 years ago
|
||
Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220728093233-7a144cb09b52) but not with tip (mozilla-central 20220923212151-12300304d394.)
The bug appears to have been fixed in the following build range:
Start: 1b8f84b953c5ea7b512f4f0fe7228eeb5523ac30 (20220922060235)
End: c9041757a18ac481d701af85012d9c7c9720db7a (20220922080430)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=1b8f84b953c5ea7b512f4f0fe7228eeb5523ac30&tochange=c9041757a18ac481d701af85012d9c7c9720db7a
jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Flags: needinfo?(jteh) → needinfo?(jkratzer)
Keywords: bugmon
|
|
Reporter | |
Comment 5•2 years ago
|
||
:masayuki, can you confirm if this issue was fixed via bug 1789967?
Flags: needinfo?(jkratzer) → needinfo?(masayuki)
|
Assignee | |
Comment 6•2 years ago
|
||
Same as the testcase of bug 1690323, this should still be reproducible.
Flags: needinfo?(masayuki)
|
|
Assignee | |
Comment 7•2 years ago
|
||
Taking to add the reported crash test to the tree.
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 8•2 years ago
|
||
Depends on D158549
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/b240ded22d26 Add reported test case to WPT r=hiro
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/36302 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
|
||
Comment 11•2 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox107:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 107 Branch
Upstream PR merged by moz-wptsync-bot
You need to log in
before you can comment on or make changes to this bug.
Description
•