Closed Bug 1788547 Opened 2 years ago Closed 2 years ago

Assertion failure: mRawPtr != nullptr (You can't dereference a NULL RefPtr with operator->().), at /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:315

Categories

(Core :: Disability Access APIs, defect)

Tracking

VERIFIED FIXED
106 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox104 --- unaffected
firefox105 --- unaffected
firefox106 --- verified

People

(Reporter: tsmith, Assigned: morgan)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20220831-11e997d3cf78 (--enable-debug --enable-fuzzing) with GNOME_ACCESSIBILITY=1

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ GNOME_ACCESSIBILITY=1 python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: mRawPtr != nullptr (You can't dereference a NULL RefPtr with operator->().), at /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:315

#0 0x7ff19585836b in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:314:5
#1 0x7ff19585836b in Document /builds/worker/checkouts/gecko/accessible/base/AccEvent.h:88:44
#2 0x7ff19585836b in mozilla::a11y::EventQueue::PushEvent(mozilla::a11y::AccEvent*) /builds/worker/checkouts/gecko/accessible/base/EventQueue.cpp:32:3
#3 0x7ff19585e43d in QueueEvent /builds/worker/checkouts/gecko/accessible/base/NotificationController.h:112:9
#4 0x7ff19585e43d in mozilla::a11y::DocAccessible::FireDelayedEvent(mozilla::a11y::AccEvent*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible-inl.h:60:28
#5 0x7ff195857b93 in mozilla::a11y::DocAccessible::FireDelayedEvent(unsigned int, mozilla::a11y::LocalAccessible*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible-inl.h:66:3
#6 0x7ff19588122c in nsAccessibilityService::TableLayoutGuessMaybeChanged(mozilla::PresShell*, nsIContent*) /builds/worker/checkouts/gecko/accessible/base/nsAccessibilityService.cpp:572:17
#7 0x7ff1943e7bbe in nsTableRowFrame::DidSetComputedStyle(mozilla::ComputedStyle*) /builds/worker/checkouts/gecko/layout/tables/nsTableRowFrame.cpp:195:19
#8 0x7ff19412821f in SetComputedStyle /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:806:7
#9 0x7ff19412821f in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:2855:10
#10 0x7ff1941287db in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:2901:32
#11 0x7ff1941287db in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:2901:32
#12 0x7ff19412a380 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3114:28
#13 0x7ff194103150 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3228:3
#14 0x7ff1941028a5 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4372:39
#15 0x7ff1924bbe00 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1454:5
#16 0x7ff1924bbe00 in mozilla::EventStateManager::FlushLayout(nsPresContext*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:5946:16
#17 0x7ff1924b86f5 in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:779:7
#18 0x7ff1941169a8 in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8230:39
#19 0x7ff19411138c in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8199:17
#20 0x7ff194110b49 in mozilla::PresShell::EventHandler::HandleEventUsingCoordinates(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:7148:30
#21 0x7ff19410f825 in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6951:12
#22 0x7ff19410edac in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6894:23
#23 0x7ff193d26882 in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:685:18
#24 0x7ff193d26629 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /builds/worker/checkouts/gecko/view/nsView.cpp:1130:9
#25 0x7ff193d5d1f5 in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:352:37
#26 0x7ff1901b5d0d in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) /builds/worker/checkouts/gecko/gfx/layers/apz/util/APZCCallbackHelper.cpp:512:21
#27 0x7ff1935c0e92 in DispatchWidgetEventViaAPZ /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1813:10
#28 0x7ff1935c0e92 in mozilla::dom::BrowserChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1776:3
#29 0x7ff1935c23ff in mozilla::dom::BrowserChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1743:3
#30 0x7ff1935c2569 in mozilla::dom::BrowserChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1708:8
#31 0x7ff1936cc7a5 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:5613:80
#32 0x7ff193744ed3 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8674:32
#33 0x7ff18fab5271 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1755:25
#34 0x7ff18fab1dc5 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1680:9
#35 0x7ff18fab2966 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1480:3
#36 0x7ff18fab3cf1 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1578:14
#37 0x7ff18eeec95e in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
#38 0x7ff18eec5009 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
#39 0x7ff18eec3b93 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
#40 0x7ff18eec3e03 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
#41 0x7ff18eef0229 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:190:37
#42 0x7ff18eef0229 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#43 0x7ff18eed9acf in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1205:16
#44 0x7ff18eee00dd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#45 0x7ff18fabaca4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#46 0x7ff18f9e03d7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#47 0x7ff18f9e02e2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#48 0x7ff18f9e02e2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#49 0x7ff193d8f328 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#50 0x7ff195ef3b1b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:880:20
#51 0x7ff18fabbbea in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#52 0x7ff18f9e03d7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#53 0x7ff18f9e02e2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#54 0x7ff18f9e02e2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#55 0x7ff195ef3033 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:739:34
#56 0x56081d681429 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#57 0x56081d681429 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:362:18
#58 0x7ff1a585e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#59 0x56081d6571cc in _start (/home/worker/builds/m-c-20220831093258-fuzzing-debug/firefox-bin+0x161cc) (BuildId: 2dc67b1eef3732a23fd8cc93ded9ebcf7f58c389)
Flags: in-testsuite?
Summary: mozilla::a11y::EventQueue::PushEvent → Assertion failure: mRawPtr != nullptr (You can't dereference a NULL RefPtr with operator->().), at /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:315

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220907093209-663615ef7a19.
The bug appears to have been introduced in the following build range:

Start: afe6acd96ead1e85e72159fa003bc05beaacf8e4 (20220830230640)
End: 11e997d3cf78eb6a4f31a1e13a2509f4181f4b0a (20220831045044)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=afe6acd96ead1e85e72159fa003bc05beaacf8e4&tochange=11e997d3cf78eb6a4f31a1e13a2509f4181f4b0a

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

:morgan I see you have a couple changes in the regression range.

Flags: needinfo?(mreschenberg)

:Jamie do you think this is the null table acc bug also? That's my guess.

Flags: needinfo?(mreschenberg) → needinfo?(jteh)
Flags: needinfo?(mreschenberg)

I would say so, yes.

:tsmith, that fix landed a few days ago. Should bugmon have picked it up yet?

Depends on: 1788597
Flags: needinfo?(jteh) → needinfo?(twsmith)

Bugmon uses the latest available build, in this case it was: mozilla-central 20220907093209-663615ef7a19.

Bugmon confirmed that this bug is reproducible and provided a regression range.

Flags: needinfo?(twsmith)

Huh... I guess I'll add some asserts to where we queue that event.

Flags: needinfo?(mreschenberg)
Assignee: nobody → mreschenberg
Status: NEW → ASSIGNED
Attachment #9294006 - Attachment description: Bug 1788547: Null check table acc exists before firing styling changed event, add assert for debugging r?Jamie → Bug 1788547: Null check table acc before firing styling changed event, add assert for debugging r?Jamie

A Pernosco session is available here: https://pernos.co/debug/KDC-hggi9Wn0U735kRPA5w/index.html

Severity: -- → S3
Severity: S3 → S4

Based on comment #1, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:morgan, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit auto_nag documentation.

Flags: needinfo?(mreschenberg)
Regressed by: 1726124

Set release status flags based on info from the regressing bug 1726124

Attachment #9294006 - Attachment description: Bug 1788547: Null check table acc before firing styling changed event, add assert for debugging r?Jamie → Bug 1788547: Null check table acc exists before firing styling changed event, add assert for debugging r?Jamie
Pushed by mreschenberg@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5be9c9ab2683
Null check table acc exists before firing styling changed event, add assert for debugging r=Jamie
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220914154803-e2ce8d3d4a4b.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon