1800780 - crash near null in [@ mozilla::a11y::TableAccessible::IsProbablyLayoutTable]

Status: RESOLVED FIXED

(Core :: Disability Access APIs, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20221115-1adc82d1eb96 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

==30307==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7fc958b2dbbf bp 0x7ffd4e5a2bb0 sp 0x7ffd4e5a2b90 T0)
==30307==The signal is caused by a READ memory access.
==30307==Hint: address points to the zero page.
    #0 0x7fc958b2dbbf in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
    #1 0x7fc958b2dbbf in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:316:12
    #2 0x7fc958b2dbbf in IsInNamespace /builds/worker/workspace/obj-build/dist/include/nsINode.h:774:12
    #3 0x7fc958b2dbbf in IsHTMLElement /builds/worker/workspace/obj-build/dist/include/nsIContent.h:177:12
    #4 0x7fc958b2dbbf in bool nsIContent::IsAnyOfHTMLElements<nsStaticAtom*, nsStaticAtom*>(nsStaticAtom*, nsStaticAtom*) const /builds/worker/workspace/obj-build/dist/include/nsIContent.h:186:12
    #5 0x7fc9631375ad in IsAbbreviation /builds/worker/workspace/obj-build/dist/include/mozilla/a11y/LocalAccessible.h:452:22
    #6 0x7fc9631375ad in mozilla::a11y::TableAccessible::IsProbablyLayoutTable() /gecko/accessible/generic/TableAccessible.cpp:139:46
    #7 0x7fc9631023de in mozilla::a11y::LocalAccessible::BundleFieldsForCache(unsigned long, mozilla::a11y::CacheUpdateType) /gecko/accessible/generic/LocalAccessible.cpp:3568:18
    #8 0x7fc9630fdc4d in mozilla::a11y::DocAccessible::ProcessQueuedCacheUpdates() /gecko/accessible/generic/DocAccessible.cpp:1463:16
    #9 0x7fc963073cae in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /gecko/accessible/base/NotificationController.cpp:890:16
    #10 0x7fc95f3ff815 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /gecko/layout/base/nsRefreshDriver.cpp:2525:12
    #11 0x7fc95f40dd76 in TickDriver /gecko/layout/base/nsRefreshDriver.cpp:375:13
    #12 0x7fc95f40dd76 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /gecko/layout/base/nsRefreshDriver.cpp:353:7
    #13 0x7fc95f40dade in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:369:5
    #14 0x7fc95f40d865 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:913:5
    #15 0x7fc95f40caff in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:827:5
    #16 0x7fc95f40bd41 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /gecko/layout/base/nsRefreshDriver.cpp:748:5
    #17 0x7fc95f40b55b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /gecko/layout/base/nsRefreshDriver.cpp:594:14
    #18 0x7fc95f40b0f8 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /gecko/layout/base/nsRefreshDriver.cpp:551:9
    #19 0x7fc95e0651bc in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /gecko/dom/ipc/VsyncMainChild.cpp:68:15
    #20 0x7fc95e4afc8f in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
    #21 0x7fc957de14d6 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6306:32
    #22 0x7fc957d4a0c9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:1756:25
    #23 0x7fc957d471bf in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /gecko/ipc/glue/MessageChannel.cpp:1681:9
    #24 0x7fc957d47dee in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1481:3
    #25 0x7fc957d4901e in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1579:14
    #26 0x7fc9565ca919 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:538:16
    #27 0x7fc9565c19d7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:851:26
    #28 0x7fc9565bec58 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:683:15
    #29 0x7fc9565bf380 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:461:36
    #30 0x7fc9565d0a21 in operator() /gecko/xpcom/threads/TaskController.cpp:187:37
    #31 0x7fc9565d0a21 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
    #32 0x7fc9565f3c50 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1204:16
    #33 0x7fc9565fe3e4 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #34 0x7fc957d518be in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
    #35 0x7fc957bd5ea7 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #36 0x7fc957bd5ea7 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #37 0x7fc957bd5ea7 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #38 0x7fc95ee26119 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:150:27
    #39 0x7fc963d7ccc8 in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:884:20
    #40 0x7fc957bd5ea7 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #41 0x7fc957bd5ea7 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #42 0x7fc957bd5ea7 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #43 0x7fc963d7bc95 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
    #44 0x55c1b87042d4 in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #45 0x55c1b8704797 in main /gecko/browser/app/nsBrowserApp.cpp:359:18
    #46 0x7fc97882b082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #47 0x55c1b8642d58 in _start (/home/worker/builds/m-c-20221115164451-fuzzing-asan-opt/firefox+0x111d58) (BuildId: b52a592a4bc8d4b251f72487dbb848881c3a8560)

Comment 1

[Tyson Smith [:tsmith]]

Attachment: prefs.js

A prefs.js file for bugmon

Comment 2

[James Teh [:Jamie]]

Attachment: Bug 1800780: Null check mContent in LocalAccessible::IsAbbreviation.

When we push a cache update for tables, we call IsProbablyLayoutTable.
That in turn checks whether the first grandchild LocalAccessible of each row is an abbreviation.
If there is a malformed table containing an iframe as a child of a row, this grandchild will be an embedded DocAccessible.
Since a DocAccessible has a null mContent prior to DoInitialUpdate, calling IsAbbreviation on this would previously crash because it didn't null check mContent.
The fix is simply to null check mContent.

Comment 3

[Pulsebot]

Pushed by jteh@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f7413f4018ed
Null check mContent in LocalAccessible::IsAbbreviation. r=nlapre

Comment 4

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20221118154632-3b5a8f67189b.
The bug appears to have been introduced in the following build range:

Start: 2d625e5d6ff86fda6d83464bb315478f94afc577 (20221114233128)
End: 1adc82d1eb960a8a6aac68b9abceaac3fd491abb (20221115021943)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2d625e5d6ff86fda6d83464bb315478f94afc577&tochange=1adc82d1eb960a8a6aac68b9abceaac3fd491abb

Comment 5

[Cristian Tuns]

https://hg.mozilla.org/mozilla-central/rev/f7413f4018ed

Comment 6

[Bugmon [:jkratzer for issues]]

Testcase crashes using the initial build (mozilla-central 20221115051541-1adc82d1eb96) but not with tip (mozilla-central 20221119085828-f7eac47f5daa.)

The bug appears to have been fixed in the following build range:

Start: 01175db411656d9df143a23d3a7001ae0244f2cb (20221118212701)
End: 66771e1d95c104ad6b8cddbe8edcf6b2a055a93c (20221118233908)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=01175db411656d9df143a23d3a7001ae0244f2cb&tochange=66771e1d95c104ad6b8cddbe8edcf6b2a055a93c

Jamie, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 7

[James Teh [:Jamie]]

Yes, the patch here fixed this.