Assertion failure: mRawPtr != nullptr (You can't dereference a NULL RefPtr with operator->().), at /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:315
Categories
(Core :: Disability Access APIs, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox108 | --- | unaffected |
| firefox109 | --- | disabled |
| firefox110 | --- | verified |
People
(Reporter: tsmith, Assigned: Jamie)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [ctw-m4][bugmon:bisected,confirmed])
Crash Data
Attachments
(4 files)
Found while fuzzing m-c 20221213-300b0ac8eb7b (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: mRawPtr != nullptr (You can't dereference a NULL RefPtr with operator->().), at /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:315
#0 0x7f8875c2ce45 in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:314:5
#1 0x7f8875c2ce45 in mozilla::a11y::StyleInfo::Display() /builds/worker/checkouts/gecko/accessible/base/StyleInfo.cpp:23:3
#2 0x7f8875c824c4 in mozilla::a11y::LocalAccessible::DisplayStyle() const /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3825:17
#3 0x7f8875c69e33 in mozilla::a11y::LocalAccessible::BundleFieldsForCache(unsigned long, mozilla::a11y::CacheUpdateType) /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3547:34
#4 0x7f8875c9c657 in mozilla::a11y::DocAccessibleChildBase::InsertIntoIpcTree(mozilla::a11y::LocalAccessible*, mozilla::a11y::LocalAccessible*, unsigned int, bool) /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleChildBase.cpp:106:16
#5 0x7f8875c7d221 in mozilla::a11y::LocalAccessible::HandleAccEvent(mozilla::a11y::AccEvent*) /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:866:19
#6 0x7f8875bfa428 in mozilla::a11y::AccessibleWrap::HandleAccEvent(mozilla::a11y::AccEvent*) /builds/worker/checkouts/gecko/accessible/atk/AccessibleWrap.cpp:1019:34
#7 0x7f8875c2c519 in nsEventShell::FireEvent(mozilla::a11y::AccEvent*) /builds/worker/checkouts/gecko/accessible/base/nsEventShell.cpp:54:15
#8 0x7f8875c201b3 in mozilla::a11y::NotificationController::ProcessMutationEvents() /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:564:7
#9 0x7f8875c211ca in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:894:3
#10 0x7f887442c942 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2550:12
#11 0x7f887443664d in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:374:13
#12 0x7f887443664d in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:352:7
#13 0x7f8874436553 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:5
#14 0x7f8874436430 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:912:5
#15 0x7f887443579a in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:826:5
#16 0x7f8874434f56 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:747:5
#17 0x7f8874434a69 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:593:14
#18 0x7f887443467d in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:550:9
#19 0x7f88738f2d7b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:68:15
#20 0x7f8873b79a88 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#21 0x7f8873a8cfbb in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8728:32
#22 0x7f886fcba6ca in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1756:25
#23 0x7f886fcb7327 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1681:9
#24 0x7f886fcb7e75 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1481:3
#25 0x7f886fcb91af in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1579:14
#26 0x7f886f0ae9a5 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16
#27 0x7f886f0a9f7c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26
#28 0x7f886f0a8b4a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:684:15
#29 0x7f886f0a8ea5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36
#30 0x7f886f0b2319 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:191:37
#31 0x7f886f0b2319 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#32 0x7f886f0c7c58 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
#33 0x7f886f0ce49d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:474:10
#34 0x7f886fcbff53 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#35 0x7f886fbe4f38 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#36 0x7f886fbe4e41 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#37 0x7f886fbe4e41 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#38 0x7f88740db348 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#39 0x7f887630909b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:884:20
#40 0x7f886fcc0e69 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#41 0x7f886fbe4f38 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#42 0x7f886fbe4e41 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#43 0x7f886fbe4e41 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#44 0x7f887630862c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
#45 0x563ac0411ca0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#46 0x563ac0411ca0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
#47 0x7f8882884d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#48 0x7f8882884e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#49 0x563ac03e8308 in _start (/home/user/workspace/browsers/m-c-20221213165020-fuzzing-debug/firefox-bin+0x5b308) (BuildId: 632b23276e3228be633d34f1ac3c66957e03ca4b)
|
Reporter | |
Comment 1•2 years ago
|
||
prefs.js file for bugmon.
|
Assignee | |
Comment 2•2 years ago
|
||
Causes an instant tab crash. This looks a lot like bug 1800731, but I don't yet understand why we're seeing this new instance.
|
|
Assignee | |
Comment 3•2 years ago
|
||
|
||
Comment 4•2 years ago
|
||
Verified bug as reproducible on mozilla-central 20221213165020-300b0ac8eb7b.
The bug appears to have been introduced in the following build range:
Start: 2d625e5d6ff86fda6d83464bb315478f94afc577 (20221114233128)
End: 1adc82d1eb960a8a6aac68b9abceaac3fd491abb (20221115021943)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2d625e5d6ff86fda6d83464bb315478f94afc577&tochange=1adc82d1eb960a8a6aac68b9abceaac3fd491abb
|
||
Updated•2 years ago
|
|
||
Comment 5•2 years ago
|
||
:eeejay, since you are the author of the regressor, bug 1798621, could you take a look?
For more information, please visit auto_nag documentation.
|
|
Assignee | |
Comment 6•2 years ago
|
||
Digging into this has been quite the journey.
The (image) map element and its area elements are inside an audio element, which means they aren't "rendered" at all. They don't even have a computed style. Normal elements wouldn't even get Accessibles in this case. However, area elements are special in that they are rendered by their associated img element, so we create Accessibles as children of the img.
As far as I can tell, the computed style of an area element is completely irrelevant. It's effectively just metadata. A11y doesn't currently know this, so it tries to query the computed style of the area. If the area is "rendered" (e.g. not inside a shadow host or slotted inside a shadow host), we'll get the computed style just fine, even though it's effectively a no-op. If it's inside a shadow host but unslotted, then there is no computed style, so we crash.
Fixing this will involve special casing HTMLAreaAccessibles somewhere. I'm not sure whether this should be done in StyleInfo, LocalAccessible, etc.
As a side note, image map areas don't have their own frames. GetPrimaryFrame() on an area element returns the image frame, which is a hack that should be removed; see bug 135040. This confused me a lot when I was investigating this.
Also, HTMLAreaAccessible's bounds methods don't handle the possibility that a map might be used by multiple imgs. They return the bounds of the last one because GetPrimaryFrame() on the areas returns the last image frame. We should use the frame of the parent Accessible instead. That said, I'm not sure how well DOM/layout support this either. Tabbing through the document only hits one area, even when there are two imgs using the map.
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 7•2 years ago
|
||
See the code comments for an explanation.
This fixes assertions and crashes when pushing the cache when a page contains a map which is unslotted in a shadow host.
|
|
Assignee | |
Comment 8•2 years ago
|
||
This fixes the same bug as part 1, but when the cache is disabled.
It is covered by the same test.
|
||
Comment 10•2 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/8f0a910858ab
https://hg.mozilla.org/mozilla-central/rev/4d637fe57944
|
|
||
Comment 11•2 years ago
|
||
Verified bug as fixed on rev mozilla-central 20221216093922-ef0d179e0aeb.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Description
•