Closed Bug 1807851 Opened 3 years ago Closed 3 years ago

crash near null in [@ nsLayoutUtils::FindNearestCommonAncestorFrame]

Categories

(Core :: Disability Access APIs, defect)

Tracking

RESOLVED FIXED
112 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox108 --- wontfix
firefox109 --- disabled
firefox110 --- disabled
firefox111 --- disabled
firefox112 --- fixed

People

(Reporter: tsmith, Assigned: sefeng211)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing 20221127-f49e8eca9e34 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
==26382==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7f8ddfdaaa7c bp 0x7ffe69f17030 sp 0x7ffe69f167c0 T0)
==26382==The signal is caused by a READ memory access.
==26382==Hint: address points to the zero page.
    #0 0x7f8ddfdaaa7c in nsLayoutUtils::FindNearestCommonAncestorFrame(nsIFrame const*, nsIFrame const*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h
    #1 0x7f8ddfdac491 in nsLayoutUtils::TransformRect(nsIFrame const*, nsIFrame const*, nsRect&) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:2432:7
    #2 0x7f8de397c6e1 in mozilla::a11y::HTMLAreaAccessible::ParentRelativeBounds() /builds/worker/checkouts/gecko/accessible/html/HTMLImageMapAccessible.cpp:207:3
    #3 0x7f8de392aed1 in mozilla::a11y::LocalAccessible::BundleFieldsForCache(unsigned long, mozilla::a11y::CacheUpdateType) /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3280:28
    #4 0x7f8de3988af5 in mozilla::a11y::DocAccessibleChildBase::InsertIntoIpcTree(mozilla::a11y::LocalAccessible*, mozilla::a11y::LocalAccessible*, unsigned int, bool) /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleChildBase.cpp:106:16
    #5 0x7f8de394f795 in mozilla::a11y::LocalAccessible::HandleAccEvent(mozilla::a11y::AccEvent*) /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:852:19
    #6 0x7f8de3855236 in mozilla::a11y::AccessibleWrap::HandleAccEvent(mozilla::a11y::AccEvent*) /builds/worker/checkouts/gecko/accessible/atk/AccessibleWrap.cpp:1019:34
    #7 0x7f8de38b9988 in nsEventShell::FireEvent(mozilla::a11y::AccEvent*) /builds/worker/checkouts/gecko/accessible/base/nsEventShell.cpp:54:15
    #8 0x7f8de389b1f6 in mozilla::a11y::NotificationController::ProcessMutationEvents() /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:561:7
    #9 0x7f8de389cf6e in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:894:3
    #10 0x7f8ddfc32fd5 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2550:12
    #11 0x7f8ddfc41686 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:374:13
    #12 0x7f8ddfc41686 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:352:7
    #13 0x7f8ddfc413ee in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:5
    #14 0x7f8ddfc41175 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:912:5
    #15 0x7f8ddfc4040f in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:826:5
    #16 0x7f8ddfc3f661 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:747:5
    #17 0x7f8ddfc3ee7b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:593:14
    #18 0x7f8ddfc3ea18 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:550:9
    #19 0x7f8dde8467ac in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:68:15
    #20 0x7f8ddec99d1f in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
    #21 0x7f8ddead3346 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8757:32
    #22 0x7f8dd84709a9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
    #23 0x7f8dd846dafd in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
    #24 0x7f8dd846e6ce in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
    #25 0x7f8dd846f8fe in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
    #26 0x7f8dd6ce1b79 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16
    #27 0x7f8dd6cd8997 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26
    #28 0x7f8dd6cd5c18 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:684:15
    #29 0x7f8dd6cd6340 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36
    #30 0x7f8dd6ce7cb4 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:191:37
    #31 0x7f8dd6ce7cb4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
    #32 0x7f8dd6d0ade4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:16
    #33 0x7f8dd6d151d4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:476:10
    #34 0x7f8dd84785a3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
    #35 0x7f8dd82fb407 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #36 0x7f8dd82fb407 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #37 0x7f8dd82fb407 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #38 0x7f8ddf641dc9 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #39 0x7f8de45ba508 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:20
    #40 0x7f8dd82fb407 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #41 0x7f8dd82fb407 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #42 0x7f8dd82fb407 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #43 0x7f8de45b9c9f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:676:34
    #44 0x564b3ce08454 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #45 0x564b3ce08917 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
    #46 0x7f8df921ad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #47 0x7f8df921ae3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #48 0x564b3cd46ed8 in _start (/home/user/workspace/browsers/m-c-20221228044022-fuzzing-asan-opt/firefox+0x111ed8) (BuildId: 8f377898df4619750c0ddd7cace4bbc6fefbb03d)

Flags: in-testsuite?
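As an added triage example (not part of this bug or of Mozilla's fuzzing tooling): a small Python parser that reads the opening lines of the ASan report above and derives the "near null" classification and the Bugzilla-style [@ …] crash signature that make up this bug's title. The 0x1000 near-null threshold and the exact title wording are assumptions of this example.

```python
import re

# Constructed input: the opening lines of the AddressSanitizer report attached
# to this bug, trimmed to two frames.
SAMPLE_REPORT = """\
==26382==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7f8ddfdaaa7c bp 0x7ffe69f17030 sp 0x7ffe69f167c0 T0)
==26382==The signal is caused by a READ memory access.
==26382==Hint: address points to the zero page.
    #0 0x7f8ddfdaaa7c in nsLayoutUtils::FindNearestCommonAncestorFrame(nsIFrame const*, nsIFrame const*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h
    #1 0x7f8ddfdac491 in nsLayoutUtils::TransformRect(nsIFrame const*, nsIFrame const*, nsRect&) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:2432:7
"""

# Assumption: a fault address inside the first page is "near null"; that is
# the range ASan's "address points to the zero page" hint refers to.
NEAR_NULL_LIMIT = 0x1000

ERROR_RE = re.compile(r"AddressSanitizer: (\S+) on (?:unknown )?address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.*)$")


def parse_asan_report(text: str) -> dict:
    """Return fault kind, address, access type and (symbol, location) frames."""
    info = {"kind": "", "address": None, "access": "", "frames": []}
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            info["kind"], info["address"] = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.search(line):
            info["access"] = m.group(1)
        elif m := FRAME_RE.match(line):
            # Frame body is "SYMBOL(params) LOCATION": location is the last
            # token; the parameter list is dropped for a stable symbol name.
            symbol, _, location = m.group(1).rpartition(" ")
            info["frames"].append((symbol.split("(", 1)[0], location))
    return info


def is_near_null(info: dict) -> bool:
    addr = info["address"]
    return info["kind"] == "SEGV" and addr is not None and addr < NEAR_NULL_LIMIT


def crash_signature(info: dict) -> str:
    # Bugzilla-style signature keyed on the innermost frame, e.g. "[@ func]".
    return f"[@ {info['frames'][0][0]}]" if info["frames"] else "[@ <unknown>]"


def bug_title(info: dict) -> str:
    where = "near null" if is_near_null(info) else f"at 0x{info['address']:x}"
    return f"crash {where} in {crash_signature(info)}"
```

Run against the sample, `bug_title` reproduces this bug's summary line; symbols such as `operator()` or `(anonymous namespace)::f` would need a smarter parameter-list strip than the single `split("(")` used here.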
Attached file prefs.js

prefs.js for bugmon

Verified bug as reproducible on mozilla-central 20221228213747-5dde89820aa5.
The bug appears to have been introduced in the following build range:

Start: 2d625e5d6ff86fda6d83464bb315478f94afc577 (20221114233128)
End: 1adc82d1eb960a8a6aac68b9abceaac3fd491abb (20221115021943)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2d625e5d6ff86fda6d83464bb315478f94afc577&tochange=1adc82d1eb960a8a6aac68b9abceaac3fd491abb

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Crash Signature: [@ nsLayoutUtils::FindNearestCommonAncestorFrame]
Regressed by: 1798621

:eeejay, since you are the author of the regressor, bug 1798621, could you take a look? Also, could you set the severity field?

For more information, please visit auto_nag documentation.

Flags: needinfo?(eitan)
Blocks: a11y-ctw
Severity: -- → S3
See Also: → 1732154
Flags: needinfo?(eitan)
Assignee: nobody → mreschenberg

Set release status flags based on info from the regressing bug 1798621

Testcase crashes using the initial build (mozilla-central 20221127212619-f49e8eca9e34) but not with tip (mozilla-central 20230218045051-50be9c4a3f06).

The bug appears to have been fixed in the following build range:

Start: dafb2e6890e11b74ec00d49c8f2767903a67aa92 (20230213153318)
End: 073223bab35f4149bf5665ec59b16684b7b9a65b (20230213163401)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=dafb2e6890e11b74ec00d49c8f2767903a67aa92&tochange=073223bab35f4149bf5665ec59b16684b7b9a65b

morgan, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(mreschenberg)
Keywords: bugmon

I can confirm that this no longer crashes. The crash was due to obscure image map state. The bisection range includes bug 1815913, which changes the way nsImageMap is initialised, so I'm fairly sure this is what would have fixed this.

Status: NEW → RESOLVED
Closed: 3 years ago
Depends on: 1815913
Flags: needinfo?(mreschenberg)
Resolution: --- → FIXED
Assignee: mreschenberg → sefeng
Target Milestone: --- → 112 Branch