Assertion failure: !GetPrevContinuation() || (aOffsetType == TextOffsetType::OffsetsInContentText && aStartOffset >= (uint32_t)GetContentOffset() && aEndOffset <= (uint32_t)GetContentEnd()) (Must be called on first-in-flow, or content offsets must be give
Categories: Core :: Disability Access APIs, defect
People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug
Keywords: bugmon, regression, testcase
Whiteboard: [bugmon:bisected,confirmed]
Attachments: 1 file (3.72 KB, application/octet-stream)
Testcase found while fuzzing mozilla-central rev c5ddc463e9f8 (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build c5ddc463e9f8 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
Assertion failure: !GetPrevContinuation() || (aOffsetType == TextOffsetType::OffsetsInContentText && aStartOffset >= (uint32_t)GetContentOffset() && aEndOffset <= (uint32_t)GetContentEnd()) (Must be called on first-in-flow, or content offsets must be give
==247918==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fdf5495328a bp 0x7fff89df53e0 sp 0x7fff89df50f0 T247918)
==247918==The signal is caused by a WRITE memory access.
==247918==Hint: address points to the zero page.
#0 0x7fdf5495328a in nsTextFrame::GetRenderedText(unsigned int, unsigned int, nsIFrame::TextOffsetType, nsIFrame::TrailingWhitespace) /layout/generic/nsTextFrame.cpp:10285:3
#1 0x7fdf54781886 in nsLayoutUtils::GetMarkerSpokenText(nsIContent const*, nsTSubstring<char16_t>&) /layout/base/nsLayoutUtils.cpp:917:44
#2 0x7fdf55f1c0ac in mozilla::a11y::HTMLListBulletAccessible::Name(nsTString<char16_t>&) const /accessible/html/HTMLListAccessible.cpp:92:3
#3 0x7fdf55f1c296 in mozilla::a11y::HTMLListBulletAccessible::AppendTextTo(nsTSubstring<char16_t>&, unsigned int, unsigned int) /accessible/html/HTMLListAccessible.cpp:113:3
#4 0x7fdf55ea06af in mozilla::a11y::NotificationController::QueueMutationEvent(mozilla::a11y::AccTreeMutationEvent*) /accessible/base/NotificationController.cpp:229:28
#5 0x7fdf55ea0177 in mozilla::a11y::TreeMutation::AfterInsertion(mozilla::a11y::LocalAccessible*) /accessible/base/EventTree.cpp:54:41
#6 0x7fdf55ef4446 in mozilla::a11y::DocAccessible::ProcessContentInserted(mozilla::a11y::LocalAccessible*, nsTArray<nsCOMPtr<nsIContent>> const*) /accessible/generic/DocAccessible.cpp:2079:10
#7 0x7fdf55ea7da3 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /accessible/base/NotificationController.cpp:784:16
#8 0x7fdf546b6492 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /layout/base/nsRefreshDriver.cpp:2550:12
#9 0x7fdf546c018d in TickDriver /layout/base/nsRefreshDriver.cpp:374:13
#10 0x7fdf546c018d in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /layout/base/nsRefreshDriver.cpp:352:7
#11 0x7fdf546c0093 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:368:5
#12 0x7fdf546bff70 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:912:5
#13 0x7fdf546bf2da in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:826:5
#14 0x7fdf546beaa6 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:747:5
#15 0x7fdf546be5b9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /layout/base/nsRefreshDriver.cpp:593:14
#16 0x7fdf546be1cd in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:550:9
#17 0x7fdf53b6670b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /dom/ipc/VsyncMainChild.cpp:68:15
#18 0x7fdf53df0328 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#19 0x7fdf4ff6fefa in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6371:32
#20 0x7fdf4feff54a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1800:25
#21 0x7fdf4fefc1c7 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1725:9
#22 0x7fdf4fefccf5 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1525:3
#23 0x7fdf4fefe02f in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1623:14
#24 0x7fdf4f2f77b5 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:539:16
#25 0x7fdf4f2f2d8c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:852:26
#26 0x7fdf4f2f195a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:684:15
#27 0x7fdf4f2f1cb5 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:462:36
#28 0x7fdf4f2fb129 in operator() /xpcom/threads/TaskController.cpp:191:37
#29 0x7fdf4f2fb129 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#30 0x7fdf4f310955 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1197:16
#31 0x7fdf4f316e9d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:476:10
#32 0x7fdf4ff05443 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
#33 0x7fdf4fe28f58 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
#34 0x7fdf4fe28e61 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
#35 0x7fdf4fe28e61 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
#36 0x7fdf5435e568 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
#37 0x7fdf56592b6b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:743:20
#38 0x7fdf4ff06359 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
#39 0x7fdf4fe28f58 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
#40 0x7fdf4fe28e61 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
#41 0x7fdf4fe28e61 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
#42 0x7fdf565926c8 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:676:34
#43 0x56386dea9ca0 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#44 0x56386dea9ca0 in main /browser/app/nsBrowserApp.cpp:359:18
#45 0x7fdf64568d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#46 0x7fdf64568e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#47 0x56386de80308 in _start (/home/jkratzer/builds/m-c-20221229092636-fuzzing-debug/firefox-bin+0x5b308) (BuildId: 57d0e68973c298505724f6ed9f82c1dea3cdb0d1)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/generic/nsTextFrame.cpp:10285:3 in nsTextFrame::GetRenderedText(unsigned int, unsigned int, nsIFrame::TextOffsetType, nsIFrame::TrailingWhitespace)
==247918==ABORTING
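A small triage helper for sanitizer output of the shape shown above, as an added example that is not part of the bug report and not Mozilla code. It assumes the standard ASan/UBSan text layout (an optional "Assertion failure:" line, the "==PID==ERROR:" line, the READ/WRITE signal line, "#N 0x... in func file:line:col" frames and a closing "SUMMARY:" line) and pulls out what a triager checks first: sanitizer and fault kind, whether the faulting address is on the zero page (a null dereference rather than a controllable write), the innermost frame, and the frame where a caller subsystem (here /accessible/) entered the faulting module. The embedded sample is built from lines of the report above (frames 0 to 3 and 47 only); the function and field names are this example's own.

```python
"""Triage helper for sanitizer-style crash reports (added example, not Mozilla code).

Assumes the standard ASan/UBSan text layout: optional 'Assertion failure:' line,
'==PID==ERROR: <sanitizer>: <kind> on [unknown] address 0x...', a
'The signal is caused by a READ|WRITE memory access' line,
'#N 0x... in <function> <file>:<line>:<col>' frames and a 'SUMMARY:' line.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ASSERT_PREFIX = "Assertion failure:"
ERROR_RE = re.compile(
    r"^==(\d+)==ERROR:\s+(\w+):\s+([\w-]+)\s+on (?:unknown )?address\s+(0x[0-9a-fA-F]+)")
SIGNAL_RE = re.compile(r"^==\d+==The signal is caused by a (READ|WRITE) memory access")
# function text may contain spaces and parentheses; the location is the trailing file:line[:col]
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s+(\S+?):(\d+)(?::\d+)?$")
FRAME_NOLOC_RE = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+)$")  # e.g. _start (binary+0x..)
SUMMARY_RE = re.compile(r"^SUMMARY:\s+(.+)$")


@dataclass
class Frame:
    index: int
    function: str
    file: str   # "" when the frame carries no source location
    line: int   # 0 when unknown


@dataclass
class CrashReport:
    pid: Optional[int] = None
    sanitizer: Optional[str] = None
    kind: Optional[str] = None      # "SEGV", "heap-buffer-overflow", ...
    address: Optional[int] = None
    access: Optional[str] = None    # "READ" or "WRITE"
    assertion: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)
    summary: Optional[str] = None


def parse_crash_report(text: str) -> CrashReport:
    """Extract the fields a triager looks at first; lines of other shapes are ignored."""
    report = CrashReport()
    for raw in text.splitlines():
        line = raw.strip()
        if report.assertion is None and line.startswith(ASSERT_PREFIX):
            report.assertion = line[len(ASSERT_PREFIX):].strip()
        elif m := ERROR_RE.match(line):
            report.pid, report.sanitizer, report.kind = int(m[1]), m[2], m[3]
            report.address = int(m[4], 16)
        elif m := SIGNAL_RE.match(line):
            report.access = m[1]
        elif m := FRAME_RE.match(line):
            report.frames.append(Frame(int(m[1]), m[2], m[3], int(m[4])))
        elif m := FRAME_NOLOC_RE.match(line):
            report.frames.append(Frame(int(m[1]), m[2], "", 0))
        elif m := SUMMARY_RE.match(line):
            report.summary = m[1]
    return report


def is_null_page_access(report: CrashReport) -> bool:
    """A SEGV on the first page is a null (or near-null) pointer dereference,
    which is the first thing to establish when rating severity."""
    return report.kind == "SEGV" and report.address is not None and report.address < 0x1000


def first_frame_under(report: CrashReport, path_prefix: str) -> Optional[Frame]:
    """Innermost frame whose source file lives under path_prefix: the point where
    the caller's subsystem handed control to the faulting module."""
    for frame in report.frames:
        if frame.file.startswith(path_prefix):
            return frame
    return None


def triage_line(report: CrashReport) -> str:
    """One-line summary suitable for a tracker title or a dedup key."""
    top = report.frames[0] if report.frames else None
    where = f"{top.function} ({top.file}:{top.line})" if top else "<no frames>"
    null = " null-page" if is_null_page_access(report) else ""
    return f"{report.sanitizer}: {report.kind}{null} {report.access} in {where}"


# Constructed sample: a subset of the report above (frames 0-3 and 47 only).
SAMPLE = """\
Assertion failure: !GetPrevContinuation() || (aOffsetType == TextOffsetType::OffsetsInContentText && aStartOffset >= (uint32_t)GetContentOffset() && aEndOffset <= (uint32_t)GetContentEnd()) (Must be called on first-in-flow, or content offsets must be give
==247918==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fdf5495328a bp 0x7fff89df53e0 sp 0x7fff89df50f0 T247918)
==247918==The signal is caused by a WRITE memory access.
==247918==Hint: address points to the zero page.
    #0 0x7fdf5495328a in nsTextFrame::GetRenderedText(unsigned int, unsigned int, nsIFrame::TextOffsetType, nsIFrame::TrailingWhitespace) /layout/generic/nsTextFrame.cpp:10285:3
    #1 0x7fdf54781886 in nsLayoutUtils::GetMarkerSpokenText(nsIContent const*, nsTSubstring<char16_t>&) /layout/base/nsLayoutUtils.cpp:917:44
    #2 0x7fdf55f1c0ac in mozilla::a11y::HTMLListBulletAccessible::Name(nsTString<char16_t>&) const /accessible/html/HTMLListAccessible.cpp:92:3
    #3 0x7fdf55f1c296 in mozilla::a11y::HTMLListBulletAccessible::AppendTextTo(nsTSubstring<char16_t>&, unsigned int, unsigned int) /accessible/html/HTMLListAccessible.cpp:113:3
    #47 0x56386de80308 in _start (/home/jkratzer/builds/m-c-20221229092636-fuzzing-debug/firefox-bin+0x5b308) (BuildId: 57d0e68973c298505724f6ed9f82c1dea3cdb0d1)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/generic/nsTextFrame.cpp:10285:3 in nsTextFrame::GetRenderedText(unsigned int, unsigned int, nsIFrame::TextOffsetType, nsIFrame::TrailingWhitespace)
==247918==ABORTING
"""

if __name__ == "__main__":
    print(triage_line(parse_crash_report(SAMPLE)))
```

Run on the sample, the parser reports a SEGV on a WRITE to the zero page in nsTextFrame::GetRenderedText, with frame #2 (HTMLListBulletAccessible::Name) as the first frame under /accessible/, which matches the path described in comment 4: the accessibility code reaching a layout precondition that the assertion guards.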
Comment 1•2 years ago (Reporter)
Comment 2•2 years ago
Verified bug as reproducible on mozilla-central 20221229092636-c5ddc463e9f8.
The bug appears to have been introduced in the following build range:
Start: 2e227bee7e5a0bbfe3bfa9a26221a9c1ff5bb913 (20221104042106)
End: 3f828529f7b2a08c99508d80d5120823145dc471 (20221104071305)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2e227bee7e5a0bbfe3bfa9a26221a9c1ff5bb913&tochange=3f828529f7b2a08c99508d80d5120823145dc471
Comment 3•2 years ago
This bug has been marked as a regression. Setting status flag for Nightly to affected.
Comment 4•2 years ago
The regression window implicates bug 1798500, but only because fuzzing wasn't enabling a11y for a while due to that bug. So, all we know is that this bug existed before bug 1798500 landed (2022-11-04).
Comment 5•1 year ago
Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 6•1 year ago (Reporter)
A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.
Comment 7•9 months ago
Since nightly and release are affected, beta will likely be affected too.
For more information, please visit BugBot documentation.