Open Bug 1807972 Opened 2 years ago Updated 8 months ago

Assertion failure: !GetPrevContinuation() || (aOffsetType == TextOffsetType::OffsetsInContentText && aStartOffset >= (uint32_t)GetContentOffset() && aEndOffset <= (uint32_t)GetContentEnd()) (Must be called on first-in-flow, or content offsets must be give

Categories

(Core :: Disability Access APIs, defect)

x86_64
Linux
defect

Tracking Status
firefox-esr115 --- wontfix
firefox110 --- wontfix
firefox121 --- wontfix
firefox122 --- wontfix
firefox123 --- wontfix
firefox124 --- wontfix

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: bugmon, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

3.72 KB, application/octet-stream

Testcase found while fuzzing mozilla-central rev c5ddc463e9f8 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build c5ddc463e9f8 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
    Assertion failure: !GetPrevContinuation() || (aOffsetType == TextOffsetType::OffsetsInContentText && aStartOffset >= (uint32_t)GetContentOffset() && aEndOffset <= (uint32_t)GetContentEnd()) (Must be called on first-in-flow, or content offsets must be give

    ==247918==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fdf5495328a bp 0x7fff89df53e0 sp 0x7fff89df50f0 T247918)
    ==247918==The signal is caused by a WRITE memory access.
    ==247918==Hint: address points to the zero page.
        #0 0x7fdf5495328a in nsTextFrame::GetRenderedText(unsigned int, unsigned int, nsIFrame::TextOffsetType, nsIFrame::TrailingWhitespace) /layout/generic/nsTextFrame.cpp:10285:3
        #1 0x7fdf54781886 in nsLayoutUtils::GetMarkerSpokenText(nsIContent const*, nsTSubstring<char16_t>&) /layout/base/nsLayoutUtils.cpp:917:44
        #2 0x7fdf55f1c0ac in mozilla::a11y::HTMLListBulletAccessible::Name(nsTString<char16_t>&) const /accessible/html/HTMLListAccessible.cpp:92:3
        #3 0x7fdf55f1c296 in mozilla::a11y::HTMLListBulletAccessible::AppendTextTo(nsTSubstring<char16_t>&, unsigned int, unsigned int) /accessible/html/HTMLListAccessible.cpp:113:3
        #4 0x7fdf55ea06af in mozilla::a11y::NotificationController::QueueMutationEvent(mozilla::a11y::AccTreeMutationEvent*) /accessible/base/NotificationController.cpp:229:28
        #5 0x7fdf55ea0177 in mozilla::a11y::TreeMutation::AfterInsertion(mozilla::a11y::LocalAccessible*) /accessible/base/EventTree.cpp:54:41
        #6 0x7fdf55ef4446 in mozilla::a11y::DocAccessible::ProcessContentInserted(mozilla::a11y::LocalAccessible*, nsTArray<nsCOMPtr<nsIContent>> const*) /accessible/generic/DocAccessible.cpp:2079:10
        #7 0x7fdf55ea7da3 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /accessible/base/NotificationController.cpp:784:16
        #8 0x7fdf546b6492 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /layout/base/nsRefreshDriver.cpp:2550:12
        #9 0x7fdf546c018d in TickDriver /layout/base/nsRefreshDriver.cpp:374:13
        #10 0x7fdf546c018d in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /layout/base/nsRefreshDriver.cpp:352:7
        #11 0x7fdf546c0093 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:368:5
        #12 0x7fdf546bff70 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:912:5
        #13 0x7fdf546bf2da in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:826:5
        #14 0x7fdf546beaa6 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:747:5
        #15 0x7fdf546be5b9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /layout/base/nsRefreshDriver.cpp:593:14
        #16 0x7fdf546be1cd in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:550:9
        #17 0x7fdf53b6670b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /dom/ipc/VsyncMainChild.cpp:68:15
        #18 0x7fdf53df0328 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
        #19 0x7fdf4ff6fefa in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6371:32
        #20 0x7fdf4feff54a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1800:25
        #21 0x7fdf4fefc1c7 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1725:9
        #22 0x7fdf4fefccf5 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1525:3
        #23 0x7fdf4fefe02f in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1623:14
        #24 0x7fdf4f2f77b5 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:539:16
        #25 0x7fdf4f2f2d8c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:852:26
        #26 0x7fdf4f2f195a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:684:15
        #27 0x7fdf4f2f1cb5 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:462:36
        #28 0x7fdf4f2fb129 in operator() /xpcom/threads/TaskController.cpp:191:37
        #29 0x7fdf4f2fb129 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
        #30 0x7fdf4f310955 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1197:16
        #31 0x7fdf4f316e9d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:476:10
        #32 0x7fdf4ff05443 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #33 0x7fdf4fe28f58 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #34 0x7fdf4fe28e61 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #35 0x7fdf4fe28e61 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #36 0x7fdf5435e568 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #37 0x7fdf56592b6b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:743:20
        #38 0x7fdf4ff06359 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #39 0x7fdf4fe28f58 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #40 0x7fdf4fe28e61 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #41 0x7fdf4fe28e61 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #42 0x7fdf565926c8 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:676:34
        #43 0x56386dea9ca0 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #44 0x56386dea9ca0 in main /browser/app/nsBrowserApp.cpp:359:18
        #45 0x7fdf64568d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #46 0x7fdf64568e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #47 0x56386de80308 in _start (/home/jkratzer/builds/m-c-20221229092636-fuzzing-debug/firefox-bin+0x5b308) (BuildId: 57d0e68973c298505724f6ed9f82c1dea3cdb0d1)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /layout/generic/nsTextFrame.cpp:10285:3 in nsTextFrame::GetRenderedText(unsigned int, unsigned int, nsIFrame::TextOffsetType, nsIFrame::TrailingWhitespace)
    ==247918==ABORTING
Attached file Testcase

Verified bug as reproducible on mozilla-central 20221229092636-c5ddc463e9f8.
The bug appears to have been introduced in the following build range:

Start: 2e227bee7e5a0bbfe3bfa9a26221a9c1ff5bb913 (20221104042106)
End: 3f828529f7b2a08c99508d80d5120823145dc471 (20221104071305)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2e227bee7e5a0bbfe3bfa9a26221a9c1ff5bb913&tochange=3f828529f7b2a08c99508d80d5120823145dc471

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

This bug has been marked as a regression. Setting status flag for Nightly to affected.

The regression window implicates bug 1798500, but only because fuzzing wasn't enabling a11y for a while due to that bug. So, all we know is that this bug existed before bug 1798500 landed (2022-11-04).

Severity: -- → S4

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Keywords: bugmon

Since nightly and release are affected, beta will likely be affected too.
For more information, please visit BugBot documentation.
