Closed Bug 1808046 Opened 3 years ago Closed 3 years ago

crash near null in [@ mozilla::a11y::TreeMutation::BeforeRemoval]

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
110 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox108 --- unaffected
firefox109 --- unaffected
firefox110 --- verified

People

(Reporter: tsmith, Assigned: Jamie)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed] [ctw-m4])

Attachments

(3 files)

testcase.html
198 bytes, text/html
Details
prefs.js
9.84 KB, application/x-javascript
Details
Bug 1808046: Never try to remove the DocAccessible when an element's slot changes.
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Found while fuzzing m-c 20221223-2de5f759dac6 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

==172943==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000001e8 (pc 0x7f109975b333 bp 0x7ffd7eeb0ac0 sp 0x7ffd7eeb0ac0 T0)
==172943==The signal is caused by a READ memory access.
==172943==Hint: address points to the zero page.
    #0 0x7f109975b333 in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
    #1 0x7f109975b333 in operator mozilla::a11y::NotificationController * /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:299:12
    #2 0x7f109975b333 in Controller /builds/worker/workspace/obj-build/dist/include/mozilla/a11y/DocAccessible.h:394:55
    #3 0x7f109975b333 in mozilla::a11y::TreeMutation::Controller() const /builds/worker/checkouts/gecko/accessible/base/EventTree.h:41:33
    #4 0x7f109975c68c in mozilla::a11y::TreeMutation::BeforeRemoval(mozilla::a11y::LocalAccessible*, bool) /builds/worker/checkouts/gecko/accessible/base/EventTree.cpp:71:7
    #5 0x7f10997ef237 in mozilla::a11y::DocAccessible::ContentRemoved(mozilla::a11y::LocalAccessible*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2163:6
    #6 0x7f109980f467 in mozilla::a11y::LocalAccessible::DOMAttributeChanged(int, nsAtom*, int, nsAttrValue const*, unsigned long) /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:1446:11
    #7 0x7f10997e914c in mozilla::a11y::DocAccessible::AttributeChanged(mozilla::dom::Element*, int, nsAtom*, int, nsAttrValue const*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:874:15
    #8 0x7f108ff03a0d in operator() /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:146:3
    #9 0x7f108ff03a0d in ForEachAncestorObserver<(lambda at /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:146:3)> /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:63:9
    #10 0x7f108ff03a0d in Notify<(IsRemoval)0, (ShouldAssert)1, (lambda at /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:146:3), (lambda at /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:146:3)> /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:93:19
    #11 0x7f108ff03a0d in mozilla::dom::MutationObservers::NotifyAttributeChanged(mozilla::dom::Element*, int, nsAtom*, int, nsAttrValue const*) /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:148:3
    #12 0x7f108fe12862 in mozilla::dom::Element::SetAttrAndNotify(int, nsAtom*, nsAtom*, nsAttrValue const*, nsAttrValue&, nsIPrincipal*, unsigned char, bool, bool, bool, mozilla::dom::Document*, mozAutoDocUpdate const&) /builds/worker/checkouts/gecko/dom/base/Element.cpp:2646:5
    #13 0x7f108fe0b8a4 in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) /builds/worker/checkouts/gecko/dom/base/Element.cpp:2486:10
    #14 0x7f108fe085fc in SetAttr /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:955:12
    #15 0x7f108fe085fc in SetAttr /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:951:12
    #16 0x7f108fe085fc in mozilla::dom::Element::SetSlot(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Element.cpp:1164:12
    #17 0x7f1091a11baf in mozilla::dom::Element_Binding::set_slot(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/ElementBinding.cpp:4957:24
    #18 0x7f1091de0047 in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3235:8
    #19 0x7f109a8969c4 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
    #20 0x7f109a8969c4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
    #21 0x7f109a89879f in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10
    #22 0x7f109a89879f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
    #23 0x7f109a89a00c in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:777:10
    #24 0x7f109ab7ea46 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, js::PropertyResult const&, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2539:8
    #25 0x7f109ab7c5a5 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2573:14
    #26 0x7f109a881085 in SetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:306:10
    #27 0x7f109a881085 in SetObjectElementOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:1848:10
    #28 0x7f109a881085 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3112:12
    #29 0x7f109a869acc in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
    #30 0x7f109a896ae0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13
    #31 0x7f109a89879f in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10
    #32 0x7f109a89879f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
    #33 0x7f109a9a14ad in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
    #34 0x7f10919ae4f3 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:65:37
    #35 0x7f10928a4b64 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
    #36 0x7f10928a3134 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
    #37 0x7f10928683cc in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1314:22
    #38 0x7f1092869c2b in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1504:17
    #39 0x7f1092857b72 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:347:17
    #40 0x7f1092856424 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:549:16
    #41 0x7f109285a59d in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1122:11
    #42 0x7f1092860255 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
    #43 0x7f10901239c3 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1373:17
    #44 0x7f108fa51247 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4593:28
    #45 0x7f108fa50f95 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4563:10
    #46 0x7f1095a1d7ab in mozilla::css::SheetLoadData::FireLoadEvent(nsIThreadInternal*) /builds/worker/checkouts/gecko/layout/style/Loader.cpp:460:3
    #47 0x7f1095a1d93c in AfterProcessNextEvent /builds/worker/checkouts/gecko/layout/style/Loader.cpp:424:3
    #48 0x7f1095a1d93c in non-virtual thunk to mozilla::css::SheetLoadData::AfterProcessNextEvent(nsIThreadInternal*, bool) /builds/worker/checkouts/gecko/layout/style/Loader.cpp
    #49 0x7f108cbd2824 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1221:3
    #50 0x7f108cbdc8b4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:476:10
    #51 0x7f108e33fe2e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #52 0x7f108e1c2c87 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #53 0x7f108e1c2c87 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #54 0x7f108e1c2c87 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #55 0x7f10955099a9 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #56 0x7f109a481ce8 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:20
    #57 0x7f108e1c2c87 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #58 0x7f108e1c2c87 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #59 0x7f108e1c2c87 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #60 0x7f109a48147f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:676:34
    #61 0x55582f66d454 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #62 0x55582f66d917 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
    #63 0x7f10af0d2d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #64 0x7f10af0d2e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #65 0x55582f5abed8 in _start (/home/user/workspace/browsers/m-c-20221230044034-fuzzing-asan-opt/firefox+0x111ed8) (BuildId: 61fe2d2779afae5d7f5df7a7aa619e6adf24ac6e)
Flags: in-testsuite?
Attached file prefs.js

prefs.js for bugmon

Verified bug as reproducible on mozilla-central 20221231091949-81f62de2d85e.
The bug appears to have been introduced in the following build range:

Start: 27a62fceb6f41ff6e7c6de2f8e4ac0ae8792a39d (20221222094520)
End: 442b99cea070d25ed89ef4d09434fbb04344040b (20221222014523)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=27a62fceb6f41ff6e7c6de2f8e4ac0ae8792a39d&tochange=442b99cea070d25ed89ef4d09434fbb04344040b

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Assignee: nobody → jteh
Regressed by: 1806548
Blocks: a11y-ctw
Severity: -- → S2
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed] [ctw-m4]

When an element's slot changes and the element is unslotted, we remove its Accessible.
If the body is moved inside a shadow host at the same time, we will process the slot removal first because moves are processed async.
Previously, this caused us to try to remove the DocAccessible (since it was still associated with the body), causing nastiness and potentially crashes.
We should never try to remove the DocAccessible, so explicitly prevent this when handling slot changes.
An assertion was also added to make sure we never try to remove the DocAccessible in future.

Pushed by jteh@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/78bf272823c0 Never try to remove the DocAccessible when an element's slot changes. r=nlapre

https://hg.mozilla.org/mozilla-central/rev/78bf272823c0

Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox110: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 110 Branch

Verified bug as fixed on rev mozilla-central 20230109162059-05db4ea9cea4.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox110: fixedverified
Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: