Closed Bug 1832730 Opened 2 years ago Closed 2 years ago

crash near null in [@ mozilla::a11y::RemoteAccessibleBase<mozilla::a11y::RemoteAccessible>::PruneRelationsOnShutdown]

Categories

(Core :: Disability Access APIs, defect)

Tracking

VERIFIED FIXED
115 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox113 --- unaffected
firefox114 --- unaffected
firefox115 --- fixed

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20230509-169e7173a60f (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

==95168==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000002c (pc 0x7f832b8c6378 bp 0x7ffc79b1ac70 sp 0x7ffc79b1ac10 T0)
==95168==The signal is caused by a WRITE memory access.
==95168==Hint: address points to the zero page.
    #0 0x7f832b8c6378 in fetch_add /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/bits/atomic_base.h:514:16
    #1 0x7f832b8c6378 in add /builds/worker/workspace/obj-build/dist/include/mozilla/Atomics.h:219:17
    #2 0x7f832b8c6378 in inc /builds/worker/workspace/obj-build/dist/include/mozilla/Atomics.h:245:12
    #3 0x7f832b8c6378 in operator++ /builds/worker/workspace/obj-build/dist/include/mozilla/Atomics.h:341:30
    #4 0x7f832b8c6378 in StartReadOp /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.h:129:25
    #5 0x7f832b8c6378 in AutoReadOp /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:32:58
    #6 0x7f832b8c6378 in PLDHashTable::Search(void const*) const /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:493:14
    #7 0x7f833be142fd in GetEntry /builds/worker/workspace/obj-build/dist/include/nsTHashtable.h:289:16
    #8 0x7f833be142fd in Lookup /builds/worker/workspace/obj-build/dist/include/nsBaseHashtable.h:641:55
    #9 0x7f833be142fd in GetMutableAttribute<nsTArray<unsigned long> > /builds/worker/workspace/obj-build/dist/include/mozilla/a11y/AccAttributes.h:153:28
    #10 0x7f833be142fd in mozilla::a11y::RemoteAccessibleBase<mozilla::a11y::RemoteAccessible>::PruneRelationsOnShutdown() /builds/worker/checkouts/gecko/accessible/ipc/RemoteAccessibleBase.cpp:1156:21
    #11 0x7f833be011bd in mozilla::a11y::RemoteAccessibleBase<mozilla::a11y::RemoteAccessible>::Shutdown() /builds/worker/checkouts/gecko/accessible/ipc/RemoteAccessibleBase.cpp:66:5
    #12 0x7f833be00ab5 in mozilla::a11y::DocAccessibleParent::ShutdownOrPrepareForMove(mozilla::a11y::RemoteAccessible*) /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleParent.cpp:261:11
    #13 0x7f833be021b6 in mozilla::a11y::DocAccessibleParent::RecvHideEvent(unsigned long const&, bool const&) /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleParent.cpp:344:3
    #14 0x7f833bf04482 in mozilla::a11y::PDocAccessibleParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PDocAccessibleParent.cpp:8959:52
    #15 0x7f8335ef946e in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:6660:32
    #16 0x7f832d677cb5 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
    #17 0x7f832d67362c in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
    #18 0x7f832d674a1a in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
    #19 0x7f832d675fc3 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
    #20 0x7f832ba4c15a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
    #21 0x7f832ba3ceaa in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:879:26
    #22 0x7f832ba39da7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:702:15
    #23 0x7f832ba3a68f in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
    #24 0x7f832ba51881 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
    #25 0x7f832ba51881 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
    #26 0x7f832ba7d4fb in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239:16
    #27 0x7f832ba8af94 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
    #28 0x7f832d6824ce in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #29 0x7f832d4ac7ca in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
    #30 0x7f832d4ac7ca in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
    #31 0x7f832d4ac7ca in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
    #32 0x7f8336dd8309 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #33 0x7f833ca9344b in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:295:30
    #34 0x7f833cd9054c in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5657:22
    #35 0x7f833cd9223b in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5857:8
    #36 0x7f833cd93331 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5913:21
    #37 0x563945a87383 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:227:22
    #38 0x563945a87383 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:445:16
    #39 0x7f8352429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #40 0x7f8352429e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #41 0x5639459b0d58 in _start (/home/user/workspace/browsers/m-c-20230510213701-fuzzing-asan-opt/firefox+0x107d58) (BuildId: 1a6107a3fe794b68d29433eba1f4d947c1c8bb25)
Flags: in-testsuite?
Attached file prefs.js

prefs.js file for bugmon

Verified bug as reproducible on mozilla-central 20230512040642-55608cb73889.
The bug appears to have been introduced in the following build range:

Start: a7a328c86d5bab5e73de7abf526304c96addccc3 (20230508201033)
End: cc7b419c4bbea93ee3364cf6749a0d6dcbb0a991 (20230508213519)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a7a328c86d5bab5e73de7abf526304c96addccc3&tochange=cc7b419c4bbea93ee3364cf6749a0d6dcbb0a991

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Regressed by: 1455416

Set release status flags based on info from the regressing bug 1455416

:nlapre, since you are the author of the regressor, bug 1455416, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(nlapre)

Setting 115 to Fixed as the regressor Bug 1455416 was backed out of central

Fixed by backout.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Flags: needinfo?(nlapre)

Verified bug as fixed on rev mozilla-central 20230519041011-d97636946466.

Status: RESOLVED → VERIFIED
Target Milestone: --- → 115 Branch
Keywords: bugmon
