Testcase found while fuzzing mozilla-central rev 5647ec4ba6f2. Testcase must be served via a local webserver in order to reproduce and also requires the env variable GNOME_ACCESSIBILITY=1.

==26305==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fd665f9e9af bp 0x7ffc55cc1210 sp 0x7ffc55cc1140 T0)
==26305==The signal is caused by a WRITE memory access.
==26305==Hint: address points to the zero page.
    #0 0x7fd665f9e9ae in get /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:278:27
    #1 0x7fd665f9e9ae in operator mozilla::dom::BrowsingContext * /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:291:12
    #2 0x7fd665f9e9ae in GetBrowsingContext /builds/worker/workspace/build/src/dom/base/nsPIDOMWindowInlines.h:70:10
    #3 0x7fd665f9e9ae in nsGlobalWindowInner::InnerSetNewDocument(JSContext*, mozilla::dom::Document*) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowInner.cpp:1609:29
    #4 0x7fd665ff88dd in nsGlobalWindowOuter::SetNewDocument(mozilla::dom::Document*, nsISupports*, bool, mozilla::dom::WindowGlobalChild*) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:2213:23
    #5 0x7fd66b899bb9 in nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::dom::WindowGlobalChild*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:977:22
    #6 0x7fd66b8990fa in nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::dom::WindowGlobalChild*) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:743:10
    #7 0x7fd66e649820 in nsDocShell::SetupNewViewer(nsIContentViewer*, mozilla::dom::WindowGlobalChild*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:8257:7
    #8 0x7fd66e648729 in nsDocShell::Embed(nsIContentViewer*, mozilla::dom::WindowGlobalChild*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6030:17
    #9 0x7fd66e653dd1 in nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal*, nsIPrincipal*, nsIContentSecurityPolicy*, nsIURI*, bool, bool, mozilla::dom::WindowGlobalChild*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6869:14
    #10 0x7fd66e5ff89a in nsDocShell::EnsureContentViewer() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6703:17
    #11 0x7fd66e62c1f7 in GetDocument /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:3506:3
    #12 0x7fd66e62c1f7 in non-virtual thunk to nsDocShell::GetDocument() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #13 0x7fd666031748 in nsPIDOMWindowOuter::MaybeCreateDoc() /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:7883:45
    #14 0x7fd66e762c0c in GetDoc /builds/worker/workspace/build/src/obj-firefox/dist/include/nsPIDOMWindow.h:839:7
    #15 0x7fd66e762c0c in mozilla::a11y::DocManager::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/accessible/base/DocManager.cpp:220:43
    #16 0x7fd664b430f3 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1352:3
    #17 0x7fd664b4167f in nsDocLoader::FireOnStateChange(nsIWebProgress*, nsIRequest*, int, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1315:14
    #18 0x7fd664b3fb80 in nsDocLoader::OnStartRequest(nsIRequest*) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
    #19 0x7fd664b4013c in non-virtual thunk to nsDocLoader::OnStartRequest(nsIRequest*) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
    #20 0x7fd6623224f1 in mozilla::net::nsLoadGroup::AddRequest(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:464:22
    #21 0x7fd6622b2de7 in nsBaseChannel::AsyncOpen(nsIStreamListener*) /builds/worker/workspace/build/src/netwerk/base/nsBaseChannel.cpp:704:31
    #22 0x7fd664b51cff in nsURILoader::OpenURI(nsIChannel*, unsigned int, nsIInterfaceRequestor*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:840:19
    #23 0x7fd66e670183 in nsDocShell::OpenInitializedChannel(nsIChannel*, nsIURILoader*, unsigned int) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:10545:20
    #24 0x7fd66e670b73 in nsDocShell::DoChannelLoad(nsIChannel*, nsIURILoader*, bool) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:10500:10
    #25 0x7fd66e6696af in nsDocShell::DoURILoad(nsDocShellLoadState*, bool, nsIDocShell**, nsIRequest**) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:10309:8
    #26 0x7fd66e607efb in nsDocShell::InternalLoad(nsDocShellLoadState*, nsIDocShell**, nsIRequest**) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9479:8
    #27 0x7fd66e601632 in nsDocShell::LoadURI(nsDocShellLoadState*, bool) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:800:10
    #28 0x7fd6664fe97e in nsFrameLoader::ReallyStartLoadingInternal() /builds/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:670:23
    #29 0x7fd6664fd83f in nsFrameLoader::ReallyStartLoading() /builds/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:548:17
    #30 0x7fd66622aa49 in mozilla::dom::Document::MaybeInitializeFinalizeFrameLoaders() /builds/worker/workspace/build/src/dom/base/Document.cpp:8463:13
    #31 0x7fd66622a203 in mozilla::dom::Document::EndUpdate() /builds/worker/workspace/build/src/dom/base/Document.cpp:6983:3
    #32 0x7fd666540be9 in ~mozAutoDocUpdate /builds/worker/workspace/build/src/dom/base/mozAutoDocUpdate.h:34:18
    #33 0x7fd666540be9 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:2407:1
    #34 0x7fd666e76fa0 in InsertBefore /builds/worker/workspace/build/src/dom/base/nsINode.h:1723:12
    #35 0x7fd666e76fa0 in AppendChild /builds/worker/workspace/build/src/dom/base/nsINode.h:1726:12
    #36 0x7fd666e76fa0 in mozilla::dom::Node_Binding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/NodeBinding.cpp:953:60
    #37 0x7fd6687e0a3c in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3218:13
    #38 0x7fd5d976de0f  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:278:27 in get

Oh, this isn't what I was thinking.
I see 'too much recursion'

Please note, that the testcase bisects back further than a year.

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Didn't crash locally (perhaps it needs to run longer), but the following errors, etc were emitted:

JavaScript error: https://bug1593704.bmoattachments.org/attachment.cgi?id=9106205, line 7: too much recursion
JavaScript error: https://bug1593704.bmoattachments.org/attachment.cgi?id=9106205, line 7: too much recursion
JavaScript error: https://bug1593704.bmoattachments.org/attachment.cgi?id=9106205, line 8: too much recursion
JavaScript error: https://bug1593704.bmoattachments.org/attachment.cgi?id=9106205, line 8: too much recursion
JavaScript error: https://bug1593704.bmoattachments.org/attachment.cgi?id=9106205, line 9: too much recursion
JavaScript error: https://bug1593704.bmoattachments.org/attachment.cgi?id=9106205, line 8: too much recursion
++DOCSHELL 0x7f6f5faeb000 == 3 [pid = 25292] [id = {fbf41ede-bb6e-481e-a5f6-a3448d9f6022}]
++DOMWINDOW == 7 (0x7f6f5e2a0c40) [pid = 25292] [serial = 8] [outer = (nil)]
[Child 25292, Main Thread] WARNING: Overrecursion in SetNewDocument: file /home/mirko/src/firefox/gecko/dom/base/nsGlobalWindowOuter.cpp, line 1916
[Child 25292, Main Thread] WARNING: ContentViewer Initialization failed: file /home/mirko/src/firefox/gecko/docshell/base/nsDocShell.cpp, line 8198
[Child 25292, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file /home/mirko/src/firefox/gecko/docshell/base/nsDocShell.cpp, line 5970
[Child 25292, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file /home/mirko/src/firefox/gecko/docshell/base/nsDocShell.cpp, line 6809
[Child 25292, Main Thread] WARNING: NS_ENSURE_TRUE(mContentViewer) failed: file /home/mirko/src/firefox/gecko/docshell/base/nsDocShell.cpp, line 6645
[Child 25292, Main Thread] WARNING: NS_ENSURE_SUCCESS(EnsureContentViewer(), nullptr) failed with result 0x8000FFFF: file /home/mirko/src/firefox/gecko/docshell/base/nsDocShell.cpp, line 3455
[Child 25292, Main Thread] WARNING: NS_ENSURE_TRUE(document) failed: file /home/mirko/src/firefox/gecko/accessible/base/DocManager.cpp, line 221 
JavaScript error: https://bug1593704.bmoattachments.org/attachment.cgi?id=9106205, line 7: too much recursion
[Child 25292, Main Thread] WARNING: Subdocument container has non-subdocument frame: 'subdocFrame->Type() == LayoutFrameType::None', file /home/mirko/src/firefox/gecko/layout/base/nsDocumentViewer.cpp, line 2490
[Child 25292, Main Thread] WARNING: Overrecursion in SetNewDocument: file /home/mirko/src/firefox/gecko/dom/base/nsGlobalWindowOuter.cpp, line 1916
[Child 25292, Main Thread] WARNING: ContentViewer Initialization failed: file /home/mirko/src/firefox/gecko/docshell/base/nsDocShell.cpp, line 8198
[Child 25292, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file /home/mirko/src/firefox/gecko/docshell/base/nsDocShell.cpp, line 5970
[Child 25292, Main Thread] WARNING: NS_ENSURE_SUCCESS(Embed(viewer), NS_ERROR_FAILURE) failed with result 0x80004005: file /home/mirko/src/firefox/gecko/docshell/base/nsDocShell.cpp, line 7998
[Child 25292, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80520015: file /home/mirko/src/firefox/gecko/toolkit/xre/nsXREDirProvider.cpp, line 1553
[Child 25292, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80520015: file /home/mirko/src/firefox/gecko/toolkit/profile/nsToolkitProfileService.cpp, line 727 
^G[Child 25292, Main Thread] ###!!! ASSERTION: nsToolkitProfileService::Init failed!: 'Error', file /home/mirko/src/firefox/gecko/toolkit/profile/nsToolkitProfileService.cpp, line 2019```

Clearing Fission milestone because this bug does not appear to be Fission-related.

Does this test still reproduce? Might be a variant of bug 1488480?

Jens, it does still reproduce but with the following signature:

    #0 0x7f60ff623dc3 in ClearDocumentDependentSlots /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:7226:5
    #1 0x7f60ff623dc3 in nsGlobalWindowInner::InitDocumentDependentState(JSContext*) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:1751:3
    #2 0x7f60ff671e71 in nsGlobalWindowOuter::SetNewDocument(mozilla::dom::Document*, nsISupports*, bool, mozilla::dom::WindowGlobalChild*) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:2413:23
    #3 0x7f610482af10 in nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::dom::WindowGlobalChild*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:910:22
    #4 0x7f610482a38a in nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::dom::WindowGlobalChild*) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:693:10
    #5 0x7f610747a37f in nsDocShell::SetupNewViewer(nsIContentViewer*, mozilla::dom::WindowGlobalChild*) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:8123:7
    #6 0x7f610747924c in nsDocShell::Embed(nsIContentViewer*, mozilla::dom::WindowGlobalChild*, bool, bool) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5627:17
    #7 0x7f6107486ab1 in nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal*, nsIPrincipal*, nsIContentSecurityPolicy*, nsIURI*, mozilla::Maybe<nsILoadInfo::CrossOriginEmbedderPolicy> const&, bool, bool, mozilla::dom::WindowGlobalChild*) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6695:14
    #8 0x7f6107444eb1 in nsDocShell::EnsureContentViewer() /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6515:17
    #9 0x7f61074606c7 in GetDocument /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:3143:3
    #10 0x7f61074606c7 in non-virtual thunk to nsDocShell::GetDocument() /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
    #11 0x7f60ff6a611d in nsPIDOMWindowOuter::MaybeCreateDoc() /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:7700:45
    #12 0x7f61075d0130 in GetDoc /builds/worker/workspace/obj-build/dist/include/nsPIDOMWindow.h:843:7
    #13 0x7f61075d0130 in mozilla::a11y::DocManager::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/accessible/base/DocManager.cpp:235:43
    #14 0x7f60fe405fd6 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1348:3
    #15 0x7f60fe4046d5 in nsDocLoader::FireOnStateChange(nsIWebProgress*, nsIRequest*, int, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1311:14
    #16 0x7f60fe402c77 in nsDocLoader::OnStartRequest(nsIRequest*) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp
    #17 0x7f60fe40326c in non-virtual thunk to nsDocLoader::OnStartRequest(nsIRequest*) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp
    #18 0x7f60fc419976 in mozilla::net::nsLoadGroup::AddRequest(nsIRequest*, nsISupports*) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:485:22
    #19 0x7f60fd0bf073 in mozilla::net::DocumentChannelChild::AsyncOpen(nsIStreamListener*) /builds/worker/checkouts/gecko/netwerk/ipc/DocumentChannelChild.cpp:75:17
    #20 0x7f60fe412808 in nsURILoader::OpenURI(nsIChannel*, unsigned int, nsIInterfaceRequestor*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:696:17
    #21 0x7f61074a9461 in nsDocShell::OpenInitializedChannel(nsIChannel*, nsIURILoader*, unsigned int) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:10412:20
    #22 0x7f61074a0d91 in nsDocShell::DoURILoad(nsDocShellLoadState*, mozilla::Maybe<unsigned int>, nsIRequest**) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:10257:10
    #23 0x7f61073f7227 in nsDocShell::InternalLoad(nsDocShellLoadState*, mozilla::Maybe<unsigned int>) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:9393:8
    #24 0x7f6107446834 in nsDocShell::LoadURI(nsDocShellLoadState*, bool, bool) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:873:8
    #25 0x7f60ffad844d in nsFrameLoader::ReallyStartLoadingInternal() /builds/worker/checkouts/gecko/dom/base/nsFrameLoader.cpp:748:23
    #26 0x7f60ffad796e in nsFrameLoader::ReallyStartLoading() /builds/worker/checkouts/gecko/dom/base/nsFrameLoader.cpp:626:17
    #27 0x7f60ff836465 in mozilla::dom::Document::MaybeInitializeFinalizeFrameLoaders() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8836:13
    #28 0x7f60ff8f8b2f in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
    #29 0x7f60ff8f8b2f in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
    #30 0x7f60ff8f8b2f in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
    #31 0x7f60ff58ceb3 in nsContentUtils::RemoveScriptBlocker() /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:5581:15
    #32 0x7f60ff82718f in mozilla::dom::Document::EndUpdate() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7403:3
    #33 0x7f60ff4fab26 in mozAutoDocUpdate::~mozAutoDocUpdate() /builds/worker/checkouts/gecko/dom/base/mozAutoDocUpdate.h:34:18
    #34 0x7f60ffb17fae in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:2727:1
    #35 0x7f6100243602 in InsertBefore /builds/worker/checkouts/gecko/dom/base/nsINode.h:1981:12
    #36 0x7f6100243602 in AppendChild /builds/worker/checkouts/gecko/dom/base/nsINode.h:1988:12
    #37 0x7f6100243602 in mozilla::dom::Node_Binding::appendChild(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/NodeBinding.cpp:992:60

That seems to be another instance of bug 1405521 ?

Given that this requires GNOME_ACCESSIBILITY=1, I'm going to assume this is really an OOM triggered by GNOME_ACCESSIBILITY somehow.

I did find a couple of similar-looking crashes by looking for crashes with a11y::DocManager::OnStateChange, but the latest version was esr91.

bp-8cd49f9e-f844-45a2-a5fc-5087f0230216

Well, I guess I do see a couple of OOM-y crashes on ESR-102: bp-64a59ce6-f6c1-452f-a43b-6fd560230110

The test case looks very similar to bug 1645865, so maybe it isn't an a11y issue in general. Maybe we can dupe this over there or something.

Bug 1645865 was fixed. Is this still reproducible?

BTW, I guess this was critical/S2 by default as it was filed as a crash, but it's not actually that severe.

(In reply to Marco Castelluccio [:marco] from comment #11)

Bug 1645865 was fixed. Is this still reproducible?

^^^ ?

This testcase was last seen on 2019/12/16. I think we can safely close this bug for now.