Closed Bug 1818413 Opened 2 years ago Closed 2 years ago

crash near null in [@ mozilla::a11y::HTMLImageMapAccessible::UpdateChildAreas]

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
112 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox110 --- unaffected
firefox111 --- unaffected
firefox112 --- verified

People

(Reporter: tsmith, Assigned: sefeng)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(3 files)

testcase.html
(deleted), text/html
Details
prefs.js
(deleted), application/x-javascript
Details
Bug 1818413 - Add some null pointer checks in HTMLImageMapAccessible::UpdateChildAreas r=jamie
(deleted), text/x-phabricator-request
Details
Attached file testcase.html (deleted) —

Found while fuzzing m-c 20230214-f45ac8766b61 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

==159075==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000006d (pc 0x7f13973f11c4 bp 0x7fff4be9e3b0 sp 0x7fff4be9e260 T0)
==159075==The signal is caused by a READ memory access.
==159075==Hint: address points to the zero page.
    #0 0x7f13973f11c4 in QueryFrame /builds/worker/workspace/obj-build/dist/include/nsQueryFrame.h:131:53
    #1 0x7f13973f11c4 in operator nsImageFrame *<nsImageFrame> /builds/worker/workspace/obj-build/dist/include/nsQueryFrame.h:107:19
    #2 0x7f13973f11c4 in mozilla::a11y::HTMLImageMapAccessible::UpdateChildAreas(bool) /gecko/accessible/html/HTMLImageMapAccessible.cpp:64:30
    #3 0x7f1393a72b76 in nsImageFrame::GetImageMap() /gecko/layout/generic/nsImageFrame.cpp:2422:18
    #4 0x7f1393a72303 in nsImageFrame::Init(nsIContent*, nsContainerFrame*, nsIFrame*) /gecko/layout/generic/nsImageFrame.cpp:516:3
    #5 0x7f139377feb3 in nsCSSFrameConstructor::InitAndRestoreFrame(nsFrameConstructorState const&, nsIContent*, nsContainerFrame*, nsIFrame*, bool) /gecko/layout/base/nsCSSFrameConstructor.cpp:4637:14
    #6 0x7f139378f8f8 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:3786:7
    #7 0x7f1393795d1a in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:5597:3
    #8 0x7f1393780568 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:9537:5
    #9 0x7f1393781b00 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /gecko/layout/base/nsCSSFrameConstructor.cpp:9819:3
    #10 0x7f13937874d3 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /gecko/layout/base/nsCSSFrameConstructor.cpp:10675:3
    #11 0x7f139378dcb2 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:4623:3
    #12 0x7f139378f962 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:3761:16
    #13 0x7f1393795d1a in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:5597:3
    #14 0x7f1393780568 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:9537:5
    #15 0x7f1393781b00 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /gecko/layout/base/nsCSSFrameConstructor.cpp:9819:3
    #16 0x7f13937874d3 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /gecko/layout/base/nsCSSFrameConstructor.cpp:10675:3
    #17 0x7f139378dcb2 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:4623:3
    #18 0x7f139378f962 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:3761:16
    #19 0x7f1393795d1a in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:5597:3
    #20 0x7f1393780568 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:9537:5
    #21 0x7f1393781b00 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /gecko/layout/base/nsCSSFrameConstructor.cpp:9819:3
    #22 0x7f13937874d3 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /gecko/layout/base/nsCSSFrameConstructor.cpp:10675:3
    #23 0x7f1393784fc8 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*) /gecko/layout/base/nsCSSFrameConstructor.cpp:2556:5
    #24 0x7f13937998b1 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind) /gecko/layout/base/nsCSSFrameConstructor.cpp:6898:9
    #25 0x7f139372f0b0 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /gecko/layout/base/RestyleManager.cpp:1593:25
    #26 0x7f1393737aa4 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /gecko/layout/base/RestyleManager.cpp:3165:9
    #27 0x7f13936fde26 in mozilla::RestyleManager::ProcessPendingRestyles() /gecko/layout/base/RestyleManager.cpp:3250:3
    #28 0x7f13936fc49a in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /gecko/layout/base/PresShell.cpp:4369:39
    #29 0x7f138d583107 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /gecko/dom/base/Document.cpp:10731:16
    #30 0x7f138d35dffe in mozilla::dom::AutoPrintEventDispatcher::DispatchEvent(bool) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/AutoPrintEventDispatcher.h:68:14
    #31 0x7f138d349aad in mozilla::dom::AutoPrintEventDispatcher::AutoPrintEventDispatcher(mozilla::dom::Document&, nsIPrintSettings*, bool) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/AutoPrintEventDispatcher.h:97:5
    #32 0x7f138d34571e in nsGlobalWindowOuter::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) /gecko/dom/base/nsGlobalWindowOuter.cpp:5272:30
    #33 0x7f138d2dfc3f in nsGlobalWindowInner::PrintPreview(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, mozilla::ErrorResult&) /gecko/dom/base/nsGlobalWindowInner.cpp:3940:3
    #34 0x7f138ed806d5 in mozilla::dom::Window_Binding::printPreview(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:3784:59
    #35 0x7f138f5d8b3c in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3318:13
    #36 0x7f1398492694 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:459:13
    #37 0x7f1398492694 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:547:12
    #38 0x7f139935d533 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /gecko/js/src/jit/BaselineIC.cpp:1591:10
    #39 0x187fb2506da8  (<unknown module>)
Flags: in-testsuite?
Attached file prefs.js (deleted) —

prefs.js file for bugmon

Severity: -- → S3

Verified bug as reproducible on mozilla-central 20230222214030-5bb3e281dc9e.
The bug appears to have been introduced in the following build range:

Start: dafb2e6890e11b74ec00d49c8f2767903a67aa92 (20230213153318)
End: 073223bab35f4149bf5665ec59b16684b7b9a65b (20230213163401)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=dafb2e6890e11b74ec00d49c8f2767903a67aa92&tochange=073223bab35f4149bf5665ec59b16684b7b9a65b

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

This was likely bug 1815913, but that also fixed some other obscure accessibility fuzzing bugs.

Perhaps the content's primary frame is null here for some reason for a short while? In that case, maybe a simple null check will suffice.

Crash Signature: [@ mozilla::a11y::HTMLImageMapAccessible::UpdateChildAreas]
Regressed by: 1815913

Set release status flags based on info from the regressing bug 1815913

:sefeng, since you are the author of the regressor, bug 1815913, could you take a look?

For more information, please visit auto_nag documentation.

status-firefox110: --- → unaffected
status-firefox111: --- → unaffected
status-firefox-esr102: --- → unaffected
Flags: needinfo?(sefeng)

Given Bug 1815913 made the initialization of ImageMap earlier,
calling HTMLImageMapAccessible::UpdateChildAreas along with that
can lead to some null pointer crashes when reading mContent.

This patch adds some null pointer checks to fix this.

Assignee: nobody → sefeng
Status: NEW → ASSIGNED

I've drafted a patch and landing it right now, so removing my NI.

Flags: needinfo?(sefeng)
Pushed by sefeng@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b345887154f9 Add some null pointer checks in HTMLImageMapAccessible::UpdateChildAreas r=Jamie

https://hg.mozilla.org/mozilla-central/rev/b345887154f9

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox112: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch

Verified bug as fixed on rev mozilla-central 20230309093044-c0aa24001283.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox112: fixedverified
Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: