Found while fuzzing m-c 20230509-a5468e749653 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

#0 0x7f7b66142271 in _$LT$servo_arc..RawOffsetArc$LT$T$GT$$u20$as$u20$core..ops..deref..Deref$GT$::deref::h76ba97fd269cd868 /builds/worker/checkouts/gecko/servo/components/servo_arc/lib.rs:1139:20
#1 0x7f7b66142271 in style::gecko_properties::_$LT$impl$u20$style..gecko_bindings..structs..root..ServoComputedData$GT$::get_box::h14c8d111ce6ac781 /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/style-ba52d9f018cc1d46/out/gecko_properties.rs:579:9
#2 0x7f7b66142271 in style::properties::_$LT$impl$u20$style..gecko_properties..ComputedValues$GT$::clone_overflow_x::h80aadd06a38ab638 /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/style-ba52d9f018cc1d46/out/properties.rs:66845:14
#3 0x7f7b66142271 in style::properties::_$LT$impl$u20$style..gecko_properties..ComputedValues$GT$::computed_or_resolved_declaration::h24ddb18a01f48750 /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/style-ba52d9f018cc1d46/out/properties.rs:74417:51
#4 0x7f7b650f8ab5 in geckoservo::glue::computed_or_resolved_value::h6a25ac593a51d228 /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:6919:13
#5 0x7f7b5bb146b7 in GetComputedPropertyValue /builds/worker/workspace/obj-build/dist/include/mozilla/ComputedStyle.h:69:5
#6 0x7f7b5bb146b7 in nsAccessibilityService::NotifyOfComputedStyleChange(mozilla::PresShell*, nsIContent*) /builds/worker/checkouts/gecko/accessible/base/nsAccessibilityService.cpp:545:15
#7 0x7f7b579500b0 in nsIFrame::DidSetComputedStyle(mozilla::ComputedStyle*) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:1159:19
#8 0x7f7b575e5b22 in SetComputedStyle /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:813:7
#9 0x7f7b575e5b22 in mozilla::RestyleManager::DoReparentComputedStyleForFirstLine(nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3739:11
#10 0x7f7b5767be65 in ReparentFrame /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:352:22
#11 0x7f7b5767be65 in ReparentFrames /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:362:5
#12 0x7f7b5767be65 in nsCSSFrameConstructor::WrapFramesInFirstLineFrame(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsFirstLineFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9894:3
#13 0x7f7b5763ff5f in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9839:5
#14 0x7f7b576490cb in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10649:3
#15 0x7f7b576532a4 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4603:3
#16 0x7f7b57655811 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3769:16
#17 0x7f7b5765e0c7 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5574:3
#18 0x7f7b5763e166 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9508:5
#19 0x7f7b57668761 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:6714:3
#20 0x7f7b575d634d in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1555:27
#21 0x7f7b575e29f4 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3179:9
#22 0x7f7b57592de8 in ProcessPendingRestyles /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3264:3
#23 0x7f7b57592de8 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4343:39
#24 0x7f7b574fc803 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1470:5
#25 0x7f7b574fc803 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2624:22
#26 0x7f7b57511aac in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:373:13
#27 0x7f7b57511aac in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
#28 0x7f7b575117ae in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:5
#29 0x7f7b57511421 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:911:5
#30 0x7f7b575106a6 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:825:5
#31 0x7f7b5750f264 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:746:5
#32 0x7f7b5750e86d in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#33 0x7f7b5750e3e5 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:549:9
#34 0x7f7b558d424b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#35 0x7f7b55e903e4 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#36 0x7f7b55c65284 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8771:32
#37 0x7f7b4d477cb5 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
#38 0x7f7b4d47362c in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
#39 0x7f7b4d474a1a in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#40 0x7f7b4d475fc3 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#41 0x7f7b4b84c15a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
#42 0x7f7b4b83ceaa in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:879:26
#43 0x7f7b4b839da7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:702:15
#44 0x7f7b4b83a68f in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
#45 0x7f7b4b851881 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
#46 0x7f7b4b851881 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#47 0x7f7b4b87d4fb in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239:16
#48 0x7f7b4b88af94 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#49 0x7f7b4d4824ce in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#50 0x7f7b4d2ac7ca in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
#51 0x7f7b4d2ac7ca in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#52 0x7f7b4d2ac7ca in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#53 0x7f7b56bd8309 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#54 0x7f7b5cb997b8 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:20
#55 0x7f7b4d2ac7ca in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
#56 0x7f7b4d2ac7ca in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#57 0x7f7b4d2ac7ca in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#58 0x7f7b5cb98e7e in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:673:34
#59 0x56359fac973e in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#60 0x56359fac973e in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#61 0x7f7b72229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#62 0x7f7b72229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#63 0x56359f9f2d58 in _start (/home/user/workspace/browsers/m-c-20230510213701-fuzzing-asan-opt/firefox+0x107d58) (BuildId: 1a6107a3fe794b68d29433eba1f4d947c1c8bb25)

prefs.js file for bugmon

frame->Style() can return null. We null check for other properties, but not for overflow.

Set release status flags based on info from the regressing bug 1825611

frame->Style() can't return null, but frame might be null

Please don't use GetComputedPropertyValue if you have a ComputedStyle handy? You have nsStyleDisplay::OverflowIsVisibleInBothAxis which seems exactly what you want and is more efficient.

Verified bug as reproducible on mozilla-central 20230511040639-da13ef752e22.
The bug appears to have been introduced in the following build range:

Start: a7a328c86d5bab5e73de7abf526304c96addccc3 (20230508201033)
End: cc7b419c4bbea93ee3364cf6749a0d6dcbb0a991 (20230508213519)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a7a328c86d5bab5e73de7abf526304c96addccc3&tochange=cc7b419c4bbea93ee3364cf6749a0d6dcbb0a991

The bug is marked as tracked for firefox115 (nightly). However, the bug still isn't assigned.

:fgriffith, could you please find an assignee for this tracked bug? Given that it is a regression and we know the cause, we could also simply backout the regressor. If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit BugBot documentation.

It looks like this is showing up on Nightly Fenix as [@ style::gecko_properties::<T>::box_ptr ]

I looked at a couple of crashes, and they were all null derefs with nsAccessibilityService::NotifyOfComputedStyleChange in the stack.

bp-2a75ea6e-5a8c-4d47-afcf-0c3ea0230514

It looks like it is also showing up in higher volume as [@ <servo_arc::RawOffsetArc<T> as core::ops::deref::Deref>::deref ] on Fenix and Firefox.

Fenix: bp-9a20e1de-23b6-4487-bd4d-37f2d0230515
Firefox: bp-71d53dc7-d32e-49ab-b706-d847b0230512

The bug is linked to topcrash signatures, which match the following criterion:

• Top 10 AArch64 and ARM crashes on nightly

For more information, please visit BugBot documentation.

https://hg.mozilla.org/mozilla-central/rev/8b6e154c789c

Verified bug as fixed on rev mozilla-central 20230517094542-85d90852b1c5.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Here's one more signature of this.

Copying crash signatures from duplicate bugs.