Bug 1696272 Comment 0 Edit History


First detected while fuzzing mozilla-central (m-c) 20210301-c2a11810933e
```
#0 0x7fd10f557e11 in mozilla::a11y::HTMLFileInputAccessible::CurrentItem() const src/accessible/html/HTMLFormControlAccessible.cpp:485:3
#1 0x7fd10f4fbb5c in mozilla::a11y::FocusManager::ProcessFocusEvent(mozilla::a11y::AccEvent*) src/accessible/base/FocusManager.cpp:285:43
#2 0x7fd10f4fb417 in mozilla::a11y::EventQueue::ProcessEventQueue() src/accessible/base/EventQueue.cpp:322:21
#3 0x7fd10f504d99 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) src/accessible/base/NotificationController.cpp:889:3
#4 0x7fd10e3ddd1e in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2138:12
#5 0x7fd10e3e60d1 in TickDriver src/layout/base/nsRefreshDriver.cpp:357:13
#6 0x7fd10e3e60d1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:336:7
#7 0x7fd10e3e5faf in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:351:5
#8 0x7fd10e3e5558 in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:799:5
#9 0x7fd10e3e5558 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:722:16
#10 0x7fd10e3e4e70 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() src/layout/base/nsRefreshDriver.cpp:624:7
#11 0x7fd10e3e48e9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:545:9
#12 0x7fd10dbc83e6 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) src/dom/ipc/VsyncChild.cpp:68:15
#13 0x7fd10a8ff0d0 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
#14 0x7fd10a69492c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6243:32
#15 0x7fd10a34fcae in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2153:25
#16 0x7fd10a34c26d in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2077:9
#17 0x7fd10a34d716 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1925:3
#18 0x7fd10a34e45b in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1956:13
#19 0x7fd109a1bfff in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:472:16
#20 0x7fd109a1a570 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:760:26
#21 0x7fd109a19334 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:611:15
#22 0x7fd109a194e7 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:395:36
#23 0x7fd109a1fe16 in operator() src/xpcom/threads/TaskController.cpp:133:37
#24 0x7fd109a1fe16 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#25 0x7fd109a31307 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1158:16
#26 0x7fd109a3795a in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#27 0x7fd10a355596 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
#28 0x7fd10a2c09e3 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#29 0x7fd10a2c08fd in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#30 0x7fd10a2c08fd in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#31 0x7fd10e12d028 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#32 0x7fd10f97c153 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:902:20
#33 0x7fd10a35647c in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:237:9
#34 0x7fd10a2c09e3 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#35 0x7fd10a2c08fd in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#36 0x7fd10a2c08fd in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#37 0x7fd10f97bd28 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:733:34
#38 0x5587adb6efa6 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#39 0x5587adb6efa6 in main src/browser/app/nsBrowserApp.cpp:309:18
#40 0x7fd11f7b30b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#41 0x5587adb4cd4c in _start (/home/worker/builds/m-c-20210301162538-fuzzing-debug/firefox-bin+0x14d4c)
```
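First detected while fuzzing mozilla-central (m-c) 20210301-c2a11810933e, using a fuzzing debug build (see the binary path in frame #41). The trace below begins at frame #0 in `HTMLFileInputAccessible::CurrentItem()`; the assertion or sanitizer header line is not included in this comment, so the failure type has to be taken from the attached log rather than from this trace.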

```
#0 0x7fd10f557e11 in mozilla::a11y::HTMLFileInputAccessible::CurrentItem() const src/accessible/html/HTMLFormControlAccessible.cpp:485:3
#1 0x7fd10f4fbb5c in mozilla::a11y::FocusManager::ProcessFocusEvent(mozilla::a11y::AccEvent*) src/accessible/base/FocusManager.cpp:285:43
#2 0x7fd10f4fb417 in mozilla::a11y::EventQueue::ProcessEventQueue() src/accessible/base/EventQueue.cpp:322:21
#3 0x7fd10f504d99 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) src/accessible/base/NotificationController.cpp:889:3
#4 0x7fd10e3ddd1e in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2138:12
#5 0x7fd10e3e60d1 in TickDriver src/layout/base/nsRefreshDriver.cpp:357:13
#6 0x7fd10e3e60d1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:336:7
#7 0x7fd10e3e5faf in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:351:5
#8 0x7fd10e3e5558 in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:799:5
#9 0x7fd10e3e5558 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:722:16
#10 0x7fd10e3e4e70 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() src/layout/base/nsRefreshDriver.cpp:624:7
#11 0x7fd10e3e48e9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:545:9
#12 0x7fd10dbc83e6 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) src/dom/ipc/VsyncChild.cpp:68:15
#13 0x7fd10a8ff0d0 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
#14 0x7fd10a69492c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6243:32
#15 0x7fd10a34fcae in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2153:25
#16 0x7fd10a34c26d in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2077:9
#17 0x7fd10a34d716 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1925:3
#18 0x7fd10a34e45b in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1956:13
#19 0x7fd109a1bfff in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:472:16
#20 0x7fd109a1a570 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:760:26
#21 0x7fd109a19334 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:611:15
#22 0x7fd109a194e7 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:395:36
#23 0x7fd109a1fe16 in operator() src/xpcom/threads/TaskController.cpp:133:37
#24 0x7fd109a1fe16 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#25 0x7fd109a31307 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1158:16
#26 0x7fd109a3795a in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#27 0x7fd10a355596 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
#28 0x7fd10a2c09e3 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#29 0x7fd10a2c08fd in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#30 0x7fd10a2c08fd in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#31 0x7fd10e12d028 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#32 0x7fd10f97c153 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:902:20
#33 0x7fd10a35647c in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:237:9
#34 0x7fd10a2c09e3 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#35 0x7fd10a2c08fd in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#36 0x7fd10a2c08fd in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#37 0x7fd10f97bd28 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:733:34
#38 0x5587adb6efa6 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#39 0x5587adb6efa6 in main src/browser/app/nsBrowserApp.cpp:309:18
#40 0x7fd11f7b30b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#41 0x5587adb4cd4c in _start (/home/worker/builds/m-c-20210301162538-fuzzing-debug/firefox-bin+0x14d4c)
```

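Note for bugmon: set the environment variable GNOME_ACCESSIBILITY=1 when reproducing; the failing frames are in the accessibility (`mozilla::a11y`) code, which must be active for this path to be reached.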
