Closed Bug 1919087 (CVE-2024-10459) Opened 9 months ago Closed 8 months ago

heap-use-after-free in [@ TableAwareParentFor]

Categories: Core :: Disability Access APIs, defect

Tracking
Status: VERIFIED FIXED
Target Milestone: 133 Branch
Tracking Status
firefox-esr115 132+ verified
firefox-esr128 132+ verified
firefox131 --- wontfix
firefox132 + verified
firefox133 + verified

People: Reporter: tsmith, Assigned: eeejay

References: Blocks 1 open bug

Details: 5 keywords, Whiteboard: [bugmon:bisected,confirmed] [adv-main132+r] [adv-esr128.4+r] [adv-esr115.17+r]

Attachments: 7 files

Attached file testcase.html

Found while fuzzing 20240914-99b3ca864422 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid> --xvfb

The test case is not completely reduced but should be stable enough to work with bugmon.

==197721==ERROR: AddressSanitizer: heap-use-after-free on address 0x521000306150 at pc 0x70f65ba1b3d7 bp 0x7fff9b22c450 sp 0x7fff9b22c448
READ of size 8 at 0x521000306150 thread T0 (Isolated Web Co)
    #0 0x70f65ba1b3d6 in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:314:27
    #1 0x70f65ba1b3d6 in operator mozilla::ComputedStyle * /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:327:12
    #2 0x70f65ba1b3d6 in Style /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:914:41
    #3 0x70f65ba1b3d6 in TableAwareParentFor /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:2383:15
    #4 0x70f65ba1b3d6 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:2884:11
    #5 0x70f65ba19eb5 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3046:32
    #6 0x70f65ba19eb5 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3046:32
    #7 0x70f65ba19eb5 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3046:32
    #8 0x70f65ba19eb5 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3046:32
    #9 0x70f65ba1ccdc in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3265:28
    #10 0x70f65b9dac86 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3370:3
    #11 0x70f65b9d994a in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4369:37
    #12 0x70f65b964de0 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1455:5
    #13 0x70f65b964de0 in nsRefreshDriver::FlushLayoutOnPendingDocsAndFixUpFocus() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2199:31
    #14 0x70f65b962552 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2782:3
    #15 0x70f65b9760e7 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:13
    #16 0x70f65b9760e7 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:346:7
    #17 0x70f65b975dfa in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:362:5
    #18 0x70f65b975a71 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:952:5
    #19 0x70f65b974a97 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:862:5
    #20 0x70f65b973628 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:759:5
    #21 0x70f65b972c38 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:593:14
    #22 0x70f65b972875 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:550:9
    #23 0x70f65a3b377b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
    #24 0x70f65a839da4 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:235:78
    #25 0x70f652702c60 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:4932:32
    #26 0x70f65266e855 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1785:25
    #27 0x70f65266aa8f in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1712:9
    #28 0x70f65266b9b1 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1503:3
    #29 0x70f65266cf03 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1603:14
    #30 0x70f6510c8a5a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:618:16
    #31 0x70f6510b4d1e in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:945:26
    #32 0x70f6510b2538 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:768:15
    #33 0x70f6510b2b56 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:554:36
    #34 0x70f6510cfd31 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:268:37
    #35 0x70f6510cfd31 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
    #36 0x70f6510f021f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1155:16
    #37 0x70f6510faf78 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #38 0x70f6526767fe in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #39 0x70f65255c0a4 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #40 0x70f65255c0a4 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #41 0x70f65255c0a4 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #42 0x70f65b2a69b9 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #43 0x70f65b43fe7a in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
    #44 0x70f65d09a85d in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:710:20
    #45 0x70f65255c0a4 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #46 0x70f65255c0a4 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #47 0x70f65255c0a4 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #48 0x70f65d099e45 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:645:34
    #49 0x5e1d76976669 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:403:22
    #50 0x70f671429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #51 0x70f671429e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #52 0x5e1d7689e4c8 in _start (/home/user/workspace/browsers/m-c-20240912092307-fuzzing-asan-opt/firefox+0xcd4c8) (BuildId: fb74c84f0fc07c95a1bce2fd4104f88eff873825)

0x521000306150 is located 1104 bytes inside of 4096-byte region [0x521000305d00,0x521000306d00)
freed by thread T0 (Isolated Web Co) here:
    #0 0x5e1d76936d56 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
    #1 0x70f652573461 in free_<char> /builds/worker/workspace/obj-build/dist/include/mozilla/mozalloc.h:179:5
    #2 0x70f652573461 in mozilla::BufferList<InfallibleAllocPolicy>::Clear() /builds/worker/workspace/obj-build/dist/include/mozilla/BufferList.h:163:15
    #3 0x70f65256217d in mozilla::BufferList<InfallibleAllocPolicy>::~BufferList() /builds/worker/workspace/obj-build/dist/include/mozilla/BufferList.h:115:19
    #4 0x70f65257eebf in IPC::Message::~Message() /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message.cc:22:53
    #5 0x70f65257ef9d in IPC::Message::~Message() /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message.cc:22:21
    #6 0x70f652579451 in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:460:5
    #7 0x70f652579451 in reset /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:302:7
    #8 0x70f652579451 in ~UniquePtr /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:250:18
    #9 0x70f652579451 in OutputQueuePop /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_channel_posix.cc:853:1
    #10 0x70f652579451 in IPC::Channel::ChannelImpl::ProcessOutgoingMessages() /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_channel_posix.cc:764:7
    #11 0x70f65257d027 in IPC::Channel::ChannelImpl::Send(mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_channel_posix.cc:799:12
    #12 0x70f65257e33f in IPC::Channel::Send(mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_channel_posix.cc:1193:25
    #13 0x70f65267b949 in mozilla::ipc::NodeChannel::SendMessage(mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/NodeChannel.cpp:198:18
    #14 0x70f65267b662 in mozilla::ipc::NodeChannel::SendEventMessage(mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/NodeChannel.cpp:133:3
    #15 0x70f652680c8b in mozilla::ipc::NodeController::ContactRemotePeer(mojo::core::ports::NodeName const&, mozilla::UniquePtr<mojo::core::ports::Event, mozilla::DefaultDelete<mojo::core::ports::Event>>) /builds/worker/checkouts/gecko/ipc/glue/NodeController.cpp:390:13
    #16 0x70f6526817ce in mozilla::ipc::NodeController::ForwardEvent(mojo::core::ports::NodeName const&, mozilla::UniquePtr<mojo::core::ports::Event, mozilla::DefaultDelete<mojo::core::ports::Event>>) /builds/worker/checkouts/gecko/ipc/glue/NodeController.cpp:401:5
    #17 0x70f65259083e in mojo::core::ports::Node::SendUserMessageInternal(mojo::core::ports::PortRef const&, mozilla::UniquePtr<mojo::core::ports::UserMessageEvent, mozilla::DefaultDelete<mojo::core::ports::UserMessageEvent>>*) /builds/worker/checkouts/gecko/ipc/chromium/src/mojo/core/ports/node.cc:1272:16
    #18 0x70f652590267 in mojo::core::ports::Node::SendUserMessage(mojo::core::ports::PortRef const&, mozilla::UniquePtr<mojo::core::ports::UserMessageEvent, mozilla::DefaultDelete<mojo::core::ports::UserMessageEvent>>) /builds/worker/checkouts/gecko/ipc/chromium/src/mojo/core/ports/node.cc:380:12
    #19 0x70f6526744fc in mozilla::ipc::NodeController::SendUserMessage(mojo::core::ports::PortRef const&, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/NodeController.cpp:150:19
    #20 0x70f652673e26 in mozilla::ipc::PortLink::SendMessage(mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageLink.cpp:133:16
    #21 0x70f65265d8d1 in mozilla::ipc::MessageChannel::SendMessageToLink(mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:799:10
    #22 0x70f65265c62d in mozilla::ipc::MessageChannel::Send(mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:768:3
    #23 0x70f6526928c3 in mozilla::ipc::IProtocol::ChannelSend(mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/ProtocolUtils.cpp:535:22
    #24 0x70f6535796f3 in mozilla::layers::PWebRenderBridgeChild::SendSetDisplayList(mozilla::layers::DisplayListData&&, mozilla::Span<mozilla::layers::OpDestroy const, 18446744073709551615ul>, unsigned long const&, mozilla::layers::BaseTransactionId<mozilla::layers::TransactionIdType> const&, bool const&, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, nsTSubstring<char> const&, mozilla::TimeStamp const&, mozilla::Span<mozilla::layers::CompositionPayload const, 18446744073709551615ul>) /builds/worker/workspace/obj-build/ipc/ipdl/PWebRenderBridgeChild.cpp:353:21
    #25 0x70f6538f19e8 in mozilla::layers::WebRenderBridgeChild::EndTransaction(mozilla::layers::DisplayListData&&, mozilla::layers::BaseTransactionId<mozilla::layers::TransactionIdType>, bool, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, nsTString<char> const&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderBridgeChild.cpp:125:20
    #26 0x70f653993e28 in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderLayerManager.cpp:461:28
    #27 0x70f65b9ef02e in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6513:19
    #28 0x70f65b1c41a3 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:406:18
    #29 0x70f65b1c35fb in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:341:22
    #30 0x70f65b1c6097 in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:896:5
    #31 0x70f65b1bf6d9 in nsViewManager::WillPaintWindow(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:573:7
    #32 0x70f65b1bf4b7 in nsView::WillPaintWindow(nsIWidget*) /builds/worker/checkouts/gecko/view/nsView.cpp:980:7
    #33 0x70f65b25987f in mozilla::widget::PuppetWidget::Paint() /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:972:31
    #34 0x70f65b259634 in mozilla::widget::PuppetWidget::WidgetPaintTask::Run() /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:960:14

previously allocated by thread T0 (Isolated Web Co) here:
    #0 0x5e1d76936fef in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
    #1 0x5e1d7697b1e5 in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x70f652572bad in pod_malloc<char> /builds/worker/workspace/obj-build/dist/include/mozilla/mozalloc.h:161:28
    #3 0x70f652572bad in mozilla::BufferList<InfallibleAllocPolicy>::AllocateSegment(unsigned long, unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/BufferList.h:406:33
    #4 0x70f652573739 in mozilla::BufferList<InfallibleAllocPolicy>::AllocateBytes(unsigned long, unsigned long*) /builds/worker/workspace/obj-build/dist/include/mozilla/BufferList.h:476:16
    #5 0x70f652564500 in mozilla::BufferList<InfallibleAllocPolicy>::WriteBytes(char const*, unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/BufferList.h:443:18
    #6 0x70f652563c7e in WriteBytes /builds/worker/checkouts/gecko/ipc/chromium/src/base/pickle.cc:471:3
    #7 0x70f652563c7e in Pickle::WriteInt32(int) /builds/worker/checkouts/gecko/ipc/chromium/src/base/pickle.cc:397:43
    #8 0x70f65393ef5e in WriteUInt32 /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:74:3
    #9 0x70f65393ef5e in Write /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:863:13
    #10 0x70f65393ef5e in WriteParam<unsigned int> /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:455:3
    #11 0x70f65393ef5e in Write /builds/worker/workspace/obj-build/dist/include/ipc/EnumSerializer.h:62:5
    #12 0x70f65393ef5e in WriteParam<const mozilla::wr::GeckoDisplayListType::Tag &> /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:455:3
    #13 0x70f65393ef5e in IPC::ParamTraits<mozilla::wr::GeckoDisplayListType>::Write(IPC::MessageWriter*, mozilla::wr::GeckoDisplayListType const&) /builds/worker/workspace/obj-build/dist/include/mozilla/layers/WebRenderMessageUtils.h:69:5
    #14 0x70f6538eb3f9 in WriteParam<const mozilla::wr::GeckoDisplayListType &> /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:455:3
    #15 0x70f6538eb3f9 in Write /builds/worker/workspace/obj-build/dist/include/mozilla/layers/WebRenderMessageUtils.h:106:5
    #16 0x70f6538eb3f9 in WriteParam<mozilla::wr::BuiltDisplayListDescriptor &> /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:455:3
    #17 0x70f6538eb3f9 in void mozilla::ipc::WriteIPDLParam<mozilla::wr::BuiltDisplayListDescriptor&>(IPC::MessageWriter*, mozilla::ipc::IProtocol*, mozilla::wr::BuiltDisplayListDescriptor&) /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/IPDLParamTraits.h:52:3
    #18 0x70f6538eaf31 in mozilla::ipc::IPDLParamTraits<mozilla::layers::DisplayListData>::Write(IPC::MessageWriter*, mozilla::ipc::IProtocol*, mozilla::layers::DisplayListData&&) /builds/worker/checkouts/gecko/gfx/layers/wr/RenderRootTypes.cpp:22:3
    #19 0x70f653579179 in Write<mozilla::layers::DisplayListData> /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:704:5
    #20 0x70f653579179 in WriteParam<mozilla::layers::DisplayListData> /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:455:3
    #21 0x70f653579179 in mozilla::layers::PWebRenderBridgeChild::SendSetDisplayList(mozilla::layers::DisplayListData&&, mozilla::Span<mozilla::layers::OpDestroy const, 18446744073709551615ul>, unsigned long const&, mozilla::layers::BaseTransactionId<mozilla::layers::TransactionIdType> const&, bool const&, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, nsTSubstring<char> const&, mozilla::TimeStamp const&, mozilla::Span<mozilla::layers::CompositionPayload const, 18446744073709551615ul>) /builds/worker/workspace/obj-build/ipc/ipdl/PWebRenderBridgeChild.cpp:303:5
    #22 0x70f6538f19e8 in mozilla::layers::WebRenderBridgeChild::EndTransaction(mozilla::layers::DisplayListData&&, mozilla::layers::BaseTransactionId<mozilla::layers::TransactionIdType>, bool, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&, nsTString<char> const&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderBridgeChild.cpp:125:20
    #23 0x70f653993e28 in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderLayerManager.cpp:461:28
    #24 0x70f65b9ef02e in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6513:19
    #25 0x70f65b1c41a3 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:406:18
    #26 0x70f65b1c35fb in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:341:22
    #27 0x70f65b1c6097 in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:896:5
    #28 0x70f65b1bf6d9 in nsViewManager::WillPaintWindow(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:573:7
    #29 0x70f65b1bf4b7 in nsView::WillPaintWindow(nsIWidget*) /builds/worker/checkouts/gecko/view/nsView.cpp:980:7
    #30 0x70f65b25987f in mozilla::widget::PuppetWidget::Paint() /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:972:31
    #31 0x70f65b259634 in mozilla::widget::PuppetWidget::WidgetPaintTask::Run() /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:960:14
    #32 0x70f6510c8a5a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:618:16
    #33 0x70f6510b4d1e in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:945:26
    #34 0x70f6510b2538 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:768:15
    #35 0x70f6510b2b56 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:554:36
    #36 0x70f6510cfd31 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:268:37
    #37 0x70f6510cfd31 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
    #38 0x70f6510f021f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1155:16
    #39 0x70f6510faf78 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #40 0x70f6526767fe in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #41 0x70f65255c0a4 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #42 0x70f65255c0a4 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #43 0x70f65255c0a4 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #44 0x70f65b2a69b9 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:314:27 in get
Shadow bytes around the buggy address:
  0x521000305e80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x521000305f00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x521000305f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x521000306000: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x521000306080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x521000306100: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
  0x521000306180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x521000306200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x521000306280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x521000306300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x521000306380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Attached file prefs.js

prefs.js for bugmon

A Pernosco session is available here: https://pernos.co/debug/f4IrbD_uZ_7MTvZ6Y70CKw/index.html

Keywords: pernosco

The stack looks odd, in that the use is a style data structure, but the allocation and free are IPC. I guess there could be style data sent over IPC. It looks like this is for PWebRenderBridgeChild::SendSetDisplayList.

Keywords: sec-high

Verified bug as reproducible on mozilla-central 20240918211346-1c5ae0e00db2.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 137b5966e6ec0a63006a36cac0a3f1c4e3f5cefe (20230921032132)
End: 99b3ca864422ae96e52d061a149c9e454a986443 (20240914211959)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisected,confirmed]

Tentatively triaging as S2 given that it's sec-high (with heap-use-after-free).

emilio, maybe you could take a look at the pernosco trace if you've got cycles?

Severity: -- → S2
Flags: needinfo?(emilio)

I think this is a bug triggered by our accessibility engine, though it might be an underlying layout bug. The issue is that, at this stack:

#0  0x00007ff91bb7a6f5 in nsLineBox::SetInvalidateTextRuns (this=0x5250002dfe48, aOn=false) at /builds/worker/checkouts/gecko/layout/generic/nsLineBox.h:129
#1  0x00007ff91be5b4f1 in BuildTextRuns (aDrawTarget=0x51000002fc40, aForFrame=0x5250002e0320, aLineContainer=0x5250002dfda8, aForFrameLine=0x0, aWhichTextRun=nsTextFrame::eInflated) at /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:1545
#2  0x00007ff91be59bc2 in nsTextFrame::EnsureTextRun (this=0x5250002e0320, aWhichTextRun=nsTextFrame::eInflated, aRefDrawTarget=0x0, aLineContainer=0x0, aLine=0x0, aFlowEndInTextRun=0x0) at /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:3022
#3  0x00007ff91be665bb in nsTextFrame::GetRenderedText (this=0x5250002e0320, aStartOffset=0, aEndOffset=4294967295, aOffsetType=nsIFrame::TextOffsetType::OffsetsInContentText, aTrimTrailingWhitespace=nsIFrame::TrailingWhitespace::DontTrim) at /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:10344
#4  0x00007ff91c80195c in nsTextEquivUtils::AppendTextEquivFromTextContent (aContent=0x50c000312a00, aString=0x7ff93b8ccf20) at /builds/worker/checkouts/gecko/accessible/base/nsTextEquivUtils.cpp:173
#5  0x00007ff91c800d0a in nsTextEquivUtils::AppendFromAccessible (aAccessible=0x50f00002c058, aString=0x7ff93b8ccf20) at /builds/worker/checkouts/gecko/accessible/base/nsTextEquivUtils.cpp:235
#6  0x00007ff91c8001cf in nsTextEquivUtils::AppendFromAccessibleChildren (aAccessible=0x50f00002bd88, aString=0x7ff93b8ccf20) at /builds/worker/checkouts/gecko/accessible/base/nsTextEquivUtils.cpp:222
#7  0x00007ff91c7ff5d7 in nsTextEquivUtils::GetNameFromSubtree (aAccessible=0x50f00002bd80, aName=...) at /builds/worker/checkouts/gecko/accessible/base/nsTextEquivUtils.cpp:66
#8  0x00007ff91c8745d2 in mozilla::a11y::LocalAccessible::NativeName (this=0x50f00002bd80, aName=...) at /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:2684
#9  0x00007ff91c8742d2 in mozilla::a11y::HyperTextAccessible::NativeName (this=0x50f00002bd80, aName=...) at /builds/worker/checkouts/gecko/accessible/generic/HyperTextAccessible.cpp:1017
#10 0x00007ff91c8bf7b9 in mozilla::a11y::HTMLLinkAccessible::NativeName (this=0x50f00002bd80, aName=...) at /builds/worker/checkouts/gecko/accessible/html/HTMLLinkAccessible.cpp:123
#11 0x00007ff91c8488bd in mozilla::a11y::LocalAccessible::Name (this=0x50f00002bd80, aName=...) at /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:131
#12 0x00007ff91c77bc8e in mozilla::a11y::EventQueue::PushNameOrDescriptionChange (this=0x5110001173c8, aOrigEvent=0x50b0000765a0) at /builds/worker/checkouts/gecko/accessible/base/EventQueue.cpp:84
#13 0x00007ff91c7b122e in mozilla::a11y::NotificationController::QueueMutationEvent (this=0x5110001173c0, aEvent=0x50b0000765a0) at /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:219
#14 0x00007ff91c780061 in mozilla::a11y::TreeMutation::BeforeRemoval (this=0x7ff93b8cba60, aChild=0x50f00002cb90, aNoShutdown=false) at /builds/worker/checkouts/gecko/accessible/base/EventTree.cpp:67
#15 0x00007ff91c85749c in mozilla::a11y::DocAccessible::ContentRemoved (this=0x5170000c7180, aChild=0x50f00002cb90) at /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2374
#16 0x00007ff91c85017f in mozilla::a11y::DocAccessible::ContentRemoved (this=0x5170000c7180, aContentNode=0x5120001a6140) at /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2407
#17 0x00007ff91c8578e1 in mozilla::a11y::DocAccessible::RecreateAccessible (this=0x5170000c7180, aContent=0x5120001a6140) at /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:1533
#18 0x00007ff91c7f138d in nsAccessibilityService::RecreateAccessible (this=0x5130000590c0, aPresShell=0x5210005af100, aContent=0x5120001a6140) at /builds/worker/checkouts/gecko/accessible/base/nsAccessibilityService.cpp:892
#19 0x00007ff91bd34314 in nsImageFrame::DisconnectMap (this=0x5250002e03c0) at /builds/worker/checkouts/gecko/layout/generic/nsImageFrame.cpp:486
#20 0x00007ff91bd346b0 in nsImageFrame::Destroy (this=0x5250002e03c0, aContext=...) at /builds/worker/checkouts/gecko/layout/generic/nsImageFrame.cpp:502
#21 0x00007ff91bbe7bcd in nsFrameList::DestroyFrames (this=0x5250002ef778, aContext=...) at /builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:36
#22 0x00007ff91bbe75ce in nsContainerFrame::Destroy (this=0x5250002ef6f0, aContext=...) at /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:234
#23 0x00007ff91bde1b66 in nsInlineFrame::Destroy (this=0x5250002ef6f0, aContext=...) at /builds/worker/checkouts/gecko/layout/generic/nsInlineFrame.cpp:177
#24 0x00007ff91bb94be0 in nsBlockFrame::DoRemoveFrame (this=0x5250002dfda8, aContext=..., aDeletedFrame=0x5250002ef6f0, aFlags=2) at /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7069
#25 0x00007ff91bb9376d in nsBlockFrame::RemoveFrame (this=0x5250002dfda8, aContext=..., aListID=mozilla::FrameChildListID::Principal, aOldFrame=0x5250002e0090) at /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:6234
#26 0x00007ff91b9469d6 in nsFrameManager::RemoveFrame (this=0x514000073240, aContext=..., aListID=mozilla::FrameChildListID::Principal, aOldFrame=0x5250002e0090) at /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:122
#27 0x00007ff91b9477d6 in nsCSSFrameConstructor::ContentRemoved (this=0x514000073240, aChild=0x50f00002a520, aOldNextSibling=0x50c000312d00, aFlags=nsCSSFrameConstructor::REMOVE_FOR_RECONSTRUCTION) at /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7550
#28 0x00007ff91b940f67 in nsCSSFrameConstructor::RecreateFramesForContent (this=0x514000073240, aContent=0x50f00002a520, aInsertionKind=nsCSSFrameConstructor::InsertionKind::Async) at /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8472
#29 0x00007ff91b948c52 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval (this=0x514000073240, aFrame=0x5250002e0280) at /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8317
#30 0x00007ff91b9472cd in nsCSSFrameConstructor::ContentRemoved (this=0x514000073240, aChild=0x50c0003124c0, aOldNextSibling=0x50e0000e7900, aFlags=nsCSSFrameConstructor::REMOVE_CONTENT) at /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7437
#31 0x00007ff91b857e3e in mozilla::PresShell::ContentRemoved (this=0x5210005af100, aChild=0x50c0003124c0, aPreviousSibling=0x0) at /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4605
#32 0x00007ff90fa99c71 in mozilla::dom::MutationObservers::NotifyContentRemoved(nsINode*, nsIContent*, nsIContent*)::$_0::operator()(nsIMutationObserver*) const (this=0x7ff93b789160, aObserver=0x5210005af100) at /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:188
#33 0x00007ff90fa4d68d in Notify<(NotifyPresShell)1, mozilla::dom::MutationObservers::NotifyContentRemoved(nsINode*, nsIContent*, nsIContent*)::$_0>(nsINode*, mozilla::dom::MutationObservers::NotifyContentRemoved(nsINode*, nsIContent*, nsIContent*)::$_0&&, unsigned int) (aNode=0x50f00002a520, aNotify=..., aCallback=128) at /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:91
#34 0x00007ff90fa4d447 in mozilla::dom::MutationObservers::NotifyContentRemoved (aContainer=0x50f00002a520, aChild=0x50c0003124c0, aPreviousSibling=0x0) at /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:187
#35 0x00007ff90fdf1055 in nsINode::RemoveChildNode (this=0x50f00002a520, aKid=0x50c0003124c0, aNotify=true) at /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:2328
#36 0x00007ff90f136cb9 in nsContentUtils::SetNodeTextContent (aContent=0x50f00002a520, aValue=..., aTryReuse=false) at /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:5901
#37 0x00007ff91599cd33 in mozilla::dom::HTMLAnchorElement::SetText (this=0x50f00002a520, aText=..., aRv=...) at /builds/worker/checkouts/gecko/dom/html/HTMLAnchorElement.cpp:167
#38 0x00007ff9121787e2 in mozilla::dom::HTMLAnchorElement_Binding::set_text (cx=0x51e000003c80, obj=(JSObject * const) 0x1e7e7b25c348 [object HTMLAnchorElement], void_self=0x50f00002a520, args=$JS::Value('A' <repeats 15 times>)) at ./HTMLAnchorElementBinding.cpp:729
#39 0x00007ff91235569b in mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy> (cx=0x51e000003c80, argc=1, vp=0x7ff93b994e88) at /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3216
#40 0x00007ff91dd59878 in CallJSNative (cx=0x51e000003c80, native=0x7ff912354708 <mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*)>, reason=js::CallReason::Setter, args=...) at /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:518
#41 js::InternalCallOrConstruct (cx=0x51e000003c80, args=..., construct=js::NO_CONSTRUCT, reason=js::CallReason::Setter) at /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612
#42 0x00007ff91dd5ad82 in InternalCall (cx=0x51e000003c80, args=..., reason=js::CallReason::Setter) at /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679
#43 0x00007ff91dd5b02b in js::Call (cx=0x51e000003c80, fval=$JS::Value((JSObject *) 0x1ebfa6998900 [object Function "text"]), thisv=$JS::Value((JSObject *) 0x1e7e7b25c348 [object HTMLAnchorElement]), args=..., rval=$JS::UndefinedValue(), reason=js::CallReason::Setter) at /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:711
#44 0x00007ff91dd5d922 in js::CallSetter (cx=0x51e000003c80, thisv=$JS::Value((JSObject *) 0x1e7e7b25c348 [object HTMLAnchorElement]), setter=$JS::Value((JSObject *) 0x1ebfa6998900 [object Function "text"]), v=$JS::Value('A' <repeats 15 times>)) at /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:842
#45 0x00007ff91e3c3a5f in SetExistingProperty (cx=0x51e000003c80, id=$jsid("text"), v=$JS::Value('A' <repeats 15 times>), receiver=$JS::Value((JSObject *) 0x1e7e7b25c348 [object HTMLAnchorElement]), pobj=(js::NativeObject * const) 0x7ff8f3001d40 [object HTMLAnchorElementPrototype] used_as_prototype, prop=..., result=...) at /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2707
#46 0x00007ff91e3c2cf2 in js::NativeSetProperty<(js::QualifiedBool)1> (cx=0x51e000003c80, obj=(js::NativeObject * const) 0x1e7e7b25c348 [object HTMLAnchorElement], id=$jsid("text"), v=$JS::Value('A' <repeats 15 times>), receiver=$JS::Value((JSObject *) 0x1e7e7b25c348 [object HTMLAnchorElement]), result=...) at /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2742
#47 0x00007ff91dcb63c6 in js::SetProperty (cx=0x51e000003c80, obj=(JSObject * const) 0x1e7e7b25c348 [object HTMLAnchorElement], id=$jsid("text"), v=$JS::Value('A' <repeats 15 times>), receiver=$JS::Value((JSObject *) 0x1e7e7b25c348 [object HTMLAnchorElement]), result=...) at /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:305
#48 0x00007ff91f81fed6 in js::jit::DoSetPropFallback (cx=0x51e000003c80, frame=0x7ffec8fb1358, stub=0x515000208258, stack=0x7ffec8fb1340, lhs=$JS::Value((JSObject *) 0x1e7e7b25c348 [object HTMLAnchorElement]), rhs=$JS::Value('A' <repeats 15 times>)) at /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1491

Basically we end up clobbering an nsPlaceholderFrame's mParent pointer to point to garbage. Then reading that garbage fails, not totally unexpectedly.

When running in a debug build, we get:

[Child 12329, Main Thread] ###!!! ASSERTION: aForFrame not found in block, someone lied to us: 'isValid', file /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:1464
[Child 12329, Main Thread] ###!!! ASSERTION: Someone lied to us about the block: 'backIterator.GetContainer() == block', file /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:1466
[12329] Assertion failure: mCurrent != mListLink (running past end), at /builds/worker/checkouts/gecko/layout/generic/nsLineBox.h:660

This looks like a very similar bug to bug 1703969, just with worse consequences... But I don't think this can happen without that accessibility call.

Component: CSS Parsing and Computation → Disability Access APIs
Flags: needinfo?(emilio)

Looks unwise of us to call LocalAccessible::Name at that stage. All we need is the ENameValueFlag and not the actual name string. I'll look to see if there is an alternative to this approach.

Looks like getting rid of Name() in that routine is hard. Instead, I deferred PushNameOrDescriptionChange to a tick so we don't prod layout in a problematic path. Waiting on try before I ask for review.

Assignee: nobody → eitan
Attachment #9427627 - Attachment description: WIP: Bug 1919087 - Defer PushNameOrDescriptionChange to WillRefresh tick. → Bug 1919087 - Defer PushNameOrDescriptionChange to WillRefresh tick. r?Jamie
Status: NEW → ASSIGNED

Comment on attachment 9427627 [details]
Bug 1919087 - Defer PushNameOrDescriptionChange to WillRefresh tick. r?Jamie

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Not easily. We moved some code out of an unsafe layout code path, but no fingers are pointing at an exploit.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: beta, release
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: There is a moderate amount of risk since this is not a trivial change.
  • How likely is this patch to cause regressions; how much testing does it need?: There is a moderate risk for regressions even though we have good test coverage.
  • Is the patch ready to land after security approval is given?: Yes
  • Is Android affected?: Yes
Attachment #9427627 - Flags: sec-approval?

I narrowed the regression range to this (2024-06-19 - 2024-06-20):
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7999d1a5d574ee541ca56d536b445ca3dfbdbfe0&tochange=389fe769c55c14205de4ea1c874a63b70abfdbd2

There were no accessibility changes in that time, but several layout ones. mozregression doesn't let me dig deeper into taskcluster builds for some reason.

Interestingly, esr 128 does not have this UAF (predates the regression timeframe), but esr 115 has a very similar one that is triggered in similar conditions. The patch in this bug should remedy this issue too.

Based on comment #11, this bug contains a bisection range found by mozregression. However, the Regressed by field is still not filled.

:eeejay, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Flags: needinfo?(eitan)
Keywords: regression

No. The bisection range is too big to point at a specific bug.

Flags: needinfo?(eitan)

Comment on attachment 9427627 [details]
Bug 1919087 - Defer PushNameOrDescriptionChange to WillRefresh tick. r?Jamie

Approved to land and request uplift

Attachment #9427627 - Flags: sec-approval? → sec-approval+

Since the method is deferred we need to do extra guesswork for possible
situations where the name has changed because we don't have the
privilege to calculate the name in-line when content is deleted.

I tried to account for all cases as we have in our test coverage. I
hope that if there are edge cases they are false positives, and we are
firing extra name changes and not the opposite.

Original Revision: https://phabricator.services.mozilla.com/D223877

Attachment #9431128 - Flags: approval-mozilla-beta?

beta Uplift Approval Request

  • User impact if declined: UAF possibility
  • Code covered by automated testing: yes
  • Fix verified in Nightly: no
  • Needs manual QE test: yes
  • Steps to reproduce for manual QE testing: grizzly.replay.bugzilla command in bug
  • Risk associated with taking this patch: moderate
  • Explanation of risk level: This is not a small change to how we generate name change events
  • String changes made/needed: none
  • Is Android affected?: yes
Flags: qe-verify+
Pushed by eisaacson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/cbbe203e630b Defer PushNameOrDescriptionChange to WillRefresh tick. r=Jamie

Backed out for debug build bustage:
https://hg.mozilla.org/integration/autoland/rev/7ae59c3c77cffb8799c7107fe31df4d251fdb1ad

Push with bustage
Failure log

[task 2024-10-15T20:56:11.241Z] 20:56:11    ERROR -  /builds/worker/checkouts/gecko/accessible/base/EventQueue.cpp:56:47: error: converting the enum constant to a boolean [-Werror,-Wint-in-bool-context]
[task 2024-10-15T20:56:11.241Z] 20:56:11     INFO -     56 |   MOZ_ASSERT(aType == RelationType::LABEL_FOR || RelationType::DESCRIPTION_FOR);
[task 2024-10-15T20:56:11.242Z] 20:56:11     INFO -        |                                               ^
[task 2024-10-15T20:56:11.242Z] 20:56:11    ERROR -  /builds/worker/checkouts/gecko/accessible/base/EventQueue.cpp:56:50: error: value of type 'mozilla::a11y::RelationType' is not contextually convertible to 'bool'
[task 2024-10-15T20:56:11.242Z] 20:56:11     INFO -     56 |   MOZ_ASSERT(aType == RelationType::LABEL_FOR || RelationType::DESCRIPTION_FOR);
[task 2024-10-15T20:56:11.243Z] 20:56:11     INFO -        |                                                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Flags: needinfo?(eitan)
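The bustage above comes from an assertion whose second alternative is a bare enum constant rather than a comparison, so the condition never actually tests `aType`. Gecko's RelationType is a scoped enum, which is why clang rejected it outright; the following added example (not Gecko code; the enum values, function and struct names are constructed) uses an unscoped enum so the same slip compiles silently, and places the defective predicate beside the corrected one so the difference is observable.

```cpp
#include <cassert>
#include <cstddef>

// Silence clang's "converting the enum constant to a boolean" warning so the
// deliberately wrong line below still builds under -Werror.
#pragma GCC diagnostic ignored "-Wint-in-bool-context"

// Constructed stand-in for mozilla::a11y::RelationType. The real one is an
// enum class (hence the hard error in the log); this one is unscoped on
// purpose so the bug compiles without complaint.
enum RelationType { LABEL_FOR = 1, DESCRIPTION_FOR = 2, LABELLED_BY = 3, DESCRIBED_BY = 4 };

// The condition as written in the backed-out patch: the right operand of ||
// is the constant DESCRIPTION_FOR, not a comparison. Any non-zero constant is
// true in boolean context, so the expression is true for every aType and an
// assertion built on it can never fire.
bool IsLabelOrDescriptionBuggy(RelationType aType) {
  return aType == LABEL_FOR || DESCRIPTION_FOR;
}

// Corrected form: both alternatives compare aType.
bool IsLabelOrDescriptionFixed(RelationType aType) {
  return aType == LABEL_FOR || aType == DESCRIPTION_FOR;
}

// Count how many of the constructed values each predicate accepts: the buggy
// one accepts all of them, the fixed one exactly the two intended.
struct AcceptCounts {
  size_t buggy;
  size_t fixed;
};

AcceptCounts CountAccepted() {
  const RelationType all[] = {LABEL_FOR, DESCRIPTION_FOR, LABELLED_BY, DESCRIBED_BY};
  AcceptCounts counts = {0, 0};
  for (RelationType t : all) {
    if (IsLabelOrDescriptionBuggy(t)) ++counts.buggy;
    if (IsLabelOrDescriptionFixed(t)) ++counts.fixed;
  }
  return counts;
}
```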
Flags: needinfo?(eitan)
Pushed by eisaacson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/690948396604 Defer PushNameOrDescriptionChange to WillRefresh tick. r=Jamie
Group: layout-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → 133 Branch
QA Whiteboard: [qa-triaged]

Verified bug as fixed on rev mozilla-central 20241017205015-d9805f1059e4.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

(In reply to Eitan Isaacson [:eeejay] from comment #10)

  • Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: beta, release

(In reply to Eitan Isaacson [:eeejay] from comment #12)

Interestingly, esr 128 does not have this UAF (predates the regression timeframe), but esr 115 has a very similar one that is triggered in similar conditions. The patch in this bug should remedy this issue too.

I'm a bit confused about what the status of ESR128 & ESR115 is based on these two comments, but if we need to fix this bug on those branches as well, the patch applies cleanly to ESR128 but needs rebasing for ESR115. Please attach a rebased patch and request uplift on it so we can include the fix in next week's RC builds. Thanks!

Flags: needinfo?(eitan)

Since the method is deferred we need to do extra guesswork for possible
situations where the name has changed because we don't have the
privilege to calculate the name in-line when content is deleted.

I tried to account for all cases as we have in our test coverage. I
hope that if there are edge cases they are false positives, and we are
firing extra name changes and not the opposite.

Original Revision: https://phabricator.services.mozilla.com/D223877

Attachment #9431935 - Flags: approval-mozilla-esr115?
Flags: needinfo?(eitan)
Attachment #9431128 - Flags: approval-mozilla-esr128?
Attachment #9431128 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

I have reproduced this issue with an affected asan Nightly (2024-09-16) build, following STR from comment 0. Tested with Ubuntu 20.04 x64.

The issue is verified as fixed using asan builds, 133.0a1 Nightly and 132.0b10 Beta under Ubuntu 20.04 x64.

Flags: qe-verify+

Comment on attachment 9431128 [details]
Bug 1919087 - Defer PushNameOrDescriptionChange to WillRefresh tick. r?Jamie

Approved for 128.4esr and 115.17esr.

Attachment #9431128 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+
Attachment #9431935 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed] [adv-main132+r] [adv-esr128.4+r] [adv-esr115.17+r]

This is also verified as fixed on asan builds, 128.4esr and 115.17esr under Ubuntu 20.04 x64.

Duplicate of this bug: 1926257
Alias: CVE-2024-10459
Group: core-security-release