Found while fuzzing m-c 20211112-b16763f1da6b (--enable-address-sanitizer --enable-fuzzing) A test case will be attached once reduction is complete. ``` ==17663==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100014fce0 at pc 0x7ff5396dcfca bp 0x7ffd4ee40170 sp 0x7ffd4ee40168 READ of size 8 at 0x61100014fce0 thread T0 (Web Content) #0 0x7ff5396dcfc9 in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27 #1 0x7ff5396dcfc9 in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:316:12 #2 0x7ff5396dcfc9 in OwnerDoc /gecko/dom/base/nsINode.h:647:12 #3 0x7ff5396dcfc9 in mozilla::dom::HTMLDialogElement::FocusDialog() /gecko/dom/html/HTMLDialogElement.cpp:201:34 #4 0x7ff5396dd474 in mozilla::dom::HTMLDialogElement::ShowModal(mozilla::ErrorResult&) /gecko/dom/html/HTMLDialogElement.cpp:143:3 #5 0x7ff538ace9f6 in mozilla::dom::HTMLDialogElement_Binding::showModal(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/HTMLDialogElementBinding.cpp:252:24 #6 0x7ff538cc9cad in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3300:13 #7 0x7ff54052b131 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:387:13 #8 0x7ff54052b131 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:474:12 #9 0x7ff54051777d in CallFromStack /gecko/js/src/vm/Interpreter.cpp:538:10 #10 0x7ff54051777d in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3242:16 #11 0x7ff5404fc7e1 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:356:13 #12 0x7ff54052b26c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:506:13 
#13 0x7ff54052d3bb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:551:8 #14 0x7ff5407a054d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:117:10 #15 0x7ff5388e089f in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:283:37 #16 0x7ff5395143d3 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12 #17 0x7ff539512904 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /gecko/dom/events/JSEventHandler.cpp:201:12 #18 0x7ff5394d9b48 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /gecko/dom/events/EventListenerManager.cpp:1123:22 #19 0x7ff5394db15c in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1314:17 #20 0x7ff5394c92ce in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:348:17 #21 0x7ff5394c7add in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, 
mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:550:16 #22 0x7ff5394cbd55 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /gecko/dom/events/EventDispatcher.cpp:1085:11 #23 0x7ff5394d1269 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /gecko/dom/events/EventDispatcher.cpp #24 0x7ff53721445a in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /gecko/dom/base/nsINode.cpp:1344:17 #25 0x7ff536c94e0f in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /gecko/dom/base/nsContentUtils.cpp:4289:28 #26 0x7ff536c94b53 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /gecko/dom/base/nsContentUtils.cpp:4259:10 #27 0x7ff53bcfac1f in mozilla::PendingFullscreenEvent::Dispatch() /builds/worker/workspace/obj-build/dist/include/mozilla/PendingFullscreenEvent.h:55:15 #28 0x7ff53bcfa8b2 in nsRefreshDriver::RunFullscreenSteps() /gecko/layout/base/nsRefreshDriver.cpp:1956:12 #29 0x7ff53bcf7753 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /gecko/layout/base/nsRefreshDriver.cpp:2347:7 #30 0x7ff53bd04897 in TickDriver /gecko/layout/base/nsRefreshDriver.cpp:353:13 #31 0x7ff53bd04897 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /gecko/layout/base/nsRefreshDriver.cpp:331:7 #32 0x7ff53bd045fd in 
mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:347:5 #33 0x7ff53bd04385 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:782:5 #34 0x7ff53bd039a5 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:705:16 #35 0x7ff53bd02f69 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /gecko/layout/base/nsRefreshDriver.cpp:622:7 #36 0x7ff53bd02711 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /gecko/layout/base/nsRefreshDriver.cpp:543:9 #37 0x7ff53aebf817 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /gecko/dom/ipc/VsyncChild.cpp:68:15 #38 0x7ff5357960a4 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:200:54 #39 0x7ff535382b7b in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6082:32 #40 0x7ff534d99559 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2043:25 #41 0x7ff534d96458 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:1968:9 #42 0x7ff534d97c72 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1827:3 #43 0x7ff534d98687 in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1855:14 #44 0x7ff5338d21b2 in mozilla::RunnableTask::Run() 
/gecko/xpcom/threads/TaskController.cpp:468:16 #45 0x7ff533897b7d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:771:26 #46 0x7ff5338950d8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:607:15 #47 0x7ff5338957e9 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:391:36 #48 0x7ff5338db7f1 in operator() /gecko/xpcom/threads/TaskController.cpp:124:37 #49 0x7ff5338db7f1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:531:5 #50 0x7ff5338b7ed7 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1175:16 #51 0x7ff5338c2ffc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:467:10 #52 0x7ff534da1eef in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21 #53 0x7ff534c21891 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10 #54 0x7ff534c21891 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3 #55 0x7ff534c21891 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3 #56 0x7ff53b7b4ed7 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27 #57 0x7ff540248fbf in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:917:20 #58 0x7ff534c21891 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10 #59 0x7ff534c21891 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3 #60 0x7ff534c21891 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3 #61 0x7ff5402481f2 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:749:34 #62 0x555abbe5a92d in content_process_main(mozilla::Bootstrap*, 
int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 #63 0x555abbe5ad58 in main /gecko/browser/app/nsBrowserApp.cpp:327:18 #64 0x7ff55216d0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16 #65 0x555abbda99f9 in _start (/home/worker/builds/m-c-20211112092317-fuzzing-asan-opt/firefox+0x5c9f9) 0x61100014fce0 is located 32 bytes inside of 232-byte region [0x61100014fcc0,0x61100014fda8) freed by thread T0 (Web Content) here: #0 0x555abbe25d62 in __interceptor_free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:111:3 #1 0x7ff536fbe47e in Free /builds/worker/workspace/obj-build/dist/include/nsNodeInfoManager.h:121:27 #2 0x7ff536fbe47e in nsIContent::Destroy() /gecko/dom/base/FragmentOrElement.cpp:150:1 #3 0x7ff5336dacd2 in SnowWhiteKiller::~SnowWhiteKiller() /gecko/xpcom/base/nsCycleCollector.cpp:2408:7 #4 0x7ff5336da138 in nsCycleCollector::FreeSnowWhite(bool) /gecko/xpcom/base/nsCycleCollector.cpp:2598:3 #5 0x7ff5336e228d in nsCycleCollector::BeginCollection(mozilla::CCReason, ccIsManual, nsICycleCollectorListener*) /gecko/xpcom/base/nsCycleCollector.cpp:3581:3 #6 0x7ff5336e18c0 in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) /gecko/xpcom/base/nsCycleCollector.cpp:3404:9 #7 0x7ff5336e50f3 in nsCycleCollector_collect(mozilla::CCReason, nsICycleCollectorListener*) /gecko/xpcom/base/nsCycleCollector.cpp:3909:28 #8 0x7ff53722f54f in nsJSContext::CycleCollectNow(mozilla::CCReason, nsICycleCollectorListener*) /gecko/dom/base/nsJSEnvironment.cpp:1372:3 #9 0x7ff538a01522 in mozilla::dom::FuzzingFunctions_Binding::cycleCollect(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/FuzzingFunctionsBinding.cpp:132:3 #10 0x7ff54052b131 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:387:13 #11 0x7ff54052b131 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, 
js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:474:12 #12 0x7ff54051777d in CallFromStack /gecko/js/src/vm/Interpreter.cpp:538:10 #13 0x7ff54051777d in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3242:16 #14 0x7ff5404fc7e1 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:356:13 #15 0x7ff54052b26c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:506:13 #16 0x7ff54052d3bb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:551:8 #17 0x7ff5407a054d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:117:10 #18 0x7ff5388e089f in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:283:37 #19 0x7ff5395143d3 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12 #20 0x7ff539512904 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /gecko/dom/events/JSEventHandler.cpp:201:12 #21 0x7ff5394d9b48 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /gecko/dom/events/EventListenerManager.cpp:1123:22 #22 0x7ff5394db15c in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, 
mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1314:17 previously allocated by thread T0 (Web Content) here: #0 0x555abbe25fcd in __interceptor_malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3 #1 0x7ff53720cbf0 in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/dom/DOMArena.h:43:17 #2 0x7ff53720cbf0 in nsNodeInfoManager::Allocate(unsigned long) /gecko/dom/base/nsNodeInfoManager.cpp:300:20 #3 0x7ff53970d074 in NS_NewHTMLIFrameElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /gecko/dom/html/HTMLIFrameElement.cpp:23:1 #4 0x7ff53988b8b5 in CreateHTMLElement(unsigned int, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /gecko/dom/html/nsHTMLContentSink.cpp:235:41 #5 0x7ff536cc0ccc in nsContentUtils::NewXULOrHTMLElement(mozilla::dom::Element**, mozilla::dom::NodeInfo*, mozilla::dom::FromParser, nsAtom*, mozilla::dom::CustomElementDefinition*) /gecko/dom/base/nsContentUtils.cpp:9463:18 #6 0x7ff53988b83d in NS_NewHTMLElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsAtom*, mozilla::dom::CustomElementDefinition*) /gecko/dom/html/nsHTMLContentSink.cpp:219:10 #7 0x7ff5372416b5 in NS_NewElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsTSubstring<char16_t> const*) /gecko/dom/base/nsNameSpaceManager.cpp:183:12 #8 0x7ff536f3111e in mozilla::dom::Document::CreateElem(nsTSubstring<char16_t> const&, nsAtom*, int, nsTSubstring<char16_t> const*) /gecko/dom/base/Document.cpp:11001:17 #9 0x7ff536f30c2f in mozilla::dom::Document::CreateElement(nsTSubstring<char16_t> const&, mozilla::dom::ElementCreationOptionsOrString const&, mozilla::ErrorResult&) /gecko/dom/base/Document.cpp:8354:26 #10 0x7ff53880bf8e in mozilla::dom::Document_Binding::createElement(JSContext*, 
JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:1506:74 #11 0x7ff538cc9cad in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3300:13 #12 0x7ff54052b131 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:387:13 #13 0x7ff54052b131 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:474:12 #14 0x7ff54051777d in CallFromStack /gecko/js/src/vm/Interpreter.cpp:538:10 #15 0x7ff54051777d in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3242:16 #16 0x7ff5404fc7e1 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:356:13 #17 0x7ff54052b26c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:506:13 #18 0x7ff54052d3bb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:551:8 #19 0x7ff5407a054d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:117:10 #20 0x7ff5388e089f in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:283:37 #21 0x7ff5395143d3 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, 
mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12 #22 0x7ff539512904 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /gecko/dom/events/JSEventHandler.cpp:201:12 ```
Bug 1740971 Comment 0 Edit History
Found while fuzzing m-c 20211112-b16763f1da6b (--enable-address-sanitizer --enable-fuzzing) A test case will be attached once reduction is complete. ``` ==353922==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100024a820 at pc 0x7ff301797fca bp 0x7ffc203f3110 sp 0x7ffc203f3108 READ of size 8 at 0x61100024a820 thread T0 (Web Content) #0 0x7ff301797fc9 in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27 #1 0x7ff301797fc9 in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:316:12 #2 0x7ff301797fc9 in OwnerDoc src/dom/base/nsINode.h:647:12 #3 0x7ff301797fc9 in mozilla::dom::HTMLDialogElement::FocusDialog() src/dom/html/HTMLDialogElement.cpp:201:34 #4 0x7ff301798474 in mozilla::dom::HTMLDialogElement::ShowModal(mozilla::ErrorResult&) src/dom/html/HTMLDialogElement.cpp:143:3 #5 0x7ff300b899f6 in mozilla::dom::HTMLDialogElement_Binding::showModal(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/HTMLDialogElementBinding.cpp:252:24 #6 0x7ff300d84cad in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3300:13 #7 0x7ff3085e6131 in CallJSNative src/js/src/vm/Interpreter.cpp:387:13 #8 0x7ff3085e6131 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:474:12 #9 0x7ff3085d277d in CallFromStack src/js/src/vm/Interpreter.cpp:538:10 #10 0x7ff3085d277d in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3242:16 #11 0x7ff3085b77e1 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:356:13 #12 0x7ff3085e626c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:506:13 #13 0x7ff3085e83bb in 
js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:551:8 #14 0x7ff30885b54d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/vm/CallAndConstruct.cpp:117:10 #15 0x7ff30099b89f in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:283:37 #16 0x7ff3015cf3d3 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12 #17 0x7ff3015cd904 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:201:12 #18 0x7ff301594b48 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1123:22 #19 0x7ff30159615c in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1314:17 #20 0x7ff3015842ce in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:348:17 #21 0x7ff301582add in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) 
src/dom/events/EventDispatcher.cpp:550:16 #22 0x7ff301586d55 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1085:11 #23 0x7ff30158c269 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp #24 0x7ff2ff2cf45a in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:1344:17 #25 0x7ff2fed4fe0f in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) src/dom/base/nsContentUtils.cpp:4289:28 #26 0x7ff2fed4fb53 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) src/dom/base/nsContentUtils.cpp:4259:10 #27 0x7ff303db5c1f in mozilla::PendingFullscreenEvent::Dispatch() /builds/worker/workspace/obj-build/dist/include/mozilla/PendingFullscreenEvent.h:55:15 #28 0x7ff303db58b2 in nsRefreshDriver::RunFullscreenSteps() src/layout/base/nsRefreshDriver.cpp:1956:12 #29 0x7ff303db2753 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) src/layout/base/nsRefreshDriver.cpp:2347:7 #30 0x7ff303dbf897 in TickDriver src/layout/base/nsRefreshDriver.cpp:353:13 #31 0x7ff303dbf897 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:331:7 #32 0x7ff303dbf5fd in 
mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:347:5 #33 0x7ff303dbf385 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:782:5 #34 0x7ff303dbe9a5 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:705:16 #35 0x7ff303dbdf69 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() src/layout/base/nsRefreshDriver.cpp:622:7 #36 0x7ff303dbd711 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:543:9 #37 0x7ff302f7a817 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) src/dom/ipc/VsyncChild.cpp:68:15 #38 0x7ff2fd8510a4 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:200:54 #39 0x7ff2fd43db7b in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6082:32 #40 0x7ff2fce54559 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2043:25 #41 0x7ff2fce51458 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:1968:9 #42 0x7ff2fce52c72 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1827:3 #43 0x7ff2fce53687 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1855:14 #44 0x7ff2fb98d1b2 in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:468:16 #45 
0x7ff2fb952b7d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:771:26 #46 0x7ff2fb9500d8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:607:15 #47 0x7ff2fb9507e9 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:391:36 #48 0x7ff2fb996824 in operator() src/xpcom/threads/TaskController.cpp:127:37 #49 0x7ff2fb996824 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() src/xpcom/threads/nsThreadUtils.h:531:5 #50 0x7ff2fb972ed7 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1175:16 #51 0x7ff2fb97dffc in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:467:10 #52 0x7ff2fce5cee4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:107:5 #53 0x7ff2fccdc891 in RunInternal src/ipc/chromium/src/base/message_loop.cc:331:10 #54 0x7ff2fccdc891 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3 #55 0x7ff2fccdc891 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3 #56 0x7ff30386fed7 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27 #57 0x7ff308303fbf in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:917:20 #58 0x7ff2fccdc891 in RunInternal src/ipc/chromium/src/base/message_loop.cc:331:10 #59 0x7ff2fccdc891 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3 #60 0x7ff2fccdc891 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3 #61 0x7ff3083031f2 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:749:34 #62 0x55ccf10c892d in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 #63 0x55ccf10c8d58 in main 
src/browser/app/nsBrowserApp.cpp:327:18 #64 0x7ff31a2280b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16 #65 0x55ccf10179f9 in _start (/home/user/workspace/browsers/m-c-20211112092317-fuzzing-asan-opt/firefox+0x5c9f9) 0x61100024a820 is located 32 bytes inside of 232-byte region [0x61100024a800,0x61100024a8e8) freed by thread T0 (Web Content) here: #0 0x55ccf1093d62 in __interceptor_free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:111:3 #1 0x7ff2ff07947e in Free /builds/worker/workspace/obj-build/dist/include/nsNodeInfoManager.h:121:27 #2 0x7ff2ff07947e in nsIContent::Destroy() src/dom/base/FragmentOrElement.cpp:150:1 #3 0x7ff2fb795cd2 in SnowWhiteKiller::~SnowWhiteKiller() src/xpcom/base/nsCycleCollector.cpp:2408:7 #4 0x7ff2fb795138 in nsCycleCollector::FreeSnowWhite(bool) src/xpcom/base/nsCycleCollector.cpp:2598:3 #5 0x7ff2fb79d28d in nsCycleCollector::BeginCollection(mozilla::CCReason, ccIsManual, nsICycleCollectorListener*) src/xpcom/base/nsCycleCollector.cpp:3581:3 #6 0x7ff2fb79c8c0 in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) src/xpcom/base/nsCycleCollector.cpp:3404:9 #7 0x7ff2fb7a00f3 in nsCycleCollector_collect(mozilla::CCReason, nsICycleCollectorListener*) src/xpcom/base/nsCycleCollector.cpp:3909:28 #8 0x7ff2ff2ea54f in nsJSContext::CycleCollectNow(mozilla::CCReason, nsICycleCollectorListener*) src/dom/base/nsJSEnvironment.cpp:1372:3 #9 0x7ff300abc522 in mozilla::dom::FuzzingFunctions_Binding::cycleCollect(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/FuzzingFunctionsBinding.cpp:132:3 #10 0x7ff3085e6131 in CallJSNative src/js/src/vm/Interpreter.cpp:387:13 #11 0x7ff3085e6131 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:474:12 #12 0x7ff3085d277d in CallFromStack 
src/js/src/vm/Interpreter.cpp:538:10 #13 0x7ff3085d277d in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3242:16 #14 0x7ff3085b77e1 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:356:13 #15 0x7ff3085e626c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:506:13 #16 0x7ff3085e83bb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:551:8 #17 0x7ff30885b54d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/vm/CallAndConstruct.cpp:117:10 #18 0x7ff30099b89f in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:283:37 #19 0x7ff3015cf3d3 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12 #20 0x7ff3015cd904 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:201:12 #21 0x7ff301594b48 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1123:22 #22 0x7ff30159615c in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) 
src/dom/events/EventListenerManager.cpp:1314:17 #23 0x7ff3015842ce in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:348:17 #24 0x7ff301582add in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:550:16 #25 0x7ff301586d55 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1085:11 #26 0x7ff2ff2b0f73 in FocusBlurEvent::Run() src/dom/base/nsFocusManager.cpp:2723:12 #27 0x7ff2fed5bef8 in nsContentUtils::AddScriptRunner(already_AddRefed<nsIRunnable>) src/dom/base/nsContentUtils.cpp:5734:13 #28 0x7ff2ff2657c3 in nsFocusManager::FireFocusOrBlurEvent(mozilla::EventMessage, mozilla::PresShell*, nsISupports*, bool, bool, mozilla::dom::EventTarget*) src/dom/base/nsFocusManager.cpp:2862:3 #29 0x7ff2ff264a7b in nsFocusManager::SendFocusOrBlurEvent(mozilla::EventMessage, mozilla::PresShell*, mozilla::dom::Document*, nsISupports*, bool, bool, mozilla::dom::EventTarget*) src/dom/base/nsFocusManager.cpp:2836:3 #30 0x7ff2ff26a52b in nsFocusManager::BlurImpl(mozilla::dom::BrowsingContext*, mozilla::dom::BrowsingContext*, bool, bool, mozilla::dom::Element*, unsigned long) src/dom/base/nsFocusManager.cpp:2445:7 #31 0x7ff2ff25bfaf in nsFocusManager::Blur(mozilla::dom::BrowsingContext*, mozilla::dom::BrowsingContext*, bool, bool, unsigned long, mozilla::dom::Element*) src/dom/base/nsFocusManager.cpp:2212:12 #32 0x7ff2ff255bb2 in nsFocusManager::SetFocusInner(mozilla::dom::Element*, int, bool, bool, unsigned long) src/dom/base/nsFocusManager.cpp:1744:12 previously allocated by thread T0 (Web Content) here: #0 0x55ccf1093fcd in 
__interceptor_malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3 #1 0x7ff2ff2c7bf0 in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/dom/DOMArena.h:43:17 #2 0x7ff2ff2c7bf0 in nsNodeInfoManager::Allocate(unsigned long) src/dom/base/nsNodeInfoManager.cpp:300:20 #3 0x7ff3017c8074 in NS_NewHTMLIFrameElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) src/dom/html/HTMLIFrameElement.cpp:23:1 #4 0x7ff3019468b5 in CreateHTMLElement(unsigned int, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) src/dom/html/nsHTMLContentSink.cpp:235:41 #5 0x7ff2fed7bccc in nsContentUtils::NewXULOrHTMLElement(mozilla::dom::Element**, mozilla::dom::NodeInfo*, mozilla::dom::FromParser, nsAtom*, mozilla::dom::CustomElementDefinition*) src/dom/base/nsContentUtils.cpp:9463:18 #6 0x7ff30194683d in NS_NewHTMLElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsAtom*, mozilla::dom::CustomElementDefinition*) src/dom/html/nsHTMLContentSink.cpp:219:10 #7 0x7ff2ff2fc6b5 in NS_NewElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsTSubstring<char16_t> const*) src/dom/base/nsNameSpaceManager.cpp:183:12 #8 0x7ff2fefec11e in mozilla::dom::Document::CreateElem(nsTSubstring<char16_t> const&, nsAtom*, int, nsTSubstring<char16_t> const*) src/dom/base/Document.cpp:11001:17 #9 0x7ff2fefebc2f in mozilla::dom::Document::CreateElement(nsTSubstring<char16_t> const&, mozilla::dom::ElementCreationOptionsOrString const&, mozilla::ErrorResult&) src/dom/base/Document.cpp:8354:26 #10 0x7ff3008c6f8e in mozilla::dom::Document_Binding::createElement(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:1506:74 #11 0x7ff300d84cad in bool 
mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3300:13 #12 0x7ff3085e6131 in CallJSNative src/js/src/vm/Interpreter.cpp:387:13 #13 0x7ff3085e6131 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:474:12 #14 0x7ff3085d277d in CallFromStack src/js/src/vm/Interpreter.cpp:538:10 #15 0x7ff3085d277d in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3242:16 #16 0x7ff3085b77e1 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:356:13 #17 0x7ff3085e626c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:506:13 #18 0x7ff3085e83bb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:551:8 #19 0x7ff30885b54d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/vm/CallAndConstruct.cpp:117:10 #20 0x7ff30099b89f in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:283:37 #21 0x7ff3015cf3d3 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12 #22 0x7ff3015cd904 in 
mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:201:12 #23 0x7ff301594b48 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1123:22 #24 0x7ff30159615c in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1314:17 #25 0x7ff3015842ce in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:348:17 #26 0x7ff301582add in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:550:16 #27 0x7ff301586d55 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1085:11 #28 0x7ff303ee964f in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1087:7 #29 0x7ff3076ae813 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6333:20 #30 0x7ff3076adb0b in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:5722:7 #31 0x7ff3076afadf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp #32 0x7ff2fdf01060 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1376:3 ```
Found while fuzzing m-c 20211112-b16763f1da6b (--enable-address-sanitizer --enable-fuzzing). A test case will be attached once reduction is complete. Reading the two stacks together: the freed node is read in HTMLDialogElement::FocusDialog() at HTMLDialogElement.cpp:201 (via OwnerDoc()), and it was freed underneath the Element::Focus() call made by the same function at HTMLDialogElement.cpp:188, where an event handler dispatched from nsFocusManager::BlurImpl() ran script that called FuzzingFunctions cycleCollect.
```
==354821==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110002aa720 at pc 0x7f8d597d4fca bp 0x7ffea45d4790 sp 0x7ffea45d4788 READ of size 8 at 0x6110002aa720 thread T0 (Web Content) #0 0x7f8d597d4fc9 in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27 #1 0x7f8d597d4fc9 in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:316:12 #2 0x7f8d597d4fc9 in OwnerDoc /builds/worker/checkouts/gecko/dom/base/nsINode.h:647:12 #3 0x7f8d597d4fc9 in mozilla::dom::HTMLDialogElement::FocusDialog() /builds/worker/checkouts/gecko/dom/html/HTMLDialogElement.cpp:201:34 #4 0x7f8d597d5474 in mozilla::dom::HTMLDialogElement::ShowModal(mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/html/HTMLDialogElement.cpp:143:3 #5 0x7f8d58bc69f6 in mozilla::dom::HTMLDialogElement_Binding::showModal(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/HTMLDialogElementBinding.cpp:252:24 #6 0x7f8d58dc1cad in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3300:13 #7 0x7f8d60623131 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:387:13 #8 0x7f8d60623131 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:474:12 #9 0x7f8d6060f77d in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:538:10 #10 0x7f8d6060f77d in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3242:16 #11 0x7f8d605f47e1 in js::RunScript(JSContext*, js::RunState&) 
/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:356:13 #12 0x7f8d6062326c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:506:13 #13 0x7f8d606253bb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:551:8 #14 0x7f8d6089854d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10 #15 0x7f8d589d889f in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:283:37 #16 0x7f8d5960c3d3 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12 #17 0x7f8d5960a904 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12 #18 0x7f8d595d1b48 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1123:22 #19 0x7f8d595d315c in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1314:17 
#20 0x7f8d595c12ce in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17 #21 0x7f8d595bfadd in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16 #22 0x7f8d595c3d55 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1085:11 #23 0x7f8d595c9269 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp #24 0x7f8d5730c45a in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1344:17 #25 0x7f8d56d8ce0f in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4289:28 #26 0x7f8d56d8cb53 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4259:10 #27 0x7f8d5bdf2c1f in mozilla::PendingFullscreenEvent::Dispatch() /builds/worker/workspace/obj-build/dist/include/mozilla/PendingFullscreenEvent.h:55:15 #28 0x7f8d5bdf28b2 in nsRefreshDriver::RunFullscreenSteps() 
/builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1956:12 #29 0x7f8d5bdef753 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2347:7 #30 0x7f8d5bdfc897 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:353:13 #31 0x7f8d5bdfc897 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:331:7 #32 0x7f8d5bdfc5fd in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:347:5 #33 0x7f8d5bdfc385 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:782:5 #34 0x7f8d5bdfb9a5 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:705:16 #35 0x7f8d5bdfaf69 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:622:7 #36 0x7f8d5bdfa711 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:543:9 #37 0x7f8d5afb7817 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncChild.cpp:68:15 #38 0x7f8d5588e0a4 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) 
/builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:200:54 #39 0x7f8d5547ab7b in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6082:32 #40 0x7f8d54e91559 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2043:25 #41 0x7f8d54e8e458 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1968:9 #42 0x7f8d54e8fc72 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1827:3 #43 0x7f8d54e90687 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1855:14 #44 0x7f8d539ca1b2 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:468:16 #45 0x7f8d5398fb7d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:771:26 #46 0x7f8d5398d0d8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:607:15 #47 0x7f8d5398d7e9 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:391:36 #48 0x7f8d539d37f1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:124:37 #49 0x7f8d539d37f1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:531:5 #50 0x7f8d539afed7 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1175:16 #51 
0x7f8d539baffc in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10 #52 0x7f8d54e99eef in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21 #53 0x7f8d54d19891 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10 #54 0x7f8d54d19891 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3 #55 0x7f8d54d19891 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3 #56 0x7f8d5b8aced7 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27 #57 0x7f8d60340fbf in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:917:20 #58 0x7f8d54d19891 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10 #59 0x7f8d54d19891 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3 #60 0x7f8d54d19891 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3 #61 0x7f8d603401f2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:749:34 #62 0x55877742c92d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 #63 0x55877742cd58 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327:18 #64 0x7f8d722650b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16 #65 0x55877737b9f9 in _start (/home/user/workspace/browsers/m-c-20211112092317-fuzzing-asan-opt/firefox+0x5c9f9) 0x6110002aa720 is located 32 bytes inside of 232-byte region [0x6110002aa700,0x6110002aa7e8) freed by thread T0 (Web Content) here: #0 0x5587773f7d62 in __interceptor_free 
/builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:111:3 #1 0x7f8d570b647e in Free /builds/worker/workspace/obj-build/dist/include/nsNodeInfoManager.h:121:27 #2 0x7f8d570b647e in nsIContent::Destroy() /builds/worker/checkouts/gecko/dom/base/FragmentOrElement.cpp:150:1 #3 0x7f8d537d2cd2 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2408:7 #4 0x7f8d537d2138 in nsCycleCollector::FreeSnowWhite(bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2598:3 #5 0x7f8d537da28d in nsCycleCollector::BeginCollection(mozilla::CCReason, ccIsManual, nsICycleCollectorListener*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3581:3 #6 0x7f8d537d98c0 in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3404:9 #7 0x7f8d537dd0f3 in nsCycleCollector_collect(mozilla::CCReason, nsICycleCollectorListener*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3909:28 #8 0x7f8d5732754f in nsJSContext::CycleCollectNow(mozilla::CCReason, nsICycleCollectorListener*) /builds/worker/checkouts/gecko/dom/base/nsJSEnvironment.cpp:1372:3 #9 0x7f8d58af9522 in mozilla::dom::FuzzingFunctions_Binding::cycleCollect(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/FuzzingFunctionsBinding.cpp:132:3 #10 0x7f8d60623131 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:387:13 #11 0x7f8d60623131 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:474:12 #12 0x7f8d6060f77d in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:538:10 #13 0x7f8d6060f77d in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3242:16 #14 0x7f8d605f47e1 
in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:356:13 #15 0x7f8d6062326c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:506:13 #16 0x7f8d606253bb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:551:8 #17 0x7f8d6089854d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10 #18 0x7f8d589d889f in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:283:37 #19 0x7f8d5960c3d3 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12 #20 0x7f8d5960a904 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12 #21 0x7f8d595d1b48 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1123:22 #22 0x7f8d595d315c in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) 
/builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1314:17 #23 0x7f8d595c12ce in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17 #24 0x7f8d595bfadd in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16 #25 0x7f8d595c3d55 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1085:11 #26 0x7f8d572edf73 in FocusBlurEvent::Run() /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2723:12 #27 0x7f8d56d98ef8 in nsContentUtils::AddScriptRunner(already_AddRefed<nsIRunnable>) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:5734:13 #28 0x7f8d572a27c3 in nsFocusManager::FireFocusOrBlurEvent(mozilla::EventMessage, mozilla::PresShell*, nsISupports*, bool, bool, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2862:3 #29 0x7f8d572a1a7b in nsFocusManager::SendFocusOrBlurEvent(mozilla::EventMessage, mozilla::PresShell*, mozilla::dom::Document*, nsISupports*, bool, bool, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2836:3 #30 0x7f8d572a752b in nsFocusManager::BlurImpl(mozilla::dom::BrowsingContext*, mozilla::dom::BrowsingContext*, bool, bool, mozilla::dom::Element*, unsigned long) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2445:7 #31 0x7f8d57298faf in nsFocusManager::Blur(mozilla::dom::BrowsingContext*, mozilla::dom::BrowsingContext*, bool, bool, unsigned long, mozilla::dom::Element*) 
/builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2212:12 #32 0x7f8d57292bb2 in nsFocusManager::SetFocusInner(mozilla::dom::Element*, int, bool, bool, unsigned long) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:1744:12 #33 0x7f8d57294995 in nsFocusManager::SetFocus(mozilla::dom::Element*, unsigned int) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:493:3 #34 0x7f8d5708339a in mozilla::dom::Element::Focus(mozilla::dom::FocusOptions const&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Element.cpp:469:16 #35 0x7f8d597d4d12 in mozilla::dom::HTMLDialogElement::FocusDialog() /builds/worker/checkouts/gecko/dom/html/HTMLDialogElement.cpp:188:14 #36 0x7f8d597d5474 in mozilla::dom::HTMLDialogElement::ShowModal(mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/html/HTMLDialogElement.cpp:143:3 #37 0x7f8d58bc69f6 in mozilla::dom::HTMLDialogElement_Binding::showModal(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/HTMLDialogElementBinding.cpp:252:24 #38 0x7f8d58dc1cad in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3300:13 #39 0x7f8d60623131 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:387:13 #40 0x7f8d60623131 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:474:12 #41 0x7f8d6060f77d in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:538:10 #42 0x7f8d6060f77d in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3242:16 #43 0x7f8d605f47e1 in js::RunScript(JSContext*, js::RunState&) 
/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:356:13 #44 0x7f8d6062326c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:506:13 #45 0x7f8d606253bb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:551:8 #46 0x7f8d6089854d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10 #47 0x7f8d589d889f in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:283:37 #48 0x7f8d5960c3d3 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12 #49 0x7f8d5960a904 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12 #50 0x7f8d595d1b48 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1123:22 #51 0x7f8d595d315c in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1314:17 
#52 0x7f8d595c12ce in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17 #53 0x7f8d595bfadd in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16 #54 0x7f8d595c3d55 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1085:11 #55 0x7f8d595c9269 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp #56 0x7f8d5730c45a in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1344:17 #57 0x7f8d56d8ce0f in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4289:28 #58 0x7f8d56d8cb53 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4259:10 #59 0x7f8d5bdf2c1f in mozilla::PendingFullscreenEvent::Dispatch() /builds/worker/workspace/obj-build/dist/include/mozilla/PendingFullscreenEvent.h:55:15 #60 0x7f8d5bdf28b2 in nsRefreshDriver::RunFullscreenSteps() 
/builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1956:12 #61 0x7f8d5bdef753 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2347:7 #62 0x7f8d5bdfc897 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:353:13 #63 0x7f8d5bdfc897 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:331:7 #64 0x7f8d5bdfc5fd in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:347:5 #65 0x7f8d5bdfc385 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:782:5 #66 0x7f8d5bdfb9a5 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:705:16 #67 0x7f8d5bdfaf69 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:622:7 #68 0x7f8d5bdfa711 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:543:9 #69 0x7f8d5afb7817 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncChild.cpp:68:15 #70 0x7f8d5588e0a4 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) 
/builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:200:54
    #71 0x7f8d5547ab7b in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6082:32
    #72 0x7f8d54e91559 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2043:25
    #73 0x7f8d54e8e458 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1968:9
    #74 0x7f8d54e8fc72 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1827:3
    #75 0x7f8d54e90687 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1855:14

previously allocated by thread T0 (Web Content) here:
    #0 0x5587773f7fcd in __interceptor_malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
    #1 0x7f8d57304bf0 in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/dom/DOMArena.h:43:17
    #2 0x7f8d57304bf0 in nsNodeInfoManager::Allocate(unsigned long) /builds/worker/checkouts/gecko/dom/base/nsNodeInfoManager.cpp:300:20
    #3 0x7f8d59805074 in NS_NewHTMLIFrameElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /builds/worker/checkouts/gecko/dom/html/HTMLIFrameElement.cpp:23:1
    #4 0x7f8d599838b5 in CreateHTMLElement(unsigned int, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /builds/worker/checkouts/gecko/dom/html/nsHTMLContentSink.cpp:235:41
    #5 0x7f8d56db8ccc in nsContentUtils::NewXULOrHTMLElement(mozilla::dom::Element**, mozilla::dom::NodeInfo*, mozilla::dom::FromParser, nsAtom*, mozilla::dom::CustomElementDefinition*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:9463:18
    #6 0x7f8d5998383d in
NS_NewHTMLElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsAtom*, mozilla::dom::CustomElementDefinition*) /builds/worker/checkouts/gecko/dom/html/nsHTMLContentSink.cpp:219:10 #7 0x7f8d573396b5 in NS_NewElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsTSubstring<char16_t> const*) /builds/worker/checkouts/gecko/dom/base/nsNameSpaceManager.cpp:183:12 #8 0x7f8d5702911e in mozilla::dom::Document::CreateElem(nsTSubstring<char16_t> const&, nsAtom*, int, nsTSubstring<char16_t> const*) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11001:17 #9 0x7f8d57028c2f in mozilla::dom::Document::CreateElement(nsTSubstring<char16_t> const&, mozilla::dom::ElementCreationOptionsOrString const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:8354:26 #10 0x7f8d58903f8e in mozilla::dom::Document_Binding::createElement(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:1506:74 #11 0x7f8d58dc1cad in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3300:13 #12 0x7f8d60623131 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:387:13 #13 0x7f8d60623131 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:474:12 #14 0x7f8d6060f77d in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:538:10 #15 0x7f8d6060f77d in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3242:16 #16 0x7f8d605f47e1 in js::RunScript(JSContext*, js::RunState&) 
/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:356:13 #17 0x7f8d6062326c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:506:13 #18 0x7f8d606253bb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:551:8 #19 0x7f8d6089854d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10 #20 0x7f8d589d889f in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:283:37 #21 0x7f8d5960c3d3 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12 #22 0x7f8d5960a904 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12 #23 0x7f8d595d1b48 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1123:22 #24 0x7f8d595d315c in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1314:17 
#25 0x7f8d595c12ce in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17 #26 0x7f8d595bfadd in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16 #27 0x7f8d595c3d55 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1085:11 #28 0x7f8d5bf2664f in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1087:7 #29 0x7f8d5f6eb813 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6333:20 #30 0x7f8d5f6eab0b in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5722:7 #31 0x7f8d5f6ecadf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp #32 0x7f8d55f3e060 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1376:3 #33 0x7f8d55f3cc74 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:974:14 #34 0x7f8d55f394a2 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:793:9 #35 0x7f8d55f3b665 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) 
/builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:676:5 #36 0x7f8d5f724d1b in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13586:23 #37 0x7f8d53d07f6e in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:614:22 #38 0x7f8d53d0a9b3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:518:10 #39 0x7f8d57047570 in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11555:18 #40 0x7f8d57001c96 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11485:9 #41 0x7f8d57025a1c in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7987:3 #42 0x7f8d570eb63f in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12 #43 0x7f8d570eb63f in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12 #44 0x7f8d570eb63f in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13 #45 0x7f8d5397dabf in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:144:20 #46 0x7f8d539ca1b2 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:468:16 #47 0x7f8d5398fb7d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:771:26 #48 0x7f8d5398d0d8 in 
mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:607:15 #49 0x7f8d5398d7e9 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:391:36 #50 0x7f8d539d37f1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:124:37 #51 0x7f8d539d37f1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:531:5 #52 0x7f8d539afed7 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1175:16 #53 0x7f8d539baffc in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10 #54 0x7f8d54e99eef in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21 #55 0x7f8d54d19891 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10 #56 0x7f8d54d19891 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3 #57 0x7f8d54d19891 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3 #58 0x7f8d5b8aced7 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27 #59 0x7f8d60340fbf in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:917:20 #60 0x7f8d54d19891 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10 #61 0x7f8d54d19891 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3 #62 0x7f8d54d19891 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3 #63 0x7f8d603401f2 in XRE_InitChildProcess(int, char**, XREChildData const*) 
/builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:749:34
    #64 0x55877742c92d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #65 0x55877742cd58 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327:18
    #66 0x7f8d722650b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
```