crash in mozilla::dom::nsContentPermissionRequester::nsContentPermissionRequester

RESOLVED FIXED in Firefox 46

Status: RESOLVED FIXED
Severity: critical
Reported: 3 years ago
Modified: 3 years ago

People

Reporter: martijn.martijn
Assignee: smaug

Tracking

Keywords: crash
Version: Trunk
Target Milestone: mozilla46
Hardware: Unspecified
OS: macOS
Points: ---

Firefox Tracking Flags

firefox46: fixed

Attachments

(1 attachment)

Description (Reporter)

3 years ago
I got this crash while doing some fuzzing. I can't really reproduce it very well, but it crashes quite often in this code when I repeat it.

This bug was filed from the Socorro interface and is report bp-99bd37fb-8436-436a-b2a0-ae0e22151231.
=============================================================
0 	XUL 	mozilla::dom::nsContentPermissionRequester::nsContentPermissionRequester(nsPIDOMWindow*) 	xpcom/glue/nsCOMPtr.h
1 	XUL 	nsPointerLockPermissionRequest::nsPointerLockPermissionRequest(mozilla::dom::Element*, bool) 	dom/base/nsDocument.cpp
2 	XUL 	mozilla::dom::FullscreenRequest::~FullscreenRequest() 	dom/base/nsDocument.cpp
3 	XUL 	nsCallRequestFullScreen::~nsCallRequestFullScreen() 	dom/base/nsDocument.cpp
4 	XUL 	nsRunnable::Release() 	xpcom/glue/nsThreadUtils.cpp
5 	XUL 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/glue/nsCOMPtr.h
6 	XUL 	NS_ProcessPendingEvents(nsIThread*, unsigned int) 	xpcom/glue/nsThreadUtils.cpp
7 	XUL 	nsBaseAppShell::NativeEventCallback() 	widget/nsBaseAppShell.cpp
8 	XUL 	nsAppShell::ProcessGeckoEvents(void*) 	widget/cocoa/nsAppShell.mm
Looks like a null + offset crash, and the relevant code indeed isn't null safe.
We may crash, for example, in VisibilityChangeListener::VisibilityChangeListener when executing
nsCOMPtr<nsIDocument> doc = aWindow->GetExtantDoc();
Assignee: nobody → bugs
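The pattern described in the comment above, as an added illustration that is not Firefox code and not the patch attached to this bug: a requester-style object whose constructor dereferences a window pointer unconditionally, beside the null-checked form, built from a destructor that runs when a queued runnable is released (the shape of the stack trace in the report). Document, Window, UnsafeRequester, SafeRequester and QueuedRequest are stand-in types assumed here for illustration, not Gecko's nsIDocument, nsPIDOMWindow or nsContentPermissionRequester.

```cpp
// Added example modelling the crash pattern discussed in this bug: a
// permission-requester object built, during teardown of a queued
// runnable, from a window pointer that can be null. This is not Firefox
// code; Document, Window, SafeRequester, UnsafeRequester and QueuedRequest
// are stand-ins assumed for illustration, not Gecko's nsIDocument,
// nsPIDOMWindow or nsContentPermissionRequester.
#include <memory>

struct Document {
    int mId;
};

// Stand-in for nsPIDOMWindow: a window that may no longer have a document.
struct Window {
    Document* mDoc = nullptr;
    Document* GetExtantDoc() const { return mDoc; }
};

// The shape that crashed: the initializer dereferences aWindow unconditionally.
// With aWindow == nullptr, GetExtantDoc() reads mDoc at a small offset from
// address 0, which is the "null + offset" access seen in the crash report.
// Kept only for contrast; it is never constructed with nullptr here.
struct UnsafeRequester {
    Document* mDoc;
    explicit UnsafeRequester(Window* aWindow) : mDoc(aWindow->GetExtantDoc()) {}
};

// The null-safe shape: check the window before touching it, so a torn-down
// window yields a requester without a document instead of a crash.
struct SafeRequester {
    Document* mDoc;
    explicit SafeRequester(Window* aWindow)
        : mDoc(aWindow ? aWindow->GetExtantDoc() : nullptr) {}
    bool HasDocument() const { return mDoc != nullptr; }
};

// Models the stack in the report: the requester is built from a destructor
// that runs when the event loop releases a queued runnable, by which time
// the window the runnable captured may already be gone.
struct QueuedRequest {
    Window* mWindow;
    bool* mOutHasDoc;
    QueuedRequest(Window* aWindow, bool* aOutHasDoc)
        : mWindow(aWindow), mOutHasDoc(aOutHasDoc) {}
    ~QueuedRequest() {
        SafeRequester requester(mWindow);  // before the fix: the unsafe form
        *mOutHasDoc = requester.HasDocument();
    }
};

// Builds a requester directly for aWindow; safe to call with nullptr.
bool RequesterHasDocument(Window* aWindow) {
    SafeRequester requester(aWindow);
    return requester.HasDocument();
}

// Queues a request for aWindow, then releases it as nsRunnable::Release()
// would, running the destructor. Returns whether a document was found.
bool ReleaseQueuedRequest(Window* aWindow) {
    bool hasDoc = false;
    {
        std::unique_ptr<QueuedRequest> request(new QueuedRequest(aWindow, &hasDoc));
    }  // request destroyed here, constructing the requester from mWindow
    return hasDoc;
}

// The failing scenario from the report: window already torn down (nullptr).
bool ReleaseWithGoneWindow() { return ReleaseQueuedRequest(nullptr); }

// The normal scenario: a live window that still has a document.
bool ReleaseWithLiveWindow() {
    Document doc{1};
    Window window;
    window.mDoc = &doc;
    return ReleaseQueuedRequest(&window);
}

// A live window whose document has already been detached.
bool ReleaseWithLiveWindowNoDoc() {
    Window window;
    return ReleaseQueuedRequest(&window);
}
```

The point of the QueuedRequest wrapper is that the null check has to live in the constructor being reached from the destructor path, not at the call site: the code that queued the runnable had a live window, and nothing at the release site re-validates it.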
Created attachment 8703732 [details] [diff] [review]
guess fix (null check)
Attachment #8703732 - Flags: review?(quanxunzhen)
Comment on attachment 8703732 [details] [diff] [review]
guess fix (null check)

Review of attachment 8703732 [details] [diff] [review]:
-----------------------------------------------------------------

Should work. Not sure how to reproduce this crash so not tested.
Attachment #8703732 - Flags: review?(quanxunzhen) → review+

Comment 5

3 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/96f1081a231c
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-firefox46: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
Comment 6 (Reporter)

3 years ago
I couldn't reproduce it anymore in 46.0a1 (2016-01-05), so I'm reasonably sure this fixed the crashes I was seeing (I was also seeing crashes with other stacktraces, which I now also don't get with this build anymore).

Updated

3 years ago
Blocks: 1261933