1245452 - NULL deref in nsFocusManager::WindowHidden()

Status: RESOLVED FIXED

Description

[Tim Taubert [:ttaubert] (inactive)]

Created attachment 8715241 [details]
[crash] webkit crash test

NULL deref is happening here:

https://hg.mozilla.org/mozilla-central/annotate/5f9ba76eb3b1/dom/base/nsFocusManager.cpp#l974

Backtrace:

* thread #1: tid = 0x4b73eb, 0x0000000100910481 XUL`nsCOMPtr<nsIDocShell>::operator->(this=0x00007fff5fbfb2c0) const + 97 at nsCOMPtr.h:733, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100910481 XUL`nsCOMPtr<nsIDocShell>::operator->(this=0x00007fff5fbfb2c0) const + 97 at nsCOMPtr.h:733
    frame #1: 0x00000001024ae47e XUL`nsFocusManager::WindowHidden(this=0x000000011d0c1f60, aWindow=0x000000016aba3c20) + 2014 at nsFocusManager.cpp:974
    frame #2: 0x0000000102281090 XUL`nsGlobalWindow::PageHidden(this=0x000000016aba6c00) + 224 at nsGlobalWindow.cpp:9732
    frame #3: 0x0000000102281039 XUL`nsGlobalWindow::PageHidden(this=0x000000016aba3c00) + 137 at nsGlobalWindow.cpp:9724
    frame #4: 0x00000001022810dc XUL`non-virtual thunk to nsGlobalWindow::PageHidden(this=0x000000016aba3c00) + 28 at nsGlobalWindow.cpp:9722
    frame #5: 0x0000000104cc8455 XUL`nsDocumentViewer::PageHide(this=0x0000000133e975e0, aIsUnload=true) + 357 at nsDocumentViewer.cpp:1284
    frame #6: 0x0000000105430f66 XUL`nsDocShell::FirePageHideNotification(this=0x0000000130440800, aIsUnload=true) + 246 at nsDocShell.cpp:1685
    frame #7: 0x000000010541b543 XUL`nsDocShell::CreateContentViewer(this=0x0000000130440800, aContentType=0x000000011d1926e0, aRequest=0x000000012ff34d80, aContentHandler=0x000000011d1926c8) + 867 at nsDocShell.cpp:8926
    frame #8: 0x000000010541a83d XUL`nsDSURIContentListener::DoContent(this=0x000000011d192580, aContentType=0x000000011d1926e0, aIsContentPreferred=false, aRequest=0x000000012ff34d80, aContentHandler=0x000000011d1926c8, aAbortProcess=0x00007fff5fbfbae7) + 845 at nsDSURIContentListener.cpp:129
    frame #9: 0x0000000101ba9741 XUL`nsDocumentOpenInfo::TryContentListener(this=0x000000011d1926a0, aListener=0x000000011d192580, aChannel=0x000000012ff34d80) + 1393 at nsURILoader.cpp:721
    frame #10: 0x0000000101ba7d8d XUL`nsDocumentOpenInfo::DispatchContent(this=0x000000011d1926a0, request=0x000000012ff34d80, aCtxt=0x0000000000000000) + 1293 at nsURILoader.cpp:398
    frame #11: 0x0000000101ba764e XUL`nsDocumentOpenInfo::OnStartRequest(this=0x000000011d1926a0, request=0x000000012ff34d80, aCtxt=0x0000000000000000) + 894 at nsURILoader.cpp:259
    frame #12: 0x00000001008f0a9e XUL`nsBaseChannel::OnStartRequest(this=0x000000012ff34d80, request=0x000000011d18d140, ctxt=0x0000000000000000) + 494 at nsBaseChannel.cpp:800
    frame #13: 0x00000001008f0d67 XUL`non-virtual thunk to nsBaseChannel::OnStartRequest(this=0x000000012ff34d80, request=0x000000011d18d140, ctxt=0x0000000000000000) + 55 at nsBaseChannel.cpp:781
    frame #14: 0x000000010092bbb4 XUL`nsInputStreamPump::OnStateStart(this=0x000000011d18d140) + 388 at nsInputStreamPump.cpp:525
    frame #15: 0x000000010092b6d1 XUL`nsInputStreamPump::OnInputStreamReady(this=0x000000011d18d140, stream=0x0000000131682e00) + 433 at nsInputStreamPump.cpp:427
    frame #16: 0x000000010092c82f XUL`non-virtual thunk to nsInputStreamPump::OnInputStreamReady(this=0x000000011d18d140, stream=0x0000000131682e00) + 47 at nsInputStreamPump.cpp:393

Comment 1

[Tim Taubert [:ttaubert] (inactive)]

The tab with the crash test needs to be focused. Reloading when focused should crash reliably.

Comment 2

[Andrew Overholt [:overholt]]

smaug, can you take a look?

Comment 3

[Olli Pettay [:smaug]]

Created attachment 8716363 [details] [diff] [review]
patch

Docshell sure it being destroyed (or in fact has been destroyed) if outer window doesn't have a pointer to it anymore.

Comment 4

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/42212b5cca4c

Comment 5

[Phil Ringnalda (:philor)]

https://hg.mozilla.org/mozilla-central/rev/42212b5cca4c