Closed Bug 1254853 Opened 8 years ago Closed 8 years ago

IndexedDB - Crash in nsHostObjectProtocolHandler::AddRef()

Categories

(Core :: Storage: IndexedDB, defect)

Product:
Core
Component:
Storage: IndexedDB
Version:
48 Branch
Platform:
x86_64
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla48
Tracking Flags:
Tracking Status
firefox48 --- verified

People

(Reporter: loobenyang, Assigned: bevis, Mentored)

Details

(Keywords: crash, csectype-nullptr, sec-low, Whiteboard: [tw-dom][adv-main48-])

Attachments

(3 files, 3 obsolete files)

Crash_AddRef_Repro.html
249 bytes, text/html
Details
Crash_AddRef_Repro2.html
623 bytes, text/plain
Details
Patch (v4): Add a Helper to Report a ScriptError to the Main Thread. r=khuey
21.06 KB, patch
bevis
: review+
Details | Diff | Splinter Review 
Open the repro in Firefox, Firefox crashes in nsHostObjectProtocolHandler::AddRef():


Firefox version: 48.0a1 (2016-03-07)

=================================================================
==16581==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f3cc83fab37 sp 0x7f3ca128e0f0 bp 0x7f3ca128e100 T21)
    #0 0x7f3cc83fab36 in operator++ /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsISupportsImpl.h:329
    #1 0x7f3cc83fab36 in nsHostObjectProtocolHandler::AddRef() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsHostObjectProtocolHandler.cpp:480
    #2 0x7f3cc5bb499c in NS_TableDrivenQI(void*, nsID const&, void**, QITableEntry const*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsISupportsImpl.cpp:17
    #3 0x7f3cc5b163ff in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/components/nsComponentManager.cpp:1509
    #4 0x7f3cc5ceddfc in CallGetService<nsIProtocolHandler> /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsServiceManagerUtils.h:89
    #5 0x7f3cc5ceddfc in nsIOService::GetProtocolHandler(char const*, nsIProtocolHandler**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/base/nsIOService.cpp:520
    #6 0x7f3cc5cee795 in nsIOService::NewURI(nsACString_internal const&, char const*, nsIURI*, nsIURI**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/base/nsIOService.cpp:621
    #7 0x7f3cc5d1ced1 in NS_NewURI(nsIURI**, nsACString_internal const&, char const*, nsIURI*, nsIIOService*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/base/nsNetUtil.inl:115
    #8 0x7f3cc5d1d155 in NS_NewURI(nsIURI**, nsAString_internal const&, char const*, nsIURI*, nsIIOService*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/base/nsNetUtil.inl:126
    #9 0x7f3cc7170887 in nsScriptErrorBase::InitWithWindowID(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, unsigned int, unsigned int, unsigned int, nsACString_internal const&, unsigned long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/xpconnect/src/nsScriptError.cpp:188
    #10 0x7f3ccb2ffa3d in mozilla::dom::IndexedDatabaseManager::CommonPostHandleEvent(mozilla::EventChainPostVisitor&, mozilla::dom::IDBFactory*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/indexedDB/IndexedDatabaseManager.cpp:560
    #11 0x7f3ccb2eb798 in mozilla::dom::IDBOpenDBRequest::PostHandleEvent(mozilla::EventChainPostVisitor&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/indexedDB/IDBRequest.cpp:630
    #12 0x7f3cca397fbe in PostHandleEvent /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/events/EventDispatcher.cpp:271
    #13 0x7f3cca397fbe in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/events/EventDispatcher.cpp:318
    #14 0x7f3cca398677 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/events/EventDispatcher.cpp:364
    #15 0x7f3cca39c292 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/events/EventDispatcher.cpp:653
    #16 0x7f3cca377978 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/events/EventDispatcher.cpp:719
    #17 0x7f3cca377639 in mozilla::DOMEventTargetHelper::DispatchEvent(nsIDOMEvent*, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/events/DOMEventTargetHelper.cpp:253
    #18 0x7f3ccb2848dc in mozilla::dom::indexedDB::(anonymous namespace)::DispatchErrorEvent(mozilla::dom::IDBRequest*, nsresult, mozilla::dom::IDBTransaction*, nsIDOMEvent*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/indexedDB/ActorsChild.cpp:738
    #19 0x7f3ccb28738d in get_nsresult /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/indexedDB/ActorsChild.cpp:1280
    #20 0x7f3ccb28738d in mozilla::dom::indexedDB::BackgroundFactoryRequestChild::Recv__delete__(mozilla::dom::indexedDB::FactoryRequestResponse const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/indexedDB/ActorsChild.cpp:1370
    #21 0x7f3ccb28777c in non-virtual thunk to mozilla::dom::indexedDB::BackgroundFactoryRequestChild::Recv__delete__(mozilla::dom::indexedDB::FactoryRequestResponse const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/indexedDB/Unified_cpp_dom_indexedDB0.cpp:1395
    #22 0x7f3cc6a0fc08 in mozilla::dom::indexedDB::PBackgroundIDBFactoryRequestChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/PBackgroundIDBFactoryRequestChild.cpp:176
    #23 0x7f3cc662cc46 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1721
    #24 0x7f3cc65641d3 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1618
    #25 0x7f3cc6561215 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1556
    #26 0x7f3cc654f2b2 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1523
    #27 0x7f3cc64d3c14 in RunTask /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:364
    #28 0x7f3cc64d3c14 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:372
    #29 0x7f3cc64d4cc7 in MessageLoop::DoWork() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:459
    #30 0x7f3cc656c532 in mozilla::ipc::DoWorkRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:220
    #31 0x7f3cc5b4d6e0 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:994
    #32 0x7f3cc5bc6c3a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #33 0x7f3ccb4e2e2e in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerPrivate.cpp:4520
    #34 0x7f3ccb469986 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/RuntimeService.cpp:2632
    #35 0x7f3cc5b4d6e0 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:994
    #36 0x7f3cc5bc6c3a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #37 0x7f3cc656caef in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:326
    #38 0x7f3cc64d279c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #39 0x7f3cc64d279c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #40 0x7f3cc64d279c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #41 0x7f3cc5b4912b in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:396
    #42 0x7f3cd3f873cf in _pt_root /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:216
    #43 0x7f3cd41b2181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
    #44 0x7f3cc34c547c (/lib/x86_64-linux-gnu/libc.so.6+0xfa47c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsISupportsImpl.h:329 operator++
Thread T21 (DOM Worker) created by T0 (Web Content) here:
    #0 0x4618d5 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7f3cd3f83b20 in _PR_CreateThread /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:457
    #2 0x7f3cd3f8368a in PR_CreateThread /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:548
    #3 0x7f3cc5b4a8bd in nsThread::Init() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:526
    #4 0x7f3ccb54d28a in mozilla::dom::workers::WorkerThread::Create(mozilla::dom::workers::WorkerThreadFriendKey const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerThread.cpp:90
    #5 0x7f3ccb421880 in mozilla::dom::workers::RuntimeService::ScheduleWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/RuntimeService.cpp:1686
    #6 0x7f3ccb41f2e5 in mozilla::dom::workers::RuntimeService::RegisterWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/RuntimeService.cpp:1510
    #7 0x7f3ccb4b3426 in mozilla::dom::workers::WorkerPrivate::Constructor(JSContext*, nsAString_internal const&, bool, mozilla::dom::WorkerType, nsACString_internal const&, mozilla::dom::workers::WorkerLoadInfo*, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerPrivate.cpp:4087
    #8 0x7f3ccb4df836 in Constructor /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerPrivate.cpp:4021
    #9 0x7f3ccb4df836 in mozilla::dom::workers::WorkerPrivate::Constructor(mozilla::dom::GlobalObject const&, nsAString_internal const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerPrivate.cpp:3962
    #10 0x7f3cc97ac72e in mozilla::dom::WorkerBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/WorkerBinding.cpp:780
    #11 0x7f3ccfc9fc09 in CallJSNative /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jscntxtinlines.h:235
    #12 0x7f3ccfc9fc09 in CallJSNativeConstructor /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jscntxtinlines.h:268
    #13 0x7f3ccfc9fc09 in InternalConstruct(JSContext*, JS::CallArgs const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:567
    #14 0x7f3ccfc8ddf5 in ConstructFromStack /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:594
    #15 0x7f3ccfc8ddf5 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:2794
    #16 0x7f3ccfc6f28e in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:428
    #17 0x7f3ccfca0a2b in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:684
    #18 0x7f3ccfca102f in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:716
    #19 0x7f3ccf7a74e4 in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::StaticScope*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:4459
    #20 0x7f3ccf7a7f57 in Evaluate /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:4486
    #21 0x7f3ccf7a7f57 in JS::Evaluate(JSContext*, JS::AutoVectorRooter<JSObject*>&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:4547
    #22 0x7f3cc8437a61 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsJSUtils.cpp:224
    #23 0x7f3cc84386e1 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsJSUtils.cpp:286
    #24 0x7f3cc84c3b73 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, JS::SourceBufferHolder&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsScriptLoader.cpp:1142
    #25 0x7f3cc84c08d4 in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsScriptLoader.cpp:961
    #26 0x7f3cc84ba15c in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsScriptLoader.cpp:726
    #27 0x7f3cc84b6b1e in nsScriptElement::MaybeProcessScript() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsScriptElement.cpp:142
    #28 0x7f3cc7731ef4 in operator-> /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsIScriptElement.h:221
    #29 0x7f3cc7731ef4 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:666
    #30 0x7f3cc7730544 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:491
    #31 0x7f3cc773671b in nsHtml5ExecutorFlusher::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/parser/html/nsHtml5StreamParser.cpp:128
    #32 0x7f3cc5b4d6e0 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:994
    #33 0x7f3cc5bc6c3a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #34 0x7f3cc656bb69 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:95
    #35 0x7f3cc64d279c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #36 0x7f3cc64d279c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #37 0x7f3cc64d279c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #38 0x7f3ccba0ca67 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:156
    #39 0x7f3ccd9812c2 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:786
    #40 0x7f3cc64d279c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #41 0x7f3cc64d279c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #42 0x7f3cc64d279c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #43 0x7f3ccd9809ba in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:622
    #44 0x48d6f0 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:237
    #45 0x7f3cc33ecec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

==16581==ABORTING
In IndexedDatabaseManager::CommonPostHandleEvent[0] we handle the bubbling of IndexedDB error messages.  We fire a DOM event but we also attempt to log to the developer console[1]. It's not safe to do the latter off the main thread though!  So we'll need to move the second half of this function to run on the main thread in all cases.

btseng, want to take this one too?  It's not urgent but it is important to fix this eventually.

[0] http://hg.mozilla.org/mozilla-central/annotate/4657041c6f77/dom/indexedDB/IndexedDatabaseManager.cpp#l444
[1] http://hg.mozilla.org/mozilla-central/annotate/4657041c6f77/dom/indexedDB/IndexedDatabaseManager.cpp#l550
Flags: needinfo?(btseng)
Whiteboard: [tw-dom]
Sure! I'll look into this one once bug 1198093 is fixed.
Flags: needinfo?(btseng)
Reproduction test case:

<html><body></body>
<script type="text/javascript">
var blob = new Blob(['dbreq0 = indexedDB.open("TestDb1",  {version: 5, storage: "temporary"});'],{type: "text/javascript"});
var wk = new Worker(window.URL.createObjectURL(blob));
</script></html>
Assignee: nobody → btseng
(In reply to Looben Yang from comment #3)
> Reproduction test case:
> 
> <html><body></body>
> <script type="text/javascript">
> var blob = new Blob(['dbreq0 = indexedDB.open("TestDb1",  {version: 5,
> storage: "temporary"});'],{type: "text/javascript"});
> var wk = new Worker(window.URL.createObjectURL(blob));
> </script></html>

Thanks for providing this test steps.

Before fixing the bug, I'd like to see if I could reproduce it locally for further verification of the change.
After several trials with Nightly build (48.0a1 2016-03-13) on multiple platforms (Ubuntu, OS X, Window 10) locally, unfortunately, I didn't see any crash after loading this page.

Would you mind describing more on how firefox crashed after loading this page? Thanks!

BTW, here is the test steps I've tried:
1. Saving the content in comment 3 as test.html locally.
2. Open Firefox nightly.
3a. Open File... -> Choose "test.html" (Nothing happened)
3b1. $ python -m SimpleHTTPServer.
3b2. Load "http://127.0.0.1:8000/test.html" with firefox Nightly. (Nothing happened)
Flags: needinfo?(loobenyang)
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #1)
> In IndexedDatabaseManager::CommonPostHandleEvent[0] we handle the bubbling
> of IndexedDB error messages.  We fire a DOM event but we also attempt to log
> to the developer console[1]. It's not safe to do the latter off the main
> thread though!  So we'll need to move the second half of this function to
> run on the main thread in all cases.
> 
> btseng, want to take this one too?  It's not urgent but it is important to
> fix this eventually.
> 
> [0]
> http://hg.mozilla.org/mozilla-central/annotate/4657041c6f77/dom/indexedDB/
> IndexedDatabaseManager.cpp#l444
> [1]
> http://hg.mozilla.org/mozilla-central/annotate/4657041c6f77/dom/indexedDB/
> IndexedDatabaseManager.cpp#l550

After further review of current implementation, I'd like to define a IDBLog::Print(aLevel, ...) revised from IDBDatabase::LogWarning that can be used by IndexedDatabaseManager & IDBDatabase.
(In reply to Bevis Tseng[:bevistseng][:btseng] from comment #4)
> (In reply to Looben Yang from comment #3)
> > Reproduction test case:
> > 
> > <html><body></body>
> > <script type="text/javascript">
> > var blob = new Blob(['dbreq0 = indexedDB.open("TestDb1",  {version: 5,
> > storage: "temporary"});'],{type: "text/javascript"});
> > var wk = new Worker(window.URL.createObjectURL(blob));
> > </script></html>
> 
> Thanks for providing this test steps.
> 
> Before fixing the bug, I'd like to see if I could reproduce it locally for
> further verification of the change.
> After several trials with Nightly build (48.0a1 2016-03-13) on multiple
> platforms (Ubuntu, OS X, Window 10) locally, unfortunately, I didn't see any
> crash after loading this page.
> 
> Would you mind describing more on how firefox crashed after loading this
> page? Thanks!
> 
> BTW, here is the test steps I've tried:
> 1. Saving the content in comment 3 as test.html locally.
> 2. Open Firefox nightly.
> 3a. Open File... -> Choose "test.html" (Nothing happened)
> 3b1. $ python -m SimpleHTTPServer.
> 3b2. Load "http://127.0.0.1:8000/test.html" with firefox Nightly. (Nothing
> happened)

I just drag and drop the html file to Firefox and it crashes.
Flags: needinfo?(loobenyang)
Would you have a try with test case 2 (Crash_AddRef_Repro2.html)?


ASAN:SIGSEGV
=================================================================
==11771==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5d85860257 sp 0x7f5d4dc0b3f0 bp 0x7f5d4dc0b400 T50)
    #0 0x7f5d85860256 in operator++ /builds/slave/try-l64-asan-00000000000000000/build/src/obj-firefox/dist/include/nsISupportsImpl.h:329
    #1 0x7f5d85860256 in nsHostObjectProtocolHandler::AddRef() /builds/slave/try-l64-asan-00000000000000000/build/src/dom/base/nsHostObjectProtocolHandler.cpp:480
    #2 0x7f5d82feba2c in NS_TableDrivenQI(void*, nsID const&, void**, QITableEntry const*) /builds/slave/try-l64-asan-00000000000000000/build/src/xpcom/glue/nsISupportsImpl.cpp:17
    #3 0x7f5d82f4d50f in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/slave/try-l64-asan-00000000000000000/build/src/xpcom/components/nsComponentManager.cpp:1509
    #4 0x7f5d83125c6c in CallGetService<nsIProtocolHandler> /builds/slave/try-l64-asan-00000000000000000/build/src/obj-firefox/dist/include/nsServiceManagerUtils.h:89
    #5 0x7f5d83125c6c in nsIOService::GetProtocolHandler(char const*, nsIProtocolHandler**) /builds/slave/try-l64-asan-00000000000000000/build/src/netwerk/base/nsIOService.cpp:520
    #6 0x7f5d83126605 in nsIOService::NewURI(nsACString_internal const&, char const*, nsIURI*, nsIURI**) /builds/slave/try-l64-asan-00000000000000000/build/src/netwerk/base/nsIOService.cpp:621
    #7 0x7f5d83154b61 in NS_NewURI(nsIURI**, nsACString_internal const&, char const*, nsIURI*, nsIIOService*) /builds/slave/try-l64-asan-00000000000000000/build/src/netwerk/base/nsNetUtil.inl:115
    #8 0x7f5d83154de5 in NS_NewURI(nsIURI**, nsAString_internal const&, char const*, nsIURI*, nsIIOService*) /builds/slave/try-l64-asan-00000000000000000/build/src/netwerk/base/nsNetUtil.inl:126
    #9 0x7f5d845af757 in nsScriptErrorBase::InitWithWindowID(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, unsigned int, unsigned int, unsigned int, nsACString_internal const&, unsigned long) /builds/slave/try-l64-asan-00000000000000000/build/src/js/xpconnect/src/nsScriptError.cpp:188
    #10 0x7f5d887736dd in mozilla::dom::IndexedDatabaseManager::CommonPostHandleEvent(mozilla::EventChainPostVisitor&, mozilla::dom::IDBFactory*) /builds/slave/try-l64-asan-00000000000000000/build/src/dom/indexedDB/IndexedDatabaseManager.cpp:560
    #11 0x7f5d8875f438 in mozilla::dom::IDBOpenDBRequest::PostHandleEvent(mozilla::EventChainPostVisitor&) /builds/slave/try-l64-asan-00000000000000000/build/src/dom/indexedDB/IDBRequest.cpp:631
    #12 0x7f5d877f809e in PostHandleEvent /builds/slave/try-l64-asan-00000000000000000/build/src/dom/events/EventDispatcher.cpp:271
    #13 0x7f5d877f809e in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/slave/try-l64-asan-00000000000000000/build/src/dom/events/EventDispatcher.cpp:318
    #14 0x7f5d877f8757 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/slave/try-l64-asan-00000000000000000/build/src/dom/events/EventDispatcher.cpp:364
    #15 0x7f5d877fc372 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/slave/try-l64-asan-00000000000000000/build/src/dom/events/EventDispatcher.cpp:653
    #16 0x7f5d877d7a58 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /builds/slave/try-l64-asan-00000000000000000/build/src/dom/events/EventDispatcher.cpp:719
    #17 0x7f5d877d7719 in mozilla::DOMEventTargetHelper::DispatchEvent(nsIDOMEvent*, bool*) /builds/slave/try-l64-asan-00000000000000000/build/src/dom/events/DOMEventTargetHelper.cpp:253
    #18 0x7f5d886f856c in mozilla::dom::indexedDB::(anonymous namespace)::DispatchErrorEvent(mozilla::dom::IDBRequest*, nsresult, mozilla::dom::IDBTransaction*, nsIDOMEvent*) /builds/slave/try-l64-asan-00000000000000000/build/src/dom/indexedDB/ActorsChild.cpp:738
    #19 0x7f5d886fb01d in get_nsresult /builds/slave/try-l64-asan-00000000000000000/build/src/dom/indexedDB/ActorsChild.cpp:1280
    #20 0x7f5d886fb01d in mozilla::dom::indexedDB::BackgroundFactoryRequestChild::Recv__delete__(mozilla::dom::indexedDB::FactoryRequestResponse const&) /builds/slave/try-l64-asan-00000000000000000/build/src/dom/indexedDB/ActorsChild.cpp:1370
    #21 0x7f5d886fb40c in non-virtual thunk to mozilla::dom::indexedDB::BackgroundFactoryRequestChild::Recv__delete__(mozilla::dom::indexedDB::FactoryRequestResponse const&) /builds/slave/try-l64-asan-00000000000000000/build/src/obj-firefox/dom/indexedDB/Unified_cpp_dom_indexedDB0.cpp:1395
    #22 0x7f5d83e4b118 in mozilla::dom::indexedDB::PBackgroundIDBFactoryRequestChild::OnMessageReceived(IPC::Message const&) /builds/slave/try-l64-asan-00000000000000000/build/src/obj-firefox/ipc/ipdl/PBackgroundIDBFactoryRequestChild.cpp:176
    #23 0x7f5d83a67276 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/slave/try-l64-asan-00000000000000000/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1721
    #24 0x7f5d8399e743 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/slave/try-l64-asan-00000000000000000/build/src/ipc/glue/MessageChannel.cpp:1616
    #25 0x7f5d8399b785 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /builds/slave/try-l64-asan-00000000000000000/build/src/ipc/glue/MessageChannel.cpp:1554
    #26 0x7f5d83989852 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/try-l64-asan-00000000000000000/build/src/ipc/glue/MessageChannel.cpp:1521
    #27 0x7f5d8390dfa4 in RunTask /builds/slave/try-l64-asan-00000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:364
    #28 0x7f5d8390dfa4 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /builds/slave/try-l64-asan-00000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:372
    #29 0x7f5d8390f057 in MessageLoop::DoWork() /builds/slave/try-l64-asan-00000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:459
    #30 0x7f5d839a6aa2 in mozilla::ipc::DoWorkRunnable::Run() /builds/slave/try-l64-asan-00000000000000000/build/src/ipc/glue/MessagePump.cpp:222
    #31 0x7f5d82f847f0 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/try-l64-asan-00000000000000000/build/src/xpcom/threads/nsThread.cpp:994
    #32 0x7f5d82ffdcca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/try-l64-asan-00000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #33 0x7f5d8895731e in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/try-l64-asan-00000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4518
    #34 0x7f5d888ddb36 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/try-l64-asan-00000000000000000/build/src/dom/workers/RuntimeService.cpp:2632
    #35 0x7f5d82f847f0 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/try-l64-asan-00000000000000000/build/src/xpcom/threads/nsThread.cpp:994
    #36 0x7f5d82ffdcca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/try-l64-asan-00000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #37 0x7f5d839a705f in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/try-l64-asan-00000000000000000/build/src/ipc/glue/MessagePump.cpp:332
    #38 0x7f5d8390cb2c in RunInternal /builds/slave/try-l64-asan-00000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #39 0x7f5d8390cb2c in RunHandler /builds/slave/try-l64-asan-00000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #40 0x7f5d8390cb2c in MessageLoop::Run() /builds/slave/try-l64-asan-00000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #41 0x7f5d82f8023b in nsThread::ThreadFunc(void*) /builds/slave/try-l64-asan-00000000000000000/build/src/xpcom/threads/nsThread.cpp:396
    #42 0x7f5d99d673cf in _pt_root /builds/slave/try-l64-asan-00000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:216
    #43 0x7f5d9d289181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
    #44 0x7f5d9c38a47c (/lib/x86_64-linux-gnu/libc.so.6+0xfa47c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/slave/try-l64-asan-00000000000000000/build/src/obj-firefox/dist/include/nsISupportsImpl.h:329 operator++
Thread T50 (DOM Worker) created by T0 here:
    #0 0x45ea55 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7f5d99d63b20 in _PR_CreateThread /builds/slave/try-l64-asan-00000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:457
    #2 0x7f5d99d6368a in PR_CreateThread /builds/slave/try-l64-asan-00000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:548
    #3 0x7f5d82f819cd in nsThread::Init() /builds/slave/try-l64-asan-00000000000000000/build/src/xpcom/threads/nsThread.cpp:526
    #4 0x7f5d889c175a in mozilla::dom::workers::WorkerThread::Create(mozilla::dom::workers::WorkerThreadFriendKey const&) /builds/slave/try-l64-asan-00000000000000000/build/src/dom/workers/WorkerThread.cpp:92
    #5 0x7f5d888958d0 in mozilla::dom::workers::RuntimeService::ScheduleWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/try-l64-asan-00000000000000000/build/src/dom/workers/RuntimeService.cpp:1686
    #6 0x7f5d88893335 in mozilla::dom::workers::RuntimeService::RegisterWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/try-l64-asan-00000000000000000/build/src/dom/workers/RuntimeService.cpp:1510
    #7 0x7f5d88927ec5 in mozilla::dom::workers::WorkerPrivate::Constructor(JSContext*, nsAString_internal const&, bool, mozilla::dom::WorkerType, nsACString_internal const&, mozilla::dom::workers::WorkerLoadInfo*, mozilla::ErrorResult&) /builds/slave/try-l64-asan-00000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4085
    #8 0x7f5d88953d26 in Constructor /builds/slave/try-l64-asan-00000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4019
    #9 0x7f5d88953d26 in mozilla::dom::workers::WorkerPrivate::Constructor(mozilla::dom::GlobalObject const&, nsAString_internal const&, mozilla::ErrorResult&) /builds/slave/try-l64-asan-00000000000000000/build/src/dom/workers/WorkerPrivate.cpp:3960
    #10 0x7f5d86c0d67e in mozilla::dom::WorkerBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/try-l64-asan-00000000000000000/build/src/obj-firefox/dom/bindings/WorkerBinding.cpp:780
    #11 0x7f5d8d0a6119 in CallJSNative /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/jscntxtinlines.h:235
    #12 0x7f5d8d0a6119 in CallJSNativeConstructor /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/jscntxtinlines.h:268
    #13 0x7f5d8d0a6119 in InternalConstruct(JSContext*, JS::CallArgs const&) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/vm/Interpreter.cpp:567
    #14 0x7f5d8d094305 in ConstructFromStack /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/vm/Interpreter.cpp:594
    #15 0x7f5d8d094305 in Interpret(JSContext*, js::RunState&) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/vm/Interpreter.cpp:2794
    #16 0x7f5d8d07579e in js::RunScript(JSContext*, js::RunState&) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/vm/Interpreter.cpp:428
    #17 0x7f5d8d0a6f3b in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/vm/Interpreter.cpp:684
    #18 0x7f5d8d0a753f in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/vm/Interpreter.cpp:716
    #19 0x7f5d8cbeb10d in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::StaticScope*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/jsapi.cpp:4464
    #20 0x7f5d8cbebad7 in Evaluate /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/jsapi.cpp:4491
    #21 0x7f5d8cbebad7 in JS::Evaluate(JSContext*, JS::AutoVectorRooter<JSObject*>&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/jsapi.cpp:4552
    #22 0x7f5d8589cda6 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /builds/slave/try-l64-asan-00000000000000000/build/src/dom/base/nsJSUtils.cpp:213
    #23 0x7f5d8589da61 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /builds/slave/try-l64-asan-00000000000000000/build/src/dom/base/nsJSUtils.cpp:280
    #24 0x7f5d85928b8b in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, JS::SourceBufferHolder&) /builds/slave/try-l64-asan-00000000000000000/build/src/dom/base/nsScriptLoader.cpp:1142
    #25 0x7f5d859258f4 in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) /builds/slave/try-l64-asan-00000000000000000/build/src/dom/base/nsScriptLoader.cpp:962
    #26 0x7f5d8591f17c in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/slave/try-l64-asan-00000000000000000/build/src/dom/base/nsScriptLoader.cpp:726
    #27 0x7f5d8591bb3e in nsScriptElement::MaybeProcessScript() /builds/slave/try-l64-asan-00000000000000000/build/src/dom/base/nsScriptElement.cpp:142
    #28 0x7f5d84b7f464 in operator-> /builds/slave/try-l64-asan-00000000000000000/build/src/dom/base/nsIScriptElement.h:221
    #29 0x7f5d84b7f464 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/slave/try-l64-asan-00000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:666
    #30 0x7f5d84b7dab4 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/try-l64-asan-00000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:491
    #31 0x7f5d84b83c8b in nsHtml5ExecutorFlusher::Run() /builds/slave/try-l64-asan-00000000000000000/build/src/parser/html/nsHtml5StreamParser.cpp:128
    #32 0x7f5d82f847f0 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/try-l64-asan-00000000000000000/build/src/xpcom/threads/nsThread.cpp:994
    #33 0x7f5d82ffdcca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/try-l64-asan-00000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #34 0x7f5d839a60d9 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/try-l64-asan-00000000000000000/build/src/ipc/glue/MessagePump.cpp:97
    #35 0x7f5d8390cb2c in RunInternal /builds/slave/try-l64-asan-00000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #36 0x7f5d8390cb2c in RunHandler /builds/slave/try-l64-asan-00000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #37 0x7f5d8390cb2c in MessageLoop::Run() /builds/slave/try-l64-asan-00000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #38 0x7f5d88e81067 in nsBaseAppShell::Run() /builds/slave/try-l64-asan-00000000000000000/build/src/widget/nsBaseAppShell.cpp:156
    #39 0x7f5d8ad18e78 in nsAppStartup::Run() /builds/slave/try-l64-asan-00000000000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:281
    #40 0x7f5d8ae1738a in XREMain::XRE_mainRun() /builds/slave/try-l64-asan-00000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4299
    #41 0x7f5d8ae185f6 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/try-l64-asan-00000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4396
    #42 0x7f5d8ae1943e in XRE_main /builds/slave/try-l64-asan-00000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4502
    #43 0x48a793 in do_main /builds/slave/try-l64-asan-00000000000000000/build/src/browser/app/nsBrowserApp.cpp:220
    #44 0x48a793 in main /builds/slave/try-l64-asan-00000000000000000/build/src/browser/app/nsBrowserApp.cpp:360
    #45 0x7f5d9c2b1ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

==11771==ABORTING
(In reply to Looben Yang from comment #7)
> Created attachment 8730534 [details]
> Crash_AddRef_Repro2.html
> 
> Would you have a try with test case 2 (Crash_AddRef_Repro2.html)?
> 
> 
Thanks for providing this test case.

I got crash with this test case in different assertion: MOZ_ASSERT(NS_IsMainThread());
However, the root cause shall be similar that we should keep logging logic in the main thread instead.

--
[Switching to Thread 0x7fffbaafe700 (LWP 11540)]
0x00007fffe50cdea2 in pref_HashTableLookup (key=0x7fffbaafc4b0 "network.protocol-handler.external.blob") at /data/Projects/Builds/gecko/src/modules/libpref/prefapi.cpp:693
693         MOZ_ASSERT(NS_IsMainThread());
(gdb) bt
#0  0x00007fffe50cdea2 in pref_HashTableLookup(char const*) (key=0x7fffbaafc4b0 "network.protocol-handler.external.blob") at /data/Projects/Builds/gecko/src/modules/libpref/prefapi.cpp:693
#1  0x00007fffe50cd627 in PREF_GetBoolPref(char const*, bool*, bool) (pref_name=0x7fffbaafc4b0 "network.protocol-handler.external.blob", return_value=0x7fffbaafc40b, get_default=false)
    at /data/Projects/Builds/gecko/src/modules/libpref/prefapi.cpp:505
#2  0x00007fffe50d89b9 in nsPrefBranch::GetBoolPref(char const*, bool*) (this=0x7fffe219d800, aPrefName=0x7fffbaafc4b0 "network.protocol-handler.external.blob", _retval=0x7fffbaafc40b)
    at /data/Projects/Builds/gecko/src/modules/libpref/nsPrefBranch.cpp:152
#3  0x00007fffe50de02b in mozilla::Preferences::GetBoolPref(char const*, bool*) (this=0x7fffe1352ac0, aPrefName=0x7fffbaafc4b0 "network.protocol-handler.external.blob", _retval=0x7fffbaafc40b)
    at /data/Projects/Builds/gecko/src/obj-firefox/dist/include/mozilla/Preferences.h:47
#4  0x00007fffe5181046 in nsIOService::GetProtocolHandler(char const*, nsIProtocolHandler**) (this=0x7fffe2136180, scheme=0x7fffbaafc5c0 "blob", result=0x7fffbaafc580)
    at /data/Projects/Builds/gecko/src/netwerk/base/nsIOService.cpp:509
#5  0x00007fffe51815ed in nsIOService::NewURI(nsACString_internal const&, char const*, nsIURI*, nsIURI**) (this=0x7fffe2136180, aSpec=..., aCharset=0x0, aBaseURI=0x0, result=0x7fffbaafc790)
    at /data/Projects/Builds/gecko/src/netwerk/base/nsIOService.cpp:621
#6  0x00007fffe5194ea6 in NS_NewURI(nsIURI**, nsACString_internal const&, char const*, nsIURI*, nsIIOService*) (result=0x7fffbaafc790, spec=..., charset=0x0, baseURI=0x0, ioService=0x7fffe2136180)
    at /data/Projects/Builds/gecko/src/netwerk/base/nsNetUtil.inl:115
#7  0x00007fffe5194f40 in NS_NewURI(nsIURI**, nsAString_internal const&, char const*, nsIURI*, nsIIOService*) (result=0x7fffbaafc790, spec=..., charset=0x0, baseURI=0x0, ioService=0x0)
    at /data/Projects/Builds/gecko/src/netwerk/base/nsNetUtil.inl:126
#8  0x00007fffe5e69f9d in nsScriptErrorBase::InitWithWindowID(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, unsigned int, unsigned int, unsigned int, nsACString_internal const&
, unsigned long) (this=0x7fffbcbffdc0, message=..., sourceName=..., sourceLine=..., lineNumber=2, columnNumber=14, flags=0, category=..., aInnerWindowID=13)
    at /data/Projects/Builds/gecko/src/js/xpconnect/src/nsScriptError.cpp:188
#9  0x00007fffe81d0e65 in mozilla::dom::IndexedDatabaseManager::CommonPostHandleEvent(mozilla::EventChainPostVisitor&, mozilla::dom::IDBFactory*) (aVisitor=..., aFactory=0x7fffc01a1180)
    at /data/Projects/Builds/gecko/src/dom/indexedDB/IndexedDatabaseManager.cpp:560
#10 0x00007fffe81b9bda in mozilla::dom::IDBOpenDBRequest::PostHandleEvent(mozilla::EventChainPostVisitor&) (this=0x7fffbbfbc420, aVisitor=...) at /data/Projects/Builds/gecko/src/dom/indexedDB/IDBRequest.cpp:631
#11 0x00007fffe798d24f in mozilla::EventTargetChainItem::PostHandleEvent(mozilla::EventChainPostVisitor&) (this=0x7fffbf181708, aVisitor=...)
Group: core-security → dom-core-security
Calling this sec-moderate. We shouldn't be reading prefs from the wrong thread but it's not terrible if we're not modifying them, and the ASAN crashes look like null derefs.
Keywords: sec-moderate
Patch has been verified locally with positive result.

Wait for treeherder result:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=961f1afc9684
Comment on attachment 8731165 [details] [diff] [review]
Patch (v1): Add Helper to Dump ScriptError in MainThread.

1. Define ScriptErrorHelper to dump the message to the console via main thread.
2. Adopt this helper in  IDBDatabase.cpp and IndexedDatabaseManager.cpp.
3. MOZ_ASSERT(scriptError) instead of MOZ_ASSERT(consoleService) after creating nsIScriptError instance.

Hi Kyle,

May I have your review for these change?

Thanks!
Attachment #8731165 - Flags: review?(khuey)
Comment on attachment 8731165 [details] [diff] [review]
Patch (v1): Add Helper to Dump ScriptError in MainThread.

Review of attachment 8731165 [details] [diff] [review]:
-----------------------------------------------------------------

suspend the review before the following problem is clarified.

::: dom/indexedDB/IDBDatabase.cpp
@@ +1217,5 @@
>    MOZ_ASSERT(aMessageName);
>  
> +  nsXPIDLString localizedMessage;
> +  if (NS_WARN_IF(NS_FAILED(
> +    nsContentUtils::GetLocalizedString(nsContentUtils::eDOM_PROPERTIES,

I'd like to double confirm if nsContentUtils::GetLocalizedString() is safe to be used off main thread.
Attachment #8731165 - Flags: review?(khuey)
Revise patch v1 to provide ScriptErrorHelper::DumpLocalizedMessage() for the use case in IDBDatabase to find the localized message of given message name in the main thread.

Hi Kyle,

May I have your review for this change?

Thanks!
Attachment #8731165 - Attachment is obsolete: true
Attachment #8732073 - Flags: review?(khuey)
Comment on attachment 8732073 [details] [diff] [review]
Patch (v2): Add Helper to Dump ScriptError in MainThread.

Review of attachment 8732073 [details] [diff] [review]:
-----------------------------------------------------------------

Very nice.  Only minor comments.

::: dom/indexedDB/ScriptErrorHelper.cpp
@@ +17,5 @@
> +namespace mozilla {
> +namespace dom {
> +namespace indexedDB {
> +
> +namespace {

Please put the anonymous namespace and its contents outside the mozilla::dom::indexedDB.  I've seen this confuse Visual Studio in really weird ways before.

@@ +149,5 @@
> +
> +    MOZ_ALWAYS_TRUE(NS_SUCCEEDED(consoleService->LogMessage(scriptError)));
> +  }
> +
> +  NS_DECL_ISUPPORTS_INHERITED

You didn't add any interfaces on top of what the subclass does, and you didn't change the refcounting at all, so there's no need to redeclare nsISupports.

@@ +152,5 @@
> +
> +  NS_DECL_ISUPPORTS_INHERITED
> +
> +private:
> +  ~ScriptErrorRunnable() {}

virtual

@@ +154,5 @@
> +
> +private:
> +  ~ScriptErrorRunnable() {}
> +
> +  NS_DECL_NSIRUNNABLE

in the public: section please.

@@ +157,5 @@
> +
> +  NS_DECL_NSIRUNNABLE
> +};
> +
> +NS_IMPL_ISUPPORTS_INHERITED0(ScriptErrorRunnable, nsRunnable)

Or reimplement it here.

::: dom/indexedDB/ScriptErrorHelper.h
@@ +12,5 @@
> +namespace mozilla {
> +namespace dom {
> +namespace indexedDB {
> +
> +// Helper to dump ScriptError in main thread.

Helper to report a script error to the main thread.

@@ +33,5 @@
> +                                   bool aIsChrome,
> +                                   uint64_t aInnerWindowID);
> +private:
> +  ScriptErrorHelper() {}
> +  virtual ~ScriptErrorHelper() {}

You never create an instance of this class, so there's no reason to have a ctor/dtor.
Attachment #8732073 - Flags: review?(khuey)
address issues in comment 15.
Attachment #8732073 - Attachment is obsolete: true
Attachment #8733778 - Flags: review?(khuey)
Comment on attachment 8733778 [details] [diff] [review]
Patch (v3): Add a Helper to Report a ScriptError to the Main Thread.

Review of attachment 8733778 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/indexedDB/ScriptErrorHelper.cpp
@@ +145,5 @@
> +
> +    MOZ_ALWAYS_TRUE(NS_SUCCEEDED(consoleService->LogMessage(scriptError)));
> +  }
> +
> +  NS_IMETHODIMP Run() override

If you write it inline like this I think it's just supposed to be NS_IMETHOD.  Also, \n before Run please.
Attachment #8733778 - Flags: review?(khuey) → review+
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #18)
> > +  NS_IMETHODIMP Run() override
> 
> If you write it inline like this I think it's just supposed to be
> NS_IMETHOD.  Also, \n before Run please.
Thanks for pointing out this!
The treeherder result in comment 20 is good.
It seems not necessary to request sec-approval for the bug marked |sec-moderate| according to [1], so I marked |checkin-needed| here without other approval.

[1] https://wiki.mozilla.org/Security/Bug_Approval_Process
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/e3d7ad16257a
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox48: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Group: dom-core-security → core-security-release
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty-
Keywords: sec-moderatecrash, csectype-nullptr, sec-low
Alias: CVE-2016-5257
Whiteboard: [tw-dom] → [tw-dom][adv-main48+]
Since this is a null-deref, we're not going to do an advisory for this. Removing the CVE as well.
Alias: CVE-2016-5257
Whiteboard: [tw-dom][adv-main48+] → [tw-dom][adv-main48-]
I've managed to reproduced the initial issue on an older tinderbox-build from 2016-03-07 (Nightly), using Ubuntu 16.04 LTS, x64.

This is verified fixed on 48.0 RC2 - tinderbox-build, running Ubuntu 16.04 LTS, x64. This is verified fixed on 48.0-build2 (RC2), using Ubuntu 16.04 LTS x64.
Status: RESOLVED → VERIFIED
status-firefox48: fixedverified
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: