Bug 1341693 - Crash [@mozilla::dom::WindowBinding::get_customElements]
Status: Closed, RESOLVED FIXED
Opened 7 years ago; closed 7 years ago
Categories: Core :: DOM: Core & HTML, defect
Tracking: target milestone mozilla54
People: Reporter: jkratzer, Assigned: edgar
References: Blocks 1 open bug
Keywords: crash, csectype-nullptr, testcase
Whiteboard: dom-ce-m1
Attachments (2 files, 1 obsolete file):
393 bytes, text/html
6.25 KB, patch (wchen: review+)
Description:
Testcase found by fuzzing on mozilla-central rev 20170216-a9ec72f82299. Testcase requires the following pref in order to crash:

//user_pref("dom.webcomponents.enabled", true);

==25071==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7fe5f40c9570 bp 0x7ffc3ec3d4d0 sp 0x7ffc3ec3d4b0 T0)
    #0 0x7fe5f40c956f in HasWrapperFlag /home/worker/workspace/build/src/obj-firefox/dist/include/nsWrapperCache.h:312:15
    #1 0x7fe5f40c956f in IsDOMBinding /home/worker/workspace/build/src/obj-firefox/dist/include/nsWrapperCache.h:155
    #2 0x7fe5f40c956f in CouldBeDOMBinding /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:717
    #3 0x7fe5f40c956f in DoGetOrCreateDOMReflector<mozilla::dom::CustomElementRegistry, mozilla::dom::binding_detail::GetOrCreateReflectorWrapBehavior::eWrapIntoContextCompartment> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:908
    #4 0x7fe5f40c956f in GetOrCreateDOMReflector<mozilla::dom::CustomElementRegistry> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:992
    #5 0x7fe5f40c956f in mozilla::dom::WindowBinding::get_customElements(JSContext*, JS::Handle<JSObject*>, nsGlobalWindow*, JSJitGetterCallArgs) /home/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:1441
    #6 0x7fe5f40c65dd in mozilla::dom::WindowBinding::genericGetter(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:15660:13
    #7 0x7fe5fa320e24 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:281:15
    #8 0x7fe5fa320e24 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:463
    #9 0x7fe5fa3223be in InternalCall /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:508:12
    #10 0x7fe5fa3223be in Call /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:527
    #11 0x7fe5fa3223be in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:641
    #12 0x7fe5fb23e1e7 in CallGetter /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:1806:16
    #13 0x7fe5fb23e1e7 in GetExistingProperty<js::AllowGC::CanGC> /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:1854
    #14 0x7fe5fb23e1e7 in NativeGetPropertyInline<js::AllowGC::CanGC> /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2083
    #15 0x7fe5fb23e1e7 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2117
Flags: in-testsuite?
Updated 7 years ago (Assignee):
Assignee: nobody → echen
Comment 1 (7 years ago, Assignee):
The problem is:
- Removing iframe from documentElement triggers nsGlobalWindow::DetachFromDocShell() and mCustomElements be nulled out in nsGlobalWindow::CleanUp();
- Then we try to get iframe.customElements again, but CustomElementRegistry::Create() returns nullptr due to aWindow->GetDocShell() check.
Comment 2 (7 years ago, Assignee):
Comment 3 (7 years ago, Assignee):
Attachment #8840370 - Attachment is obsolete: true
Comment 4 (7 years ago, Assignee):
Comment on attachment 8840745 [details] [diff] [review]
Patch, v2

Review of attachment 8840745 [details] [diff] [review]:
-----------------------------------------------------------------

Try result: https://treeherder.allizom.org/#/jobs?repo=try&revision=c0ff853d3283665f445cf4ca818bdc29bfb5b2a6&filter-tier=1&group_state=expanded&selectedJob=74252826

Attachment #8840745 - Flags: review?(wchen)
Updated 7 years ago:
Attachment #8840745 - Flags: review?(wchen) → review+
Pushed by echen@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2dd1002e793b
Don't need to check GetDocShell() when creating CustomElementRegistry; r=wchen
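The failure mode described in comment 1 (the registry pointer is dropped when the window detaches from its docshell, and the lazy getter then refuses to recreate it) and the fix in the push above (create the registry without consulting GetDocShell()) can be modelled as a small C++ program. This is an added example and not Firefox code; DocShell, GlobalWindow, CreateRegistry, WrapIntoContext and GetterResultAfterDetach are hypothetical stand-ins for nsDocShell, nsGlobalWindow, CustomElementRegistry::Create and the GetOrCreateDOMReflector path in the stack above:

```cpp
// Added example, not Firefox code: a simplified model of the null
// dereference in this bug and of the fix that landed in the push above.
#include <cassert>
#include <cstdio>
#include <memory>

struct DocShell {};                         // stand-in for nsDocShell

struct CustomElementRegistry {              // stand-in for the real registry
    bool wrapped = false;
};

struct GlobalWindow {                       // stand-in for nsGlobalWindow
    DocShell* mDocShell = nullptr;          // non-owning, cleared on detach
    std::unique_ptr<CustomElementRegistry> mCustomElements;
    bool mCheckDocShellOnCreate;            // true = pre-fix, false = fixed

    GlobalWindow(DocShell* shell, bool preFix)
        : mDocShell(shell), mCheckDocShellOnCreate(preFix) {}

    // Models DetachFromDocShell() + CleanUp(): the docshell pointer and the
    // lazily created registry are both dropped, as comment 1 describes.
    void DetachFromDocShell() {
        mDocShell = nullptr;
        mCustomElements.reset();
    }

    // Models CustomElementRegistry::Create(). Before the fix it refused to
    // build a registry for a window without a docshell and returned nullptr;
    // the fix simply removes that check.
    std::unique_ptr<CustomElementRegistry> CreateRegistry() {
        if (mCheckDocShellOnCreate && !mDocShell) {
            return nullptr;
        }
        return std::make_unique<CustomElementRegistry>();
    }

    // Models the window.customElements getter: create on first access.
    CustomElementRegistry* CustomElements() {
        if (!mCustomElements) {
            mCustomElements = CreateRegistry();
        }
        return mCustomElements.get();
    }
};

// Models the binding layer (GetOrCreateDOMReflector -> IsDOMBinding ->
// HasWrapperFlag): it dereferences whatever the getter hands it. A null
// pointer here is consistent with the ASan fault at address 0x10, i.e. a
// field read at a small offset from nullptr.
bool WrapIntoContext(CustomElementRegistry* reg) {
    reg->wrapped = true;
    return reg->wrapped;
}

// Demonstration driver: 0 if the getter produced an object the reflector
// could wrap after detach, 1 if it handed the reflector a null pointer
// (the real code would crash inside WrapIntoContext at that point).
int GetterResultAfterDetach(bool preFix) {
    DocShell shell;
    GlobalWindow win(&shell, preFix);
    assert(win.CustomElements() != nullptr);   // fine while still attached
    win.DetachFromDocShell();
    CustomElementRegistry* reg = win.CustomElements();
    if (reg == nullptr) {
        return 1;
    }
    return WrapIntoContext(reg) ? 0 : 2;
}

int main() {
    std::printf("pre-fix getter after detach: %d\n", GetterResultAfterDetach(true));
    std::printf("fixed   getter after detach: %d\n", GetterResultAfterDetach(false));
    return 0;
}
```

The general lesson the model shows is that a lazily created member whose factory can fail must either be checked by every consumer or must never fail; the fix here took the second route, since the binding layer assumes the getter always returns an object.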
Comment 6 (7 years ago, bugherder):
https://hg.mozilla.org/mozilla-central/rev/2dd1002e793b
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox54: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Updated 7 years ago:
Whiteboard: dom-ce-m1
Updated 7 years ago:
status-firefox52: --- → disabled
status-firefox53: --- → disabled
status-firefox-esr52: --- → disabled
Flags: in-testsuite? → in-testsuite+
Updated 6 years ago (Assignee):
Blocks: custom-elements-initial-release
Comment 8 (6 years ago):
15 crashes in the last 6 months on ESR52. Doesn't seem worth caring about.