Closed Bug 1342184 Opened 8 years ago Closed 8 years ago

Assertion failure: mRawPtr != nullptr (You can't dereference a NULL nsCOMPtr with operator->().)

Categories

(Core :: DOM: Navigation, defect, P2)


RESOLVED DUPLICATE of bug 1341657

People

(Reporter: jkratzer, Assigned: freesamael)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash, testcase)

Attachments

(1 file)

Attached file index.html
Testcase found by fuzzing on mozilla-central rev 20170222-7abeac2f2d66.

[20601] ###!!! ASSERTION: A frame but no DOM element!?: 'requestingElement', file /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp, line 9901
Assertion failure: mRawPtr != nullptr (You can't dereference a NULL nsCOMPtr with operator->().), at /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:763
==20601==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa5dd5a7657 bp 0x7ffd7b77b6b0 sp 0x7ffd7b77b6b0 T0)
    #0 0x7fa5dd5a7656 in nsCOMPtr<mozilla::dom::Element>::operator->() const /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:762:5
    #1 0x7fa5e3fc56db in nsDocShell::InternalLoad(nsIURI*, nsIURI*, bool, nsIURI*, unsigned int, nsIPrincipal*, nsIPrincipal*, unsigned int, nsAString_internal const&, char const*, nsAString_internal const&, nsIInputStream*, nsIInputStream*, unsigned int, nsISHEntry*, bool, nsAString_internal const&, nsIDocShell*, nsIURI*, bool, nsIDocShell**, nsIRequest**) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9902:19
    #2 0x7fa5e3fc2bfd in nsDocShell::LoadURI(nsIURI*, nsIDocShellLoadInfo*, unsigned int, bool) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:1564:10
    #3 0x7fa5deddc755 in mozilla::dom::Location::SetURI(nsIURI*, bool) /home/worker/workspace/build/src/dom/base/Location.cpp:288:12
    #4 0x7fa5dedde23a in mozilla::dom::Location::SetHrefWithBase(nsAString_internal const&, nsIURI*, bool) /home/worker/workspace/build/src/dom/base/Location.cpp:550:12
    #5 0x7fa5deddde9f in mozilla::dom::Location::SetHrefWithContext(JSContext*, nsAString_internal const&, bool) /home/worker/workspace/build/src/dom/base/Location.cpp:503:10
    #6 0x7fa5dedddc53 in mozilla::dom::Location::SetHref(nsAString_internal const&) /home/worker/workspace/build/src/dom/base/Location.cpp:472:10
    #7 0x7fa5df3c4eed in mozilla::dom::Location::SetHref(nsAString_internal const&, nsIPrincipal&, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Location.h:89:14
    #8 0x7fa5df3c4d37 in mozilla::dom::LocationBinding::set_href(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Location*, JSJitSetterCallArgs) /home/worker/workspace/build/src/obj-firefox/dom/bindings/LocationBinding.cpp:96:3
    #9 0x7fa5df3c4473 in mozilla::dom::LocationBinding::genericCrossOriginSetter(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/obj-firefox/dom/bindings/LocationBinding.cpp:968:8
    #10 0x7fa5e4b5321a in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /home/worker/workspace/build/src/js/src/jscntxtinlines.h:281:15
    #11 0x7fa5e4b52c20 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:463:16
    #12 0x7fa5e4b53bae in InternalCall(JSContext*, js::AnyInvokeArgs const&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:508:12
    #13 0x7fa5e4b53dd1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:527:10
    #14 0x7fa5e4b55310 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:654:12
    #15 0x7fa5e5587cec in js::SetPropertyIgnoringNamedGetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyDescriptor>, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/proxy/BaseProxyHandler.cpp:245:10
Flags: in-testsuite?
Maybe Samael knows what's up with *this* docshell crash :)
Flags: needinfo?(sawang)
It seems the nsDocShell::LoadURI caused by `o2.location = 'foo';` happens after nsFrameLoader::StartDestroy has been called, which sets the frame element to nullptr [1], but before nsFrameLoaderDestroyRunnable is executed and actually destroys the docshell. Looks like a tricky case which needs to be carefully handled.

[1] http://searchfox.org/mozilla-central/rev/60ae6514e4c559c0c234f0e7aefccb101b8beb2e/dom/base/nsFrameLoader.cpp#2022
Assignee: nobody → sawang
Flags: needinfo?(sawang)
Priority: -- → P2
I kinda think if the only case where mFrameElement could be nulled out here is when the frame loader starts destroying, we may want to just cancel the load, but I guess the nullptr check implemented in bug 1341657 is a less risky way.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Blocks: domino
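A small C++ model of the window described in the analysis above, added here as an illustration and not Gecko code: StartDestroy clears the frame element immediately while the real teardown is deferred to a runnable, and a load that reaches the docshell in between must tolerate a null element. FrameLoader, DocShell, RunDestroyRunnable and the nsresult values are hypothetical stand-ins for the classes named in the comments.

```cpp
#include <cstdint>

// Hypothetical stand-ins for the Gecko types named in the comments above;
// this is an added model, not Mozilla code.
using nsresult = uint32_t;
constexpr nsresult NS_OK = 0;
constexpr nsresult NS_ERROR_FAILURE = 0x80004005;  // assumed value
struct Element { int id; };

class FrameLoader {
 public:
  explicit FrameLoader(Element* owner) : mOwnerContent(owner) {}
  // StartDestroy clears the element at once but only *queues* the real
  // teardown (nsFrameLoaderDestroyRunnable); that gap is where the bug lives.
  void StartDestroy() { mOwnerContent = nullptr; mDestroyPending = true; }
  void RunDestroyRunnable() { if (mDestroyPending) mDestroyed = true; }
  Element* OwnerContent() const { return mOwnerContent; }
  bool Destroyed() const { return mDestroyed; }
 private:
  Element* mOwnerContent;
  bool mDestroyPending = false;
  bool mDestroyed = false;
};

class DocShell {
 public:
  explicit DocShell(FrameLoader& l) : mLoader(l) {}
  // Checked load, the approach the last comment attributes to bug 1341657.
  // Without the null check this dereferences nullptr like frame #1 above.
  nsresult InternalLoad() {
    Element* requestingElement = mLoader.OwnerContent();
    if (!requestingElement) return NS_ERROR_FAILURE;  // refuse, don't crash
    (void)requestingElement->id;  // the dereference frame #1 performs
    return NS_OK;
  }
 private:
  FrameLoader& mLoader;
};

// Replays the sequence from the analysis: StartDestroy, then a location
// assignment reaches the docshell, and only afterwards the runnable runs.
inline nsresult LoadBetweenStartDestroyAndRunnable() {
  Element el{1};
  FrameLoader loader(&el);
  DocShell shell(loader);
  loader.StartDestroy();                 // element nulled, runnable queued
  nsresult rv = shell.InternalLoad();    // would crash without the check
  loader.RunDestroyRunnable();           // teardown completes only now
  return rv;
}
```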