Closed Bug 1402364 Opened 8 years ago Closed 3 years ago

crash near null in [@ mozilla::IMEStateManager::SetIMEState]

Categories

(Core :: DOM: Events, defect, P3)

defect

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox-esr52 --- wontfix
firefox-esr60 --- affected
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- wontfix
firefox60 --- wontfix
firefox61 --- wontfix
firefox66 --- wontfix
firefox67 --- affected
firefox68 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-nullptr, testcase)

Attachments

(2 files)

Attached file test_case.html
==89876==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7ff1fe0800ee bp 0x7fffb92d0750 sp 0x7fffb92d0520 T0)
==89876==The signal is caused by a READ memory access.
==89876==Hint: address points to the zero page.
    #0 0x7ff1fe0800ed in get /src/obj-firefox/dist/include/mozilla/RefPtr.h:287:27
    #1 0x7ff1fe0800ed in operator-> /src/obj-firefox/dist/include/mozilla/RefPtr.h:319
    #2 0x7ff1fe0800ed in IsHTMLElement /src/obj-firefox/dist/include/nsIContent.h:284
    #3 0x7ff1fe0800ed in mozilla::IMEStateManager::SetIMEState(mozilla::widget::IMEState const&, nsPresContext*, nsIContent*, nsIWidget*, mozilla::widget::InputContextAction, mozilla::widget::InputContext::Origin) /src/dom/events/IMEStateManager.cpp:1322
    #4 0x7ff1fe0822e2 in mozilla::IMEStateManager::OnChangeFocusInternal(nsPresContext*, nsIContent*, mozilla::widget::InputContextAction) /src/dom/events/IMEStateManager.cpp:686:7
    #5 0x7ff1fe0847d8 in mozilla::IMEStateManager::OnInstalledMenuKeyboardListener(bool) /src/dom/events/IMEStateManager.cpp:737:3
    #6 0x7ff200956d52 in nsXULPopupManager::UpdateKeyboardListeners() /src/layout/xul/nsXULPopupManager.cpp:1960:7
    #7 0x7ff20095b3e5 in nsXULPopupManager::ShowPopupCallback(nsIContent*, nsMenuPopupFrame*, bool, bool) /src/layout/xul/nsXULPopupManager.cpp:970:3
    #8 0x7ff20096914e in nsXULPopupPositionedEvent::Run() /src/layout/xul/nsXULPopupManager.cpp:2821:13
    #9 0x7ff1f961191d in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1039:14
    #10 0x7ff1f9617658 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:521:10
    #11 0x7ff1fa3bb9b1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:97:21
    #12 0x7ff1fa31d87b in RunInternal /src/ipc/chromium/src/base/message_loop.cc:326:10
    #13 0x7ff1fa31d87b in RunHandler /src/ipc/chromium/src/base/message_loop.cc:319
    #14 0x7ff1fa31d87b in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299
    #15 0x7ff1ffac965f in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:158:27
    #16 0x7ff203c23a21 in nsAppStartup::Run() /src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #17 0x7ff203e0456b in XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4701:22
    #18 0x7ff203e06168 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4865:8
    #19 0x7ff203e0759b in XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4960:21
    #20 0x4ebea3 in do_main /src/browser/app/nsBrowserApp.cpp:236:22
    #21 0x4ebea3 in main /src/browser/app/nsBrowserApp.cpp:309
    #22 0x7ff216f4282f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #23 0x41d9f8 in _start (firefox+0x41d9f8)
Flags: in-testsuite?
See Also: → 1238758
Priority: -- → P3
Attached file prefs.js
QA Whiteboard: qa-not-actionable
Severity: critical → S2
Attachment #8916145 - Attachment mime type: application/x-javascript → text/plain

Tyson, do you know if this crash still reproduces? I tried opening the test case (without messing with the prefs) and couldn't reproduce on MacOS, for whatever that is worth. Thanks.

In any event it probably doesn't need to be an S2. I looked for crashes in the last few months with OnInstalledMenuKeyboardListener or OnChangeFocusInternal and didn't find many crashes that looked similar.

Severity: S2 → S3
Flags: needinfo?(twsmith)

I was also unable to reproduce this issue.

It was last reported by a fuzzer targeting m-c 20200110-feb7d997f961.

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(twsmith)
Resolution: --- → WORKSFORME

Thanks for checking.
