Closed Bug 1410260 Opened 3 years ago Closed 3 years ago

stack overflow in [@ nsGlobalWindow::OpenInternal]


(Core :: DOM: Core & HTML, defect)

56 Branch
Not set



Tracking Status
firefox-esr52 --- unaffected
firefox56 --- wontfix
firefox57 --- affected
firefox58 --- affected


(Reporter: tsmith, Unassigned)


(Blocks 1 open bug)


(Keywords: crash, testcase)


(2 files)

Attached file test_case.html
==26893==ERROR: AddressSanitizer: stack-overflow on address 0x7ffefca3eff8 (pc 0x7fc9e732b818 bp 0x7ffefca3f010 sp 0x7ffefca3f000 T0)
    #0 0x7fc9e732b817 in nsTSubstring<char>::ReplacePrep(unsigned int, unsigned int, unsigned int) /src/xpcom/string/nsTSubstring.cpp:200
    #1 0x7fc9e73393ef in ReplaceASCII /src/xpcom/string/nsTSubstring.cpp:710:13
    #2 0x7fc9e73393ef in ReplaceASCII /src/xpcom/string/nsTSubstring.cpp:684
    #3 0x7fc9e73393ef in AppendASCII /src/xpcom/string/nsTSubstring.h:386
    #4 0x7fc9e73393ef in PrintfAppend<char>::append(char const*, unsigned long) /src/xpcom/string/nsTSubstring.cpp:1096
    #5 0x4fcca6 in emit /src/obj-firefox/dist/include/mozilla/Printf.h:98:16
    #6 0x4fcca6 in mozilla::PrintfTarget::fill_n(char const*, int, int, int, int, int) /src/mozglue/misc/Printf.cpp:173
    #7 0x4ff0aa in mozilla::PrintfTarget::vprint(char const*, __va_list_tag*) /src/mozglue/misc/Printf.cpp
    #8 0x7fc9e732dff3 in nsTSubstring<char>::AppendPrintf(char const*, ...) /src/xpcom/string/nsTSubstring.cpp:1112:21
    #9 0x7fc9e77248f2 in AppendInt /src/obj-firefox/dist/include/nsTSubstring.h:409:5
    #10 0x7fc9e77248f2 in mozilla::net::nsStandardURL::BuildNormalizedSpec(char const*, mozilla::Encoding const*) /src/netwerk/base/nsStandardURL.cpp:830
    #11 0x7fc9e7731faa in mozilla::net::nsStandardURL::SetSpecWithEncoding(nsTSubstring<char> const&, mozilla::Encoding const*) /src/netwerk/base/nsStandardURL.cpp:1742:14
    #12 0x7fc9e774aef5 in mozilla::net::nsStandardURL::Init(unsigned int, int, nsTSubstring<char> const&, char const*, nsIURI*) /src/netwerk/base/nsStandardURL.cpp:3478:16
    #13 0x7fc9e7e44f77 in NewURI /src/netwerk/protocol/http/nsHttpHandler.cpp:134:24
    #14 0x7fc9e7e44f77 in mozilla::net::nsHttpHandler::NewURI(nsTSubstring<char> const&, char const*, nsIURI*, nsIURI**) /src/netwerk/protocol/http/nsHttpHandler.cpp:2131
    #15 0x7fc9e768260f in mozilla::net::nsIOService::NewURI(nsTSubstring<char> const&, char const*, nsIURI*, nsIURI**) /src/netwerk/base/nsIOService.cpp:702:21
    #16 0x7fc9e76bea5b in NS_NewURI /src/netwerk/base/nsNetUtil.cpp:1493:25
    #17 0x7fc9e76bea5b in NS_NewURI(nsIURI**, char const*, nsIURI*, nsIIOService*) /src/netwerk/base/nsNetUtil.cpp:1535
    #18 0x7fc9f34a15e2 in nsWindowWatcher::URIfromURL(char const*, mozIDOMWindowProxy*, nsIURI**) /src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:1707:10
    #19 0x7fc9f349586f in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:707:10
    #20 0x7fc9f349c59e in OpenWindow2 /src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:444:10
    #21 0x7fc9f349c59e in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /src/toolkit/components/windowwatcher/nsWindowWatcher.cpp
    #22 0x7fc9ea1e4424 in nsGlobalWindow::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsIDocShellLoadInfo*, bool, nsPIDOMWindowOuter**) /src/dom/base/nsGlobalWindow.cpp:12951:21
    #23 0x7fc9ea1e54fa in OpenNoNavigate /src/dom/base/nsGlobalWindow.cpp:9024:10
    #24 0x7fc9ea1e54fa in non-virtual thunk to nsGlobalWindow::OpenNoNavigate(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsPIDOMWindowOuter**) /src/dom/base/nsGlobalWindow.cpp
    #25 0x7fc9f2930d13 in nsDocShell::InternalLoad(nsIURI*, nsIURI*, mozilla::Maybe<nsCOMPtr<nsIURI> > const&, bool, nsIURI*, unsigned int, nsIPrincipal*, nsIPrincipal*, unsigned int, nsTSubstring<char16_t> const&, char const*, nsTSubstring<char16_t> const&, nsIInputStream*, long, nsIInputStream*, unsigned int, nsISHEntry*, bool, nsTSubstring<char16_t> const&, nsIDocShell*, nsIURI*, bool, nsIDocShell**, nsIRequest**) /src/docshell/base/nsDocShell.cpp:10204:17
    #26 0x7fc9f29b147e in nsDocShell::OnLinkClickSync(nsIContent*, nsIURI*, char16_t const*, nsTSubstring<char16_t> const&, nsIInputStream*, long, nsIInputStream*, bool, nsIDocShell**, nsIRequest**, nsIPrincipal*) /src/docshell/base/nsDocShell.cpp:14462:17
    #27 0x7fc9f29d5ce5 in OnLinkClickEvent::Run() /src/docshell/base/nsDocShell.cpp:14210:17
    #28 0x7fc9e74c33c4 in mozilla::SchedulerGroup::Runnable::Run() /src/xpcom/threads/SchedulerGroup.cpp:396:25
    #29 0x7fc9e74e8f18 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1037:14
    #30 0x7fc9e7503be8 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:512:10
    #31 0x7fc9ee71d0a1 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /src/dom/ipc/ContentChild.cpp:1036:24)> /src/obj-firefox/dist/include/nsThreadUtils.h:323:25
    #32 0x7fc9ee71d0a1 in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::TabChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool*, mozIDOMWindowProxy**) /src/dom/ipc/ContentChild.cpp:1036
Flags: in-testsuite?
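The report above is the kind of artifact a fuzzer hands to a triager, and the discussion below turns on what is on the stack (nested event loops re-entered from page JS) rather than on the top frame. As an added example, not code from this bug or from Mozilla, here is a small Python parser for the ASan report format shown in comment 0. It collapses inlined frames that share a program counter, counts how many nested event loops (SpinEventLoopUntil frames) sit on the stack, and derives a short crash signature; the embedded input is an excerpt of frames copied from the attached report, and the `SpinEventLoopUntil` marker is an assumption about how nested loops appear in Gecko traces.

```python
"""Triage helper for AddressSanitizer stack-overflow reports (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the report header plus nine frames copied from the
# attached report (the full report has 33 frames). #1/#2 and #31/#32 are
# inlined frames sharing one pc; #31 is the nested-event-loop marker.
SAMPLE_REPORT = """\
==26893==ERROR: AddressSanitizer: stack-overflow on address 0x7ffefca3eff8 (pc 0x7fc9e732b818 bp 0x7ffefca3f010 sp 0x7ffefca3f000 T0)
    #0 0x7fc9e732b817 in nsTSubstring<char>::ReplacePrep(unsigned int, unsigned int, unsigned int) /src/xpcom/string/nsTSubstring.cpp:200
    #1 0x7fc9e73393ef in ReplaceASCII /src/xpcom/string/nsTSubstring.cpp:710:13
    #2 0x7fc9e73393ef in ReplaceASCII /src/xpcom/string/nsTSubstring.cpp:684
    #18 0x7fc9f34a15e2 in nsWindowWatcher::URIfromURL(char const*, mozIDOMWindowProxy*, nsIURI**) /src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:1707:10
    #22 0x7fc9ea1e4424 in nsGlobalWindow::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsIDocShellLoadInfo*, bool, nsPIDOMWindowOuter**) /src/dom/base/nsGlobalWindow.cpp:12951:21
    #29 0x7fc9e74e8f18 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1037:14
    #30 0x7fc9e7503be8 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:512:10
    #31 0x7fc9ee71d0a1 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /src/dom/ipc/ContentChild.cpp:1036:24)> /src/obj-firefox/dist/include/nsThreadUtils.h:323:25
    #32 0x7fc9ee71d0a1 in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::TabChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool*, mozIDOMWindowProxy**) /src/dom/ipc/ContentChild.cpp:1036
"""

# Assumption: each nested event loop contributes one frame whose function
# name contains this marker.
NESTED_LOOP_MARKER = "SpinEventLoopUntil"

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+(0x[0-9a-fA-F]+)\s+in\s+(.*\S)\s*$")
LOCATION_RE = re.compile(r"^(?P<file>.+?)(?::(?P<line>\d+))?(?::(?P<col>\d+))?$")


@dataclass
class Frame:
    index: int
    pc: int
    function: str
    file: str
    line: Optional[int]


@dataclass
class Report:
    pid: int
    kind: str        # e.g. "stack-overflow"
    address: str
    frames: List[Frame]


def parse_asan_report(text: str) -> Report:
    """Parse the header line and every '#N 0x... in FUNC FILE:LINE:COL' frame."""
    pid, kind, address, frames = None, None, None, []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            pid, kind, address = int(m.group(1)), m.group(2), m.group(3)
            continue
        m = FRAME_RE.match(raw)
        if not m:
            continue
        # The location is the last whitespace-separated token; the function
        # signature before it may itself contain spaces and parentheses.
        func, _, loc = m.group(3).rpartition(" ")
        lm = LOCATION_RE.match(loc)
        line = int(lm["line"]) if lm["line"] else None
        frames.append(Frame(int(m.group(1)), int(m.group(2), 16), func, lm["file"], line))
    if kind is None:
        raise ValueError("no AddressSanitizer header found")
    return Report(pid, kind, address, frames)


def physical_frames(report: Report) -> List[Frame]:
    """Collapse consecutive inlined frames (same pc) into one stack slot."""
    out: List[Frame] = []
    for f in report.frames:
        if out and out[-1].pc == f.pc:
            continue
        out.append(f)
    return out


def nested_loop_sites(report: Report) -> List[Tuple[int, str, Optional[int]]]:
    """Every frame that spun a nested event loop, innermost first."""
    return [(f.index, f.file, f.line) for f in report.frames
            if NESTED_LOOP_MARKER in f.function]


def nesting_depth(report: Report) -> int:
    return len(nested_loop_sites(report))


def short_name(func: str) -> str:
    """Drop template arguments and parameter lists: 'a<b>::c(d)' -> 'a::c'."""
    out, depth = [], 0
    for ch in func:
        if ch in "<(":
            depth += 1
        elif ch in ">)":
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def signature(report: Report, n: int = 3) -> List[str]:
    """Crash signature: the first n distinct physical frames, names shortened."""
    return [short_name(f.function) for f in physical_frames(report)[:n]]


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(r.kind, "at", r.address, "| signature:", " <- ".join(signature(r)))
    print("frames:", len(r.frames), "physical:", len(physical_frames(r)),
          "nested event loops on stack:", nesting_depth(r))
```

On the full 33-frame report the nesting depth comes out at one because ASan truncated the trace; run over an untruncated stack-overflow report from the same testcase, the count of SpinEventLoopUntil frames is the direct measure of how many layers of nested loops the page managed to stack before the overflow, which is the number worth recording when triaging this class of report.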
Attached file prefs.js
Wow, more pure evil care of the fuzzers :)

INFO: Last good revision: 5cac74206e4e96e652289c80f2499827c0907162
INFO: First bad revision: a1e773337202d436865cbdd1fa375277efada840
INFO: Pushlog:
Has Regression Range: --- → yes
Flags: needinfo?(nika)
Version: Trunk → 56 Branch
So, this isn't really a new failure. This in particular is caused by the fact that calling can cause a nested event loop to spin. My patch in particular just increased the chance of this happening. In a non-e10s window this would probably also reproduce if opening _blank links in new tabs was disabled (which also spins a nested event loop).

Basically, this program is just taking advantage of the fact that it's possible to run JS from your page during a nested event loop (which we don't have a way around right now - We don't have a good way to actually prevent a page from running JS in a nested event loop), and is causing a nesting of nested event loops enough layers deep to blow out the stack.

I'm not sure if there's anything which can be done about this. ni? smaug to see if he has any ideas of how we could mitigate this.
Flags: needinfo?(nika) → needinfo?(bugs)
aha, based on some other bug reports, someone has added such fuzzing which causes either stack overflows or too-much-recursion in JS.
In general we don't have any way to protect against that, and there are trivial ways to cause stack overflows.
Flags: needinfo?(bugs)
Marking as wontfix for the reasons in comment 4.
Closed: 3 years ago
Resolution: --- → WONTFIX
Component: DOM → DOM: Core & HTML