Open Bug 1412184 Opened 3 years ago Updated 2 years ago

Crash near null [@ mozilla::dom::AudioNode::AudioNode]

Categories

(Core :: Web Audio, defect, P2, critical)

53 Branch
defect

Tracking

Tracking Status
firefox-esr52 --- unaffected
firefox56 --- wontfix
firefox57 --- fix-optional
firefox58 --- affected

People

(Reporter: jkratzer, Assigned: padenot)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [fuzzblocker])

Attachments

(3 files)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev d734e6acf777.  Testcase must be served by a local webserver in order to reproduce.

=================================================================
==20888==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f42119573be bp 0x7ffe8e682990 sp 0x7ffe8e682880 T0)
==20888==The signal is caused by a READ memory access.
==20888==Hint: address points to the zero page.
    #0 0x7f42119573bd in mozilla::dom::AudioNode::AudioNode(mozilla::dom::AudioContext*, unsigned int, mozilla::dom::ChannelCountMode, mozilla::dom::ChannelInterpretation) /builds/worker/workspace/build/src/dom/media/webaudio/AudioNode.cpp:57:53
    #1 0x7f4211967d2d in mozilla::dom::AudioScheduledSourceNode::AudioScheduledSourceNode(mozilla::dom::AudioContext*, unsigned int, mozilla::dom::ChannelCountMode, mozilla::dom::ChannelInterpretation) /builds/worker/workspace/build/src/dom/media/webaudio/AudioScheduledSourceNode.cpp:17:5
    #2 0x7f42119b9f9e in mozilla::dom::ConstantSourceNode::ConstantSourceNode(mozilla::dom::AudioContext*) /builds/worker/workspace/build/src/dom/media/webaudio/ConstantSourceNode.cpp:148:5
    #3 0x7f42119bae61 in mozilla::dom::ConstantSourceNode::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::AudioContext&, mozilla::dom::ConstantSourceOptions const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/media/webaudio/ConstantSourceNode.cpp:195:43
    #4 0x7f42103a1629 in mozilla::dom::ConstantSourceNodeBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/ConstantSourceNodeBinding.cpp:345:64
    #5 0x7f42170302bd in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #6 0x7f42170302bd in CallJSNativeConstructor /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:324
    #7 0x7f42170302bd in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:580
    #8 0x7f421701992e in ConstructFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:606:12
    #9 0x7f421701992e in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3059
    #10 0x7f42170015fa in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #11 0x7f4217031bc6 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:706:15
    #12 0x7f4217032402 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:738:12
    #13 0x7f4217a86029 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4709:12
    #14 0x7f420efc9809 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:268:8
    #15 0x7f42126ec973 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2255:25
    #16 0x7f42126e7db6 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1895:10
    #17 0x7f42126cb8ca in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1596:10
    #18 0x7f42126c7db8 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:147:18
    #19 0x7f420dee752f in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:231:18
    #20 0x7f420dee752f in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:700
    #21 0x7f420dee1684 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:501:7
    #22 0x7f420deebb0f in nsHtml5ExecutorReflusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:55:18
    #23 0x7f420c0efe86 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #24 0x7f420c10a348 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #25 0x7f420cedb011 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #26 0x7f420ce3b54b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #27 0x7f420ce3b54b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #28 0x7f420ce3b54b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #29 0x7f421284eabf in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #30 0x7f4216b81ec1 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #31 0x7f4216d7854b in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4686:22
    #32 0x7f4216d7a115 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4848:8
    #33 0x7f4216d7b4c6 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4943:21
    #34 0x4ec4ec in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
    #35 0x4ec4ec in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304
    #36 0x7f422a14f82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #37 0x41dbc8 in _start (/home/forb1dden/builds/mc-asan/firefox+0x41dbc8)
Component: API: Web Audio → Web Audio
Product: Developer Documentation → Core
Version: unspecified → 58 Branch
Attached file fuzzer.js
Assignee: nobody → padenot
Rank: 10
Priority: -- → P1
Has Regression Range: --- → yes
Version: 58 Branch → 53 Branch
Comment on attachment 8923497 [details]
Bug 1412184 - Set the main thread after BindToOwner in AudioNode ctor.

https://reviewboard.mozilla.org/r/194642/#review199672

Please verify the code using AbstractMainThread() can deal with nullptr, and fix if needed, or explain why it is safe. And rename AbstractMainThread().

::: dom/media/webaudio/AudioNode.cpp:63
(Diff revision 1)
>  {
>    MOZ_ASSERT(aContext);
>    DOMEventTargetHelper::BindToOwner(aContext->GetParentObject());
> +
> +  if (aContext->GetOwnerGlobal()) {
> +    mAbstractMainThread =
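Review bot: the new guard `if (aContext->GetOwnerGlobal())` leaves `mAbstractMainThread` unassigned whenever the context has lost its owner global, so the hunk only moves the null from the constructor into every later use of the accessor. Either give the member an explicit `nullptr` initializer and null-check it at each call site, or fail construction (report an error to the caller) when `GetOwnerGlobal()` returns null, and rename the accessor with a `Get` prefix so its nullable return is visible at the call sites.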

So AbstractMainThread() should be called GetAbstractMainThread(), since it may return null.
http://searchfox.org/mozilla-central/rev/1ebd2eff44617df3b82eea7d2f3ca1b60cc591a0/dom/media/webaudio/AudioNode.h#230

And I'm having a hard time seeing what guarantees the code using AbstractMainThread() can deal with nullptr.
Attachment #8923497 - Flags: review?(bugs) → review-
Priority: P1 → P2
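The review above turns on one pattern: a constructor that sets a member pointer only under a condition, an accessor whose name does not say it can return null, and callers that dereference without checking. The following is an added, self-contained illustration of that pattern and its hardened form; it is not Gecko code. `OwnerGlobal`, `MainThread`, `Context` and `Node` are constructed stand-ins for the real classes, and `DispatchUnchecked` / `DispatchChecked` are hypothetical callers.

```cpp
#include <cassert>
#include <cstddef>
#include <iostream>

// Constructed stand-in for a document's owner global; a context whose global
// has gone away is modelled by a null pointer to it.
struct OwnerGlobal {
    int id;
};

// Constructed stand-in for the main-thread event target; counts dispatches.
struct MainThread {
    int dispatched = 0;
    void Dispatch() { ++dispatched; }
};

// Constructed stand-in for AudioContext: exposes GetOwnerGlobal(), which may be null.
struct Context {
    OwnerGlobal* global;
    MainThread* mainThread;
    OwnerGlobal* GetOwnerGlobal() const { return global; }
};

// Mirrors the reviewed constructor: the main-thread member is assigned only
// when the owner global still exists, so it can legitimately remain null.
class Node {
public:
    explicit Node(const Context& aContext) : mAbstractMainThread(nullptr) {
        if (aContext.GetOwnerGlobal()) {
            mAbstractMainThread = aContext.mainThread;
        }
    }
    // "Get" prefix (the reviewer's naming request) signals a nullable return.
    MainThread* GetAbstractMainThread() const { return mAbstractMainThread; }

private:
    MainThread* mAbstractMainThread;
};

// Hazard: dereferences the accessor without a check. With a detached context
// this is a null read, the "crash near null" the bug reports. Shown only for
// contrast; never call it on a node built from a context without a global.
bool DispatchUnchecked(const Node& node) {
    node.GetAbstractMainThread()->Dispatch();
    return true;
}

// Hardened caller: tolerates the null and reports whether work was dispatched.
bool DispatchChecked(const Node& node) {
    MainThread* mt = node.GetAbstractMainThread();
    if (!mt) {
        return false;  // owner global gone: nothing to dispatch to
    }
    mt->Dispatch();
    return true;
}

// Builds a node from a live or detached context and runs the checked path.
// Returns whether a dispatch happened; *outDispatched receives the count.
bool TryDispatch(bool hasOwnerGlobal, int* outDispatched) {
    OwnerGlobal g{1};
    MainThread mt;
    Context ctx{hasOwnerGlobal ? &g : nullptr, &mt};
    Node node(ctx);
    bool ok = DispatchChecked(node);
    if (outDispatched) {
        *outDispatched = mt.dispatched;
    }
    return ok;
}

int main() {
    int n = 0;
    std::cout << "live context: dispatched=" << TryDispatch(true, &n) << " count=" << n << "\n";
    std::cout << "detached context: dispatched=" << TryDispatch(false, &n) << " count=" << n << "\n";
    return 0;
}
```

The checked caller is the defensive shape the reviewer asks for: a null main thread is a reachable state (the constructor's own guard creates it), so it is handled as a normal outcome rather than assumed away.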