Bug 1421492 (Open): Null crash [@ mozilla::EventStateManager::SetPointerLock]
Opened 2 years ago, updated 2 years ago

Category: Core :: DOM: Events
Type: defect
Priority: P3
Severity: critical
Reporter: jkratzer
Assignee: Unassigned
Blocks: 1 open bug
Keywords: crash, testcase
Attachments: 1 file

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev c2248f853469.

==13443==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f01172c8d2e bp 0x7fff36099f10 sp 0x7fff36099e40 T0)
==13443==The signal is caused by a READ memory access.
==13443==Hint: address points to the zero page.
    #0 0x7f01172c8d2d in mozilla::EventStateManager::SetPointerLock(nsIWidget*, nsIContent*) /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:4614:14
    #1 0x7f0114efdd41 in nsDocument::SetPointerLock(mozilla::dom::Element*, int) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:12630:3
    #2 0x7f0114efc744 in PointerLockRequest::Run() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:12541:21
    #3 0x7f0111d6c9fe in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1033:14
    #4 0x7f0111d88780 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:508:10
    #5 0x7f011cd0ad63 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpfe/appshell/nsXULWindow.cpp:2001:24)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:323:25
    #6 0x7f011cd0ad63 in nsXULWindow::CreateNewContentWindow(int, nsITabParent*, mozIDOMWindowProxy*, unsigned long, nsIXULWindow**) /builds/worker/workspace/build/src/xpfe/appshell/nsXULWindow.cpp:2001
    #7 0x7f011d4cd032 in nsAppStartup::CreateChromeWindow2(nsIWebBrowserChrome*, unsigned int, nsITabParent*, mozIDOMWindowProxy*, unsigned long, bool*, nsIWebBrowserChrome**) /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:659:18
    #8 0x7f011d6425b7 in nsWindowWatcher::CreateChromeWindow(nsTSubstring<char> const&, nsIWebBrowserChrome*, unsigned int, nsITabParent*, mozIDOMWindowProxy*, unsigned long, nsIWebBrowserChrome**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:496:21
    #9 0x7f011d63cf79 in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:965:14
    #10 0x7f011d6422cc in OpenWindow2 /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:444:10
    #11 0x7f011d6422cc in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp
    #12 0x7f0114bb8bd5 in nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsIDocShellLoadInfo*, bool, nsPIDOMWindowOuter**) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:7205:21
    #13 0x7f0114bb79fd in OpenJS /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:5613:10
    #14 0x7f0114bb79fd in nsGlobalWindowOuter::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:5588
    #15 0x7f0114b581c2 in nsGlobalWindowInner::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowInner.cpp:3759:3
    #16 0x7f01164ef954 in mozilla::dom::WindowBinding::open(JSContext*, JS::Handle<JSObject*>, nsGlobalWindowInner*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:2190:56
    #17 0x7f01164edd50 in mozilla::dom::WindowBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:15333:13
    #18 0x7f011d9ba5c1 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #19 0x7f011d9ba5c1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #20 0x7f011dc0105b in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2551:14
    #21 0x1266cf01153a  (<unknown module>)
Flags: in-testsuite?
Hi Xidorn, do you have time to take a look at this? Feel free to say no :)
Flags: needinfo?(xidorn+moz)
I took a brief look at this, but it doesn't trigger any issue for me.

EventStateManager.cpp:4614 currently points to
> aWidget->SynthesizeNativeMouseMove(
>   sLastRefPoint + aWidget->WidgetToScreenOffset(), nullptr);
so it sounds like aWidget is null in this case, which should trigger the MOZ_ASSERT slightly before this line in a debug build. I don't see anything from the testcase.

I have also tried adding a button and a click for running the code (since otherwise neither fullscreen nor pointerlock would take effect), but still nothing happens.
Flags: needinfo?(xidorn+moz)
Priority: -- → P3
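A click-gated harness of the kind the comment above describes, added here as an illustration; it is not the attached trigger.html and is not the reporter's or Xidorn's code. The ordering it uses (requestPointerLock() followed by window.open() in the same click handler) is an assumption drawn from the stack, where the queued PointerLockRequest runnable runs inside the nested event loop that nsXULWindow::CreateNewContentWindow spins on behalf of window.open(); whether this harness reaches the crash on rev c2248f853469 is not established.

```html
<!doctype html>
<!-- Added harness, not the attached trigger.html. requestFullscreen() and
     requestPointerLock() both need transient user activation, so a testcase
     that runs on load exercises neither path; everything here runs from a
     click. The call order is an assumption based on the reported stack. -->
<button id="go">run</button>
<script>
  document.addEventListener("pointerlockchange", () =>
    console.log("pointerlockchange:", document.pointerLockElement));
  document.addEventListener("pointerlockerror", () =>
    console.log("pointerlockerror"));

  document.getElementById("go").addEventListener("click", () => {
    // Fullscreen first, as the comment mentions both APIs. Older builds
    // returned undefined instead of a Promise, so guard the .catch().
    const p = document.documentElement.requestFullscreen();
    if (p && typeof p.catch === "function") {
      p.catch(e => console.log("fullscreen rejected:", e.name));
    }

    // requestPointerLock() does not lock synchronously; it queues a
    // PointerLockRequest runnable on the main thread.
    document.body.requestPointerLock();

    // window.open() spins a nested event loop while the new window is
    // created (SpinEventLoopUntil in the stack). That is where the queued
    // PointerLockRequest ran in the report, so it is issued right after
    // the lock request and before control returns to the event loop.
    const w = window.open("about:blank", "_blank");
    if (w) w.close();
  });
</script>
```

Load the page in an ASan build and click the button; check the console for pointerlockchange or pointerlockerror to confirm the lock request was actually processed rather than silently dropped for lack of a user gesture.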