Closed Bug 1421525 Opened 7 years ago Closed 1 year ago

Null crash [@ nsGlobalWindow::ClearDocumentDependentSlots]

Categories

(Core :: DOM: Core & HTML, defect, P3)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(2 files, 1 obsolete file)

trigger.html
425 bytes, text/html
Details
prefs.js
9.96 KB, application/javascript
Details
Attached file trigger.html (obsolete) — 
Testcase found while fuzzing mozilla-central rev c2248f853469.

==23861==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fdcc73fa97f bp 0x7ffe6164fe30 sp 0x7ffe6164fd60 T0)
==23861==The signal is caused by a WRITE memory access.
==23861==Hint: address points to the zero page.
    #0 0x7fdcc73fa97e in ClearDocumentDependentSlots /builds/worker/workspace/build/src/dom/base/nsGlobalWindowInner.cpp:7295:5
    #1 0x7fdcc73fa97e in nsGlobalWindowInner::InnerSetNewDocument(JSContext*, nsIDocument*) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowInner.cpp:1726
    #2 0x7fdcc7451596 in nsGlobalWindowOuter::SetNewDocument(nsIDocument*, nsISupports*, bool) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:2018:23
    #3 0x7fdccc16cf4b in nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:928:22
    #4 0x7fdccc16c337 in nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:659:10
    #5 0x7fdccf4fb4b1 in nsDocShell::SetupNewViewer(nsIContentViewer*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9663:7
    #6 0x7fdccf4f9e5b in nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7480:17
    #7 0x7fdccf5088da in nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal*, nsIURI*, bool, bool) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:8361:14
    #8 0x7fdccf49fed7 in nsDocShell::EnsureContentViewer() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:8216:17
    #9 0x7fdccf4d9a47 in GetDocument /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:4728:3
    #10 0x7fdccf4d9a47 in non-virtual thunk to nsDocShell::GetDocument() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #11 0x7fdcc747a239 in MaybeCreateDoc /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:7861:48
    #12 0x7fdcc747a239 in GetDoc /builds/worker/workspace/build/src/obj-firefox/dist/include/nsPIDOMWindow.h:882
    #13 0x7fdcc747a239 in nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsIDocShellLoadInfo*, bool, nsPIDOMWindowOuter**) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:7260
    #14 0x7fdcc74789fd in OpenJS /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:5613:10
    #15 0x7fdcc74789fd in nsGlobalWindowOuter::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:5588
    #16 0x7fdcc74191c2 in nsGlobalWindowInner::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowInner.cpp:3759:3
    #17 0x7fdcc8db0954 in mozilla::dom::WindowBinding::open(JSContext*, JS::Handle<JSObject*>, nsGlobalWindowInner*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:2190:56
    #18 0x7fdcc8daed50 in mozilla::dom::WindowBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:15333:13
    #19 0x7fdc7bdee1a5  (<unknown module>)
Flags: in-testsuite?
Hi John,
Per the test case, this issue could be custom elements related. Please help take a look, thank you.
Flags: needinfo?(jdai)
Priority: -- → P2
Sure, I'll take a look. Keep NI for tracking.
Unfortunately, I had no luck reproducing this crash by enable dom.webcomponents.customelements.enabled and dom.webcomponents.enabled preference. However, I still can get a JavaScript error: file:///home/john/Downloads/trigger.html, line 7: too much recursion. This error also happens on Chrome and Safari. Did I miss something to reproduce this crash?
Flags: needinfo?(jdai) → needinfo?(jkratzer)
Attached file trigger.html 
Apologies - it looks like I attached a broken testcase.  Please try again with this one.
Attachment #8932739 - Attachment is obsolete: true
Flags: needinfo?(jkratzer)
NI John to inform him the updated test case.
Flags: needinfo?(jdai)
(In reply to Hsin-Yi Tsai [:hsinyi] from comment #5)
> NI John to inform him the updated test case.

This time, I enable dom.webcomponents.customelements.enabled and allow pop up windows with updated test case. Unfortunately, it doesn't get any crash. Did I miss anything to reproduce this bug?
Flags: needinfo?(jdai) → needinfo?(jkratzer)
Attached file prefs.js 
Flags: needinfo?(jkratzer)

    
    

    
  
(In reply to John Dai[:jdai] from comment #6)
> (In reply to Hsin-Yi Tsai [:hsinyi] from comment #5)
> > NI John to inform him the updated test case.
> 
> This time, I enable dom.webcomponents.customelements.enabled and allow pop
> up windows with updated test case. Unfortunately, it doesn't get any crash.
> Did I miss anything to reproduce this bug?

I've just confirmed that this issue still repros.  Please try again using the attached prefs.js.

    
    

    
  
In a debug build, I get:

[Child 10607, Main Thread] WARNING: Overrecursion in SetNewDocument: file /home/bzbarsky/mozilla/debug/mozilla/dom/base/nsGlobalWindowOuter.cpp, line 1671
[Child 10607, Main Thread] WARNING: ContentViewer Initialization failed: file /home/bzbarsky/mozilla/debug/mozilla/docshell/base/nsDocShell.cpp, line 8813
[Child 10607, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file /home/bzbarsky/mozilla/debug/mozilla/docshell/base/nsDocShell.cpp, line 6633
[Child 10607, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file /home/bzbarsky/mozilla/debug/mozilla/docshell/base/nsDocShell.cpp, line 7515
[Child 10607, Main Thread] WARNING: NS_ENSURE_TRUE(mContentViewer) failed: file /home/bzbarsky/mozilla/debug/mozilla/docshell/base/nsDocShell.cpp, line 7367
[Child 10607, Main Thread] WARNING: NS_ENSURE_SUCCESS(EnsureContentViewer(), NS_ERROR_FAILURE) failed with result 0x8000FFFF: file /home/bzbarsky/mozilla/debug/mozilla/docshell/base/nsDocShell.cpp, line 4967
Assertion failure: presShell, at /home/bzbarsky/mozilla/debug/mozilla/dom/ipc/TabChild.cpp:1453

That's coming from https://searchfox.org/mozilla-central/rev/eac6295c397133b7346822ad31867197e30d7e94/dom/base/nsGlobalWindowOuter.cpp#1670 failing due to the testcase setting up a deep stack.  The custom element bits are only relevant for that deep stack bit, due to creating a "custom-something" element in the constructor for a "custom-something" element.

The relevant TabChild code is:

  nsCOMPtr<nsIPresShell> presShell = GetPresShell();
  MOZ_ASSERT(presShell);

but GetPresShell() does:

  if (nsCOMPtr<nsIDocument> doc = GetDocument()) {
    result = doc->GetShell();
  }
  return result.forget();

so can return null if GetDocument() does.  And GetDocument() calls nsDocShell::GetDocument which is what ends up with the failing EnsureContentViewer() and returns null.   So that "MOZ_ASSERT(presShell)" seems bogus to me.

If I comment out that assert, then I'm not getting a crash in a debug build.   The testcase opens a lot of tabs, but no obvious crash...
Component: DOM → DOM: Core & HTML

    
  
Severity: critical → S2

    
    

    
  
I wasn't able to reproduce a crash. Custom elements don't appear to be behind a crash. This test case seems to spam open a ton of windows so I don't know if that's something we're really going to be able to avoid in general.


Severity: S2 → S3
Priority: P2 → P3

    
    

    
  
This issue hasn't been seen by the fuzzers since 2022/02/02.  I'll close this for now and if we see it again I'll file a new issue.


Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: