Closed Bug 1421525 Opened 7 years ago Closed 2 years ago

Null crash [@ nsGlobalWindow::ClearDocumentDependentSlots]

Categories

(Core :: DOM: Core & HTML, defect, P3)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(2 files, 1 obsolete file)

trigger.html
425 bytes, text/html
Details
prefs.js
9.96 KB, application/javascript
Details
Attached file trigger.html (obsolete) —
Testcase found while fuzzing mozilla-central rev c2248f853469. ==23861==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fdcc73fa97f bp 0x7ffe6164fe30 sp 0x7ffe6164fd60 T0) ==23861==The signal is caused by a WRITE memory access. ==23861==Hint: address points to the zero page. #0 0x7fdcc73fa97e in ClearDocumentDependentSlots /builds/worker/workspace/build/src/dom/base/nsGlobalWindowInner.cpp:7295:5 #1 0x7fdcc73fa97e in nsGlobalWindowInner::InnerSetNewDocument(JSContext*, nsIDocument*) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowInner.cpp:1726 #2 0x7fdcc7451596 in nsGlobalWindowOuter::SetNewDocument(nsIDocument*, nsISupports*, bool) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:2018:23 #3 0x7fdccc16cf4b in nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:928:22 #4 0x7fdccc16c337 in nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:659:10 #5 0x7fdccf4fb4b1 in nsDocShell::SetupNewViewer(nsIContentViewer*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9663:7 #6 0x7fdccf4f9e5b in nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7480:17 #7 0x7fdccf5088da in nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal*, nsIURI*, bool, bool) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:8361:14 #8 0x7fdccf49fed7 in nsDocShell::EnsureContentViewer() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:8216:17 #9 0x7fdccf4d9a47 in GetDocument /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:4728:3 #10 0x7fdccf4d9a47 in non-virtual thunk to nsDocShell::GetDocument() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp #11 0x7fdcc747a239 in MaybeCreateDoc /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:7861:48 #12 0x7fdcc747a239 in GetDoc /builds/worker/workspace/build/src/obj-firefox/dist/include/nsPIDOMWindow.h:882 #13 0x7fdcc747a239 in nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsIDocShellLoadInfo*, bool, nsPIDOMWindowOuter**) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:7260 #14 0x7fdcc74789fd in OpenJS /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:5613:10 #15 0x7fdcc74789fd in nsGlobalWindowOuter::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:5588 #16 0x7fdcc74191c2 in nsGlobalWindowInner::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowInner.cpp:3759:3 #17 0x7fdcc8db0954 in mozilla::dom::WindowBinding::open(JSContext*, JS::Handle<JSObject*>, nsGlobalWindowInner*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:2190:56 #18 0x7fdcc8daed50 in mozilla::dom::WindowBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:15333:13 #19 0x7fdc7bdee1a5 (<unknown module>)
Flags: in-testsuite?
Hi John, Per the test case, this issue could be custom elements related. Please help take a look, thank you.
Flags: needinfo?(jdai)
Priority: -- → P2
Sure, I'll take a look. Keep NI for tracking.
Unfortunately, I had no luck reproducing this crash by enable dom.webcomponents.customelements.enabled and dom.webcomponents.enabled preference. However, I still can get a JavaScript error: file:///home/john/Downloads/trigger.html, line 7: too much recursion. This error also happens on Chrome and Safari. Did I miss something to reproduce this crash?
Flags: needinfo?(jdai) → needinfo?(jkratzer)
Attached file trigger.html
Apologies - it looks like I attached a broken testcase. Please try again with this one.
Attachment #8932739 - Attachment is obsolete: true
Flags: needinfo?(jkratzer)
NI John to inform him the updated test case.
Flags: needinfo?(jdai)
(In reply to Hsin-Yi Tsai [:hsinyi] from comment #5) > NI John to inform him the updated test case. This time, I enable dom.webcomponents.customelements.enabled and allow pop up windows with updated test case. Unfortunately, it doesn't get any crash. Did I miss anything to reproduce this bug?
Flags: needinfo?(jdai) → needinfo?(jkratzer)
Attached file prefs.js
Flags: needinfo?(jkratzer)
(In reply to John Dai[:jdai] from comment #6) > (In reply to Hsin-Yi Tsai [:hsinyi] from comment #5) > > NI John to inform him the updated test case. > > This time, I enable dom.webcomponents.customelements.enabled and allow pop > up windows with updated test case. Unfortunately, it doesn't get any crash. > Did I miss anything to reproduce this bug? I've just confirmed that this issue still repros. Please try again using the attached prefs.js.
In a debug build, I get: [Child 10607, Main Thread] WARNING: Overrecursion in SetNewDocument: file /home/bzbarsky/mozilla/debug/mozilla/dom/base/nsGlobalWindowOuter.cpp, line 1671 [Child 10607, Main Thread] WARNING: ContentViewer Initialization failed: file /home/bzbarsky/mozilla/debug/mozilla/docshell/base/nsDocShell.cpp, line 8813 [Child 10607, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file /home/bzbarsky/mozilla/debug/mozilla/docshell/base/nsDocShell.cpp, line 6633 [Child 10607, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file /home/bzbarsky/mozilla/debug/mozilla/docshell/base/nsDocShell.cpp, line 7515 [Child 10607, Main Thread] WARNING: NS_ENSURE_TRUE(mContentViewer) failed: file /home/bzbarsky/mozilla/debug/mozilla/docshell/base/nsDocShell.cpp, line 7367 [Child 10607, Main Thread] WARNING: NS_ENSURE_SUCCESS(EnsureContentViewer(), NS_ERROR_FAILURE) failed with result 0x8000FFFF: file /home/bzbarsky/mozilla/debug/mozilla/docshell/base/nsDocShell.cpp, line 4967 Assertion failure: presShell, at /home/bzbarsky/mozilla/debug/mozilla/dom/ipc/TabChild.cpp:1453 That's coming from https://searchfox.org/mozilla-central/rev/eac6295c397133b7346822ad31867197e30d7e94/dom/base/nsGlobalWindowOuter.cpp#1670 failing due to the testcase setting up a deep stack. The custom element bits are only relevant for that deep stack bit, due to creating a "custom-something" element in the constructor for a "custom-something" element. The relevant TabChild code is: nsCOMPtr<nsIPresShell> presShell = GetPresShell(); MOZ_ASSERT(presShell); but GetPresShell() does: if (nsCOMPtr<nsIDocument> doc = GetDocument()) { result = doc->GetShell(); } return result.forget(); so can return null if GetDocument() does. And GetDocument() calls nsDocShell::GetDocument which is what ends up with the failing EnsureContentViewer() and returns null. So that "MOZ_ASSERT(presShell)" seems bogus to me. If I comment out that assert, then I'm not getting a crash in a debug build. The testcase opens a lot of tabs, but no obvious crash...
Component: DOM → DOM: Core & HTML
Severity: critical → S2

I wasn't able to reproduce a crash. Custom elements don't appear to be behind a crash. This test case seems to spam open a ton of windows so I don't know if that's something we're really going to be able to avoid in general.

Severity: S2 → S3
Priority: P2 → P3

This issue hasn't been seen by the fuzzers since 2022/02/02. I'll close this for now and if we see it again I'll file a new issue.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: