1422409 - AddressSanitizer: SEGV dom/base/nsDocument.cpp:7798 in nsIDocument::GetURL(nsTString<char16_t>&) const

Status: NEW

(Core :: DOM: Core & HTML, defect, P3)

Description

[Raymond Forbes[:rforbes]]

testcase found by fuzzing on mozilla-central rev f5f03ee9e6ab

==40867==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000a0 (pc 0x7fc533d36750 bp 0x7ffcb632bc70 sp 0x7ffcb632bb60 T0)
==40867==The signal is caused by a READ memory access.
==40867==Hint: address points to the zero page.
    #0 0x7fc533d3674f in nsIDocument::GetURL(nsTString<char16_t>&) const /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:7798
    #1 0x7fc533a1d485 in nsGlobalWindowOuter::CloseOuter(bool) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:5984:23
    #2 0x7fc533a1de91 in Close /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:6032:3
    #3 0x7fc533a1de91 in non-virtual thunk to nsGlobalWindowOuter::Close() /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp
    #4 0x7fc53b9f2569 in MaybeCloseWindowHelper::Notify(nsITimer*) /builds/worker/workspace/build/src/docshell/base/nsDSURIContentListener.cpp:78:19
    #5 0x7fc530bdea1c in nsTimerImpl::Fire(int) /builds/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:704:40
    #6 0x7fc530bae079 in nsTimerEvent::Run() /builds/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:286:11
    #7 0x7fc530bbdbee in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1033:14
    #8 0x7fc530bd9970 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:508:10
    #9 0x7fc53753febc in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1071:24)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:323:25
    #10 0x7fc53753febc in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::TabChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1071
    #11 0x7fc5375ca8d5 in mozilla::dom::TabChild::ProvideWindow(mozIDOMWindowProxy*, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1059:16
    #12 0x7fc53c46b2e6 in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:852:24
    #13 0x7fc53c47041c in OpenWindow2 /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:444:10
    #14 0x7fc53c47041c in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp
    #15 0x7fc533a19385 in nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsIDocShellLoadInfo*, bool, nsPIDOMWindowOuter**) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:7205:21
    #16 0x7fc533a181ad in OpenJS /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:5613:10
    #17 0x7fc533a181ad in nsGlobalWindowOuter::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:5588
    #18 0x7fc5339b8972 in nsGlobalWindowInner::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowInner.cpp:3757:3
    #19 0x7fc5353105d4 in mozilla::dom::WindowBinding::open(JSContext*, JS::Handle<JSObject*>, nsGlobalWindowInner*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:2190:56
    #20 0x7fc53530e9d0 in mozilla::dom::WindowBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:15333:13
    #21 0x1587dc808165  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:7798 in nsIDocument::GetURL(nsTString<char16_t>&) const

Comment 1

[Raymond Forbes[:rforbes]]

Attachment: testcase

Comment 2

[Raymond Forbes[:rforbes]]

Attachment: 1015563-1.html

Comment 3

[Raymond Forbes[:rforbes]]

Attachment: prefs.js

Comment 4

[Hsin-Yi Tsai (she/her) [:hsinyi]]

Nika, do you have ideas of what's up here?

Comment 5

[Bugmon [:jkratzer for issues]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210223085042-916497e295fe.

Comment 6

[Jens Stutte [:jstutte]]

Can we have an updated stack or even better a pernosco session here? Thanks!

Comment 7

[Jason Kratzer [:jkratzer]]

The testcase now triggers the following crash which appears to be a duplicate of bug 1405521. I'm working on getting a pernsoco session for this issue and will link it here once complete.

    #0 0x7f434693e1f7 in ClearDocumentDependentSlots /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:7240:5
    #1 0x7f434693e1f7 in nsGlobalWindowInner::InitDocumentDependentState(JSContext*) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:1749:3
    #2 0x7f43469860cb in nsGlobalWindowOuter::SetNewDocument(mozilla::dom::Document*, nsISupports*, bool, mozilla::dom::WindowGlobalChild*) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:2408:23
    #3 0x7f434b67564a in nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::dom::WindowGlobalChild*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:916:22
    #4 0x7f434b674bfa in nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::dom::WindowGlobalChild*) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:700:10
    #5 0x7f434e0cdbd0 in nsDocShell::SetupNewViewer(nsIContentViewer*, mozilla::dom::WindowGlobalChild*) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:8246:7
    #6 0x7f434e0ccc5c in nsDocShell::Embed(nsIContentViewer*, mozilla::dom::WindowGlobalChild*, bool, bool) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5758:17
    #7 0x7f434e0d8752 in nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal*, nsIPrincipal*, nsIContentSecurityPolicy*, nsIURI*, mozilla::Maybe<nsILoadInfo::CrossOriginEmbedderPolicy> const&, bool, bool, mozilla::dom::WindowGlobalChild*) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6826:14
    #8 0x7f434e09ba06 in nsDocShell::EnsureContentViewer() /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6643:17
    #9 0x7f434e0b5a77 in GetDocument /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:3240:3
    #10 0x7f434e0b5a77 in non-virtual thunk to nsDocShell::GetDocument() /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
    #11 0x7f43469b38d8 in nsPIDOMWindowOuter::MaybeCreateDoc() /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:7582:45
    #12 0x7f43469a7f15 in nsPIDOMWindowOuter::GetDoc() /builds/worker/checkouts/gecko/dom/base/nsPIDOMWindow.h:851:7
    #13 0x7f43469a3a47 in nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsDocShellLoadState*, bool, nsGlobalWindowOuter::PrintKind, mozilla::dom::BrowsingContext**) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:7101:39
    #14 0x7f43469a869f in nsGlobalWindowOuter::OpenJS(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::dom::BrowsingContext**) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:5721:10
    #15 0x7f43469a80ee in nsGlobalWindowOuter::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:5685:17
    #16 0x7f4346952098 in nsGlobalWindowInner::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:3995:3
    #17 0x7f4347f73094 in mozilla::dom::Window_Binding::open(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:2712:59
    #18 0x7f43486d21c5 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3235:13
    #19 0x3179d820795f  (<unknown module>)

Comment 8

[Jason Kratzer [:jkratzer]]

A pernosco session for this bug can be found at:
https://pernos.co/debug/9JBcw4RzjYy86q-bwT4fog/index.html

Comment 9

[Jens Stutte [:jstutte]]

It seems, we have a similar situation here as in bug 1445974: An over-recursion that gets reported in the log but continues.

Comment 10

[Jens Stutte [:jstutte]]

And this happens also in the wild, it seems from bug 1405521.