Closed
Bug 1429465
Opened 6 years ago
Closed 6 years ago
Crash near null [@ xpc::WrapperFactory::PrepareForWrapping]
Categories
(Core :: XPConnect, defect, P2)
Tracking
()
RESOLVED
INCOMPLETE
| Tracking | Status | |
|---|---|---|
| firefox59 | --- | affected |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash)
Attachments
(1 file)
|
1.80 KB,
text/html
|
Details |
Found while fuzzing mozilla-central rev b98c074c0b72. I don't currently have a testcase but will update if one becomes available.
Marking as SS just in case.
==28601==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000d (pc 0x7fc8f9862486 bp 0x7fff4bc48ff0 sp 0x7fff4bc48be0 T0)
==28601==The signal is caused by a READ memory access.
==28601==Hint: address points to the zero page.
#0 0x7fc8f9862485 in xpc::WrapperFactory::PrepareForWrapping(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>) /builds/worker/workspace/build/src/js/xpconnect/wrappers/WrapperFactory.cpp:199:43
#1 0x7fc9048b8f14 in JSCompartment::getNonWrapperObjectForCurrentCompartment(JSContext*, JS::MutableHandle<JSObject*>) /builds/worker/workspace/build/src/js/src/jscompartment.cpp:407:9
#2 0x7fc90486cdc1 in JSCompartment::wrap(JSContext*, JS::MutableHandle<JSObject*>) /builds/worker/workspace/build/src/js/src/jscompartment.cpp:473:10
#3 0x7fc903e99167 in JSCompartment::wrap(JSContext*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jscompartmentinlines.h:155:10
#4 0x7fc9048a5ddd in JSContext::getPendingException(JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jscntxt.cpp:1428:25
#5 0x7fc8ff1eb5ed in PeekException /builds/worker/workspace/build/src/dom/script/ScriptSettings.cpp:643:8
#6 0x7fc8ff1eb5ed in StealException /builds/worker/workspace/build/src/dom/script/ScriptSettings.cpp:652
#7 0x7fc8ff1eb5ed in mozilla::dom::AutoJSAPI::ReportException() /builds/worker/workspace/build/src/dom/script/ScriptSettings.cpp:590
#8 0x7fc8ff1eaf18 in mozilla::dom::AutoJSAPI::~AutoJSAPI() /builds/worker/workspace/build/src/dom/script/ScriptSettings.cpp:327:3
#9 0x7fc8ff1df2ac in mozilla::dom::ScriptLoader::AttemptAsyncScriptCompile(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1843:1
#10 0x7fc8ff1daa3b in CompileOffThreadOrProcessRequest /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1855:17
#11 0x7fc8ff1daa3b in mozilla::dom::ScriptLoader::ProcessPendingRequests() /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2599
#12 0x7fc8ff1c8ea7 in mozilla::dom::ScriptLoader::OnStreamComplete(nsIIncrementalStreamLoader*, mozilla::dom::ScriptLoadRequest*, nsresult, nsresult, mozilla::dom::SRICheckDataVerifier*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2948:3
#13 0x7fc8ff1c7303 in mozilla::dom::ScriptLoadHandler::OnStreamComplete(nsIIncrementalStreamLoader*, nsISupports*, nsresult, unsigned int, unsigned char const*) /builds/worker/workspace/build/src/dom/script/ScriptLoadHandler.cpp:385:23
#14 0x7fc8f80c19d7 in nsIncrementalStreamLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsIncrementalStreamLoader.cpp:102:30
#15 0x7fc8f99eca2b in nsJARChannel::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/modules/libjar/nsJARChannel.cpp:1111:20
#16 0x7fc8f99f261c in non-virtual thunk to nsJARChannel::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/modules/libjar/nsJARChannel.cpp
#17 0x7fc8f80ca17b in nsInputStreamPump::OnStateStop() /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:700:20
#18 0x7fc8f80c84c6 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:428:25
#19 0x7fc8f7e9ca92 in nsInputStreamReadyEvent::Run() /builds/worker/workspace/build/src/xpcom/io/nsStreamUtils.cpp:97:20
#20 0x7fc8f7f0a706 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
#21 0x7fc8f7f261f0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:510:10
#22 0x7fc8f7f09162 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:796:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:323:25
#23 0x7fc8f7f09162 in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:796
#24 0x7fc8fdc03d8a in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:139:14
#25 0x7fc8f7ee6acb in mozilla::EventTargetWrapper::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:150:32
#26 0x7fc8f7f0a706 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
#27 0x7fc8f7f261f0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:510:10
#28 0x7fc8ff183573 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3110:31)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:323:25
#29 0x7fc8ff183573 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3110
#30 0x7fc8ff184c44 in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2895:11
#31 0x7fc8fc8a9eee in mozilla::dom::XMLHttpRequestBinding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1249:9
#32 0x7fc8fd1c6027 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3042:13
#33 0x7fc8a6b606e5 (<unknown module>)Flags: in-testsuite?
|
Reporter | |
Comment 1•6 years ago
|
||
Our reducers produced the following testcase but it doesn't work for me. Adding in the hopes that it'll help pinpoint this issue.
|
||
Updated•6 years ago
|
Group: dom-core-security
|
|
||
Updated•6 years ago
|
Priority: -- → P2
|
|
||
Comment 2•6 years ago
|
||
Since there's been no reproduceable test case and we don't have much to go on, I'm going to mark this as incomplete.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
|
||
Updated•4 years ago
|
Group: dom-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•