Open Bug 1441259 Opened 2 years ago Updated 2 years ago

crash near null in [@ attachVRController]

Categories

(Core :: WebVR, defect, P2)

defect

Tracking


Tracking Status
firefox60 --- affected

People

(Reporter: tsmith, Assigned: kip)

References

(Blocks 1 open bug)

Details

(Keywords: crash, Whiteboard: [fuzzblocker])

Attachments

(1 file)

10.78 KB, application/x-javascript
Attached file prefs.js
Found in m-c:
BuildID=20180221215042
SourceStamp=994a684a7564c2735d98d6910a78d079a68f0b25

Running cross_fuzz triggers this crash very quickly with the attached prefs file. http://lcamtuf.coredump.cx/cross_fuzz/

==8943==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7f9474948dbf bp 0x7ffe357e8990 sp 0x7ffe357e8960 T0)
==8943==The signal is caused by a READ memory access.
==8943==Hint: address points to the zero page.
    #0 0x7f9474948dbe in exposeToActiveJS src/obj-firefox/dist/include/js/RootingAPI.h:274:43
    #1 0x7f9474948dbe in get src/obj-firefox/dist/include/js/RootingAPI.h:277
    #2 0x7f9474948dbe in operator JSObject *const & src/obj-firefox/dist/include/js/RootingAPI.h:268
    #3 0x7f9474948dbe in PromiseObj src/obj-firefox/dist/include/mozilla/dom/Promise.h:152
    #4 0x7f9474948dbe in mozilla::dom::ToJSValue(JSContext*, mozilla::dom::Promise&, JS::MutableHandle<JS::Value>) src/dom/bindings/ToJSValue.cpp:69
    #5 0x7f9473a473a0 in ToJSValue<mozilla::dom::Promise> src/obj-firefox/dist/include/mozilla/dom/ToJSValue.h:211:10
    #6 0x7f9473a473a0 in attachVRController src/obj-firefox/dom/bindings/VRServiceTestBinding.cpp:1479
    #7 0x7f9473a473a0 in mozilla::dom::VRServiceTestBinding::attachVRController_promiseWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::dom::VRServiceTest*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/VRServiceTestBinding.cpp:1488
    #8 0x7f9474934daf in mozilla::dom::GenericPromiseReturningBindingMethod(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3073:13
    #9 0x7f947b38d758 in CallJSNative src/js/src/vm/JSContext-inl.h:290:15
    #10 0x7f947b38d758 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:468
    #11 0x7f947b38e7c2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:536:10
    #12 0x7f947bf7b192 in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const src/js/src/proxy/Wrapper.cpp:175:12
    #13 0x7f947bf264cd in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const src/js/src/proxy/CrossCompartmentWrapper.cpp:359:23
    #14 0x7f947bf59181 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) src/js/src/proxy/Proxy.cpp:510:21
    #15 0x7f947bf5ba14 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) src/js/src/proxy/Proxy.cpp:769:12
    #16 0x7f947b38def1 in CallJSNative src/js/src/vm/JSContext-inl.h:290:15
    #17 0x7f947b38def1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:450
    #18 0x7f947b372ec0 in CallFromStack src/js/src/vm/Interpreter.cpp:523:12
    #19 0x7f947b372ec0 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3091
    #20 0x7f947b35f6fa in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:418:12
    #21 0x7f947b390754 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) src/js/src/vm/Interpreter.cpp:701:15
    #22 0x7f947b3f8015 in js::DirectEvalStringFromIon(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Handle<JS::Value>, JS::Handle<JSString*>, unsigned char*, JS::MutableHandle<JS::Value>) src/js/src/builtin/Eval.cpp:401:12
    #23 0x18d7e011965f  (<unknown module>)
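A small triage helper, added here and not part of the bug or of Mozilla's tooling, that derives this bug's title from the ASan output above: it classifies the fault address as near-null, records the access type, and skips the inlined handle/ToJSValue frames (an assumed skip list) to pick the signature frame.

```python
import re

# Sample input: the ASan header and first frames, copied from this bug's report.
ASAN_REPORT = """\
==8943==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7f9474948dbf bp 0x7ffe357e8990 sp 0x7ffe357e8960 T0)
==8943==The signal is caused by a READ memory access.
==8943==Hint: address points to the zero page.
    #0 0x7f9474948dbe in exposeToActiveJS src/obj-firefox/dist/include/js/RootingAPI.h:274:43
    #1 0x7f9474948dbe in get src/obj-firefox/dist/include/js/RootingAPI.h:277
    #2 0x7f9474948dbe in operator JSObject *const & src/obj-firefox/dist/include/js/RootingAPI.h:268
    #3 0x7f9474948dbe in PromiseObj src/obj-firefox/dist/include/mozilla/dom/Promise.h:152
    #4 0x7f9474948dbe in mozilla::dom::ToJSValue(JSContext*, mozilla::dom::Promise&, JS::MutableHandle<JS::Value>) src/dom/bindings/ToJSValue.cpp:69
    #5 0x7f9473a473a0 in ToJSValue<mozilla::dom::Promise> src/obj-firefox/dist/include/mozilla/dom/ToJSValue.h:211:10
    #6 0x7f9473a473a0 in attachVRController src/obj-firefox/dom/bindings/VRServiceTestBinding.cpp:1479
"""

# Assumption: a fault address inside the first page is treated as a null-pointer dereference.
NEAR_NULL_LIMIT = 0x1000

# Assumption: these inlined handle/conversion helpers carry no blame, so the first frame
# that is not one of them becomes the crash signature (here: attachVRController).
PLUMBING = {"exposeToActiveJS", "get", "PromiseObj", "ToJSValue", "mozilla::dom::ToJSValue"}

# "#N 0xADDR in <function> <file>:<line>[:<col>]"; the function name may contain spaces.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(.+?)\s+(\S+:\d+(?::\d+)?)\s*$")


def is_plumbing(func):
    """True for frames that are only smart-pointer or ToJSValue plumbing."""
    base = func.split("(")[0].split("<")[0]
    return base in PLUMBING or func.startswith("operator ")


def triage(report):
    """Classify one ASan SEGV report; returns None if the report is not a SEGV."""
    m = re.search(r"SEGV on unknown address 0x([0-9a-fA-F]+)", report)
    if not m:
        return None
    addr = int(m.group(1), 16)
    access = re.search(r"caused by a (READ|WRITE) memory access", report)
    frames = [FRAME_RE.match(line).groups() for line in report.splitlines() if FRAME_RE.match(line)]
    signature = next((f for _, f, _ in frames if not is_plumbing(f)), frames[0][1] if frames else "?")
    near_null = addr < NEAR_NULL_LIMIT
    return {
        "kind": "near-null" if near_null else "wild",
        "address": addr,
        "access": access.group(1) if access else "?",
        "zero_page_hint": "points to the zero page" in report,
        "signature": signature,
        "title": f"crash {'near null ' if near_null else ''}in [@ {signature}]",
    }
```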
kip, could you take a look and set a priority to remove this from triage? Thanks! (Does XR have its own component somewhere?)
Flags: needinfo?(kgilbert)
Anything VR/AR/MR/XR related can be filed in the "WebVR" component.

I'll investigate this one, first to verify if the crash is specific to our test harness (VRServiceTest) or if it can happen in normal use on real hardware.

Thanks for spotting this one!
Component: DOM → WebVR
Flags: needinfo?(kgilbert)
Priority: -- → P2
Assignee: nobody → kgilbert