Closed Bug 1466972 Opened 6 years ago Closed 6 years ago

Crash at null in [@ xpc::XrayTraits::attachExpandoObject]

Categories

(Core :: XPConnect, defect)

Not set
normal

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox62 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file testcase.html
reduced with m-c:
BuildID=20180605135234
SourceStamp=752465b44c793318cef36df46ca5ff00c3d8854a

==42893==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f00425108a4 bp 0x7ffc762f8330 sp 0x7ffc762f7f80 T0)
==42893==The signal is caused by a READ memory access.
==42893==Hint: address points to the zero page.
    #0 0x7f00425108a3 in xpc::XrayTraits::attachExpandoObject(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, nsIPrincipal*) src/js/xpconnect/wrappers/XrayWrapper.cpp:1222
    #1 0x7f0042511799 in xpc::XrayTraits::cloneExpandoChain(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>) src/js/xpconnect/wrappers/XrayWrapper.cpp:1332:34
    #2 0x7f004252315f in xpc::TransplantObjectRetainingXrayExpandos(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>) src/js/xpconnect/wrappers/WrapperFactory.cpp:666:38
    #3 0x7f00462f1917 in mozilla::dom::ReparentWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::ErrorResult&) src/dom/bindings/BindingUtils.cpp:2346:10
    #4 0x7f0043fa2bd8 in nsNodeUtils::CloneAndAdopt(nsINode*, bool, bool, nsNodeInfoManager*, JS::Handle<JSObject*>, nsCOMArray<nsINode>*, nsINode*, mozilla::ErrorResult&) src/dom/base/nsNodeUtils.cpp:580:9
    #5 0x7f0043fa338e in nsNodeUtils::CloneAndAdopt(nsINode*, bool, bool, nsNodeInfoManager*, JS::Handle<JSObject*>, nsCOMArray<nsINode>*, nsINode*, mozilla::ErrorResult&) src/dom/base/nsNodeUtils.cpp:613:9
    #6 0x7f0043fa338e in nsNodeUtils::CloneAndAdopt(nsINode*, bool, bool, nsNodeInfoManager*, JS::Handle<JSObject*>, nsCOMArray<nsINode>*, nsINode*, mozilla::ErrorResult&) src/dom/base/nsNodeUtils.cpp:613:9
    #7 0x7f0043e81bad in Adopt src/dom/base/nsNodeUtils.h:220:30
    #8 0x7f0043e81bad in nsIDocument::AdoptNode(nsINode&, mozilla::ErrorResult&) src/dom/base/nsDocument.cpp:7105
    #9 0x7f0045ae23b2 in mozilla::dom::DocumentBinding::adoptNode(JSContext*, JS::Handle<JSObject*>, nsIDocument*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/DocumentBinding.cpp:1634:45
    #10 0x7f00462de8f1 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3285:13
    #11 0x7f004cba8957 in CallJSNative src/js/src/vm/JSContext-inl.h:274:15
    #12 0x7f004cba8957 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:471
    #13 0x7f004cb934ec in CallFromStack src/js/src/vm/Interpreter.cpp:526:12
    #14 0x7f004cb934ec in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3122
    #15 0x7f004cb79536 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:421:12
    #16 0x7f004cba86d5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:493:15
    #17 0x7f004cba9952 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:539:10
    #18 0x7f004d6c7d5a in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2969:12
    #19 0x7f0045a8e429 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:264:37
    #20 0x7f0046a481ca in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #21 0x7f0046a45b34 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:214:12
    #22 0x7f0046a0c4fd in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1124:52
    #23 0x7f0046a0dc30 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*) src/dom/events/EventListenerManager.cpp:1298:20
    #24 0x7f00469f61b1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:620:16
    #25 0x7f00469fb730 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1086:9
    #26 0x7f0048cfc768 in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1166:7
    #27 0x7f004be79022 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:7161:21
    #28 0x7f004be75449 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:6954:7
    #29 0x7f004be7cc4f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
    #30 0x7f0042aca6d7 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1309:3
    #31 0x7f0042ac975a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:852:14
    #32 0x7f0042ac6338 in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:741:9
    #33 0x7f0042ac82fc in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:627:5
    #34 0x7f0042ac931c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
    #35 0x7f0040f4aeda in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:629:28
    #36 0x7f0043e8d8ba in DoUnblockOnload src/dom/base/nsDocument.cpp:8343:18
    #37 0x7f0043e8d8ba in nsDocument::UnblockOnload(bool) src/dom/base/nsDocument.cpp:8265
    #38 0x7f00480d1419 in nsBindingManager::DoProcessAttachedQueue() src/dom/xbl/nsBindingManager.cpp:414:10
    #39 0x7f00481345b4 in applyImpl<nsBindingManager, void (nsBindingManager::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1165:12
    #40 0x7f00481345b4 in apply<nsBindingManager, void (nsBindingManager::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1171
    #41 0x7f00481345b4 in mozilla::detail::RunnableMethodImpl<nsBindingManager*, void (nsBindingManager::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1216
    #42 0x7f0040d3cbb1 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
    #43 0x7f0040d5bd16 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1088:14
    #44 0x7f0040d77f30 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #45 0x7f0041c5bb7a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #46 0x7f0041bb0b19 in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #47 0x7f0041bb0b19 in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #48 0x7f0041bb0b19 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #49 0x7f004865ba7a in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #50 0x7f004c8debeb in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #51 0x7f0041bb0b19 in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #52 0x7f0041bb0b19 in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #53 0x7f0041bb0b19 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #54 0x7f004c8de5b0 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #55 0x4f16e5 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #56 0x4f16e5 in main src/browser/app/nsBrowserApp.cpp:282
    #57 0x7f00605bd82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #58 0x420db8 in _start (firefox+0x420db8)
Flags: in-testsuite?
Crash Signature: [@ xpc::XrayTraits::attachExpandoObject]
Jan, can you see if this crashes with your recent work here?
Flags: needinfo?(jdemooij)
(In reply to Andrew Overholt [:overholt] from comment #1)
> Jan, can you see if this crashes with your recent work here?

None of my changes should affect this. However I just tried the testcase in a debug build on Mac and it doesn't crash for me. Tyson, does this still repro for you?
Flags: needinfo?(jdemooij) → needinfo?(twsmith)
I cannot reproduce the crash.
Tested with m-c:
BuildID=20180723154916
SourceStamp=ff3fab43d24dfdaa8971d92cc4caaf4dc9f54dba
Flags: needinfo?(twsmith)
Any idea what change fixed it or should it be marked as WORKSFORME?
I think we can close this then, yeah.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Resolution: WONTFIX → WORKSFORME