Closed Bug 1516282 Opened 5 years ago Closed 5 years ago

crash near null in [@ mozilla::EventListenerManager::SetEventHandlerInternal]

Categories

(Core :: Storage: localStorage & sessionStorage, defect)

Type: defect
Priority: Not set
Severity: normal

Tracking

RESOLVED FIXED
mozilla67
Tracking Status
firefox-esr60 --- unaffected
firefox65 --- disabled
firefox66 --- disabled
firefox67 --- fixed

People

(Reporter: tsmith, Assigned: ytausky)

References

(Blocks 1 open bug)

Details

(Keywords: crash, sec-other, testcase, Whiteboard: [post-critsmash-triage])

Attachments

(1 file)

Attached file testcase.html
Could this be related to (or a dup of) bug 1516018 or bug 1516277? They appeared around the same time.

Marking as s-s to be safe since the above bugs are both s-s.

==29768==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000013 (pc 0x7f70afcd39bc bp 0x7ffc3c802b10 sp 0x7ffc3c8029c0 T0)
==29768==The signal is caused by a READ memory access.
==29768==Hint: address points to the zero page.
    #0 0x7f70afcd39bb in mozilla::EventListenerManager::SetEventHandlerInternal(nsAtom*, mozilla::TypedEventHandler const&, bool) src/dom/events/EventListenerManager.cpp
    #1 0x7f70afcdb950 in mozilla::EventListenerManager::SetEventHandler(nsAtom*, mozilla::dom::EventHandlerNonNull*) src/dom/events/EventListenerManager.cpp:1537:3
    #2 0x7f70af3160a8 in mozilla::dom::HTMLBodyElement_Binding::set_onstorage(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLBodyElement*, JSJitSetterCallArgs) src/obj-firefox/dom/bindings/HTMLBodyElementBinding.cpp:1540:9
    #3 0x7f70af622a10 in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3014:8
    #4 0x7f70b4c51315 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:443:13
    #5 0x7f70b4c508b7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:535:12
    #6 0x7f70b4c52368 in InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:590:10
    #7 0x7f70b4c5258e in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:606:8
    #8 0x7f70b4c53e42 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) src/js/src/vm/Interpreter.cpp:744:10
    #9 0x7f70b5250f75 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) src/js/src/vm/NativeObject.cpp:2945:8
    #10 0x7f70b525076f in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) src/js/src/vm/NativeObject.cpp:2974:14
    #11 0x7f70b4c6cb04 in js::SetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) src/js/src/vm/ObjectOperations-inl.h:283:10
    #12 0x7f70b4c80d28 in SetPropertyOperation(JSContext*, JSOp, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>) src/js/src/vm/Interpreter.cpp:266:10
    #13 0x7f70b4c3fd14 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3099:12
    #14 0x7f70b4c30bcb in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:423:10
    #15 0x7f70b4c508eb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:563:13
    #16 0x7f70b4c52368 in InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:590:10
    #17 0x7f70b4c5258e in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:606:8
    #18 0x7f70b576757a in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2649:10
    #19 0x7f70af0dfad3 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:265:37
    #20 0x7f70afcfedb4 in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #21 0x7f70afcfd586 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:205:12
    #22 0x7f70afcd6d76 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1043:51
    #23 0x7f70afcd8106 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1238:17
    #24 0x7f70afcc8e0a in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:350:17
    #25 0x7f70afcc7fb2 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:552:16
    #26 0x7f70afccb020 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1042:11
    #27 0x7f70afcce589 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp
    #28 0x7f70adca6829 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:1029:17
    #29 0x7f70ad894fea in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) src/dom/base/nsContentUtils.cpp:4065:28
    #30 0x7f70ad894d20 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) src/dom/base/nsContentUtils.cpp:4035:10
    #31 0x7f70affac5f1 in mozilla::dom::HTMLTrackElement::DispatchTrustedEvent(nsTSubstring<char16_t> const&) src/dom/html/HTMLTrackElement.cpp:429:3
    #32 0x7f70affcc9b5 in mozilla::detail::RunnableMethodImpl<mozilla::dom::HTMLTrackElement*, void (mozilla::dom::HTMLTrackElement::*)(nsTSubstring<char16_t> const&), true, (mozilla::RunnableKind)0, nsTString<char16_t> const>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1158:13
    #33 0x7f70ab052919 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:299:32
    #34 0x7f70ab0905a5 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1157:14
    #35 0x7f70ab09704c in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:468:10
    #36 0x7f70abe1cc25 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #37 0x7f70abd4c82c in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:314:10
    #38 0x7f70abd4c6a0 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289:3
    #39 0x7f70b16371ba in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #40 0x7f70b4a3a464 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:915:20
    #41 0x7f70abe1d8f9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:238:9
    #42 0x7f70abd4c82c in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:314:10
    #43 0x7f70abd4c6a0 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289:3
    #44 0x7f70b4a399f4 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:753:34
    #45 0x55bb876e1bf7 in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
    #46 0x55bb876e1e7e in main src/browser/app/nsBrowserApp.cpp:265:18
    #47 0x7f70cca2682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #48 0x55bb876079f4 in _start (firefox+0x349f4)
Flags: in-testsuite?
Blocks: 1286798
Component: DOM: Events → DOM: Web Storage
We can wait and see on those other bugs.
See Also: → 1516018, 1516277

sec-other because it's hidden while we investigate the similar bugs.

Keywords: sec-other

This was solved alongside bug 1516277.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Assignee: nobody → ytausky
Group: dom-core-security → core-security-release
Depends on: 1516277
Target Milestone: --- → mozilla67
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Group: core-security-release