AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/nsICookieSettings.h in GetCookieBehavior
Categories
(Core :: DOM: Core & HTML, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox66 | --- | unaffected |
| firefox67 | --- | wontfix |
| firefox68 | --- | fixed |
People
(Reporter: jkratzer, Assigned: baku)
References
(Blocks 2 open bugs)
Details
(Keywords: crash, regression, testcase)
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev f4c23517cec8.
==23099==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fab8f64c555 bp 0x7ffc45ed0010 sp 0x7ffc45ecfe00 T0)
==23099==The signal is caused by a READ memory access.
==23099==Hint: address points to the zero page.
#0 0x7fab8f64c554 in GetCookieBehavior /builds/worker/workspace/build/src/obj-firefox/dist/include/nsICookieSettings.h
#1 0x7fab8f64c554 in mozilla::dom::Document::RequestStorageAccess(mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/Document.cpp:12339
#2 0x7fab920b6ddd in requestStorageAccess /builds/worker/workspace/build/src/obj-firefox/dom/bindings/DocumentBinding.cpp:6604:45
#3 0x7fab920b6ddd in mozilla::dom::Document_Binding::requestStorageAccess_promiseWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Document*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/DocumentBinding.cpp:6618
#4 0x7fab92a2fa03 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3144:13
#5 0x7fab9a0a6db7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:442:13
#6 0x7fab9a0a6db7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534
#7 0x7fab9a08e4b7 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:593:10
#8 0x7fab9a08e4b7 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3075
#9 0x7fab9a071898 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:10
#10 0x7fab9a0a7726 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:562:13
#11 0x7fab9a0a9372 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:605:8
#12 0x7fab9aca4c19 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2623:10
#13 0x7fab9203b2e9 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
#14 0x7fab93290ff2 in HandleEvent<mozilla::dom::EventTarget > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#15 0x7fab93290ff2 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1038
#16 0x7fab93293623 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1237:17
#17 0x7fab932737a0 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:350:5
#18 0x7fab932737a0 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:351
#19 0x7fab932719c8 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:553:16
#20 0x7fab93278613 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1048:11
#21 0x7fab96120b77 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1102:7
#22 0x7fab98f646ec in nsDocShell::EndPageLoad(nsIWebProgress, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6560:21
#23 0x7fab98f63818 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6361:7
#24 0x7fab98f69387 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
#25 0x7fab8ddc3d55 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1313:3
#26 0x7fab8ddc293c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:872:14
#27 0x7fab8ddbcf71 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:710:9
#28 0x7fab8ddc0b90 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:598:5
#29 0x7fab8ddc2464 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
#30 0x7fab8b58a557 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:568:22
#31 0x7fab8f5e5fda in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/Document.cpp:7727:18
#32 0x7fab8f5e5fda in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/Document.cpp:7659
#33 0x7fab8f5e4a3f in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:4804:3
#34 0x7fab8f6e873b in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1122:12
#35 0x7fab8f6e873b in apply<mozilla::dom::Document, void (mozilla::dom::Document::)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1128
#36 0x7fab8f6e873b in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1174
#37 0x7fab8b2cb6a5 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
#38 0x7fab8b30af31 in nsThread::ProcessNextEvent(bool, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1179:14
#39 0x7fab8b31333d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:482:10
#40 0x7fab8c5b7c1f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#41 0x7fab8c48c4ce in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#42 0x7fab8c48c4ce in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#43 0x7fab8c48c4ce in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#44 0x7fab9588b353 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#45 0x7fab99dc843e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:911:20
#46 0x7fab8c48c4ce in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#47 0x7fab8c48c4ce in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#48 0x7fab8c48c4ce in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#49 0x7fab99dc7593 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:749:34
#50 0x55ea6b0eb874 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
#51 0x55ea6b0eb874 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:265
#52 0x7fabaea19b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
||
Comment 1•5 years ago
|
||
Hi :baku, this looks regressed from bug 1525245. Could you please take a look? Could we have a solution for 67? Thanks!
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Comment 2•5 years ago
|
||
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/74b3da8c8c6c Document should check if its mCookieSettings exists before using it, r=Ehsan
|
||
Comment 4•5 years ago
|
||
Backed out changeset 74b3da8c8c6c (Bug 1534343) for test_xmlDocument.html failures
Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=74b3da8c8c6c64fac8719bd54bc2bdaf9f672008&selectedJob=234622458
Backout link: https://hg.mozilla.org/integration/autoland/rev/66f76326e8d33aaf91c3422376abc72f953997d6
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=234622458&repo=autoland&lineNumber=1806
[task 2019-03-18T21:10:11.754Z] 21:10:11 INFO - 199 INFO TEST-START | netwerk/cookie/test/mochitest/test_xhr.html
[task 2019-03-18T21:10:42.423Z] 21:10:42 INFO - 200 INFO TEST-OK | netwerk/cookie/test/mochitest/test_xhr.html | took 34544ms
[task 2019-03-18T21:10:42.424Z] 21:10:42 INFO - 201 INFO TEST-START | netwerk/cookie/test/mochitest/test_xmlDocument.html
[task 2019-03-18T21:10:52.645Z] 21:10:52 INFO - 202 INFO TEST-UNEXPECTED-FAIL | netwerk/cookie/test/mochitest/test_xmlDocument.html | uncaught exception - TypeError: doc.requestStorageAccess is not a function at @https://example.com/tests/netwerk/cookie/test/mochitest/test_xmlDocument.html:12:5
[task 2019-03-18T21:10:52.646Z] 21:10:52 INFO - simpletestOnerror@https://example.com/tests/SimpleTest/SimpleTest.js:1665:24
[task 2019-03-18T21:10:52.646Z] 21:10:52 INFO - 203 INFO TEST-OK | netwerk/cookie/test/mochitest/test_xmlDocument.html | took 4465ms
|
|
Assignee | |
Updated•5 years ago
|
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a0fb9b7bcfe7 Document should check if its mCookieSettings exists before using it, r=Ehsan
|
||
Comment 6•5 years ago
|
||
Backed out changeset a0fb9b7bcfe7 (bug 1534343) for mochitest failures at netwerk/cookie/test/mochitest/test_xmlDocument.html
Backout: https://hg.mozilla.org/integration/autoland/rev/7da042469ac075f8504be068c505ff0a868a8b77
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=234745243&repo=autoland&lineNumber=1785
[task 2019-03-19T12:08:00.483Z] 12:08:00 INFO - 201 INFO TEST-START | netwerk/cookie/test/mochitest/test_xmlDocument.html
[task 2019-03-19T12:13:27.500Z] 12:13:27 INFO - 202 INFO TEST-UNEXPECTED-FAIL | netwerk/cookie/test/mochitest/test_xmlDocument.html | Test timed out.
[task 2019-03-19T12:13:27.500Z] 12:13:27 INFO - SimpleTest.ok@https://example.com/tests/SimpleTest/SimpleTest.js:275:18
[task 2019-03-19T12:13:27.501Z] 12:13:27 INFO - reportError@https://example.com/tests/SimpleTest/TestRunner.js:121:22
[task 2019-03-19T12:13:27.502Z] 12:13:27 INFO - TestRunner._checkForHangs@https://example.com/tests/SimpleTest/TestRunner.js:142:7
[task 2019-03-19T12:13:27.502Z] 12:13:27 INFO - 203 INFO TEST-OK | netwerk/cookie/test/mochitest/test_xmlDocument.html | took 328069ms
|
|
Assignee | |
Updated•5 years ago
|
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/bdefd9c7fc99 Document should check if its mCookieSettings exists before using it, r=Ehsan
|
|
||
Comment 8•5 years ago
|
||
Backed out changeset bdefd9c7fc99 (bug 1534343) for mochitest failures at netwerk/cookie/test/mochitest/test_xmlDocument.html on Android
Backout: https://hg.mozilla.org/integration/autoland/rev/22a25f360f553b9bff4fca2c29432c7771aa5832
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=234792959&repo=autoland&lineNumber=1916
task 2019-03-19T15:14:54.606Z] 15:14:54 INFO - 331 INFO TEST-START | netwerk/cookie/test/mochitest/test_xmlDocument.html
[task 2019-03-19T15:20:10.236Z] 15:20:10 INFO - 332 INFO TEST-UNEXPECTED-FAIL | netwerk/cookie/test/mochitest/test_xmlDocument.html | Test timed out.
[task 2019-03-19T15:20:10.236Z] 15:20:10 INFO - SimpleTest.ok@https://example.com/tests/SimpleTest/SimpleTest.js:275:18
[task 2019-03-19T15:20:10.237Z] 15:20:10 INFO - reportError@https://example.com/tests/SimpleTest/TestRunner.js:121:22
[task 2019-03-19T15:20:10.237Z] 15:20:10 INFO - TestRunner._checkForHangs@https://example.com/tests/SimpleTest/TestRunner.js:142:7
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/184c209dca37 Document should check if its mCookieSettings exists before using it, r=Ehsan
|
||
Comment 10•5 years ago
|
||
| bugherder | ||
|
||
Comment 11•5 years ago
|
||
No obvious signs of this crash in the wild, so I think this fix can ride the trains. Feel free to nominate if you feel strongly otherwise, however.
|
||
Updated•4 years ago
|
Description
•