Open Bug 1539304 Opened 1 year ago Updated 1 year ago

AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/script/ScriptSettings.cpp:388:46 in AutoJSAPI

Categories

(Core :: Audio/Video: Playback, defect, P2, critical)

defect

Tracking


Tracking Status
firefox68 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 4572f6055a6a.

The testcase relies on the FuzzingFunctions.garbageCollect() function, which is only available in builds configured with --enable-fuzzing. The testcase still triggers without that call, but it may take significantly longer.

==16358==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fab7346f61e bp 0x7fffae09b1b0 sp 0x7fffae09b130 T0)
==16358==The signal is caused by a READ memory access.
==16358==Hint: address points to the zero page.
#0 0x7fab7346f61d in AutoJSAPI /builds/worker/workspace/build/src/dom/script/ScriptSettings.cpp:388:46
#1 0x7fab7346f61d in mozilla::dom::AutoEntryScript::AutoEntryScript(nsIGlobalObject*, char const*, bool) /builds/worker/workspace/build/src/dom/script/ScriptSettings.cpp:566
#2 0x7fab7175dc76 in MaybeSomething<nsresult &> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Promise.h:242:21
#3 0x7fab7175dc76 in MaybeReject /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Promise.h:94
#4 0x7fab7175dc76 in mozilla::dom::PlayPromise::MaybeReject(nsresult) /builds/worker/workspace/build/src/dom/html/PlayPromise.cpp:105
#5 0x7fab7162f906 in RejectPromises /builds/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:200:14
#6 0x7fab7162f906 in mozilla::dom::HTMLMediaElement::nsResolveOrRejectPendingPlayPromisesRunner::ResolveOrReject() /builds/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:318
#7 0x7fab716b533f in mozilla::dom::HTMLMediaElement::nsResolveOrRejectPendingPlayPromisesRunner::Run() /builds/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:324:7
#8 0x7fab69212c65 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
#9 0x7fab692525e1 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
#10 0x7fab6925a9ed in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:482:10
#11 0x7fab6a53168f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#12 0x7fab6a407c5e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#13 0x7fab6a407c5e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#14 0x7fab6a407c5e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#15 0x7fab738b5eb3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#16 0x7fab77ea6c7e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:933:20
#17 0x7fab6a407c5e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#18 0x7fab6a407c5e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#19 0x7fab6a407c5e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#20 0x7fab77ea5e0c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:771:34
#21 0x563d1585a834 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#22 0x563d1585a834 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263
#23 0x7fab8cb68b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Flags: in-testsuite?

Debug builds fail the following assertion instead of crashing on the null read:

Assertion failure: PromiseObj(), at /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Promise.h:240

rax = 0x000055e20ad03e20 rdx = 0x0000000000000000
rcx = 0x00007fb900ed2c71 rbx = 0x00007fb8f4366ec0
rsi = 0x00007fb90ceae8b0 rdi = 0x00007fb90cead680
rbp = 0x00007ffc9927fcb0 rsp = 0x00007ffc9927fba0
r8 = 0x00007fb90ceae8b0 r9 = 0x00007fb90e00b740
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x00007fb903595e60 r13 = 0x00000000806e0001
r14 = 0x00007fb8f3fb1570 r15 = 0x00007fb8f2b7d510
rip = 0x00007fb8fde4ac55
OS|Linux|0.0.0 Linux 4.18.0-16-generic #17~18.04.1-Ubuntu SMP Tue Feb 12 13:35:51 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|mozilla::dom::PlayPromise::MaybeReject(nsresult)|hg:hg.mozilla.org/mozilla-central:dom/promise/Promise.h:4572f6055a6a9377d213afe14a26556e6c410344|93|0x0
0|1|libxul.so|mozilla::dom::RejectPromises|hg:hg.mozilla.org/mozilla-central:dom/html/HTMLMediaElement.cpp:4572f6055a6a9377d213afe14a26556e6c410344|200|0x13
0|2|libxul.so|mozilla::dom::HTMLMediaElement::nsResolveOrRejectPendingPlayPromisesRunner::Run()|hg:hg.mozilla.org/mozilla-central:dom/html/HTMLMediaElement.cpp:4572f6055a6a9377d213afe14a26556e6c410344|324|0x8
0|3|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:4572f6055a6a9377d213afe14a26556e6c410344|295|0x15
0|4|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:4572f6055a6a9377d213afe14a26556e6c410344|1180|0x15
0|5|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:4572f6055a6a9377d213afe14a26556e6c410344|482|0x11
0|6|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:4572f6055a6a9377d213afe14a26556e6c410344|88|0xa
0|7|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4572f6055a6a9377d213afe14a26556e6c410344|315|0x17
0|8|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4572f6055a6a9377d213afe14a26556e6c410344|308|0x8
0|9|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:4572f6055a6a9377d213afe14a26556e6c410344|137|0xd
0|10|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:4572f6055a6a9377d213afe14a26556e6c410344|933|0x11
0|11|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:4572f6055a6a9377d213afe14a26556e6c410344|238|0x5
0|12|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4572f6055a6a9377d213afe14a26556e6c410344|315|0x17
0|13|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4572f6055a6a9377d213afe14a26556e6c410344|308|0x8
0|14|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:4572f6055a6a9377d213afe14a26556e6c410344|771|0xc
0|15|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:4572f6055a6a9377d213afe14a26556e6c410344|56|0x14
0|16|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:4572f6055a6a9377d213afe14a26556e6c410344|263|0x11
0|17|libc-2.27.so||||0x21b97
0|18|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:4572f6055a6a9377d213afe14a26556e6c410344|184|0x5

Component: DOM: Core & HTML → Audio/Video
Component: Audio/Video → Audio/Video: Playback
Priority: -- → P2