1541085 - Crash [@get] near [@GetOuterWindow]

Status: RESOLVED FIXED

(Core :: DOM: Web Authentication, defect, P1)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev ea0977445697.

==8259==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7fa68a759dd1 bp 0x7ffdb9e8c870 sp 0x7ffdb9e8c830 T0)
==8259==The signal is caused by a READ memory access.
==8259==Hint: address points to the zero page.
#0 0x7fa68a759dd0 in get /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:823:48
#1 0x7fa68a759dd0 in operator nsPIDOMWindowOuter * /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:831
#2 0x7fa68a759dd0 in GetOuterWindow /builds/worker/workspace/build/src/dom/base/nsPIDOMWindow.h:154
#3 0x7fa68a759dd0 in StopListeningForVisibilityEvents /builds/worker/workspace/build/src/dom/webauthn/WebAuthnManagerBase.cpp:103
#4 0x7fa68a759dd0 in mozilla::dom::WebAuthnManager::ClearTransaction() /builds/worker/workspace/build/src/dom/webauthn/WebAuthnManager.cpp:170
#5 0x7fa68120d484 in nsCycleCollector::CollectWhite() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3088:26
#6 0x7fa681210e04 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3434:24
#7 0x7fa68121086f in nsCycleCollector::ShutdownCollect() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3355:10
#8 0x7fa681216015 in Shutdown /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3643:5
#9 0x7fa681216015 in nsCycleCollector_shutdown(bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3997
#10 0x7fa681489761 in mozilla::ShutdownXPCOM(nsIServiceManager*) /builds/worker/workspace/build/src/xpcom/build/XPCOMInit.cpp:728:3
#11 0x7fa68f216c4d in XRE_TermEmbedding() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:222:3
#12 0x7fa68263d3d1 in mozilla::ipc::ScopedXREEmbed::Stop() /builds/worker/workspace/build/src/ipc/glue/ScopedXREEmbed.cpp:90:5
#13 0x7fa68f217a2e in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:761:16
#14 0x564604cc77bc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#15 0x564604cc77bc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263
#16 0x7fa6a3bc6b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Comment 1

[J.C. Jones [:jcj] (he/they)]

Thanks! This looks like it's a follow-on to Bug 1540378, also caused by bug 1448408.

It is not the same as Bug 1540658 which has its own patch for an IPC issue. This is still cycle-collection, where bug 1540378 wasn't enough.

Comment 2

[J.C. Jones [:jcj] (he/they)]

This stack is pretty clear that calling StopListeningForVisibilityEvents (via ClearTransaction) is a no-go from the cycle collector. We need to instead just do the minimum version of bug 1540378, just reset mTransaction and move on.

Comment 3

[J.C. Jones [:jcj] (he/they)]

Attachment: Bug 1541085 - Web Authentication - Only reset mTransaction on cycle collection

This stack is pretty clear that calling StopListeningForVisibilityEvents
(via ClearTransaction) is a no-go from the cycle collector. We need to instead
just do the minimum version of bug 1540378, just reset mTransaction and move on.

Comment 4

[Pulsebot]

Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1e35279977a4
Web Authentication - Only reset mTransaction on cycle collection r=keeler

Comment 5

[Raul Gurzau (:RaulG)]

https://hg.mozilla.org/mozilla-central/rev/1e35279977a4