Closed Bug 1541085 Opened 1 year ago Closed 1 year ago

Crash [@get] near [@GetOuterWindow]

Categories

(Core :: DOM: Web Authentication, defect, P1)

defect

Tracking

()

RESOLVED FIXED
mozilla68
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- unaffected
firefox67 --- unaffected
firefox68 --- fixed

People

(Reporter: jkratzer, Assigned: jcj)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev ea0977445697.

==8259==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7fa68a759dd1 bp 0x7ffdb9e8c870 sp 0x7ffdb9e8c830 T0)
==8259==The signal is caused by a READ memory access.
==8259==Hint: address points to the zero page.
#0 0x7fa68a759dd0 in get /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:823:48
#1 0x7fa68a759dd0 in operator nsPIDOMWindowOuter * /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:831
#2 0x7fa68a759dd0 in GetOuterWindow /builds/worker/workspace/build/src/dom/base/nsPIDOMWindow.h:154
#3 0x7fa68a759dd0 in StopListeningForVisibilityEvents /builds/worker/workspace/build/src/dom/webauthn/WebAuthnManagerBase.cpp:103
#4 0x7fa68a759dd0 in mozilla::dom::WebAuthnManager::ClearTransaction() /builds/worker/workspace/build/src/dom/webauthn/WebAuthnManager.cpp:170
#5 0x7fa68120d484 in nsCycleCollector::CollectWhite() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3088:26
#6 0x7fa681210e04 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3434:24
#7 0x7fa68121086f in nsCycleCollector::ShutdownCollect() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3355:10
#8 0x7fa681216015 in Shutdown /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3643:5
#9 0x7fa681216015 in nsCycleCollector_shutdown(bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3997
#10 0x7fa681489761 in mozilla::ShutdownXPCOM(nsIServiceManager*) /builds/worker/workspace/build/src/xpcom/build/XPCOMInit.cpp:728:3
#11 0x7fa68f216c4d in XRE_TermEmbedding() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:222:3
#12 0x7fa68263d3d1 in mozilla::ipc::ScopedXREEmbed::Stop() /builds/worker/workspace/build/src/ipc/glue/ScopedXREEmbed.cpp:90:5
#13 0x7fa68f217a2e in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:761:16
#14 0x564604cc77bc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#15 0x564604cc77bc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263
#16 0x7fa6a3bc6b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Flags: in-testsuite?

Thanks! This looks like it's a follow-on to Bug 1540378, also caused by bug 1448408.

It is not the same as Bug 1540658 which has its own patch for an IPC issue. This is still cycle-collection, where bug 1540378 wasn't enough.

Assignee: nobody → jjones
Status: NEW → ASSIGNED
Priority: -- → P1
Regressed by: 1448408

This stack is pretty clear that calling StopListeningForVisibilityEvents (via ClearTransaction) is a no-go from the cycle collector. We need to instead just do the minimum version of bug 1540378, just reset mTransaction and move on.

This stack is pretty clear that calling StopListeningForVisibilityEvents
(via ClearTransaction) is a no-go from the cycle collector. We need to instead
just do the minimum version of bug 1540378, just reset mTransaction and move on.

Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1e35279977a4
Web Authentication - Only reset mTransaction on cycle collection r=keeler
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Crash Signature: [@ mozilla::dom::WebAuthnManagerBase::StopListeningForVisibilityEvents]
You need to log in before you can comment on or make changes to this bug.