Crash [@get] near [@GetOuterWindow]

RESOLVED FIXED in Firefox 68

Status

defect
P1
critical
RESOLVED FIXED
3 months ago
2 months ago

People

(Reporter: jkratzer, Assigned: jcj)

Tracking

(Blocks 1 bug, Regression, {crash, regression, testcase})

Trunk
mozilla68
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox-esr60 unaffected, firefox66 unaffected, firefox67 unaffected, firefox68 fixed)

Details

(crash signature)

Attachments

(2 attachments)

Reporter

Description

3 months ago
Posted file testcase.html

Testcase found while fuzzing mozilla-central rev ea0977445697.

==8259==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7fa68a759dd1 bp 0x7ffdb9e8c870 sp 0x7ffdb9e8c830 T0)
==8259==The signal is caused by a READ memory access.
==8259==Hint: address points to the zero page.
#0 0x7fa68a759dd0 in get /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:823:48
#1 0x7fa68a759dd0 in operator nsPIDOMWindowOuter * /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:831
#2 0x7fa68a759dd0 in GetOuterWindow /builds/worker/workspace/build/src/dom/base/nsPIDOMWindow.h:154
#3 0x7fa68a759dd0 in StopListeningForVisibilityEvents /builds/worker/workspace/build/src/dom/webauthn/WebAuthnManagerBase.cpp:103
#4 0x7fa68a759dd0 in mozilla::dom::WebAuthnManager::ClearTransaction() /builds/worker/workspace/build/src/dom/webauthn/WebAuthnManager.cpp:170
#5 0x7fa68120d484 in nsCycleCollector::CollectWhite() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3088:26
#6 0x7fa681210e04 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3434:24
#7 0x7fa68121086f in nsCycleCollector::ShutdownCollect() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3355:10
#8 0x7fa681216015 in Shutdown /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3643:5
#9 0x7fa681216015 in nsCycleCollector_shutdown(bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3997
#10 0x7fa681489761 in mozilla::ShutdownXPCOM(nsIServiceManager*) /builds/worker/workspace/build/src/xpcom/build/XPCOMInit.cpp:728:3
#11 0x7fa68f216c4d in XRE_TermEmbedding() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:222:3
#12 0x7fa68263d3d1 in mozilla::ipc::ScopedXREEmbed::Stop() /builds/worker/workspace/build/src/ipc/glue/ScopedXREEmbed.cpp:90:5
#13 0x7fa68f217a2e in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:761:16
#14 0x564604cc77bc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#15 0x564604cc77bc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263
#16 0x7fa6a3bc6b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Flags: in-testsuite?
Assignee

Comment 1

3 months ago

Thanks! This looks like it's a follow-on to Bug 1540378, also caused by bug 1448408.

It is not the same as Bug 1540658 which has its own patch for an IPC issue. This is still cycle-collection, where bug 1540378 wasn't enough.

Assignee: nobody → jjones
Status: NEW → ASSIGNED
Priority: -- → P1
Regressed by: 1448408
Assignee

Comment 2

3 months ago

This stack is pretty clear that calling StopListeningForVisibilityEvents (via ClearTransaction) is a no-go from the cycle collector. We need to instead just do the minimum version of bug 1540378, just reset mTransaction and move on.
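Added illustration, not Gecko code: a simplified model of why calling ClearTransaction() from the cycle collector crashed (the parent window edge is already severed, so GetOuterWindow() reads through a null pointer) and why the fix only resets mTransaction there. Window, Transaction, Manager and SimulateCollectWhite are stand-ins for the real classes.

```cpp
#include <memory>
#include <optional>

struct Window {
    bool listening = true;
    Window* GetOuterWindow() { return this; }   // real code reads this via an nsCOMPtr
};

struct Transaction { int id; };

struct Manager {
    std::shared_ptr<Window> mParent;   // the cycle collector clears this edge before unlink
    std::optional<Transaction> mTransaction;

    // Stand-in for StopListeningForVisibilityEvents(): needs a live parent window.
    // Returns false where the real code dereferenced null (frame #0 in the report).
    bool StopListeningForVisibilityEvents() {
        if (!mParent) return false;
        mParent->GetOuterWindow()->listening = false;
        return true;
    }

    // Pre-fix ClearTransaction(): fine from ordinary runtime code, unsafe from unlink.
    bool ClearTransaction() {
        bool ok = StopListeningForVisibilityEvents();
        mTransaction.reset();
        return ok;
    }

    // Post-fix unlink behaviour: only touch the manager's own state.
    void UnlinkTransactionOnly() { mTransaction.reset(); }
};

// Models nsCycleCollector::CollectWhite(): the window pointer is already gone
// when the manager's unlink runs. Returns true if no null dereference occurred.
bool SimulateCollectWhite(Manager& m, bool fixed) {
    m.mParent.reset();
    if (fixed) { m.UnlinkTransactionOnly(); return true; }
    return m.ClearTransaction();
}

// Constructed sample state: a manager with a live window and a pending transaction.
Manager MakeManagerWithTransaction() {
    Manager m;
    m.mParent = std::make_shared<Window>();
    m.mTransaction = Transaction{1};
    return m;
}
```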

Comment 4

3 months ago
Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1e35279977a4
Web Authentication - Only reset mTransaction on cycle collection r=keeler

Comment 5

3 months ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Assignee

Updated

2 months ago
Duplicate of this bug: 1540818
Crash Signature: [@ mozilla::dom::WebAuthnManagerBase::StopListeningForVisibilityEvents]