Crash [@ get] near mozilla::dom::OffscreenCanvas::ToBlob
Categories
(Core :: Graphics: Canvas2D, defect, P1)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr60 | --- | unaffected |
firefox66 | --- | unaffected |
firefox67 | - | wontfix |
firefox68 | + | fixed |
People
(Reporter: jkratzer, Assigned: ehsan.akhgari)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker])
Crash Data
Attachments
(2 files)
182 bytes,
text/html
|
Details | |
47 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-beta-
|
Details | Review |
Testcase found while fuzzing mozilla-central rev 831918f009f6.
==22986==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000b0 (pc 0x7f21f0f589f4 bp 0x7ffc0e4373f0 sp 0x7ffc0e4372e0 T0)
==22986==The signal is caused by a READ memory access.
==22986==Hint: address points to the zero page.
#0 0x7f21f0f589f3 in get /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:823:48
#1 0x7f21f0f589f3 in operator nsIPrincipal * /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:831
#2 0x7f21f0f589f3 in GetPrincipal /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/WorkerPrivate.h:662
#3 0x7f21f0f589f3 in mozilla::dom::OffscreenCanvas::ToBlob(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/OffscreenCanvas.cpp:260
#4 0x7f21ee96f7d0 in toBlob /builds/worker/workspace/build/src/obj-firefox/dom/bindings/OffscreenCanvasBinding.cpp:297:45
#5 0x7f21ee96f7d0 in mozilla::dom::OffscreenCanvas_Binding::toBlob_promiseWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::dom::OffscreenCanvas*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/OffscreenCanvasBinding.cpp:311
#6 0x7f21f0d5cb7e in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3153:13
#7 0x7f21f85f9950 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:442:13
#8 0x7f21f85f9950 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534
#9 0x7f21f85da0b4 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:593:10
#10 0x7f21f85da0b4 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3079
#11 0x7f21f85c3b88 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:10
#12 0x7f21f85fa2c3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:562:13
#13 0x7f21f85fbf42 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:605:8
#14 0x7f21f9269548 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2636:10
#15 0x7f21f035e4c0 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
#16 0x7f21f162cfc2 in HandleEvent<mozilla::dom::EventTarget > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#17 0x7f21f162cfc2 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1039
#18 0x7f21f162f07e in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1240:17
#19 0x7f21f160f8b1 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:355:5
#20 0x7f21f160f8b1 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349
#21 0x7f21f160dae6 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
#22 0x7f21f161481e in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1046:11
#23 0x7f21f45f0050 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1100:7
#24 0x7f21f746df36 in nsDocShell::EndPageLoad(nsIWebProgress, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6625:20
#25 0x7f21f746cff0 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6425:7
#26 0x7f21f7472cc7 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
#27 0x7f21ec055635 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1313:3
#28 0x7f21ec05422a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:872:14
#29 0x7f21ec04e8f3 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:710:9
#30 0x7f21ec0524d5 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:598:5
#31 0x7f21ec053d74 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
#32 0x7f21e971f7f8 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:568:22
#33 0x7f21ed93dcf8 in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/Document.cpp:7971:18
#34 0x7f21ed93dcf8 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/Document.cpp:7903
#35 0x7f21ed93c785 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:5087:3
#36 0x7f21eda467fb in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1122:12
#37 0x7f21eda467fb in apply<mozilla::dom::Document, void (mozilla::dom::Document::)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1128
#38 0x7f21eda467fb in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1174
#39 0x7f21e9434e35 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
#40 0x7f21e9474df1 in nsThread::ProcessNextEvent(bool, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
#41 0x7f21e947ca14 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#42 0x7f21ea7d7caf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#43 0x7f21ea6b0e2e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#44 0x7f21ea6b0e2e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#45 0x7f21ea6b0e2e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#46 0x7f21f3d3bd93 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#47 0x7f21f831526e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:919:20
#48 0x7f21ea6b0e2e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#49 0x7f21ea6b0e2e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#50 0x7f21ea6b0e2e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#51 0x7f21f83143dc in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:757:34
#52 0x557a5a76c6ce in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#53 0x557a5a76c6ce in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263
#54 0x7f220d4adb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
Comment 1•5 years ago
|
||
I couldn't reproduce, but it appears https://searchfox.org/mozilla-central/rev/ec489aa170b6486891cf3625717d6fa12bcd11c1/dom/canvas/OffscreenCanvas.cpp#258 can yield a nullptr?
Assignee | ||
Comment 3•5 years ago
|
||
To reproduce, the gfx.offscreencanvas.enabled
pref must be set to true.
Assignee | ||
Comment 4•5 years ago
|
||
I didn't realize this API has a mainthread path too. :-(
Assignee | ||
Comment 5•5 years ago
|
||
Updated•5 years ago
|
Comment 6•5 years ago
|
||
Changing the priority to p1 as the bug is tracked by a release manager for the current beta.
See What Do You Triage for more information
Updated•5 years ago
|
Assignee | ||
Comment 8•5 years ago
|
||
Comment on attachment 9060294 [details]
Bug 1546390 - Enable determining whether the current document should respect resist fingerprinting mode on the main thread in OffscreenCanvas.toBlob();
Beta/Release Uplift Approval Request
- User impact if declined: The OffscreenCanvas API is disabled by default, so the original bug really only affects users who go out of their way to turn this feature on by setting the pref manually. The buggy code here is disabled by default.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): As said above, the fix for this bug is in code that is disabled by default.
- String changes made/needed: None
Assignee | ||
Comment 9•5 years ago
|
||
(but of course the fix itself isn't risky either.)
Comment 10•5 years ago
|
||
bugherder |
Updated•5 years ago
|
Comment 11•5 years ago
|
||
Comment on attachment 9060294 [details]
Bug 1546390 - Enable determining whether the current document should respect resist fingerprinting mode on the main thread in OffscreenCanvas.toBlob();
Using the testcase and changing the pref on beta, I forced a crash myself to generate a signature and get an idea of the impact on people that may have changed the pref manually. There was only one crash report probably trigered by the testers here. I think it can ride the trains as there is no practical user impact since this is not a normal configuration.
Updated•5 years ago
|
Description
•