Open Bug 1546731 Opened 11 months ago Updated 2 months ago

AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/nsWrapperCacheInlines.h:14:13 in GetWrapperPreserveColor

Categories

(Toolkit :: Video/Audio Controls, defect, P2, critical)

Tracking Status
firefox-esr68 --- affected
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- wontfix
firefox71 --- wontfix
firefox72 --- affected
firefox73 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 87829648b0e5.

==28197==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f9389c49f68 bp 0x7ffe8e8da030 sp 0x7ffe8e8d9f40 T0)
==28197==The signal is caused by a READ memory access.
==28197==Hint: address points to the zero page.
#0 0x7f9389c49f67 in GetWrapperPreserveColor /builds/worker/workspace/build/src/obj-firefox/dist/include/nsWrapperCacheInlines.h:14:13
#1 0x7f9389c49f67 in nsWrapperCache::GetWrapper() const /builds/worker/workspace/build/src/obj-firefox/dist/include/nsWrapperCacheInlines.h:27
#2 0x7f938faf4ed9 in DoGetOrCreateDOMReflector<mozilla::dom::Element, mozilla::dom::binding_detail::eWrapIntoContextCompartment> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:1051:26
#3 0x7f938faf4ed9 in GetOrCreateDOMReflector<mozilla::dom::Element> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:1126
#4 0x7f938faf4ed9 in mozilla::dom::ShadowRoot_Binding::get_host(JSContext*, JS::Handle<JSObject*>, mozilla::dom::ShadowRoot*, JSJitGetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/ShadowRootBinding.cpp:105
#5 0x7f9391503641 in bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3049:13
#6 0x7f9398dbbd80 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:442:13
#7 0x7f9398dbbd80 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534
#8 0x7f9398dc0673 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:589:10
#9 0x7f9398dc0673 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:605
#10 0x7f9398dc0673 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:729
#11 0x7f939942998f in CallGetter /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2216:12
#12 0x7f939942998f in GetExistingProperty<js::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2268
#13 0x7f939942998f in NativeGetPropertyInline<js::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2517
#14 0x7f939942998f in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2554
#15 0x7f9398dc8a1d in GetProperty /builds/worker/workspace/build/src/js/src/vm/ObjectOperations-inl.h:117:10
#16 0x7f9398dc8a1d in GetProperty /builds/worker/workspace/build/src/js/src/vm/ObjectOperations-inl.h:124
#17 0x7f9398dc8a1d in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:4486
#18 0x7f9398d9588f in GetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:215:10
#19 0x7f9398d9588f in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2766
#20 0x7f9398d85fb8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:10
#21 0x7f9398dbc6f3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:562:13
#22 0x7f9398dbe372 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:605:8
#23 0x7f9399b06edf in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:162:10
#24 0x7f9399ae682d in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:504:19
#25 0x7f9398dbcdea in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:508:14
#26 0x7f9398dbe372 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:605:8
#27 0x7f9399b06edf in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:162:10
#28 0x7f9399ac01f1 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:237:19
#29 0x7f938c025636 in xpc::WaiveXrayWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/xpconnect/wrappers/WaiveXrayWrapper.cpp:53:35
#30 0x7f9399ae682d in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:504:19
#31 0x7f9398dbcdea in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:508:14
#32 0x7f9398d9c4e4 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:593:10
#33 0x7f9398d9c4e4 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3079
#34 0x7f9398d85fb8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:10
#35 0x7f9398dbc6f3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:562:13
#36 0x7f9398dbe372 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:605:8
#37 0x7f939a0360f2 in js::jit::InvokeFunction(JSContext*, JS::Handle<JSObject*>, bool, bool, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/VMFunctions.cpp:259:10
#38 0x7f939a036ebb in js::jit::InvokeFromInterpreterStub(JSContext*, js::jit::InterpreterStubExitFrameLayout*) /builds/worker/workspace/build/src/js/src/jit/VMFunctions.cpp:288:8
#39 0x1f0fcdac3f63 (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/nsWrapperCacheInlines.h:14:13 in GetWrapperPreserveColor
==28197==ABORTING

Flags: in-testsuite?

ni smaug due to Shadow DOM being involved.

Flags: needinfo?(bugs)
Priority: -- → P2
Duplicate of this bug: 1583078

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression
Flags: needinfo?(bugs)

This is a UAWidget issue.

Component: DOM: Core & HTML → Video/Audio Controls
Flags: needinfo?(bugs)
Product: Core → Toolkit