AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/base/nsIGlobalObject.cpp:33:22 in nsIGlobalObject::PrincipalOrNull()
Categories
(Core :: Graphics: CanvasWebGL, defect, P2)
Tracking
()
Version | Tracking | Status |
---|---|---|
firefox-esr60 | --- | unaffected |
firefox67 | --- | fixed |
firefox68 | --- | fixed |
People
(Reporter: jkratzer, Assigned: ehsan.akhgari)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: crash, regression, testcase)
Attachments
(3 files)
- 484 bytes, text/html
- 14.37 KB, application/x-javascript
- 47 bytes, text/x-phabricator-request (pascalc: approval-mozilla-beta+)
Testcase found while fuzzing mozilla-central rev 0ec836eceb96.
==23910==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5c34e9cc02 bp 0x7ffeb8138550 sp 0x7ffeb8138540 T0)
==23910==The signal is caused by a READ memory access.
==23910==Hint: address points to the zero page.
#0 0x7f5c34e9cc01 in nsIGlobalObject::PrincipalOrNull() /builds/worker/workspace/build/src/dom/base/nsIGlobalObject.cpp:33:22
#1 0x7f5c381d3049 in mozilla::WebGLContext::InitAndValidateGL(mozilla::WebGLContext::FailureReason*) /builds/worker/workspace/build/src/dom/canvas/WebGLContextValidate.cpp:481:51
#2 0x7f5c38174994 in mozilla::WebGLContext::CreateAndInitGL(bool, std::vector<mozilla::WebGLContext::FailureReason, std::allocator<mozilla::WebGLContext::FailureReason> >) /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:622:8
#3 0x7f5c3817847a in mozilla::WebGLContext::SetDimensions(int, int) /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:843:8
#4 0x7f5c380966af in mozilla::dom::CanvasRenderingContextHelper::UpdateContext(JSContext, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:216:24
#5 0x7f5c38095ff3 in mozilla::dom::CanvasRenderingContextHelper::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:174:19
#6 0x7f5c381148a6 in mozilla::dom::OffscreenCanvas::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/OffscreenCanvas.cpp:113:62
#7 0x7f5c35b17ad1 in mozilla::dom::OffscreenCanvas_Binding::getContext(JSContext*, JS::Handle<JSObject*>, mozilla::dom::OffscreenCanvas*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/OffscreenCanvasBinding.cpp:201:49
#8 0x7f5c37f194f2 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3153:13
#9 0x7f5c3f7c6150 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:443:13
#10 0x7f5c3f7c6150 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535
#11 0x7f5c3f7a68b4 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:594:10
#12 0x7f5c3f7a68b4 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3080
#13 0x7f5c3f790388 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:10
#14 0x7f5c3f7c6ac3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:563:13
#15 0x7f5c3f7c8742 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:606:8
#16 0x7f5c40436ae8 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2636:10
#17 0x7f5c37d99075 in mozilla::dom::IntersectionCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Sequence<mozilla::OwningNonNull<mozilla::dom::DOMIntersectionObserverEntry> > const&, mozilla::dom::DOMIntersectionObserver&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/IntersectionObserverBinding.cpp:836:8
#18 0x7f5c347269ad in Call<mozilla::dom::DOMIntersectionObserver > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/IntersectionObserverBinding.h:486:12
#19 0x7f5c347269ad in Call<mozilla::dom::DOMIntersectionObserver > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/IntersectionObserverBinding.h:508
#20 0x7f5c347269ad in mozilla::dom::DOMIntersectionObserver::Notify() /builds/worker/workspace/build/src/dom/base/DOMIntersectionObserver.cpp:465
#21 0x7f5c34b4e7db in mozilla::dom::Document::NotifyIntersectionObservers() /builds/worker/workspace/build/src/dom/base/Document.cpp:11813:17
#22 0x7f5c34bf79ab in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1122:12
#23 0x7f5c34bf79ab in apply<mozilla::dom::Document, void (mozilla::dom::Document::)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1128
#24 0x7f5c34bf79ab in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1174
#25 0x7f5c306182c1 in nsThread::ProcessNextEvent(bool, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
#26 0x7f5c3061fee4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#27 0x7f5c3197e80f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#28 0x7f5c3185798e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#29 0x7f5c3185798e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#30 0x7f5c3185798e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#31 0x7f5c3af00b43 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#32 0x7f5c3f1c8da0 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:270:30
#33 0x7f5c3f4d9027 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4584:22
#34 0x7f5c3f4dba44 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4722:8
#35 0x7f5c3f4dd299 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4803:21
#36 0x55b17c4c63da in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:212:22
#37 0x55b17c4c63da in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:291
#38 0x7f5c54683b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#39 0x55b17c3e7e1c in _start (/home/forb1dden/builds/mc-asan/firefox+0x2fe1c)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/base/nsIGlobalObject.cpp:33:22 in nsIGlobalObject::PrincipalOrNull()
==23910==ABORTING
Comment 1•6 years ago (Assignee)
Jason, could you please give me some information on how to reproduce this bug? I set the offscreen canvas pref, and I noticed that the test case also opens an XHR so I downloaded it and ran it from a python -m SimpleHTTPServer server instance, but retrieving /1 from that server results in a 404 error, so I created an empty file named 1 to make sure that fetch results in a 200 success code, but that also didn't help me reproduce. Any other tips would be hugely appreciated. Thanks!
Comment 2•6 years ago (Reporter)
Ehsan, I've attached the prefs I used to reproduce this testcase here. Regarding the XHR, the file does not need to exist.
Steps to reproduce:
- Start webserver in testcase directory
  - python -m SimpleHTTPServer &
- Download and install ffpuppet
- Launch the testcase using ffpuppet
  - python -m ffpuppet -p prefs.js --xvfb -d -l log ~/mc-asan/firefox -u http://localhost:8000/testcase.html
Expected output:
[2019-04-26 11:56:06] Launching Firefox...
[2019-04-26 11:56:10] Running Firefox (pid: 15645)...
127.0.0.1 - - [26/Apr/2019 11:56:11] "GET /testcase.html HTTP/1.1" 200 -
[2019-04-26 11:56:12] Shutting down...
[2019-04-26 11:56:12] Firefox process closed
[2019-04-26 11:56:12] Dumping browser log...
===
=== Dumping 'log_ffp_asan_15631.log.15645.txt' (7.01KB)
===
=================================================================
==15645==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f276ccd9d02 bp 0x7ffd0e5cfb90 sp 0x7ffd0e5cfb80 T0)
==15645==The signal is caused by a READ memory access.
==15645==Hint: address points to the zero page.
#0 0x7f276ccd9d01 in nsIGlobalObject::PrincipalOrNull() /builds/worker/workspace/build/src/dom/base/nsIGlobalObject.cpp:33:22
Feel free to NI if you still aren't able to trigger it.
Comment 3•6 years ago (Assignee)
Thanks, I can reproduce now.
Comment 4•6 years ago (Assignee)
First our offscreen canvas object gets disconnected from its owner under this call stack:
(rr) bt
#0 0x00007f7c75928e6b in mozilla::DOMEventTargetHelper::DisconnectFromOwner() (this=0x7f7c5f2e2700) at /home/ehsan/moz/src/dom/events/DOMEventTargetHelper.cpp:126
#1 0x00007f7c7409a717 in nsIGlobalObject::DisconnectEventTargetObjects()::$_0::operator()(mozilla::DOMEventTargetHelper*, bool*) const (this=0x7fffcda6f708, aTarget=0x7f7c5f2e2700, aDoneOut=0x7fffcda6f4af)
at /home/ehsan/moz/src/dom/base/nsIGlobalObject.cpp:160
#2 0x00007f7c7409a5ba in std::_Function_handler<void (mozilla::DOMEventTargetHelper*, bool*), nsIGlobalObject::DisconnectEventTargetObjects()::$_0>::_M_invoke(std::_Any_data const&, mozilla::DOMEventTargetHelper*&&, bool*&&
) (__functor=..., __args=@0x7fffcda6f400: 0x7f7c5f2e2700, __args=@0x7fffcda6f3f8: 0x7fffcda6f4af) at /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/std_function.h:316
#3 0x00007f7c7409ba69 in std::function<void (mozilla::DOMEventTargetHelper*, bool*)>::operator()(mozilla::DOMEventTargetHelper*, bool*) const (this=0x7fffcda6f708, __args=0x7f7c5f2e2700, __args=0x7fffcda6f4af)
at /usr/lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/std_function.h:706
#4 0x00007f7c74068e04 in nsIGlobalObject::ForEachEventTargetObject(std::function<void (mozilla::DOMEventTargetHelper*, bool*)> const&) const (this=0x7f7c4b89f900, aFunc=...)
at /home/ehsan/moz/src/dom/base/nsIGlobalObject.cpp:151
#5 0x00007f7c74068643 in nsIGlobalObject::DisconnectEventTargetObjects() (this=0x7f7c4b89f900) at /home/ehsan/moz/src/dom/base/nsIGlobalObject.cpp:159
#6 0x00007f7c73d234b9 in nsGlobalWindowInner::FreeInnerObjects() (this=0x7f7c4b89f800) at /home/ehsan/moz/src/dom/base/nsGlobalWindowInner.cpp:1196
#7 0x00007f7c73d699bd in nsGlobalWindowOuter::DetachFromDocShell() (this=0x7f7c524fe020) at /home/ehsan/moz/src/dom/base/nsGlobalWindowOuter.cpp:2444
#8 0x00007f7c791ac7f7 in nsDocShell::Destroy() (this=0x7f7c524b9800) at /home/ehsan/moz/src/docshell/base/nsDocShell.cpp:5011
#9 0x00007f7c7403c53d in nsFrameLoader::DestroyDocShell() (this=0x7f7c524db400) at /home/ehsan/moz/src/dom/base/nsFrameLoader.cpp:1934
#10 0x00007f7c7403c387 in nsFrameLoaderDestroyRunnable::Run() (this=0x7f7c4c5b8d40) at /home/ehsan/moz/src/dom/base/nsFrameLoader.cpp:1870
#11 0x00007f7c73e5f43e in mozilla::dom::Document::MaybeInitializeFinalizeFrameLoaders() (this=0x7f7c50ed1000) at /home/ehsan/moz/src/dom/base/Document.cpp:6334
#12 0x00007f7c73f005ee in mozilla::detail::RunnableMethodArguments<>::applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()>(mozilla::dom::Document*, void (mozilla::dom::Document::*)(), mozilla::Tuple<>&, std:
:integer_sequence<unsigned long>) (o=0x7f7c50ed1000, m=(void (mozilla::dom::Document::*)(mozilla::dom::Document * const)) 0x7f7c73e5f190 <mozilla::dom::Document::MaybeInitializeFinalizeFrameLoaders()>, args=...)
at /home/ehsan/moz/src/obj-ff-dbg/dist/include/nsThreadUtils.h:1122
#13 0x00007f7c73f0055d in _ZN7mozilla6detail23RunnableMethodArgumentsIJEE5applyINS_3dom8DocumentEMS5_FvvEEEDTcl9applyImplfp_fp0_dtdefpT10mArgumentstlSt16integer_sequenceImJEEEEEPT_T0_ (this=0x7f7c4b79f190, o=0x7f7c50ed1000,
m=(void (mozilla::dom::Document::*)(mozilla::dom::Document * const)) 0x7f7c73e5f190 <mozilla::dom::Document::MaybeInitializeFinalizeFrameLoaders()>) at /home/ehsan/moz/src/obj-ff-dbg/dist/include/nsThreadUtils.h:1128
#14 0x00007f7c73f003be in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() (this=0x7f7c4b79f150)
at /home/ehsan/moz/src/obj-ff-dbg/dist/include/nsThreadUtils.h:1174
#15 0x00007f7c73cae9ed in nsContentUtils::RemoveScriptBlocker() () at /home/ehsan/moz/src/dom/base/nsContentUtils.cpp:5258
#16 0x00007f7c73378469 in nsAutoScriptBlocker::~nsAutoScriptBlocker() (this=0x7fffcda6fed0) at /home/ehsan/moz/src/dom/base/nsContentUtils.h:3610
#17 0x00007f7c77267ca2 in nsDocumentViewer::Destroy() (this=0x7f7c512cf120) at /home/ehsan/moz/src/layout/base/nsDocumentViewer.cpp:1853
#18 0x00007f7c791ac758 in nsDocShell::Destroy() (this=0x7f7c5120d800) at /home/ehsan/moz/src/docshell/base/nsDocShell.cpp:5001
#19 0x00007f7c7924a0cf in nsXULWindow::Destroy() (this=0x7f7c591292e0) at /home/ehsan/moz/src/xpfe/appshell/nsXULWindow.cpp:499
#20 0x00007f7c79235f77 in nsWebShellWindow::Destroy() (this=0x7f7c591292e0) at /home/ehsan/moz/src/xpfe/appshell/nsWebShellWindow.cpp:730
#21 0x00007f7c79242538 in nsContentTreeOwner::Destroy() (this=0x7f7c524e99d0) at /home/ehsan/moz/src/xpfe/appshell/nsContentTreeOwner.cpp:481
#22 0x00007f7c73d7c77f in nsGlobalWindowOuter::ReallyCloseWindow() (this=0x7f7c524fe020) at /home/ehsan/moz/src/dom/base/nsGlobalWindowOuter.cpp:6287
#23 0x00007f7c73d8d528 in nsCloseEvent::Run() (this=0x7f7c5f2752c0) at /home/ehsan/moz/src/dom/base/nsGlobalWindowOuter.cpp:6080
#24 0x00007f7c719ff582 in nsThread::ProcessNextEvent(bool, bool*) (this=0x7f7c87951fc0, aMayWait=true, aResult=0x7fffcda70aa7) at /home/ehsan/moz/src/xpcom/threads/nsThread.cpp:1180
#25 0x00007f7c71a02b93 in NS_ProcessNextEvent(nsIThread*, bool) (aThread=0x7f7c87951fc0, aMayWait=true) at /home/ehsan/moz/src/xpcom/threads/nsThreadUtils.cpp:486
#26 0x00007f7c76bae6ed in mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool)::$_0>(mozilla::dom::XMLHttpRequestM
ainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool)::$_0&&, nsIThread*) (aPredicate=..., aThread=0x0) at /home/ehsan/moz/src/obj-ff-dbg/dist/include/nsThreadUtils.h:348
#27 0x00007f7c76badb0d in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool) (this=0x7f7c4e7d8c00, aBody=0x0, aBodyIsDocumentOrString=false)
at /home/ehsan/moz/src/dom/xhr/XMLHttpRequestMainThread.cpp:2907
#28 0x00007f7c76bacafd in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::Err
orResult&) (this=0x7f7c4e7d8c00, aCx=0x7f7c61124000, aData=..., aRv=...) at /home/ehsan/moz/src/dom/xhr/XMLHttpRequestMainThread.cpp:2681
#29 0x00007f7c74eb5c37 in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) (cx=0x7f7c61124000, obj=(JSObject * const) 0x10b1b384e130 [ob
ject XMLHttpRequest], self=0x7f7c4e7d8c00, args=...) at XMLHttpRequestBinding.cpp:1345
#30 0x00007f7c7540fd87 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) (cx=0x7f7c61124000, a
rgc=0, vp=0x7f7c4bc0a098) at /home/ehsan/moz/src/dom/bindings/BindingUtils.cpp:3153
#31 0x00007f7c79b47852 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (cx=0x7f7c61124000, native=0x7f7c7540fab0 <mozilla::dom::binding_detail::GenericMethod<mozilla::dom::bin
ding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/ehsan/moz/src/js/src/vm/Interpreter.cpp:443
#32 0x00007f7c79b31fba in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (cx=0x7f7c61124000, args=..., construct=js::NO_CONSTRUCT) at /home/ehsan/moz/src/js/src/vm/Interpreter.cpp:535
#33 0x00007f7c79b32695 in InternalCall(JSContext*, js::AnyInvokeArgs const&) (cx=0x7f7c61124000, args=...) at /home/ehsan/moz/src/js/src/vm/Interpreter.cpp:590
#34 0x00007f7c79b3247d in js::CallFromStack(JSContext*, JS::CallArgs const&) (cx=0x7f7c61124000, args=...) at /home/ehsan/moz/src/js/src/vm/Interpreter.cpp:594
#35 0x00007f7c79b25e95 in Interpret(JSContext*, js::RunState&) (cx=0x7f7c61124000, state=...) at /home/ehsan/moz/src/js/src/vm/Interpreter.cpp:3080
#36 0x00007f7c79b1ad55 in js::RunScript(JSContext*, js::RunState&) (cx=0x7f7c61124000, state=...) at /home/ehsan/moz/src/js/src/vm/Interpreter.cpp:423
#37 0x00007f7c79b32178 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (cx=0x7f7c61124000, args=..., construct=js::NO_CONSTRUCT) at /home/ehsan/moz/src/js/src/vm/Interpreter.cpp:563
#38 0x00007f7c79b32695 in InternalCall(JSContext*, js::AnyInvokeArgs const&) (cx=0x7f7c61124000, args=...) at /home/ehsan/moz/src/js/src/vm/Interpreter.cpp:590
---Type <return> to continue, or q <return> to quit---
#39 0x00007f7c79b32740 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) (cx=0x7f7c61124000, fval=$JS::Value((JSObject *) 0x3f30f67a5540 [object Fun
ction "start/observer<"]), thisv=$JS::Value((JSObject *) 0x10b1b384e190 [object IntersectionObserver]), args=..., rval=$JS::UndefinedValue()) at /home/ehsan/moz/src/js/src/vm/Interpreter.cpp:606
#40 0x00007f7c7a35f877 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) (cx=0x7f7c61124000, thisv=$JS::Value((JSObject *) 0x10b1b384e190 [object
IntersectionObserver]), fval=$JS::Value((JSObject *) 0x3f30f67a5540 [object Function "start/observer<"]), args=..., rval=$JS::UndefinedValue()) at /home/ehsan/moz/src/js/src/jsapi.cpp:2636
#41 0x00007f7c7536b9d6 in mozilla::dom::IntersectionCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Sequence<mozilla::OwningNonNull<mozilla::dom::DOMIntersectionObserverEntry> > const&, mozilla::dom::DOMInter
sectionObserver&, mozilla::ErrorResult&) (this=0x7f7c59efc980, cx=0x7f7c61124000, aThisVal=$JS::Value((JSObject *) 0x10b1b384e190 [object IntersectionObserver]), entries=..., observer=..., aRv=...)
at IntersectionObserverBinding.cpp:836
#42 0x00007f7c73c9753b in mozilla::dom::IntersectionCallback::Call<mozilla::dom::DOMIntersectionObserver*>(mozilla::dom::DOMIntersectionObserver* const&, mozilla::dom::Sequence<mozilla::OwningNonNull<mozilla::dom::DOMInterse
ctionObserverEntry> > const&, mozilla::dom::DOMIntersectionObserver&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) (this=0x7f7c59efc980, thisVal=@0x7fffcda74f58: 0x7f7c5f29
8060, entries=..., observer=..., aRv=..., aExecutionReason=0x7f7c6dc52a66 "IntersectionCallback", aExceptionHandling=mozilla::dom::CallbackObject::eReportExceptions, aRealm=0x0)
at /home/ehsan/moz/src/obj-ff-dbg/dist/include/mozilla/dom/IntersectionObserverBinding.h:486
#43 0x00007f7c73c9403d in mozilla::dom::IntersectionCallback::Call<mozilla::dom::DOMIntersectionObserver*>(mozilla::dom::DOMIntersectionObserver* const&, mozilla::dom::Sequence<mozilla::OwningNonNull<mozilla::dom::DOMInterse
ctionObserverEntry> > const&, mozilla::dom::DOMIntersectionObserver&, char const*) (this=0x7f7c59efc980, thisVal=@0x7fffcda74f58: 0x7f7c5f298060, entries=..., observer=..., aExecutionReason=0x0)
at /home/ehsan/moz/src/obj-ff-dbg/dist/include/mozilla/dom/IntersectionObserverBinding.h:508
#44 0x00007f7c73c919e0 in mozilla::dom::DOMIntersectionObserver::Notify() (this=0x7f7c5f298060) at /home/ehsan/moz/src/dom/base/DOMIntersectionObserver.cpp:465
#45 0x00007f7c73e7dc6b in mozilla::dom::Document::NotifyIntersectionObservers() (this=0x7f7c4c5ba000) at /home/ehsan/moz/src/dom/base/Document.cpp:11816
#46 0x00007f7c73f005ee in mozilla::detail::RunnableMethodArguments<>::applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()>(mozilla::dom::Document*, void (mozilla::dom::Document::*)(), mozilla::Tuple<>&, std:
:integer_sequence<unsigned long>) (o=0x7f7c4c5ba000, m=(void (mozilla::dom::Document::*)(mozilla::dom::Document * const)) 0x7f7c73e7db40 <mozilla::dom::Document::NotifyIntersectionObservers()>, args=...)
at /home/ehsan/moz/src/obj-ff-dbg/dist/include/nsThreadUtils.h:1122
#47 0x00007f7c73f0055d in _ZN7mozilla6detail23RunnableMethodArgumentsIJEE5applyINS_3dom8DocumentEMS5_FvvEEEDTcl9applyImplfp_fp0_dtdefpT10mArgumentstlSt16integer_sequenceImJEEEEEPT_T0_ (this=0x7f7c4b8d6460, o=0x7f7c4c5ba000,
m=(void (mozilla::dom::Document::*)(mozilla::dom::Document * const)) 0x7f7c73e7db40 <mozilla::dom::Document::NotifyIntersectionObservers()>) at /home/ehsan/moz/src/obj-ff-dbg/dist/include/nsThreadUtils.h:1128
#48 0x00007f7c73f003be in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() (this=0x7f7c4b8d6420)
at /home/ehsan/moz/src/obj-ff-dbg/dist/include/nsThreadUtils.h:1174
#49 0x00007f7c719ff582 in nsThread::ProcessNextEvent(bool, bool*) (this=0x7f7c87951fc0, aMayWait=false, aResult=0x7fffcda75857) at /home/ehsan/moz/src/xpcom/threads/nsThread.cpp:1180
#50 0x00007f7c71a02b93 in NS_ProcessNextEvent(nsIThread*, bool) (aThread=0x7f7c87951fc0, aMayWait=false) at /home/ehsan/moz/src/xpcom/threads/nsThreadUtils.cpp:486
#51 0x00007f7c72571096 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=0x7f7c67982c00, aDelegate=0x7f7c679ad020) at /home/ehsan/moz/src/ipc/glue/MessagePump.cpp:88
#52 0x00007f7c7248d51f in MessageLoop::RunInternal() (this=0x7f7c679ad020) at /home/ehsan/moz/src/ipc/chromium/src/base/message_loop.cc:315
#53 0x00007f7c7248d495 in MessageLoop::RunHandler() (this=0x7f7c679ad020) at /home/ehsan/moz/src/ipc/chromium/src/base/message_loop.cc:308
#54 0x00007f7c7248d44a in MessageLoop::Run() (this=0x7f7c679ad020) at /home/ehsan/moz/src/ipc/chromium/src/base/message_loop.cc:290
#55 0x00007f7c76e71183 in nsBaseAppShell::Run() (this=0x7f7c679dddd0) at /home/ehsan/moz/src/widget/nsBaseAppShell.cpp:137
#56 0x00007f7c79798872 in nsAppStartup::Run() (this=0x7f7c679c3d30) at /home/ehsan/moz/src/toolkit/components/startup/nsAppStartup.cpp:270
#57 0x00007f7c7995f221 in XREMain::XRE_mainRun() (this=0x7fffcda762c8) at /home/ehsan/moz/src/toolkit/xre/nsAppRunner.cpp:4584
#58 0x00007f7c79960094 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) (this=0x7fffcda762c8, argc=5, argv=0x7fffcda775e8, aConfig=...) at /home/ehsan/moz/src/toolkit/xre/nsAppRunner.cpp:4722
#59 0x00007f7c79960972 in XRE_main(int, char**, mozilla::BootstrapConfig const&) (argc=5, argv=0x7fffcda775e8, aConfig=...) at /home/ehsan/moz/src/toolkit/xre/nsAppRunner.cpp:4803
#60 0x00007f7c79972dc7 in mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) (this=0x7f7c8794d6b0, argc=5, argv=0x7fffcda775e8, aConfig=...) at /home/ehsan/moz/src/toolkit/xre/Bootstrap.cpp:45
#61 0x000055d35c97582c in do_main(int, char**, char**) (argc=5, argv=0x7fffcda775e8, envp=0x7fffcda77618) at /home/ehsan/moz/src/browser/app/nsBrowserApp.cpp:212
#62 0x000055d35c97533f in main(int, char**, char**) (argc=5, argv=0x7fffcda775e8, envp=0x7fffcda77618) at /home/ehsan/moz/src/browser/app/nsBrowserApp.cpp:291
Then we get to here: https://searchfox.org/mozilla-central/rev/444ee13e14fe30451651c0f62b3979c76766ada4/dom/canvas/WebGLContextValidate.cpp#481. GetOwnerGlobal() returns mParentObject which is null here. So we crash.
Comment 6•6 years ago (Assignee)
(In reply to Pulsebot from comment #5)
> Pushed by eakhgari@mozilla.com:
> https://hg.mozilla.org/integration/mozilla-inbound/rev/b7c7366733c4
> Increase the allowed test timeout for browser_noopener.js

This was pushed with the wrong bug number.
Comment 7•6 years ago (Assignee)
Setting the gfx.offscreencanvas.enabled and dom.allow_scripts_to_close_windows prefs to true is enough to get the test case to work. I did my best to get the testcase to reproduce the crash inside one of our automated test frameworks, however that did not work for reasons that I didn't understand and don't think it's worth spending more time pursuing. So I'm planning to just submit a fix without tests here. :-(
Comment 8•6 years ago (Assignee)
Comment 10•6 years ago
bugherder
Comment 14•6 years ago (Assignee)
Comment on attachment 9061120 [details]
Bug 1547073 - Handle the case where the offscreen canvas has been disconnected from its owner global properly;
Beta/Release Uplift Approval Request
- User impact if declined: Users may experience crashes
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The patch effectively adds a nullptr check.
- String changes made/needed: None
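An added example (not part of the bug thread and not Gecko source): a simplified C++ model of the sequence shown by the two stacks in comment 4, where a nested event loop spun inside a callback lets window teardown call DisconnectFromOwner() before context initialization reads GetOwnerGlobal(). The Model* types, InitUnchecked/InitChecked, Scenario and the example.test origin are hypothetical; the guarded variant reflects only the uplift request's description of the patch as effectively a nullptr check.

```cpp
// Added illustration: simplified model, not Gecko source. Model* names are hypothetical.
#include <functional>
#include <queue>
#include <string>
#include <utility>
#include <vector>

struct ModelPrincipal { std::string origin; };
class ModelEventTarget;

// Stands in for the owner global: holds the principal and tracks its event targets.
class ModelGlobal {
 public:
  explicit ModelGlobal(std::string origin) : mPrincipal{std::move(origin)} {}
  const ModelPrincipal* PrincipalOrNull() const { return &mPrincipal; }
  void Track(ModelEventTarget* t) { mTargets.push_back(t); }
  void DisconnectEventTargetObjects();  // runs during window teardown
 private:
  ModelPrincipal mPrincipal;
  std::vector<ModelEventTarget*> mTargets;
};

// Stands in for an event target such as the offscreen canvas.
class ModelEventTarget {
 public:
  explicit ModelEventTarget(ModelGlobal* owner) : mParentObject(owner) { owner->Track(this); }
  ModelGlobal* GetOwnerGlobal() const { return mParentObject; }
  void DisconnectFromOwner() { mParentObject = nullptr; }
 private:
  ModelGlobal* mParentObject;
};

void ModelGlobal::DisconnectEventTargetObjects() {
  for (ModelEventTarget* t : mTargets) t->DisconnectFromOwner();
  mTargets.clear();
}

enum class InitResult { Ok, NoOwnerGlobal };

// "Before" shape: assumes the owner is still attached. Called after
// DisconnectFromOwner(), this reads through nullptr (the zero-page READ in the
// ASan report). Shown for comparison only; never called below.
InitResult InitUnchecked(const ModelEventTarget& canvas) {
  const ModelPrincipal* p = canvas.GetOwnerGlobal()->PrincipalOrNull();
  return p ? InitResult::Ok : InitResult::NoOwnerGlobal;
}

// Guarded shape: a missing owner global becomes an ordinary init failure.
InitResult InitChecked(const ModelEventTarget& canvas) {
  ModelGlobal* global = canvas.GetOwnerGlobal();
  if (!global) return InitResult::NoOwnerGlobal;
  return global->PrincipalOrNull() ? InitResult::Ok : InitResult::NoOwnerGlobal;
}

// A callback that spins a nested event loop (as the synchronous XHR does in the
// rr stack) lets queued teardown run before the callback reaches context creation.
InitResult RunCallback(ModelEventTarget& canvas,
                       std::queue<std::function<void()>>& pending,
                       bool spinNestedLoop) {
  while (spinNestedLoop && !pending.empty()) {
    auto task = std::move(pending.front());
    pending.pop();
    task();
  }
  return InitChecked(canvas);
}

InitResult Scenario(bool spinNestedLoop) {
  ModelGlobal global("https://example.test");  // constructed sample origin
  ModelEventTarget canvas(&global);
  std::queue<std::function<void()>> pending;
  pending.push([&global] { global.DisconnectEventTargetObjects(); });  // queued window close
  return RunCallback(canvas, pending, spinNestedLoop);
}

int main() {
  bool ok = Scenario(false) == InitResult::Ok &&
            Scenario(true) == InitResult::NoOwnerGlobal;
  return ok ? 0 : 1;
}
```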
Comment 15•6 years ago
Comment on attachment 9061120 [details]
Bug 1547073 - Handle the case where the offscreen canvas has been disconnected from its owner global properly;
Low-risk crash fix, uplift accepted for 67 beta 16, thanks.
Comment 16•6 years ago
bugherder uplift