Closed Bug 1548326 Opened 5 years ago Closed 3 years ago

AddressSanitizer: stack-overflow [@ js::SavedStacks::insertFrames] near [@ mozilla::dom::ContentChild::ProvideWindowCommon]

Categories

(Core :: DOM: Content Processes, defect, P3)

Product:
Core
Component:
DOM: Content Processes
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox68 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

testcase.html
779 bytes, text/html
Details
Attached file testcase.html

Testcase found while fuzzing mozilla-central rev eb1856c0dc21.

==11211==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd3a312b20 (pc 0x7fdde36075a7 bp 0x7ffd3a313ed0 sp 0x7ffd3a312b20 T0)
    #0 0x7fdde36075a6 in js::SavedStacks::insertFrames(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) /builds/worker/workspace/build/src/js/src/vm/SavedStacks.cpp:1318
    #1 0x7fdde3607150 in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) /builds/worker/workspace/build/src/js/src/vm/SavedStacks.cpp:1242:10
    #2 0x7fdde3b74d92 in JS::CaptureCurrentStack(JSContext*, JS::MutableHandle<JSObject*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) /builds/worker/workspace/build/src/js/src/jsapi.cpp:5926:29
    #3 0x7fdde3bb5838 in CaptureStack /builds/worker/workspace/build/src/js/src/jsexn.cpp:320:10
    #4 0x7fdde3bb5838 in js::ErrorToException(JSContext*, JSErrorReport*, JSErrorFormatString const* (*)(void*, unsigned int), void*) /builds/worker/workspace/build/src/js/src/jsexn.cpp:664
    #5 0x7fdde343458a in ReportError /builds/worker/workspace/build/src/js/src/vm/JSContext.cpp:242:3
    #6 0x7fdde343458a in js::ReportErrorNumberVA(JSContext*, unsigned int, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, js::ErrorArgumentsType, __va_list_tag*) /builds/worker/workspace/build/src/js/src/vm/JSContext.cpp:825
    #7 0x7fdde3b35668 in JS_ReportErrorNumberASCIIVA /builds/worker/workspace/build/src/js/src/jsapi.cpp:4810:3
    #8 0x7fdde3b35668 in JS_ReportErrorNumberASCII(JSContext*, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, ...) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4800
    #9 0x7fdde34310ed in js::ReportOverRecursed(JSContext*, unsigned int) /builds/worker/workspace/build/src/js/src/vm/JSContext.cpp:330:7
    #10 0x7fdde2ea80c4 in CheckRecursionLimit /builds/worker/workspace/build/src/js/src/jsfriendapi.h:1052:5
    #11 0x7fdde2ea80c4 in CheckRecursionLimit /builds/worker/workspace/build/src/js/src/jsfriendapi.h:1078
    #12 0x7fdde2ea80c4 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:386
    #13 0x7fdde2ede2c3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:563:13
    #14 0x7fdde2edff42 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:606:8
    #15 0x7fdde3b51587 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2573:10
    #16 0x7fddd621916f in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:965:17
    #17 0x7fddd3ccc80a in PrepareAndDispatch /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:127:37
    #18 0x7fddd3ccb6ea in SharedStub (/home/forb1dden/builds/mc-asan/libxul.so+0x4d6b6ea)
    #19 0x7fdddda04438 in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::BrowserChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:883:28
    #20 0x7fdddda5f4cc in mozilla::dom::BrowserChild::ProvideWindow(mozIDOMWindowProxy*, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/dom/ipc/BrowserChild.cpp:944:14
    #21 0x7fdde2b2fd60 in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, bool, nsDocShellLoadState*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:764:24
    #22 0x7fdde2b33d89 in OpenWindow2 /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:369:10
    #23 0x7fdde2b33d89 in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, bool, nsDocShellLoadState*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp
    #24 0x7fddd7fa91a0 in nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsDocShellLoadState*, bool, nsPIDOMWindowOuter**) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:7214:21
    #25 0x7fddd7faab53 in OpenNoNavigate /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:5748:10
    #26 0x7fddd7faab53 in non-virtual thunk to nsGlobalWindowOuter::OpenNoNavigate(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsPIDOMWindowOuter**) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp
    #27 0x7fdde1d257a1 in nsDocShell::PerformRetargeting(nsDocShellLoadState*, nsIDocShell**, nsIRequest**) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:8785:15
    #28 0x7fdde1cb5e14 in nsDocShell::InternalLoad(nsDocShellLoadState*, nsIDocShell**, nsIRequest**) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9179:12
    #29 0x7fdde1d4a06f in nsDocShell::OnLinkClickSync(nsIContent*, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsIInputStream*, nsIInputStream*, bool, nsIDocShell**, nsIRequest**, bool, nsIPrincipal*, nsIContentSecurityPolicy*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:12725:17
    #30 0x7fdde1d77009 in OnLinkClickEvent::Run() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:12435:17
    #31 0x7fddd3c51095 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
    #32 0x7fddd3c91051 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
    #33 0x7fddd3c98c74 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #34 0x7fdddda06b97 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1171:24)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:348:25
    #35 0x7fdddda06b97 in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::BrowserChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1171
    #36 0x7fdddda5f4cc in mozilla::dom::BrowserChild::ProvideWindow(mozIDOMWindowProxy*, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/dom/ipc/BrowserChild.cpp:944:14
    #37 0x7fdde2b2fd60 in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, bool, nsDocShellLoadState*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:764:24
    #38 0x7fdde2b33d89 in OpenWindow2 /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:369:10
    #39 0x7fdde2b33d89 in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, bool, nsDocShellLoadState*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp
    #40 0x7fddd7fa91a0 in nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsDocShellLoadState*, bool, nsPIDOMWindowOuter**) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:7214:21
    #41 0x7fddd7faab53 in OpenNoNavigate /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:5748:10
    #42 0x7fddd7faab53 in non-virtual thunk to nsGlobalWindowOuter::OpenNoNavigate(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsPIDOMWindowOuter**) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp
    #43 0x7fdde1d257a1 in nsDocShell::PerformRetargeting(nsDocShellLoadState*, nsIDocShell**, nsIRequest**) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:8785:15
    #44 0x7fdde1cb5e14 in nsDocShell::InternalLoad(nsDocShellLoadState*, nsIDocShell**, nsIRequest**) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9179:12
    #45 0x7fdde1d4a06f in nsDocShell::OnLinkClickSync(nsIContent*, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsIInputStream*, nsIInputStream*, bool, nsIDocShell**, nsIRequest**, bool, nsIPrincipal*, nsIContentSecurityPolicy*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:12725:17
    #46 0x7fdde1d77009 in OnLinkClickEvent::Run() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:12435:17
    #47 0x7fddd3c51095 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
    #48 0x7fddd3c91051 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
    #49 0x7fddd3c98c74 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #50 0x7fdddda06b97 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1171:24)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:348:25
...truncated...
Flags: in-testsuite?

The priority flag is not set for this bug.
:jimm, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jmathies)
Flags: needinfo?(jmathies)
Priority: -- → P3

Hey Jason,
Please update the resolution or the affected flags for this issue when you have the time. Thank you!

Flags: needinfo?(jkratzer)

I am unable to reproduce this issue on either mozilla-central rev fc74eb2c7b84 (tip) or mozilla-central rev 5df075b6a6bb (oldest available build). I think we can safely close this issue.

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(jkratzer)
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: