Closed Bug 1560328 Opened 4 years ago Closed 4 years ago

Crash [@ get] near [@ nsDocumentViewer::LoadComplete]

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla69
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox67 --- unaffected
firefox68 --- unaffected
firefox69 --- fixed

People

(Reporter: jkratzer, Assigned: sefeng)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, testcase)

Attachments

(3 files)

testcase.html
349 bytes, text/html
Details
Bug 1560328 - Fix a bug where mDocument could be null to cause crashes r=smaug,emilio
47 bytes, text/x-phabricator-request
Details | Review
Bug 1560328 - Add a crashtest for Bug 1560328 r=smaug
47 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 19cf79b6f07d.

==24766==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000578 (pc 0x7f08c7154001 bp 0x7ffcc1fd3d10 sp 0x7ffcc1fd3860 T0)
==24766==The signal is caused by a READ memory access.
==24766==Hint: address points to the zero page.
    #0 0x7f08c7154000 in get /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h
    #1 0x7f08c7154000 in operator mozilla::dom::DocGroup * /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:281
    #2 0x7f08c7154000 in GetDocGroup /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Document.h:3770
    #3 0x7f08c7154000 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1105
    #4 0x7f08c9ff0af3 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6682:20
    #5 0x7f08c9fefc0c in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6482:7
    #6 0x7f08c9ff5617 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #7 0x7f08beaaecd5 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1337:3
    #8 0x7f08beaad8ca in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:896:14
    #9 0x7f08beaa7f10 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:730:9
    #10 0x7f08beaab785 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:618:5
    #11 0x7f08beaad414 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
    #12 0x7f08bc1f1721 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:568:22
    #13 0x7f08c0386ac8 in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/Document.cpp:10536:18
    #14 0x7f08c0386ac8 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/Document.cpp:10468
    #15 0x7f08c03bbfd5 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:6983:3
    #16 0x7f08c04d43ab in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
    #17 0x7f08c04d43ab in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1130
    #18 0x7f08c04d43ab in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1176
    #19 0x7f08bbe69e75 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
    #20 0x7f08bbeaab33 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1215:14
    #21 0x7f08bbeb28f4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #22 0x7f08bd2bbb7f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #23 0x7f08bd192ace in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #24 0x7f08bd192ace in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #25 0x7f08bd192ace in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #26 0x7f08c68a4563 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #27 0x7f08caeea81e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:919:20
    #28 0x7f08bd192ace in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #29 0x7f08bd192ace in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #30 0x7f08bd192ace in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #31 0x7f08caee9361 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:754:34
    #32 0x55bda0f50eb3 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #33 0x55bda0f50eb3 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:267
    #34 0x7f08e0bbbb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h in get
Flags: in-testsuite?

Seems this code was introduced in bug 1512388.

Component: Layout → DOM: Core & HTML
Flags: needinfo?(sefeng)
Regressed by: 1512388
Assignee: nobody → sefeng
Status: NEW → ASSIGNED
Flags: needinfo?(sefeng)
Pushed by sefeng@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e9ad50469332
Fix a bug where mDocument could be null to cause crashes r=smaug,emilio

https://hg.mozilla.org/mozilla-central/rev/e9ad50469332

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox69: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla69

Can we land a crashtest for this?

status-firefox67: --- → unaffected
status-firefox68: --- → unaffected
status-firefox-esr60: --- → unaffected
Flags: needinfo?(sefeng)
Attachment #9075405 - Attachment description: Add a crashtest for Bug 1560328 r=smaug → Bug 1560328 - Add a crashtest for Bug 1560328 r=smaug

Crashtest landed, clearing my needinfo.

Flags: needinfo?(sefeng)

Thanks!

Flags: in-testsuite? → in-testsuite+
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.