Closed
Bug 1594147
Opened 5 years ago
Closed 5 years ago
AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestWorker.cpp:1532:34 in mozilla::dom::XMLHttpRequestWorker::MaybeDispatchPrematureAbortEvents(mozilla::ErrorResult&)
Categories
(Core :: DOM: Networking, defect, P2)
Core
DOM: Networking
Tracking
()
VERIFIED
FIXED
mozilla72
People
(Reporter: jkratzer, Assigned: CuveeHsu)
References
(Blocks 2 open bugs)
Details
(Keywords: crash, regression, testcase, Whiteboard: [necko-triaged])
Crash Data
Attachments
(3 files)
Testcase found while fuzzing mozilla-central rev 4d585c7edc76.
==15029==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000094 (pc 0x7fc1629f761f bp 0x7fc0c7caf3d0 sp 0x7fc0c7caf280 T32)
==15029==The signal is caused by a WRITE memory access.
==15029==Hint: address points to the zero page.
#0 0x7fc1629f761e in mozilla::dom::XMLHttpRequestWorker::MaybeDispatchPrematureAbortEvents(mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestWorker.cpp:1532:34
#1 0x7fc1629f8f5e in mozilla::dom::XMLHttpRequestWorker::Open(nsTSubstring<char> const&, nsTSubstring<char16_t> const&, bool, mozilla::dom::Optional<nsTSubstring<char16_t> > const&, mozilla::dom::Optional<nsTSubstring<char16_t> > const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestWorker.cpp:1703:5
#2 0x7fc162a038bf in mozilla::dom::XMLHttpRequestWorker::Open(nsTSubstring<char> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestWorker.h:99:5
#3 0x7fc15fa67763 in mozilla::dom::XMLHttpRequest_Binding::open(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:907:28
#4 0x7fc16044848c in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3218:13
#5 0x7fc0d13e9baf (<unknown module>)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestWorker.cpp:1532:34 in mozilla::dom::XMLHttpRequestWorker::MaybeDispatchPrematureAbortEvents(mozilla::ErrorResult&)
Thread T32 (DOM Worker) created by T0 (file:// Content) here:
#0 0x55d9c3f1989a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
#1 0x7fc17e238129 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:458:14
#2 0x7fc17e221e5e in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:533:12
#3 0x7fc159ce9426 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:672:8
#4 0x7fc16267b3f8 in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/workspace/build/src/dom/workers/WorkerThread.cpp:92:7
#5 0x7fc1625eb4cf in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate*) /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:1439:14
#6 0x7fc1625e9b5c in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate*) /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:1304:19
#7 0x7fc162649f1e in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:2362:24
#8 0x7fc1625fa2c5 in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/workers/Worker.cpp:31:41
#9 0x7fc15fa27b89 in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WorkerBinding.cpp:1078:52
#10 0x7fc16715a11c in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:456:13
#11 0x7fc16715a11c in CallJSNativeConstructor /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472:8
#12 0x7fc16715a11c in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:680:10
#13 0x7fc16713eba7 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3101:16
#14 0x7fc1671210c4 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:10
#15 0x7fc167156d5e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:589:13
#16 0x7fc167159069 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:634:8
#17 0x7fc16737309c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2718:10
#18 0x7fc15fcfa772 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
#19 0x7fc160be46e5 in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#20 0x7fc160be46e5 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1033:43
#21 0x7fc160be614a in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1231:17
#22 0x7fc160bcd5b8 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
#23 0x7fc160bcd5b8 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349:17
#24 0x7fc160bcbdf1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
#25 0x7fc160bd16f3 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1049:11
#26 0x7fc1635078ad in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1164:7
#27 0x7fc1662b5179 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6354:20
#28 0x7fc1662b4407 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6132:7
#29 0x7fc1662b92cf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
#30 0x7fc15c7a8623 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1352:3
#31 0x7fc15c7a729a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:911:14
#32 0x7fc15c7a2f46 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:731:9
#33 0x7fc15c7a5d3a in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:619:5
#34 0x7fc15c7a6e8c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
#35 0x7fc159f8242b in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:595:22
#36 0x7fc159f84cf4 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:502:10
#37 0x7fc15de67ab8 in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/Document.cpp:10691:18
#38 0x7fc15de67ab8 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/Document.cpp:10623:9
#39 0x7fc15de949fc in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:7179:3
#40 0x7fc15df78664 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
#41 0x7fc15df78664 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1130:12
#42 0x7fc15df78664 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1176:13
#43 0x7fc159cc0851 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
#44 0x7fc159ced5a3 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
#45 0x7fc159cf4101 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#46 0x7fc15af6442f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#47 0x7fc15ae5ed82 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#48 0x7fc15ae5ed82 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
#49 0x7fc15ae5ed82 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
#50 0x7fc162e2db48 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#51 0x7fc166eaa806 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:934:20
#52 0x7fc15ae5ed82 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#53 0x7fc15ae5ed82 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
#54 0x7fc15ae5ed82 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
#55 0x7fc166eaa0c5 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:769:34
#56 0x55d9c3f61cf0 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#57 0x55d9c3f61cf0 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:272:18
#58 0x7fc17cd69b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
==15029==ABORTING
Flags: in-testsuite?
|
Assignee | |
Comment 1•5 years ago
|
||
Hello smaug,
Is this similar to bug 1533482 but we have a concrete test case.
I can reproduce the crash by navigating to testcase in description and then navigating to other site.
Flags: needinfo?(bugs)
|
||
Comment 2•5 years ago
|
||
Ah, could be.
Perhaps we need to null check mProxy in two more places https://searchfox.org/mozilla-central/rev/d061ba55ac76f41129618d638f4ef674303ec103/dom/xhr/XMLHttpRequestWorker.cpp#1532,1535
Flags: needinfo?(bugs)
|
|
Assignee | |
Comment 3•5 years ago
|
||
|
|
Assignee | |
Updated•5 years ago
|
Assignee: nobody → juhsu
Priority: -- → P2
Whiteboard: [necko-triaged]
Pushed by juhsu@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d822ee62d62a prevent possible null dereference in MaybeDispatchPrematureAbortEvents, r=smaug
|
||
Comment 5•5 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
|
||
Comment 6•5 years ago
|
||
Is this testcase something we could land as a crashtest or mochitest?
Crash Signature: [@ mozilla::dom::XMLHttpRequestWorker::MaybeDispatchPrematureAbortEvents]
status-firefox70:
--- → wontfix
status-firefox71:
--- → affected
status-firefox-esr68:
--- → affected
Flags: needinfo?(juhsu)
|
|
||
Updated•5 years ago
|
|
|
Assignee | |
Comment 7•5 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #6) > Is this testcase something we could land as a crashtest or mochitest? I manage to write one. It crashes the previous firefox but doesn't crash the crashtest.
|
|
Assignee | |
Updated•5 years ago
|
Flags: needinfo?(juhsu)
|
||
Comment 8•5 years ago
|
||
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Keywords: regression
|
||
Comment 9•4 years ago
|
||
Hi Junior, is qa needed here? If so, could you please provide us some steps? Thanks!
Flags: needinfo?(juhsu)
|
|
Assignee | |
Comment 10•4 years ago
|
||
(In reply to Catalin Sasca, QA [:csasca] from comment #9)
Hi Junior, is qa needed here? If so, could you please provide us some steps? Thanks!
Comment 1 helps to reproduce.
Flags: needinfo?(juhsu)
|
|
||
Updated•4 years ago
|
Flags: qe-verify+
|
||
Updated•4 years ago
|
Blocks: asan-maintenance
|
||
Comment 11•4 years ago
|
||
I've reproduced the asan error using an old nightly build from 2019-11-07:
==15362==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000094 (pc 0x7f92e4f0a4df bp 0x7f92c58f7590 sp 0x7f92c58f7440 T43)
==15362==The signal is caused by a WRITE memory access.
==15362==Hint: address points to the zero page.
#0 0x7f92e4f0a4de in mozilla::dom::XMLHttpRequestWorker::MaybeDispatchPrematureAbortEvents(mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestWorker.cpp:1532:34
#1 0x7f92e4f0be1e in mozilla::dom::XMLHttpRequestWorker::Open(nsTSubstring<char> const&, nsTSubstring<char16_t> const&, bool, mozilla::dom::Optional<nsTSubstring<char16_t> > const&, mozilla::dom::Optional<nsTSubstring<char16_t> > const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestWorker.cpp:1703:5
#2 0x7f92e4f16906 in mozilla::dom::XMLHttpRequestWorker::Open(nsTSubstring<char> const&, nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestWorker.h:110:5
#3 0x7f92e22267bc in mozilla::dom::XMLHttpRequest_Binding::open(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:966:28
#4 0x7f92e2bb339c in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3218:13
#5 0x20dacbaccf7f (<unknown module>)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestWorker.cpp:1532:34 in mozilla::dom::XMLHttpRequestWorker::MaybeDispatchPrematureAbortEvents(mozilla::ErrorResult&)
Thread T43 (DOM Worker) created by T0 (Web Content) here:
#0 0x555eaec6e46a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
#1 0x7f92fe73e109 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:458:14
#2 0x7f92fe727e3e in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:533:12
#3 0x7f92dcfff956 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:672:8
#4 0x7f92e4b92ac8 in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/workspace/build/src/dom/workers/WorkerThread.cpp:92:7
#5 0x7f92e4b0392f in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate*) /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:1439:14
#6 0x7f92e4b01fbc in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate*) /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:1304:19
#7 0x7f92e4b61fa6 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:2362:24
#8 0x7f92e4b12605 in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/workers/Worker.cpp:31:41
#9 0x7f92e21ea619 in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WorkerBinding.cpp:1078:52
#10 0x7f92e946170c in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:456:13
#11 0x7f92e946170c in CallJSNativeConstructor /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472:8
#12 0x7f92e946170c in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:680:10
#13 0x7f92e9446197 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3101:16
#14 0x7f92e94286b4 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:10
#15 0x7f92e945e34e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:589:13
#16 0x7f92e9460659 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:634:8
#17 0x7f92e964638c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2718:10
#18 0x7f92e24aa222 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
#19 0x7f92e3328f35 in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#20 0x7f92e3328f35 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1033:43
#21 0x7f92e332a99a in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1231:17
#22 0x7f92e3311f78 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
#23 0x7f92e3311f78 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349:17
#24 0x7f92e33107b1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
#25 0x7f92e33160b3 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1049:11
#26 0x7f92e5a0eebd in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1164:7
#27 0x7f92e85cf429 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6293:20
#28 0x7f92e85ce6b7 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6071:7
#29 0x7f92e85d357f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
#30 0x7f92df2b4a93 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1352:3
#31 0x7f92df2b370a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:911:14
#32 0x7f92df2af3b6 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:731:9
#33 0x7f92df2b21aa in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:619:5
#34 0x7f92df2b32fc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
#35 0x7f92dd2811ab in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:595:22
#36 0x7f92dd283a74 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:502:10
#37 0x7f92e06d0098 in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/Document.cpp:10558:18
#38 0x7f92e06d0098 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/Document.cpp:10490:9
#39 0x7f92e06fd19c in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:7115:3
#40 0x7f92e07de3b4 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
#41 0x7f92e07de3b4 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1130:12
#42 0x7f92e07de3b4 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1176:13
#43 0x7f92dcfd7a81 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
#44 0x7f92dd003ad3 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
#45 0x7f92dd00ac21 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#46 0x7f92de12dcfc in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#47 0x7f92de051f12 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#48 0x7f92de051f12 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
#49 0x7f92de051f12 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
#50 0x7f92e5339f38 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#51 0x7f92e91eb8d6 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:934:20
#52 0x7f92de051f12 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#53 0x7f92de051f12 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
#54 0x7f92de051f12 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
#55 0x7f92e91eb18a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:769:34
#56 0x555eaecb6882 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#57 0x555eaecb6882 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:272:18
#58 0x7f92fd259b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
==15362==ABORTING
Verified that using asan build 72.0.1 and 75.0b11 I did not reproduce this crash anymore.
You need to log in
before you can comment on or make changes to this bug.
Description
•