AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/ProtocolUtils.h in mozilla::dom::PBrowserChild::SendRequestNativeKeyBindings(unsigned int const&, mozilla::WidgetKeyboardEvent const&, nsTArray<unsigned char>*)
Categories: Core :: DOM: Core & HTML, defect, P3
People: Reporter: jkratzer, Assigned: masayuki
References: Blocks 2 open bugs
Details: Keywords: crash, testcase
Attachments: 3 files
Testcase found while fuzzing mozilla-central 4d585c7edc76. Testcase requires a build with --enable-fuzzing and may require a few reloads in order to trigger.
Both files, testcase.html and harness.html, need to be located in the same directory and served via HTTP. Pointing Firefox at harness.html should reproduce the issue.
==8483==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x7fce8a63c0b5 bp 0x7ffec59d72d0 sp 0x7ffec59d7100 T0)
==8483==The signal is caused by a READ memory access.
==8483==Hint: address points to the zero page.
#0 0x7fce8a63c0b4 in mozilla::dom::PBrowserChild::SendRequestNativeKeyBindings(unsigned int const&, mozilla::WidgetKeyboardEvent const&, nsTArray<unsigned char>*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/ProtocolUtils.h
#1 0x7fce90c7399d in mozilla::dom::BrowserChild::RequestEditCommands(nsIWidget::NativeKeyBindingsType, mozilla::WidgetKeyboardEvent const&, nsTArray<unsigned char>&) /builds/worker/workspace/build/src/dom/ipc/BrowserChild.cpp:1959:3
#2 0x7fce91601e93 in mozilla::WidgetKeyboardEvent::InitEditCommandsFor(nsIWidget::NativeKeyBindingsType) /builds/worker/workspace/build/src/widget/WidgetEventImpl.cpp:769:12
#3 0x7fce8c83e754 in mozilla::TextInputProcessor::PrepareKeyboardEventToDispatch(mozilla::WidgetKeyboardEvent&, unsigned int) /builds/worker/workspace/build/src/dom/base/TextInputProcessor.cpp:1002:22
#4 0x7fce8c83a79c in mozilla::TextInputProcessor::KeyupInternal(mozilla::WidgetKeyboardEvent const&, unsigned int, bool&) /builds/worker/workspace/build/src/dom/base/TextInputProcessor.cpp:1144:17
#5 0x7fce8c8411d3 in mozilla::TextInputProcessor::Keyup(mozilla::WidgetKeyboardEvent const&, unsigned int, bool*) /builds/worker/workspace/build/src/dom/base/TextInputProcessor.cpp:1133:10
#6 0x7fce8c72f540 in mozilla::dom::FuzzingFunctions::SynthesizeKeyboardEvents(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::KeyboardEventInit const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/FuzzingFunctions.cpp:327:29
#7 0x7fce8e77a5a6 in mozilla::dom::FuzzingFunctions_Binding::synthesizeKeyboardEvents(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/FuzzingFunctionsBinding.cpp:130:3
#8 0x7fce95938259 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:456:13
#9 0x7fce95938259 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:548:12
#10 0x7fce95920da4 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:621:10
#11 0x7fce95920da4 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3110:16
#12 0x7fce959030c4 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:10
#13 0x7fce95938d5e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:589:13
#14 0x7fce9593b069 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:634:8
#15 0x7fce95b5509c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2718:10
#16 0x7fce8e4dc772 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
#17 0x7fce8f3c66e5 in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#18 0x7fce8f3c66e5 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1033:43
#19 0x7fce8f3c814a in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1231:17
#20 0x7fce8f3af5b8 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
#21 0x7fce8f3af5b8 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349:17
#22 0x7fce8f3addf1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
#23 0x7fce8f3b36f3 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1049:11
#24 0x7fce8f3ba0b0 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
#25 0x7fce8c980f7a in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1063:17
#26 0x7fce8c337527 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4020:28
#27 0x7fce8c337303 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:3990:10
#28 0x7fce8c675a6c in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:7071:3
#29 0x7fce8c75a664 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
#30 0x7fce8c75a664 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1130:12
#31 0x7fce8c75a664 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1176:13
#32 0x7fce884a2851 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
#33 0x7fce884cf5a3 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
#34 0x7fce884d6101 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#35 0x7fce8974642f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#36 0x7fce89640d82 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#37 0x7fce89640d82 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
#38 0x7fce89640d82 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
#39 0x7fce9160fb48 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#40 0x7fce9568c806 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:934:20
#41 0x7fce89640d82 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#42 0x7fce89640d82 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
#43 0x7fce89640d82 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
#44 0x7fce9568c0c5 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:769:34
#45 0x55615247dcf0 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#46 0x55615247dcf0 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:272:18
#47 0x7fceab54bb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#48 0x5561523d31bc in _start (/home/forb1dden/builds/mc-asan/firefox+0x4b1bc)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/ProtocolUtils.h in mozilla::dom::PBrowserChild::SendRequestNativeKeyBindings(unsigned int const&, mozilla::WidgetKeyboardEvent const&, nsTArray<unsigned char>*)
Comment 1 (Reporter) • 5 years ago

Comment 2 (Assignee) • 5 years ago
Hmm, looks like PuppetWidget::mBrowserChild has already been set to nullptr in this case. TextInputProcessor should detect the state and throw an exception in that case, though.
Comment 3 (Assignee) • 5 years ago
The reason for the crash is that the window may have already been destroyed and PuppetWidget::mBrowserChild set to nullptr when synthesizing a key event. This patch makes PuppetWidget::GetEditCommands() check whether it is nullptr and return whether it succeeded. Therefore, TextInputProcessor can throw an exception in such a case.
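The fix described in the comment above, as an added example that is not Mozilla's code: simplified stand-ins for PuppetWidget, BrowserChild and the TextInputProcessor caller, showing the pre-fix unchecked dereference beside the checked version that reports success so the caller can fail cleanly instead of crashing the content process. All class bodies, the sample command bytes and the Result codes here are constructed for illustration.

```cpp
// Added example (not Mozilla's code): models the null check from comment 3.
// The names mirror the bug report, but every body here is a constructed stand-in.
#include <cstdint>
#include <vector>

// Stand-in for BrowserChild, the IPC actor the widget forwards requests to.
struct BrowserChild {
  // Pretend to ask the parent process for native key bindings (constructed data).
  void RequestEditCommands(std::vector<uint8_t>& aCommands) const {
    aCommands = {1, 2, 3};
  }
};

struct PuppetWidget {
  BrowserChild* mBrowserChild = nullptr;  // cleared once the window is destroyed

  // Before the fix: dereferences mBrowserChild unconditionally. With the actor
  // gone this is a read through a null pointer, which is what the ASan report
  // shows (a SEGV on an address in the zero page). Not called by the test.
  void GetEditCommandsUnchecked(std::vector<uint8_t>& aCommands) const {
    mBrowserChild->RequestEditCommands(aCommands);
  }

  // After the fix: report failure instead of touching a destroyed actor.
  bool GetEditCommands(std::vector<uint8_t>& aCommands) const {
    if (!mBrowserChild) {
      return false;
    }
    mBrowserChild->RequestEditCommands(aCommands);
    return true;
  }
};

// Constructed result codes standing in for nsresult values.
enum Result { NS_OK = 0, NS_ERROR_NOT_AVAILABLE = 1 };

// Stand-in for the TextInputProcessor caller: with the fix, a destroyed window
// yields an error that surfaces to script as an exception rather than a crash.
Result PrepareKeyboardEventToDispatch(const PuppetWidget& aWidget,
                                      std::vector<uint8_t>& aCommands) {
  if (!aWidget.GetEditCommands(aCommands)) {
    return NS_ERROR_NOT_AVAILABLE;
  }
  return NS_OK;
}
```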
Comment 5 (bugherder) • 5 years ago