Closed Bug 1594215 Opened 1 year ago Closed 1 year ago

AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/ProtocolUtils.h in mozilla::dom::PBrowserChild::SendRequestNativeKeyBindings(unsigned int const&, mozilla::WidgetKeyboardEvent const&, nsTArray<unsigned char>*)

Categories

(Core :: DOM: Core & HTML, defect, P3)

Tracking

RESOLVED FIXED
mozilla72
Tracking Status
firefox-esr68 --- wontfix
firefox70 --- wontfix
firefox71 --- wontfix
firefox72 --- fixed

People

(Reporter: jkratzer, Assigned: masayuki)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, testcase)

Attachments

(3 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central 4d585c7edc76. Testcase requires a build with --enable-fuzzing and may require a few reloads in order to trigger.

Both files, testcase.html and harness.html, need to be located in the same directory and served via HTTP. Pointing Firefox at harness.html should reproduce the issue.

==8483==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x7fce8a63c0b5 bp 0x7ffec59d72d0 sp 0x7ffec59d7100 T0)
==8483==The signal is caused by a READ memory access.
==8483==Hint: address points to the zero page.
    #0 0x7fce8a63c0b4 in mozilla::dom::PBrowserChild::SendRequestNativeKeyBindings(unsigned int const&, mozilla::WidgetKeyboardEvent const&, nsTArray<unsigned char>*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/ProtocolUtils.h
    #1 0x7fce90c7399d in mozilla::dom::BrowserChild::RequestEditCommands(nsIWidget::NativeKeyBindingsType, mozilla::WidgetKeyboardEvent const&, nsTArray<unsigned char>&) /builds/worker/workspace/build/src/dom/ipc/BrowserChild.cpp:1959:3
    #2 0x7fce91601e93 in mozilla::WidgetKeyboardEvent::InitEditCommandsFor(nsIWidget::NativeKeyBindingsType) /builds/worker/workspace/build/src/widget/WidgetEventImpl.cpp:769:12
    #3 0x7fce8c83e754 in mozilla::TextInputProcessor::PrepareKeyboardEventToDispatch(mozilla::WidgetKeyboardEvent&, unsigned int) /builds/worker/workspace/build/src/dom/base/TextInputProcessor.cpp:1002:22
    #4 0x7fce8c83a79c in mozilla::TextInputProcessor::KeyupInternal(mozilla::WidgetKeyboardEvent const&, unsigned int, bool&) /builds/worker/workspace/build/src/dom/base/TextInputProcessor.cpp:1144:17
    #5 0x7fce8c8411d3 in mozilla::TextInputProcessor::Keyup(mozilla::WidgetKeyboardEvent const&, unsigned int, bool*) /builds/worker/workspace/build/src/dom/base/TextInputProcessor.cpp:1133:10
    #6 0x7fce8c72f540 in mozilla::dom::FuzzingFunctions::SynthesizeKeyboardEvents(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::KeyboardEventInit const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/FuzzingFunctions.cpp:327:29
    #7 0x7fce8e77a5a6 in mozilla::dom::FuzzingFunctions_Binding::synthesizeKeyboardEvents(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/FuzzingFunctionsBinding.cpp:130:3
    #8 0x7fce95938259 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:456:13
    #9 0x7fce95938259 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:548:12
    #10 0x7fce95920da4 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:621:10
    #11 0x7fce95920da4 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3110:16
    #12 0x7fce959030c4 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:10
    #13 0x7fce95938d5e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:589:13
    #14 0x7fce9593b069 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:634:8
    #15 0x7fce95b5509c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2718:10
    #16 0x7fce8e4dc772 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
    #17 0x7fce8f3c66e5 in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #18 0x7fce8f3c66e5 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1033:43
    #19 0x7fce8f3c814a in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1231:17
    #20 0x7fce8f3af5b8 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
    #21 0x7fce8f3af5b8 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349:17
    #22 0x7fce8f3addf1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
    #23 0x7fce8f3b36f3 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1049:11
    #24 0x7fce8f3ba0b0 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
    #25 0x7fce8c980f7a in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1063:17
    #26 0x7fce8c337527 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4020:28
    #27 0x7fce8c337303 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:3990:10
    #28 0x7fce8c675a6c in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:7071:3
    #29 0x7fce8c75a664 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
    #30 0x7fce8c75a664 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1130:12
    #31 0x7fce8c75a664 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1176:13
    #32 0x7fce884a2851 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
    #33 0x7fce884cf5a3 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #34 0x7fce884d6101 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #35 0x7fce8974642f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #36 0x7fce89640d82 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #37 0x7fce89640d82 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #38 0x7fce89640d82 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #39 0x7fce9160fb48 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #40 0x7fce9568c806 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:934:20
    #41 0x7fce89640d82 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #42 0x7fce89640d82 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #43 0x7fce89640d82 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #44 0x7fce9568c0c5 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:769:34
    #45 0x55615247dcf0 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #46 0x55615247dcf0 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:272:18
    #47 0x7fceab54bb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #48 0x5561523d31bc in _start (/home/forb1dden/builds/mc-asan/firefox+0x4b1bc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/ProtocolUtils.h in mozilla::dom::PBrowserChild::SendRequestNativeKeyBindings(unsigned int const&, mozilla::WidgetKeyboardEvent const&, nsTArray<unsigned char>*)
Flags: in-testsuite?
Attached file harness.html
Flags: needinfo?(masayuki)

Hmm, it looks like PuppetWidget::mBrowserChild has already been set to nullptr in this case. TextInputProcessor should detect that state and throw an exception in that case, though.

Flags: needinfo?(masayuki)
Priority: -- → P3
Assignee: nobody → masayuki
Status: NEW → ASSIGNED

The reason for the crash is that the window may have already been destroyed and
PuppetWidget::mBrowserChild set to nullptr when synthesizing the key event.

This patch makes PuppetWidget::GetEditCommands() check whether it's nullptr
and return whether it succeeded or not. Therefore, TextInputProcessor
can throw an exception in such a case.
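The check-then-report pattern the patch describes, as an added C++ model that is not Firefox's code: the names PuppetWidget, GetEditCommands() and mBrowserChild mirror the report, while BrowserChildStub, PuppetWidgetModel, SynthesizeStatus and SynthesizeKeyup are constructed stand-ins for BrowserChild, the widget and the TextInputProcessor caller.

```cpp
#include <cstdint>
#include <vector>

// Constructed stand-in for BrowserChild (the content-process end of the IPC
// channel); not Firefox code.
struct BrowserChildStub {
  bool mChannelOpen = true;
  // Plays the role of the synchronous SendRequestNativeKeyBindings call.
  bool RequestEditCommands(uint32_t keyCode, std::vector<uint8_t>& out) const {
    if (!mChannelOpen) return false;  // reads a field: a null 'this' faults here
    out.assign({static_cast<uint8_t>(keyCode & 0xff), uint8_t{1}});
    return true;
  }
};

// Models PuppetWidget: mBrowserChild is cleared once the window is destroyed.
class PuppetWidgetModel {
 public:
  explicit PuppetWidgetModel(BrowserChildStub* child) : mBrowserChild(child) {}
  void Destroy() { mBrowserChild = nullptr; }

  // Before the fix: unconditional dereference; with a null mBrowserChild this
  // is the zero-page read that ASan reported.
  void GetEditCommandsUnchecked(uint32_t keyCode, std::vector<uint8_t>& out) const {
    mBrowserChild->RequestEditCommands(keyCode, out);
  }

  // After the fix: check the pointer and tell the caller whether it succeeded.
  bool GetEditCommands(uint32_t keyCode, std::vector<uint8_t>& out) const {
    if (!mBrowserChild) {
      return false;  // window already gone; nothing to ask the parent process
    }
    return mBrowserChild->RequestEditCommands(keyCode, out);
  }

 private:
  BrowserChildStub* mBrowserChild;
};

// Models the TextInputProcessor caller: a failed lookup becomes an error the
// script sees (Firefox throws via ErrorResult; a status code stands in here).
enum class SynthesizeStatus { Ok, WidgetGone };

SynthesizeStatus SynthesizeKeyup(const PuppetWidgetModel& widget, uint32_t keyCode) {
  std::vector<uint8_t> commands;
  if (!widget.GetEditCommands(keyCode, commands)) {
    return SynthesizeStatus::WidgetGone;
  }
  return SynthesizeStatus::Ok;
}
```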

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/fce96cf09270
Make `PuppetWidget::GetEditCommands()` check `mBrowserChild` before using it r=smaug
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
Flags: in-testsuite? → in-testsuite-