Closed Bug 1599569 Opened 11 months ago Closed 11 months ago

member call on null pointer of type 'nsScriptSecurityManager' in js/xpconnect/src/XPCJSRuntime.cpp:1124

Categories: Core :: Security: CAPS, defect
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
Target Milestone: mozilla72
Tracking Status: firefox-esr68 --- unaffected; firefox71 --- unaffected; firefox72 --- fixed
People: Reporter: tsmith, Assigned: mccr8
References: Blocks 1 open bug, Regression
Keywords: crash, csectype-undefined, regression
Attachments: 1 file

This is triggered when closing a tab with fission.autostart=true

To enable this check, add the following to your mozconfig:

ac_add_options --enable-address-sanitizer
ac_add_options --enable-undefined-sanitizer="null"
ac_add_options --disable-jemalloc

js/xpconnect/src/XPCJSRuntime.cpp:1124:56: runtime error: member call on null pointer of type 'nsScriptSecurityManager'
    #0 0x7fdb7c2735b5 in XPCJSRuntime::Shutdown(JSContext*) js/xpconnect/src/XPCJSRuntime.cpp:1124:56
    #1 0x7fdb797d93bf in mozilla::CycleCollectedJSContext::~CycleCollectedJSContext() xpcom/base/CycleCollectedJSContext.cpp:83:13
    #2 0x7fdb7c26752b in XPCJSContext::~XPCJSContext() js/xpconnect/src/XPCJSContext.cpp:1035:1
    #3 0x7fdb7c268062 in XPCJSContext::~XPCJSContext() js/xpconnect/src/XPCJSContext.cpp:997:31
    #4 0x7fdb7c30cd4f in nsXPConnect::~nsXPConnect() js/xpconnect/src/nsXPConnect.cpp:131:3
    #5 0x7fdb7c30ce32 in nsXPConnect::~nsXPConnect() js/xpconnect/src/nsXPConnect.cpp:101:29
    #6 0x7fdb7c30d05a in nsXPConnect::Release() js/xpconnect/src/nsXPConnect.cpp:48:1
    #7 0x7fdb7c30d05a in nsXPConnect::ReleaseXPConnectSingleton() js/xpconnect/src/nsXPConnect.cpp:165:5
    #8 0x7fdb799c3def in nsComponentManagerImpl::Shutdown() xpcom/components/nsComponentManager.cpp:941:3
    #9 0x7fdb79a87c99 in mozilla::ShutdownXPCOM(nsIServiceManager*) xpcom/build/XPCOMInit.cpp:729:55
    #10 0x7fdb86c03fc4 in XRE_TermEmbedding() toolkit/xre/nsEmbedFunctions.cpp:223:3
    #11 0x7fdb7af9c82b in mozilla::ipc::ScopedXREEmbed::Stop() ipc/glue/ScopedXREEmbed.cpp:90:5
    #12 0x7fdb86c04f6c in XRE_InitChildProcess(int, char**, XREChildData const*) toolkit/xre/nsEmbedFunctions.cpp:773:16
    #13 0x5589bed2b1bd in content_process_main(mozilla::Bootstrap*, int, char**) browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #14 0x5589bed2b462 in main browser/app/nsBrowserApp.cpp:272:18

A Pernosco session is available here: https://pernos.co/debug/bidP7U2IHsU3zO0b3DxPhw/index.html
It will expire in 7 days.

This is strange. Why doesn't it result in a null deref crash normally?

It does make sense that it happens, just looking at the code, because we call mozilla::KillClearOnShutdown(ShutdownPhase::ShutdownFinal); in ShutdownXPCOM before we shut down the JS engine, and the script security manager calls ClearOnShutdown(&gScriptSecMan);, which defaults to ShutdownFinal...

Ah, I see... nsScriptSecurityManager::ClearJSCallbacks() just never touches |this|. Funny.

Assignee: nobody → continuation
Component: XPConnect → Security: CAPS

I guess we can just make these methods static...

XPConnect calls this method during shutdown after the pointer to the
singleton nsScriptSecurityManager has been cleared, so it is actually
calling it with a null |this|. Nobody noticed this because it isn't
actually using |this|. This patch turns it into a static method to
make the sanitizers happy.
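The shutdown ordering described in the comments above, as an added stand-alone example (not Firefox code, not part of this bug's patch). ScriptSecurityManager, gJSCallbacks, ClearOnShutdown, RuntimeShutdown and ShutdownXPCOM are hypothetical stand-ins for nsScriptSecurityManager, the callbacks it installs into the JS engine, mozilla::ClearOnShutdown(&gScriptSecMan), XPCJSRuntime::Shutdown and mozilla::ShutdownXPCOM. It shows both the pre-fix member call through a null singleton pointer (undefined behaviour that only -fsanitize=null reports, because the body never reads |this|) and the static-method fix that landed here:

```cpp
// Added example, not Firefox code. Models the shutdown-order bug in this
// report with hypothetical names standing in for the real Gecko symbols.
#include <cstdio>
#include <cstring>

// Callbacks the security manager registers with the JS engine at startup.
struct JSCallbacks {
  bool (*subjectPrincipal)();
};
static JSCallbacks gJSCallbacks = {nullptr};
static bool FakeSubjectPrincipal() { return true; }

class ScriptSecurityManager {
 public:
  static void Init() {
    static ScriptSecurityManager sInst;
    sSingleton = &sInst;
    gJSCallbacks.subjectPrincipal = FakeSubjectPrincipal;
  }
  static ScriptSecurityManager* Get() { return sSingleton; }

  // Stand-in for mozilla::ClearOnShutdown(&gScriptSecMan): the singleton
  // pointer is nulled at ShutdownFinal, which ShutdownXPCOM runs *before*
  // tearing down the JS runtime.
  static void ClearOnShutdown() { sSingleton = nullptr; }

  // Before the fix: an ordinary member function whose body never reads
  // |this|. Calling Get()->ClearJSCallbacksBefore() once Get() is null is
  // undefined behaviour. It "works" without sanitizers because the body is
  // effectively a free function, but -fsanitize=null reports
  // "member call on null pointer".
  void ClearJSCallbacksBefore() { gJSCallbacks.subjectPrincipal = nullptr; }

  // After the fix (what this bug landed): a static member function has no
  // |this|, so the call site no longer performs a member call through a
  // null pointer and the sanitizer has nothing to flag.
  static void ClearJSCallbacks() { gJSCallbacks.subjectPrincipal = nullptr; }

 private:
  static ScriptSecurityManager* sSingleton;
};
ScriptSecurityManager* ScriptSecurityManager::sSingleton = nullptr;

// Stand-in for the fixed XPCJSRuntime::Shutdown. Returns true if the
// singleton was already gone when it ran, i.e. the ordering the report
// describes.
static bool RuntimeShutdown() {
  bool managerAlreadyCleared = (ScriptSecurityManager::Get() == nullptr);
  ScriptSecurityManager::ClearJSCallbacks();  // no |this| involved
  return managerAlreadyCleared;
}

// Stand-in for the ShutdownXPCOM ordering: KillClearOnShutdown(ShutdownFinal)
// first, JS runtime teardown second.
static bool ShutdownXPCOM() {
  ScriptSecurityManager::ClearOnShutdown();
  return RuntimeShutdown();
}

static bool CallbacksCleared() {
  return gJSCallbacks.subjectPrincipal == nullptr;
}

int main(int argc, char** argv) {
  ScriptSecurityManager::Init();
  if (argc > 1 && std::strcmp(argv[1], "ub") == 0) {
    // Reproduce the pre-fix path: runs silently in a plain build, aborts
    // with "member call on null pointer" under -fsanitize=undefined.
    ScriptSecurityManager::ClearOnShutdown();
    ScriptSecurityManager::Get()->ClearJSCallbacksBefore();
    std::printf("pre-fix path ran without a crash (no sanitizer)\n");
    return 0;
  }
  bool clearedFirst = ShutdownXPCOM();
  std::printf("manager already null at runtime shutdown: %d, callbacks cleared: %d\n",
              clearedFirst, CallbacksCleared());
  return 0;
}
```

Build with `clang++ -std=c++17 -fsanitize=undefined -fno-sanitize-recover=null demo.cpp` and run `./a.out ub` to see the same class of report as the one in comment 0; run it without the argument to exercise the static-method version, which is clean under the sanitizer. The static method is the right fix rather than a null check at the call site because the method genuinely has no per-instance state to consult.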

Pushed by amccreight@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a6ca76735f68
Make nsScriptSecurityManager::ClearJSCallbacks into a static method. r=kmag
Status: NEW → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla72