member call on null pointer of type 'nsScriptSecurityManager' in js/xpconnect/src/XPCJSRuntime.cpp:1124
Categories: Core :: Security: CAPS, defect
Tracking:
| Tracking | Status |
|---|---|
| firefox-esr68 | unaffected |
| firefox71 | unaffected |
| firefox72 | fixed |
People: Reporter: tsmith, Assigned: mccr8
References: Blocks 1 open bug, Regression
Details: Keywords: crash, csectype-undefined, regression
Attachments: 1 file
This is triggered when closing a tab with fission.autostart=true
To enable this check add the following to your mozconfig:
ac_add_options --enable-address-sanitizer
ac_add_options --enable-undefined-sanitizer="null"
ac_add_options --disable-jemalloc
js/xpconnect/src/XPCJSRuntime.cpp:1124:56: runtime error: member call on null pointer of type 'nsScriptSecurityManager'
#0 0x7fdb7c2735b5 in XPCJSRuntime::Shutdown(JSContext*) js/xpconnect/src/XPCJSRuntime.cpp:1124:56
#1 0x7fdb797d93bf in mozilla::CycleCollectedJSContext::~CycleCollectedJSContext() xpcom/base/CycleCollectedJSContext.cpp:83:13
#2 0x7fdb7c26752b in XPCJSContext::~XPCJSContext() js/xpconnect/src/XPCJSContext.cpp:1035:1
#3 0x7fdb7c268062 in XPCJSContext::~XPCJSContext() js/xpconnect/src/XPCJSContext.cpp:997:31
#4 0x7fdb7c30cd4f in nsXPConnect::~nsXPConnect() js/xpconnect/src/nsXPConnect.cpp:131:3
#5 0x7fdb7c30ce32 in nsXPConnect::~nsXPConnect() js/xpconnect/src/nsXPConnect.cpp:101:29
#6 0x7fdb7c30d05a in nsXPConnect::Release() js/xpconnect/src/nsXPConnect.cpp:48:1
#7 0x7fdb7c30d05a in nsXPConnect::ReleaseXPConnectSingleton() js/xpconnect/src/nsXPConnect.cpp:165:5
#8 0x7fdb799c3def in nsComponentManagerImpl::Shutdown() xpcom/components/nsComponentManager.cpp:941:3
#9 0x7fdb79a87c99 in mozilla::ShutdownXPCOM(nsIServiceManager*) xpcom/build/XPCOMInit.cpp:729:55
#10 0x7fdb86c03fc4 in XRE_TermEmbedding() toolkit/xre/nsEmbedFunctions.cpp:223:3
#11 0x7fdb7af9c82b in mozilla::ipc::ScopedXREEmbed::Stop() ipc/glue/ScopedXREEmbed.cpp:90:5
#12 0x7fdb86c04f6c in XRE_InitChildProcess(int, char**, XREChildData const*) toolkit/xre/nsEmbedFunctions.cpp:773:16
#13 0x5589bed2b1bd in content_process_main(mozilla::Bootstrap*, int, char**) browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#14 0x5589bed2b462 in main browser/app/nsBrowserApp.cpp:272:18
Comment 1 (Reporter)•6 years ago
A Pernosco session is available here: https://pernos.co/debug/bidP7U2IHsU3zO0b3DxPhw/index.html
It will expire in 7 days.
Comment 2 (Assignee)•6 years ago
This is strange. Why doesn't it result in a null deref crash normally?
It does make sense that it happens, just looking at the code, because we call mozilla::KillClearOnShutdown(ShutdownPhase::ShutdownFinal); in ShutdownXPCOM before we shut down the JS engine, and the script security manager calls ClearOnShutdown(&gScriptSecMan);, which defaults to ShutdownFinal...
Ah, I see... nsScriptSecurityManager::ClearJSCallbacks() just never touches |this|. Funny.
Comment 3•6 years ago
I guess we can just make these methods static...
Comment 4 (Assignee)•6 years ago
XPConnect calls this method during shutdown after the pointer to the singleton nsScriptSecurityManager has been cleared, so it is actually calling it with a null |this|. Nobody noticed this because it isn't actually using |this|. This patch turns it into a static method to make the sanitizers happy.
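The shutdown ordering described in comment 2 and the fix described in comment 4, as an added C++ example that is not Firefox code: a toy singleton is registered for ClearOnShutdown, the ShutdownFinal phase nulls the pointer first, and only afterwards does the (simulated) JS runtime shutdown try to clear the callbacks. The names ToySecMan, gToySecMan, JSCallbacks, RegisterClearOnShutdown and RunClearOnShutdown are stand-ins invented for this example. The non-static "before" method is kept only to show what `-fsanitize=null` flags; it is never called through a null pointer here.

```cpp
#include <cstdio>
#include <functional>
#include <vector>

// Constructed stand-in for the JS callbacks the security manager registers.
struct JSCallbacks {
  bool (*checkPrincipal)(int) = nullptr;
};
static JSCallbacks gJSCallbacks;

static bool ToyCheckPrincipal(int) { return true; }

// Constructed stand-in for nsScriptSecurityManager.
class ToySecMan {
 public:
  ToySecMan() { gJSCallbacks.checkPrincipal = ToyCheckPrincipal; }

  // BEFORE (the shape of the bug): a non-static member that never reads |this|.
  // Invoking it as  static_cast<ToySecMan*>(nullptr)->ClearJSCallbacksMember()
  // compiles and appears to work, but the call itself is undefined behaviour and
  // UBSan with -fsanitize=null reports "member call on null pointer".
  void ClearJSCallbacksMember() { gJSCallbacks.checkPrincipal = nullptr; }

  // AFTER (the fix landed in this bug): static, so there is no |this| to be null.
  static void ClearJSCallbacks() { gJSCallbacks.checkPrincipal = nullptr; }
};

// Constructed ClearOnShutdown registry: clears run at the "ShutdownFinal" phase.
static ToySecMan* gToySecMan = nullptr;
static std::vector<std::function<void()>> gShutdownFinal;

static void RegisterClearOnShutdown(ToySecMan** aPtr) {
  gShutdownFinal.push_back([aPtr] {
    delete *aPtr;
    *aPtr = nullptr;
  });
}

static void RunClearOnShutdown() {
  for (auto& clear : gShutdownFinal) clear();
  gShutdownFinal.clear();
}

// Mirrors the ordering from comment 2: KillClearOnShutdown(ShutdownFinal) runs
// before the JS runtime is torn down, so by the time Shutdown() wants to clear
// the security manager's JS callbacks the singleton pointer is already null.
// Returns true if the callbacks were cleared without any null object operand.
static bool ShutdownSequenceFixed() {
  gToySecMan = new ToySecMan();
  RegisterClearOnShutdown(&gToySecMan);

  RunClearOnShutdown();
  if (gToySecMan != nullptr) return false;  // the ordering we are modelling

  // JS runtime shutdown: a static call has no object operand, so it is
  // well-defined no matter what gToySecMan holds.
  ToySecMan::ClearJSCallbacks();
  return gJSCallbacks.checkPrincipal == nullptr;
}

// A null check alone is the other way to silence the sanitizer, but because the
// pointer is already null at this point the clearing is simply skipped.
// Returns true when the callbacks were left set, i.e. the work was not done.
static bool ShutdownSequenceGuardedSkipsWork() {
  gToySecMan = new ToySecMan();
  RegisterClearOnShutdown(&gToySecMan);

  RunClearOnShutdown();
  if (ToySecMan* secMan = gToySecMan) {
    secMan->ClearJSCallbacksMember();  // only reached while the object is alive
  }
  return gJSCallbacks.checkPrincipal != nullptr;
}

int main() {
  std::printf("static method clears callbacks after ShutdownFinal: %s\n",
              ShutdownSequenceFixed() ? "yes" : "no");
  std::printf("null guard alone leaves callbacks set: %s\n",
              ShutdownSequenceGuardedSkipsWork() ? "yes" : "no");
  return 0;
}
```

The point of the second function is why making the method static is the better fix than adding an `if (gScriptSecMan)` guard: a guard makes the sanitizer report go away, but the callbacks would then never be cleared during shutdown, whereas the static form keeps doing the work without ever forming a member call on a null object.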