Closed Bug 1605530 Opened 5 years ago Closed 5 years ago

member call on null pointer of type 'mozilla::dom::BrowsingContext' in uriloader/exthandler/ExternalHelperAppParent.cpp:83

Categories

(Firefox :: File Handling, defect, P1)


Tracking


RESOLVED DUPLICATE of bug 1611588
Tracking Status
firefox-esr68 --- unaffected
firefox72 --- wontfix
firefox73 --- fixed
firefox74 --- fixed

People

(Reporter: tsmith, Assigned: mattwoodrow)

References

(Regression)

Details


Info

Reproduced with: 20191219-8e1b11b00157
Fuzz Target: ContentParentIPC
Reliably Reproduces: Yes
Pernosco session: https://pernos.co/debug/aAWYN_-53357LI1R2T1bZw/index.html

If this issue is benign it can be added to the suppression list upon request and the particular message will be ignored in future fuzzing runs.

Callstack

uriloader/exthandler/ExternalHelperAppParent.cpp:83:42: runtime error: member call on null pointer of type 'mozilla::dom::BrowsingContext'
    #0 0x7f95a22edfc6 in mozilla::dom::ExternalHelperAppParent::Init(mozilla::Maybe<mozilla::net::LoadInfoArgs> const&, nsTString<char> const&, bool const&, mozilla::Maybe<mozilla::ipc::URIParams> const&, mozilla::dom::BrowsingContext*, bool const&) uriloader/exthandler/ExternalHelperAppParent.cpp:83:42
    #1 0x7f95a73255c3 in mozilla::dom::ContentParent::RecvPExternalHelperAppConstructor(mozilla::dom::PExternalHelperAppParent*, mozilla::Maybe<mozilla::ipc::URIParams> const&, mozilla::Maybe<mozilla::net::LoadInfoArgs> const&, nsTString<char> const&, nsTString<char> const&, unsigned int const&, nsTString<char16_t> const&, bool const&, long const&, bool const&, mozilla::Maybe<mozilla::ipc::URIParams> const&, mozilla::dom::BrowsingContext*, bool const&) dom/ipc/ContentParent.cpp:3802:49
    #2 0x7f95a0ecd775 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) objdir-ff-ubsan/ipc/ipdl/PContentParent.cpp:8388:57
    #3 0x7f959eec840b in void mozilla::ipc::FuzzProtocol<mozilla::dom::ContentParent>(mozilla::dom::ContentParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) objdir-ff-ubsan/dist/include/ProtocolFuzzer.h:96:18
    #4 0x7f959eec7c10 in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:27:3
    #5 0x5637c6493385 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:529:15
    #6 0x5637c647fe7e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) tools/fuzzing/libfuzzer/FuzzerDriver.cpp:286:6
    #7 0x5637c6481ee9 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) tools/fuzzing/libfuzzer/FuzzerDriver.cpp:715:9
    #8 0x7f95abc833f4 in mozilla::FuzzerRunner::Run(int*, char***) tools/fuzzing/interface/harness/FuzzerRunner.cpp:54:10
    #9 0x7f95abba798d in XREMain::XRE_mainStartup(bool*) toolkit/xre/nsAppRunner.cpp:3752:35
    #10 0x7f95abbb0cab in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4722:12
    #11 0x7f95abbb191b in XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4818:21
    #12 0x5637c630edf2 in do_main(int, char**, char**) browser/app/nsBrowserApp.cpp:217:22
    #13 0x5637c630e500 in main browser/app/nsBrowserApp.cpp:339:16

The priority flag is not set for this bug.
:Gijs, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(gijskruitbosch+bugs)

Matt, looks like the parent is supposed to be able to cope with a null browsing context? The previous code checked aBrowser for being null, and now we use aContext without checks - we only check once we've looked for a parent on it.

Flags: needinfo?(gijskruitbosch+bugs) → needinfo?(matt.woodrow)
Priority: -- → P1
Regressed by: 1589270
Has Regression Range: --- → yes
Assignee: nobody → matt.woodrow
Flags: needinfo?(matt.woodrow)
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
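The ordering problem described in the comment above (a member call on the context before the context itself is checked for null), shown as an added C++ example that is not Mozilla's code. `Context`, `ResolveContext`, `InitUnsafe`, `InitChecked`, `HandleRequest` and the two-node sample tree are all constructed here for illustration; the only thing taken from the bug is the shape of the defect: a parent-side IPC handler receives a pointer that a child (or a fuzzer) can make null, and the first use of that pointer is a method call rather than a null check.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Stand-in for a browsing-context object (constructed for this example).
// Calling a member function through a null 'this' is undefined behaviour even
// when the body never touches a field; UBSan's -fsanitize=null reports it as
// "member call on null pointer of type ...", which is the message in this bug.
struct Context {
    Context* parent;
    uint64_t id;
    Context* GetParent() const { return parent; }
};

// Constructed sample tree: gRoot (id 1) is the parent of gChild (id 2).
Context gRoot{nullptr, 1};
Context gChild{&gRoot, 2};
Context* gTable[] = {&gRoot, &gChild};

// Simulates resolving an id that arrived over IPC to an object. An unknown or
// zero id yields nullptr, which is exactly the input a fuzzer will produce.
Context* ResolveContext(uint64_t id) {
    for (Context* c : gTable) {
        if (c->id == id) return c;
    }
    return nullptr;
}

// Unsafe ordering (the pattern the comment describes): the member call happens
// first and only the *parent* is checked, so a null ctx is dereferenced before
// any validation. Kept here as the "before" form; never called with null below.
uint64_t InitUnsafe(Context* ctx) {
    Context* parent = ctx->GetParent();   // UB when ctx == nullptr
    if (!parent) return ctx->id;          // the late check the bug describes
    return parent->id;
}

// Hardened ordering: reject a null context before touching it. Returns false
// (leaving *outOwnerId untouched) for a rejected request, true otherwise.
bool InitChecked(Context* ctx, uint64_t* outOwnerId) {
    if (!ctx) return false;               // validate child-supplied input first
    Context* parent = ctx->GetParent();
    *outOwnerId = parent ? parent->id : ctx->id;
    return true;
}

// Parent-side request handler: 0 means the request was rejected, otherwise the
// id of the context the request is attached to (its parent if it has one).
uint64_t HandleRequest(uint64_t contextId) {
    uint64_t owner = 0;
    if (!InitChecked(ResolveContext(contextId), &owner)) return 0;
    return owner;
}

int main() {
    // Valid request for the child: attaches to its parent, id 1.
    std::printf("ctx 2 -> owner %llu\n", (unsigned long long)HandleRequest(2));
    // Unknown id (the fuzzer's case): rejected instead of dereferenced.
    std::printf("ctx 99 -> owner %llu\n", (unsigned long long)HandleRequest(99));
    return 0;
}
```

Build it with `-fsanitize=null` (or `-fsanitize=undefined`) and call `InitUnsafe(nullptr)` once to see the same runtime-error line the fuzzer reported; `InitChecked` with the same input simply returns false. The fix is not the null test itself, which the original code also had, but where it sits relative to the first member call.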