1612926 - AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/base/Navigator.cpp:1502:11 in mozilla::dom::Navigator::GetVRDisplays(mozilla::ErrorResult&)::$_4::operator()(mozilla::ipc::ResponseRejectReason) const

Status: NEW

(Core :: WebVR, defect, P2)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev f4e3917a0fa1.

==19489==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f153bf6bc4a bp 0x7ffe29613530 sp 0x7ffe29613530 T0)
==19489==The signal is caused by a WRITE memory access.
==19489==Hint: address points to the zero page.
    #0 0x7f153bf6bc49 in mozilla::dom::Navigator::GetVRDisplays(mozilla::ErrorResult&)::$_4::operator()(mozilla::ipc::ResponseRejectReason) const /builds/worker/workspace/build/src/dom/base/Navigator.cpp:1502:11
    #1 0x7f153bf6bc9f in mozilla::EnableIf<TakesArgument<void (mozilla::dom::Navigator::GetVRDisplays(mozilla::ErrorResult&)::$_4::*)(mozilla::ipc::ResponseRejectReason) const>::value, mozilla::detail::MethodTrait<void (mozilla::dom::Navigator::GetVRDisplays(mozilla::ErrorResult&)::$_4::*)(mozilla::ipc::ResponseRejectReason) const>::ReturnType>::Type mozilla::MozPromise<bool, mozilla::ipc::ResponseRejectReason, true>::InvokeMethod<mozilla::dom::Navigator::GetVRDisplays(mozilla::ErrorResult&)::$_4, void (mozilla::dom::Navigator::GetVRDisplays(mozilla::ErrorResult&)::$_4::*)(mozilla::ipc::ResponseRejectReason) const, mozilla::ipc::ResponseRejectReason>(mozilla::dom::Navigator::GetVRDisplays(mozilla::ErrorResult&)::$_4*, void (mozilla::dom::Navigator::GetVRDisplays(mozilla::ErrorResult&)::$_4::*)(mozilla::ipc::ResponseRejectReason) const, mozilla::ipc::ResponseRejectReason&&) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:513:12
    #2 0x7f153bf6bb8a in mozilla::EnableIf<!(false), void>::Type mozilla::MozPromise<bool, mozilla::ipc::ResponseRejectReason, true>::InvokeCallbackMethod<false, mozilla::dom::Navigator::GetVRDisplays(mozilla::ErrorResult&)::$_4, void (mozilla::dom::Navigator::GetVRDisplays(mozilla::ErrorResult&)::$_4::*)(mozilla::ipc::ResponseRejectReason) const, mozilla::ipc::ResponseRejectReason, RefPtr<mozilla::MozPromise<bool, mozilla::ipc::ResponseRejectReason, true>::Private> >(mozilla::dom::Navigator::GetVRDisplays(mozilla::ErrorResult&)::$_4*, void (mozilla::dom::Navigator::GetVRDisplays(mozilla::ErrorResult&)::$_4::*)(mozilla::ipc::ResponseRejectReason) const, mozilla::ipc::ResponseRejectReason&&, RefPtr<mozilla::MozPromise<bool, mozilla::ipc::ResponseRejectReason, true>::Private>&&) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:545:5
    #3 0x7f153bf6b89a in mozilla::MozPromise<bool, mozilla::ipc::ResponseRejectReason, true>::ThenValue<mozilla::dom::Navigator::GetVRDisplays(mozilla::ErrorResult&)::$_3, mozilla::dom::Navigator::GetVRDisplays(mozilla::ErrorResult&)::$_4>::DoResolveOrRejectInternal(mozilla::MozPromise<bool, mozilla::ipc::ResponseRejectReason, true>::ResolveOrRejectValue&) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:731:9
    #4 0x7f153894d082 in mozilla::MozPromise<bool, mozilla::ipc::ResponseRejectReason, true>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:403:21
    #5 0x7f1537f1c038 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1220:14
    #6 0x7f1537f26e4c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #7 0x7f1539174cbf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:87:21
    #8 0x7f153906f047 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #9 0x7f153906f047 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #10 0x7f153906f047 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #11 0x7f15401221a8 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #12 0x7f1543c32e06 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:943:20
    #13 0x7f153906f047 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #14 0x7f153906f047 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #15 0x7f153906f047 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #16 0x7f1543c324af in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:778:34
    #17 0x55c55b8fb401 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #18 0x55c55b8fb401 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:303:18
    #19 0x7f155a949b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/base/Navigator.cpp:1502:11 in mozilla::dom::Navigator::GetVRDisplays(mozilla::ErrorResult&)::$_4::operator()(mozilla::ipc::ResponseRejectReason) const

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

The priority flag is not set for this bug.
:kip, could you have a look please?

For more information, please visit auto_nag documentation.

Comment 2

[:kip (Kearwood Gilbert)]

I'm investigating this now.

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

The bug assignee didn't login in Bugzilla in the last 7 months.
:jimm, could you have a look please?
For more information, please visit auto_nag documentation.

Comment 4

[Marco Castelluccio [:marco]]

This was set as S2 by default as it was a crash.