Closed
Bug 1646609
Opened 4 years ago
Closed 4 years ago
AddressSanitizer: SEGV /builds/worker/checkouts/gecko/docshell/base/BrowsingContext.cpp:1567:5 in mozilla::dom::BrowsingContext::LoadURI(nsDocShellLoadState*, bool)
Categories
(Core :: DOM: Navigation, defect, P3)
Core
DOM: Navigation
Tracking
()
People
(Reporter: jkratzer, Assigned: kmag)
References
(Blocks 2 open bugs)
Details
(Keywords: crash, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files, 1 obsolete file)
Testcase found while fuzzing mozilla-central rev 567a8768593e. Testcase must be served over HTTP in order to reproduce.
==2285==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fd0d03d34f6 bp 0x7ffd4bc6d2b0 sp 0x7ffd4bc6d0c0 T0)
==2285==The signal is caused by a WRITE memory access.
==2285==Hint: address points to the zero page.
#0 0x7fd0d03d34f5 in mozilla::dom::BrowsingContext::LoadURI(nsDocShellLoadState*, bool) /builds/worker/checkouts/gecko/docshell/base/BrowsingContext.cpp:1567:5
#1 0x7fd0c8db4c47 in mozilla::dom::LocationBase::SetURI(nsIURI*, nsIPrincipal&, mozilla::ErrorResult&, bool) /builds/worker/checkouts/gecko/dom/base/LocationBase.cpp:144:21
#2 0x7fd0c8dbcbd8 in mozilla::dom::LocationBase::SetHrefWithBase(nsTSubstring<char16_t> const&, nsIURI*, nsIPrincipal&, bool, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/LocationBase.cpp:205:5
#3 0x7fd0c8dbaa54 in mozilla::dom::LocationBase::DoSetHref(nsTSubstring<char16_t> const&, nsIPrincipal&, bool, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/LocationBase.cpp:160:3
#4 0x7fd0c940f3e7 in mozilla::dom::Location_Binding::replace(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/LocationBinding.cpp:1085:24
#5 0x7fd0caa440b9 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::CrossOriginThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3219:13
#6 0x7fd0d111532b in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:486:13
#7 0x7fd0d111532b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:578:12
#8 0x7fd0d11175c8 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:641:10
#9 0x7fd0d10fe0b2 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:645:10
#10 0x7fd0d10fe0b2 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3300:16
#11 0x7fd0d10e1681 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:10
#12 0x7fd0d111540d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:613:13
#13 0x7fd0d11175c8 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:641:10
#14 0x7fd0d11178a6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:658:8
#15 0x7fd0d12b9bc0 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2842:10
#16 0x7fd0ca63873e in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:55:8
#17 0x7fd0cb13d80d in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#18 0x7fd0cb13d234 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1082:43
#19 0x7fd0cb13e937 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1280:17
#20 0x7fd0cb12cb9f in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:355:17
#21 0x7fd0cb12b33d in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:557:16
#22 0x7fd0cb12f896 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1054:11
#23 0x7fd0cd8bb772 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1148:7
#24 0x7fd0d043f207 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5710:20
#25 0x7fd0d043e385 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5452:7
#26 0x7fd0d0444b5f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#27 0x7fd0c76fbc40 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1377:3
#28 0x7fd0c76fab0c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:937:14
#29 0x7fd0c76f708b in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:757:9
#30 0x7fd0c76f95fd in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:640:5
#31 0x7fd0c76fa69c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp
#32 0x7fd0c4fa2117 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:615:22
#33 0x7fd0c4fa5327 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:522:10
#34 0x7fd0c8ccd03f in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:10727:18
#35 0x7fd0c8c83a86 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10659:9
#36 0x7fd0c8ca7d6a in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7293:3
#37 0x7fd0c8d74e54 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1185:12
#38 0x7fd0c8d74e54 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1191:12
#39 0x7fd0c8d74e54 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1237:13
#40 0x7fd0c4cb72dd in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:146:20
#41 0x7fd0c4cf244e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
#42 0x7fd0c4cfd43c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:501:10
#43 0x7fd0c608bc0f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#44 0x7fd0c5f69127 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
#45 0x7fd0c5f69127 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
#46 0x7fd0c5f69127 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
#47 0x7fd0cd2e5718 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#48 0x7fd0d0ea7da6 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
#49 0x7fd0c5f69127 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
#50 0x7fd0c5f69127 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
#51 0x7fd0c5f69127 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
#52 0x7fd0d0ea738f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
#53 0x560438021af3 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#54 0x560438021af3 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
#55 0x7fd0e8c96b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/docshell/base/BrowsingContext.cpp:1567:5 in mozilla::dom::BrowsingContext::LoadURI(nsDocShellLoadState*, bool)
Flags: in-testsuite?
|
Reporter | |
Comment 1•4 years ago
|
||
Bugmon Analysis:
Unable to reproduce bug using the following builds:
> mozilla-central 20200618094105-f291dd9e075c
> mozilla-central 20200618044329-7f0b0cbecd94
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
||
Comment 2•4 years ago
|
||
Are you saying this is now fixed?
Flags: needinfo?(jkratzer)
Priority: -- → P3
|
|
Reporter | |
Comment 3•4 years ago
|
||
Yes. It appears to have been fixed in the following build range.
[2020-06-22 10:41:15] > Start: 82becb1f6eae3ab6f222735a5cf77b700eeaf453 (20200615234637)
[2020-06-22 10:41:15] > End: d85bd37494ec2e6c9ae3ad6d93ec998fbc165def (20200615235117)
[2020-06-22 10:41:15] > https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=82becb1f6eae3ab6f222735a5cf77b700eeaf453&tochange=d85bd37494ec2e6c9ae3ad6d93ec998fbc165def
Looks like there's a bug in bugmon that prevented it from detecting the original revision this bug was found on. Please need info me on any issues like this where you think the bugmon output is wrong.
Flags: needinfo?(jkratzer)
|
|
Reporter | |
Comment 4•4 years ago
|
||
Looks like I spoke too soon. The original testcase no longer reproduces, however this testcase does.
Attachment #9157534 -
Attachment is obsolete: true
|
|
Reporter | |
Updated•4 years ago
|
Whiteboard: [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 5•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200625094452-db74cdf9afe7.
Failed to bisect testcase (Unable to launch the start build!):
> Start: 70e7c3ef6cae2266147c38ad250692ffe84aec26 (20190627093448)
> End: 567a8768593eb06a86deb263f94d9de2d3d3e8fa (20200615214838)
> BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=False, coverage=False, valgrind=False)|
|
Reporter | |
Updated•4 years ago
|
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:confirmed]
|
|
Reporter | |
Updated•4 years ago
|
Whiteboard: [bugmon:confirmed]
|
|
Reporter | |
Updated•4 years ago
|
Whiteboard: [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 6•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200625161839-324d5257f6f7.
The bug appears to have been introduced in the following build range:
> Start: 61bdbb94ab7abd434c60e2a40fa9f07b11237ebb (20200611034550)
> End: 9b3cf2944aa064c840285247fa62cdf26e203935 (20200611045214)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=61bdbb94ab7abd434c60e2a40fa9f07b11237ebb&tochange=9b3cf2944aa064c840285247fa62cdf26e203935
|
||
Comment 7•4 years ago
|
||
Tracking for Fission M6a Nightly because this is a reproducible assertion failure.
Assigning to kmag
(In reply to Jason Kratzer [:jkratzer] from comment #6)
Bug 1550571 (Paul's change to pref on Browsing Context preservation) in the pushlog probably just revealed an existing bug.
|
Assignee | |
Comment 8•4 years ago
|
||
Pushed by maglione.k@gmail.com: https://hg.mozilla.org/integration/autoland/rev/6debf3390ba2 Don't assert when an inactive/OOP inner window tries to navigate an OOP BrowsingContext. r=nika
|
||
Comment 10•4 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox80:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
|
||
Comment 11•4 years ago
|
||
Backed out changeset 6debf3390ba2 (bug 1646609) for mochitest failures on docshell/base/BrowsingContext.cpp
Backout: https://hg.mozilla.org/integration/autoland/rev/e950bdd669d44eeb8e6af84a987c2a8ba5d9d1a2
Failure push: https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=6debf3390ba2274e7eddb5830b45fd31088de6b8
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=308147632&repo=autoland&lineNumber=2055
Status: RESOLVED → REOPENED
status-firefox80:
fixed → ---
Flags: needinfo?(kmaglione+bmo)
Resolution: FIXED → ---
Target Milestone: mozilla80 → ---
|
||
Comment 12•4 years ago
|
||
Pushed by maglione.k@gmail.com: https://hg.mozilla.org/integration/autoland/rev/90c70ce610bf Don't assert when an inactive/OOP inner window tries to navigate an OOP BrowsingContext. r=nika
|
||
Comment 13•4 years ago
|
||
| bugherder | ||
Status: REOPENED → RESOLVED
Closed: 4 years ago → 4 years ago
status-firefox80:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
|
|
Reporter | |
Updated•4 years ago
|
|
|
Reporter | |
Comment 14•4 years ago
|
||
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200707094747-2aa3b889d603. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
||
Updated•4 years ago
|
status-firefox77:
--- → disabled
status-firefox78:
--- → disabled
status-firefox-esr68:
--- → unaffected
status-firefox-esr78:
--- → disabled
Flags: needinfo?(kmaglione+bmo)
Flags: in-testsuite?
Flags: in-testsuite+
|
|
||
Updated•4 years ago
|
Blocks: fuzzing-fission
|
||
Comment 15•3 years ago
|
||
:kmag, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Flags: needinfo?(kmaglione+bmo)
|
|
Assignee | |
Comment 16•3 years ago
|
||
There's no obvious regressing bug. The patch in question essentially just turned this code on outside of Fission mode.
Flags: needinfo?(kmaglione+bmo)
You need to log in
before you can comment on or make changes to this bug.
Description
•