1648570 - Hit MOZ_CRASH(This is unsafe! Fix the caller!) at /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:810

Status: RESOLVED WONTFIX

(Core :: WebVR, defect)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev db74cdf9afe7 (built with --enable-debug).

Hit MOZ_CRASH(This is unsafe! Fix the caller!) at /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:810

rax = 0x00007fb2b5c9b1f6   rdx = 0x0000000000000000
rcx = 0x0000558201232a58   rbx = 0x00007ffe9ab83db0
rsi = 0x00007fb2c6ffd8b0   rdi = 0x00007fb2c6ffc680
rbp = 0x00007ffe9ab83f50   rsp = 0x00007ffe9ab83c40
r8 = 0x00007fb2c6ffd8b0    r9 = 0x00007fb2c8163780
r10 = 0x0000000000000002   r11 = 0x0000000000000000
r12 = 0x000055820320c420   r13 = 0x0000000000000000
r14 = 0x00007ffe9ab83cf8   r15 = 0x0000000000000000
rip = 0x00007fb2af7c3173
OS|Linux|0.0.0 Linux 5.3.0-51-generic #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|0|0x29
0|1|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|0|0x8
0|2|libxul.so|mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/events/DOMEventTargetHelper.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|145|0xc
0|3|libxul.so|mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventTarget.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|178|0x33
0|4|libxul.so|mozilla::dom::XRSession::ExitPresentInternal()|hg:hg.mozilla.org/mozilla-central:dom/vr/XRSession.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|456|0x13
0|5|libxul.so|mozilla::dom::XRSession::Shutdown()|hg:hg.mozilla.org/mozilla-central:dom/vr/XRSession.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|408|0x5
0|6|libxul.so|mozilla::dom::XRSession::DisconnectFromOwner()|hg:hg.mozilla.org/mozilla-central:dom/vr/XRSession.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|462|0x8
0|7|libxul.so|std::_Function_handler<void (mozilla::DOMEventTargetHelper*, bool*), nsIGlobalObject::DisconnectEventTargetObjects()::$_17>::_M_invoke(std::_Any_data const&, mozilla::DOMEventTargetHelper*&&, bool*&&)|/builds/worker/fetches/clang/include/c++/7.4.0/bits/std_function.h|316|0xc
0|8|libxul.so|nsIGlobalObject::ForEachEventTargetObject(std::function<void (mozilla::DOMEventTargetHelper*, bool*)> const&) const|/builds/worker/fetches/clang/include/c++/7.4.0/bits/std_function.h|706|0x15
0|9|libxul.so|nsIGlobalObject::DisconnectEventTargetObjects()|hg:hg.mozilla.org/mozilla-central:dom/base/nsIGlobalObject.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|195|0x21
0|10|libxul.so|nsGlobalWindowInner::FreeInnerObjects()|hg:hg.mozilla.org/mozilla-central:dom/base/nsGlobalWindowInner.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|1172|0x8
0|11|libxul.so|nsGlobalWindowOuter::SetNewDocument(mozilla::dom::Document*, nsISupports*, bool, mozilla::dom::WindowGlobalChild*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsGlobalWindowOuter.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|2423|0xd
0|12|libxul.so|nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::dom::WindowGlobalChild*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|961|0x1c
0|13|libxul.so|nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::dom::WindowGlobalChild*)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|750|0xf
0|14|libxul.so|nsDocShell::SetupNewViewer(nsIContentViewer*, mozilla::dom::WindowGlobalChild*)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|7716|0x1f
0|15|libxul.so|nsDocShell::Embed(nsIContentViewer*, mozilla::dom::WindowGlobalChild*)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|5306|0xe
0|16|libxul.so|nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|7526|0xe
0|17|libxul.so|nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDSURIContentListener.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|182|0x18
0|18|libxul.so|nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsURILoader.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|595|0x21
0|19|libxul.so|nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsURILoader.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|276|0x10
0|20|libxul.so|nsDocumentOpenInfo::OnStartRequest(nsIRequest*)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsURILoader.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|154|0xb
0|21|libxul.so|nsBaseChannel::OnStartRequest(nsIRequest*)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsBaseChannel.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|828|0x15
0|22|libxul.so|nsInputStreamPump::OnStateStart()|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsInputStreamPump.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|481|0x15
0|23|libxul.so|nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsInputStreamPump.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|390|0x8
0|24|libxul.so|non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsInputStreamPump.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|0|0xd
0|25|libxul.so|nsInputStreamReadyEvent::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/io/nsStreamUtils.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|94|0x15
0|26|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|1234|0xe
0|27|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|501|0xc
0|28|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|87|0x7
0|29|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|315|0x17
0|30|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|290|0x8
0|31|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|137|0xd
0|32|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|913|0xe
0|33|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|237|0x5
0|34|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|315|0x17
0|35|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|290|0x8
0|36|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|744|0x5
0|37|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|56|0x11
0|38|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|303|0x20
0|39|libc.so.6||||0x21b97
0|40|firefox-bin|<name omitted>|hg:hg.mozilla.org/mozilla-central:mfbt/UniquePtr.h:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|253|0x17

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: prefs.js

Comment 2

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200625161839-324d5257f6f7.
The bug appears to have been introduced in the following build range:
> Start: a13c047193c3ee0701ec9c2aaac5735ba173978c (20200406193301)
> End: a3426e213b24c1da02ec131ae2fff6f29d04b2a4 (20200406194107)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a13c047193c3ee0701ec9c2aaac5735ba173978c&tochange=a3426e213b24c1da02ec131ae2fff6f29d04b2a4

Comment 3

[Jason Kratzer [:jkratzer]]

The fuzzers are frequently tripping over this issue and has been marked as a fuzzblocker[1]. Please prioritize this issue accordingly.

[1] https://firefox-source-docs.mozilla.org/tools/fuzzing/index.html#fuzz-blockers

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:jimm, could you increase the severity?

For more information, please visit auto_nag documentation.

Comment 5

[Bugmon [:jkratzer for issues]]

No valid actions for resolution (WONTFIX).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.