Open Bug 1695526 Opened 3 years ago Updated 2 years ago

Crash in [@ mozilla::dom::XULElement_Binding::Wrap]

Categories

(Core :: DOM: Bindings (WebIDL), defect)

Firefox 86
Unspecified
Windows 10
defect


People

(Reporter: wsmwk, Unassigned, NeedInfo)

Details

(Keywords: crash)

Crash Data

(not my crash - just wandering crash-stats)
Crash report: https://crash-stats.mozilla.org/report/index/2cada655-57df-444f-8ac2-71fcf0210228

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 xul.dll mozilla::dom::XULElement_Binding::Wrap dom/bindings/XULElementBinding.cpp:9936
1 xul.dll nsXULElement::WrapNode dom/xul/nsXULElement.cpp:1187
2 xul.dll nsINode::WrapObject dom/base/nsINode.cpp:2990
3 xul.dll mozilla::dom::MouseEvent_Binding::get_relatedTarget dom/bindings/MouseEventBinding.cpp:828
4 xul.dll mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3113
5 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:594
6 xul.dll JS::Call js/src/jsapi.cpp:2861
7 xul.dll xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::DOMXrayTraits>::get const js/xpconnect/wrappers/XrayWrapper.cpp:2076
8 xul.dll static js::Proxy::get js/src/proxy/Proxy.cpp:480
9 xul.dll static js::Proxy::get js/src/proxy/Proxy.cpp:480
Component: DOM: Core & HTML → XUL

The more complete stack trace at https://crash-stats.mozilla.org/report/index/155ad936-b86f-4470-a1e8-001180220126
suggests this is an attempt to get the relatedTarget from a mouse event in a child process.

Moving to events at least.

Component: XUL → DOM: Events
0 	libxul.so	dom::XULElement_Binding::Wrap(JSContext*, nsXULElement*, nsWrapperCache*, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>)	
1 	libxul.so	nsXULElement::WrapNode(JSContext*, JS::Handle<JSObject*>)	dom/xul/dom/xul/nsXULElement.cpp:1193
2 	libxul.so	nsINode::WrapObject(JSContext*, JS::Handle<JSObject*>)	
3 	libxul.so	dom::MouseEvent_Binding::get_relatedTarget(JSContext*, JS::Handle<JSObject*>, void*, JSJitGetterCallArgs)	
4 	libxul.so	bool dom::binding_detail::GenericGetter<dom::binding_detail::NormalThisPolicy, dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)	dom/bindings/dom/bindings/BindingUtils.cpp:3179
5 	libxul.so	js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)	
6 	libxul.so	js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)	js/src/js/src/vm/Interpreter.cpp:588
7 	libxul.so	JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)	
8 	libxul.so	xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::DOMXrayTraits>::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) const	js/xpconnect/wrappers/js/xpconnect/wrappers/XrayWrapper.cpp:2069
9 	libxul.so	js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>)	
10 	libxul.so	js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>)	
11 	libxul.so	js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>)	
12 	libxul.so	js::jit::DoGetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>)	js/src/jit/js/src/jit/BaselineIC.cpp:1233
Ø 13 	None	@0x00000da393076603	
Ø 14 	None	@0x00000da39307056e	
15 	libxul.so	EnterJit(JSContext*, js::RunState&, unsigned char*)	
16 	libxul.so	Interpret(JSContext*, js::RunState&)	
17 	libxul.so	js::RunScript(JSContext*, js::RunState&)	
18 	libxul.so	js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)	
19 	libxul.so	js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)	js/src/js/src/vm/Interpreter.cpp:588
20 	libxul.so	JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)	
21 	libxul.so	dom::EventListener::HandleEvent(dom::BindingCallContext&, JS::Handle<JS::Value>, dom::Event&, ErrorResult&)	
22 	libxul.so	EventListenerManager::HandleEventSubType(EventListenerManager::Listener*, dom::Event*, dom::EventTarget*)	dom/events/dom/events/EventListenerManager.cpp:1109
23 	libxul.so	EventListenerManager::HandleEventInternal(nsPresContext*, WidgetEvent*, dom::Event**, dom::EventTarget*, nsEventStatus*, bool)	
24 	libxul.so	EventTargetChainItem::HandleEvent(EventChainPostVisitor&, ELMCreationDetector&)	dom/events/dom/events/EventDispatcher.cpp:318
25 	libxul.so	EventTargetChainItem::HandleEventTargetChain(nsTArray<EventTargetChainItem>&, EventChainPostVisitor&, EventDispatchingCallback*, ELMCreationDetector&)	
26 	libxul.so	EventDispatcher::Dispatch(nsISupports*, nsPresContext*, WidgetEvent*, dom::Event*, nsEventStatus*, EventDispatchingCallback*, nsTArray<dom::EventTarget*>*)	
27 	libxul.so	EventStateManager::DispatchMouseOrPointerEvent(WidgetMouseEvent*, EventMessage, nsIContent*, nsIContent*)	dom/events/dom/events/EventStateManager.cpp:4412
28 	libxul.so	EventStateManager::NotifyMouseOut(WidgetMouseEvent*, nsIContent*)	
29 	libxul.so	EventStateManager::NotifyMouseOver(WidgetMouseEvent*, nsIContent*)	
30 	libxul.so	EventStateManager::GenerateMouseEnterExit(WidgetMouseEvent*)	dom/events/dom/events/EventStateManager.cpp:4767
31 	libxul.so	EventStateManager::PreHandleEvent(nsPresContext*, WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*)	dom/events/dom/events/EventStateManager.cpp:761
32 	libxul.so	PresShell::EventHandler::DispatchEvent(EventStateManager*, WidgetEvent*, bool, nsEventStatus*, nsIContent*)	layout/base/layout/base/PresShell.cpp:8208
33 	libxul.so	PresShell::EventHandler::HandleEventWithCurrentEventInfo(WidgetEvent*, nsEventStatus*, bool, nsIContent*)	layout/base/layout/base/PresShell.cpp:8177
34 	libxul.so	PresShell::EventHandler::HandleEventUsingCoordinates(nsIFrame*, WidgetGUIEvent*, nsEventStatus*, bool)	layout/base/layout/base/PresShell.cpp:7095
35 	libxul.so	PresShell::HandleEvent(nsIFrame*, WidgetGUIEvent*, bool, nsEventStatus*)	layout/base/layout/base/PresShell.cpp:6841
36 	libxul.so	nsViewManager::DispatchEvent(WidgetGUIEvent*, nsView*, nsEventStatus*)	
37 	libxul.so	nsView::HandleEvent(WidgetGUIEvent*, bool)	view/view/nsView.cpp:1136
38 	libxul.so	widget::PuppetWidget::DispatchEvent(WidgetGUIEvent*, nsEventStatus&)	widget/widget/PuppetWidget.cpp:377
39 	libxul.so	layers::APZCCallbackHelper::DispatchWidgetEvent(WidgetGUIEvent&)	gfx/layers/gfx/layers/apz/util/APZCCallbackHelper.cpp:508
40 	libxul.so	dom::BrowserChild::HandleRealMouseButtonEvent(WidgetMouseEvent const&, layers::ScrollableLayerGuid const&, unsigned long const&)	dom/ipc/dom/ipc/BrowserChild.cpp:1757
41 	libxul.so	dom::BrowserChild::ProcessPendingCoalescedMouseDataAndDispatchEvents() [clone .part.0]	dom/ipc/dom/ipc/BrowserChild.cpp:1585
42 	libxul.so	dom::BrowserChild::RecvRealMouseButtonEvent(WidgetMouseEvent const&, layers::ScrollableLayerGuid const&, unsigned long const&)	dom/ipc/dom/ipc/BrowserChild.cpp:1701
43 	libxul.so	dom::PBrowserChild::OnMessageReceived(IPC::Message const&)	ipc/ipdl/PBrowserChild.cpp:5326
44 	libxul.so	dom::PContentChild::OnMessageReceived(IPC::Message const&)	ipc/ipdl/PContentChild.cpp:8340
45 	libxul.so	ipc::MessageChannel::DispatchAsyncMessage(ipc::ActorLifecycleProxy*, IPC::Message const&)	
46 	libxul.so	ipc::MessageChannel::DispatchMessage(IPC::Message&&)	
47 	libxul.so	ipc::MessageChannel::MessageTask::Run()	
48 	libxul.so	TaskController::DoExecuteNextTaskOnlyMainThreadInternal(detail::BaseAutoLock<Mutex&> const&)	xpcom/threads/xpcom/threads/TaskController.cpp:805
49 	libxul.so	TaskController::ExecuteNextTaskOnlyMainThreadInternal(detail::BaseAutoLock<Mutex&> const&)	xpcom/threads/xpcom/threads/TaskController.cpp:641
50 	libxul.so	TaskController::ProcessPendingMTTask(bool)	
51 	libxul.so	detail::RunnableFunction<TaskController::InitializeInternal()::{lambda()#1}>::Run()	xpcom/threads/build-browser/dist/include/nsThreadUtils.h:529
52 	libxul.so	nsThread::ProcessNextEvent(bool, bool*)	xpcom/threads/xpcom/threads/nsThread.cpp:1152
53 	libxul.so	NS_ProcessNextEvent(nsIThread*, bool)	xpcom/threads/xpcom/threads/nsThreadUtils.cpp:466
54 	libxul.so	ipc::MessagePump::Run(base::MessagePump::Delegate*)	
55 	libxul.so	MessageLoop::Run()	ipc/chromium/ipc/chromium/src/base/message_loop.cc:306
56 	libxul.so	nsBaseAppShell::Run()	widget/widget/nsBaseAppShell.cpp:137
57 	libxul.so	XRE_RunAppShell()	toolkit/xre/toolkit/xre/nsEmbedFunctions.cpp:923
58 	libxul.so	MessageLoop::Run()	ipc/chromium/ipc/chromium/src/base/message_loop.cc:306
59 	libxul.so	XRE_InitChildProcess(int, char**, XREChildData const*)	
60 	firefox-esr	content_process_main(Bootstrap*, int, char**)	browser/app/ipc/contentproc/plugin-container.cpp:57
61 	firefox-esr	main	
62 	libc.so.6	__libc_start_main	csu/libc-start.c:332
63 	firefox-esr	_start	

As far as I checked quickly about the storage of the related target, it and its original assigners grab it multiple times. And it can be nullptr, but this crashes around nullptr. So it seems that this is a bug in the bindings??

Flags: needinfo?(bugs)
Severity: -- → S3

The WebIDL side lets the relatedTarget be null.

Edgar, does any of the binding-side code hint to you what the issue might be?
This isn't very clear to me.

Component: DOM: Events → DOM: Bindings (WebIDL)
Flags: needinfo?(bugs) → needinfo?(echen)