1704660 - crash near null in [@ mozilla::dom::Blob::ToFile]

Status: VERIFIED FIXED

(Core :: DOM: Forms, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

First found while fuzzing m-c 20210325-2da6d806f457 (--enable-address-sanitizer --enable-fuzzing)

==31900==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x7fd05144a51b bp 0x7ffddfef9690 sp 0x7ffddfef94a0 T0)
==31900==The signal is caused by a READ memory access.
==31900==Hint: address points to the zero page.
    #0 0x7fd05144a51b in RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h
    #1 0x7fd05144a51b in mozilla::dom::Blob::ToFile(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) const /gecko/dom/file/Blob.cpp:144:46
    #2 0x7fd0515bf63f in mozilla::dom::HTMLInputElement::SubmitNamesValues(mozilla::dom::HTMLFormSubmission*) /gecko/dom/html/HTMLInputElement.cpp:5674:33
    #3 0x7fd05156cbe9 in mozilla::dom::HTMLFormElement::ConstructEntryList(mozilla::dom::FormData*) /gecko/dom/html/HTMLFormElement.cpp:1015:24
    #4 0x7fd05156b125 in mozilla::dom::HTMLFormElement::BuildSubmission(mozilla::dom::HTMLFormSubmission**, mozilla::dom::Event*) /gecko/dom/html/HTMLFormElement.cpp:721:8
    #5 0x7fd051568813 in mozilla::dom::HTMLFormElement::DoSubmit(mozilla::dom::Event*) /gecko/dom/html/HTMLFormElement.cpp:648:17
    #6 0x7fd0515684fe in mozilla::dom::HTMLFormElement::Submit(mozilla::ErrorResult&) /gecko/dom/html/HTMLFormElement.cpp:280:9
    #7 0x7fd050a3c02f in mozilla::dom::HTMLFormElement_Binding::submit(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/HTMLFormElementBinding.cpp:882:24
    #8 0x7fd050bf268e in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3242:13
    #9 0x7fd0572c5430 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:435:13
    #10 0x7fd0572c5430 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:520:12
    #11 0x7fd0572c7269 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:580:10
    #12 0x7fd0572b0c1b in CallFromStack /gecko/js/src/vm/Interpreter.cpp:584:10
    #13 0x7fd0572b0c1b in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3244:16
    #14 0x7fd0572950a3 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:405:13
    #15 0x7fd0572c556a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:552:13
    #16 0x7fd0572c7269 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:580:10
    #17 0x7fd0572c74eb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:597:8
    #18 0x7fd057b2ead2 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/jsapi.cpp:2856:10
    #19 0x7fd050736b8c in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:279:37
    #20 0x7fd0513aafa1 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
    #21 0x7fd0513a932c in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /gecko/dom/events/JSEventHandler.cpp:201:12
    #22 0x7fd051372236 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /gecko/dom/events/EventListenerManager.cpp:1101:22
    #23 0x7fd051373910 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1292:17
    #24 0x7fd051360f4e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:354:17
    #25 0x7fd05135f7c0 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:556:16
    #26 0x7fd051363a41 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /gecko/dom/events/EventDispatcher.cpp:1099:11
    #27 0x7fd04dee3ef7 in nsHtml5SVGLoadDispatcher::Run() /gecko/parser/html/nsHtml5SVGLoadDispatcher.cpp:30:3
    #28 0x7fd04bb9253c in mozilla::SchedulerGroup::Runnable::Run() /gecko/xpcom/threads/SchedulerGroup.cpp:143:20
    #29 0x7fd04bb9ddd6 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:470:16
    #30 0x7fd04bb9a9e3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:754:26
    #31 0x7fd04bb988b7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:609:15
    #32 0x7fd04bb98d0d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:393:36
    #33 0x7fd04bba5101 in operator() /gecko/xpcom/threads/TaskController.cpp:133:37
    #34 0x7fd04bba5101 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /gecko/xpcom/threads/nsThreadUtils.h:534:5
    #35 0x7fd04bbc0424 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1155:16
    #36 0x7fd04bbcab7c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #37 0x7fd04ce016ff in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:87:21
    #38 0x7fd04cd0a381 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #39 0x7fd04cd0a381 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #40 0x7fd04cd0a381 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #41 0x7fd053579e97 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #42 0x7fd057071d3f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
    #43 0x7fd04cd0a381 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #44 0x7fd04cd0a381 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #45 0x7fd04cd0a381 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #46 0x7fd0570714d4 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:734:34
    #47 0x561fe8a1bc8d in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #48 0x561fe8a1c0b1 in main /gecko/browser/app/nsBrowserApp.cpp:309:18
    #49 0x7fd06c1720b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #50 0x561fe896f629 in _start (/home/worker/builds/m-c-20210325161138-fuzzing-asan-opt/firefox+0x5a629)

Comment 1

[Tyson Smith [:tsmith]]

Attachment: prefs.js

Comment 2

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/uI03ZnG354AEVSv6Y2-0OQ/index.html

Comment 3

[Bugmon [:jkratzer for issues]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210412213434-b0d9f96ea571.
The bug appears to have been introduced in the following build range:

Start: 52b26c06e1f676ac5431ad726623644cbd218a4a (20210324165430)
End: ce2f687e98cbc1f0cf50082aeedf8b70d1ce812a (20210324185943)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=52b26c06e1f676ac5431ad726623644cbd218a4a&tochange=ce2f687e98cbc1f0cf50082aeedf8b70d1ce812a

Comment 4

[Olli Pettay [:smaug][bugs@pettay.fi]]

Andreu, could you take a look?

Comment 5

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1459859

Comment 6

[Jens Stutte [:jstutte]]

Apparently GetOwnerGlobal() can be nullptr, which is not expected by Blob::CreateStringBlob.

Comment 7

[Andreu Botella]

This is my first time debugging a crash, so I'm probably doing something wrong, but I can't reproduce it with the testcase. I also don't seem to have access to the Pernosco session. But it seems suspicious that the stack trace sets the crash inside the form submission code when the testcase has nothing to do with forms, and other obvious testcases that do don't have the bug, which seems to lend credence to comment 6.

Comment 8

[Olli Pettay [:smaug][bugs@pettay.fi]]

https://searchfox.org/mozilla-central/rev/3de2db87f3c9001ae478318d47a2ca3427574382/dom/html/HTMLInputElement.cpp#5686-5687
blob is null

Comment 9

[Olli Pettay [:smaug][bugs@pettay.fi]]

Attachment: Bug 1704660, add a null check for a CreateStringBlob caller, r=edgar

The patch is based on the stack trace on pernosco.
I tried and failed to write a reasonable crashtest for this.

Comment 10

[Pulsebot]

Pushed by opettay@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/81bcf827046a
add a null check for a CreateStringBlob caller, r=edgar

Comment 11

[Alexandru Michis [:malexandru]]

https://hg.mozilla.org/mozilla-central/rev/81bcf827046a

Comment 12

[Bugmon [:jkratzer for issues]]

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210414033918-44e7fa45c33e.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.