Open Bug 1708051 Opened 4 years ago Updated 2 days ago

Assertion failure: cv, at /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:5333

Categories: Core :: Print Preview, defect

Tracking Status: firefox90 --- affected

People: Reporter: tsmith, Unassigned

References: Blocks 1 open bug

Details: Keywords: assertion, crash, testcase; Whiteboard: [fuzzblocker]

Attachments: 2 files, 1 obsolete file

Attached file testcase.html (obsolete)

Found while fuzzing m-c 20210406-b85e871f6a8d (--enable-address-sanitizer --enable-fuzzing)

This test case requires GNOME_ACCESSIBILITY=1.

Assertion failure: cv, at /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:5333

#0 0x7fdf3c943ced in nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) /gecko/dom/base/nsGlobalWindowOuter.cpp:5333:5
#1 0x7fdf3c8f03eb in nsGlobalWindowInner::PrintPreview(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, mozilla::ErrorResult&) /gecko/dom/base/nsGlobalWindowInner.cpp:3759:3
#2 0x7fdf3def29eb in mozilla::dom::Window_Binding::printPreview(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:3223:59
#3 0x7fdf3e69caec in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3232:13
#4 0x7fdf44d0fb84 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:437:13
#5 0x7fdf44d0fb84 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:522:12
#6 0x7fdf44d119a9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:582:10
#7 0x7fdf44cfb290 in CallFromStack /gecko/js/src/vm/Interpreter.cpp:586:10
#8 0x7fdf44cfb290 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3248:16
#9 0x7fdf44cdf65e in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:406:13
#10 0x7fdf44d0fcc3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:554:13
#11 0x7fdf44d119a9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:582:10
#12 0x7fdf44d11c2b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:599:8
#13 0x7fdf45589ce2 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/jsapi.cpp:2830:10
#14 0x7fdf3e1d03f9 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:58:8
#15 0x7fdf3ee32ba8 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#16 0x7fdf3ee3260f in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /gecko/dom/events/EventListenerManager.cpp:1108:43
#17 0x7fdf3ee33d27 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1305:17
#18 0x7fdf3ee2107e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:354:17
#19 0x7fdf3ee1fb4a in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:592:14
#20 0x7fdf3ee23b78 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /gecko/dom/events/EventDispatcher.cpp:1099:11
#21 0x7fdf3ee293e9 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /gecko/dom/events/EventDispatcher.cpp
#22 0x7fdf3cd6f4fa in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /gecko/dom/base/nsINode.cpp:1331:17
#23 0x7fdf3ee40663 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /gecko/dom/events/EventTarget.cpp:177:13
#24 0x7fdf3edb2e9c in mozilla::AsyncEventDispatcher::Run() /gecko/dom/events/AsyncEventDispatcher.cpp:69:12
#25 0x7fdf3c84c668 in nsContentUtils::AddScriptRunner(already_AddRefed<nsIRunnable>) /gecko/dom/base/nsContentUtils.cpp:5627:13
#26 0x7fdf3edb3813 in mozilla::AsyncEventDispatcher::RunDOMEventWhenSafe() /gecko/dom/events/AsyncEventDispatcher.cpp:99:3
#27 0x7fdf3cae4110 in mozilla::dom::Document::MutationEventDispatched(nsINode*) /gecko/dom/base/Document.cpp:11617:13
#28 0x7fdf3c849613 in mozilla::dom::mozAutoSubtreeModified::UpdateTarget(mozilla::dom::Document*, nsINode*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Document.h:5296:22
#29 0x7fdf3c844821 in mozilla::dom::mozAutoSubtreeModified::~mozAutoSubtreeModified() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Document.h:5292:31
#30 0x7fdf3c843edd in nsContentUtils::MaybeFireNodeRemoved(nsINode*, nsINode*) /gecko/dom/base/nsContentUtils.cpp:4631:3
#31 0x7fdf3cd6bf3c in nsINode::RemoveChild(nsINode&, mozilla::ErrorResult&) /gecko/dom/base/nsINode.cpp:795:5
#32 0x7fdf3d454731 in mozilla::dom::Node_Binding::removeChild(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/NodeBinding.cpp:1135:60
#33 0x7fdf3e698f3e in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3232:13
#34 0x25117330b3d1  (<unknown module>)
Flags: in-testsuite?

I wonder if having accessibility enabled causes a timing change which triggers this? I don't see anything related to a11y in the stack, nor can I think of any reason a11y should impact these code paths.

A Pernosco session is available here: https://pernos.co/debug/eP1MMHdX56Rul5E3BBwbKw/index.html

This bug can also be triggered without ACCESSIBILITY using the following testcase.

Testcase found while fuzzing mozilla-central rev 29d6504debf5 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 29d6504debf5 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
Assertion failure: cv, at /dom/base/nsGlobalWindowOuter.cpp:5360

    ==2025466==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe1adb439bc bp 0x7fffaaef7720 sp 0x7fffaaef7520 T2025466)
    ==2025466==The signal is caused by a WRITE memory access.
    ==2025466==Hint: address points to the zero page.
        #0 0x7fe1adb439bc in nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) /dom/base/nsGlobalWindowOuter.cpp:5360:5
        #1 0x7fe1adb12fab in nsGlobalWindowInner::PrintPreview(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, mozilla::ErrorResult&) /dom/base/nsGlobalWindowInner.cpp:3749:3
        #2 0x7fe1aeb17f51 in mozilla::dom::Window_Binding::printPreview(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:3239:59
        #3 0x7fe1af0cf0c4 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3300:13
        #4 0x3af717e5c4ee  (<unknown module>)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/base/nsGlobalWindowOuter.cpp:5360:5 in nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&)
    ==2025466==ABORTING

I'm retriaging some old bugs that have severity unset, and ran across this one.

Would you mind testing if this is still reproducible? I tried loading the "testcase for comment 2" (loading the HTML file inside that zip, in a debug build, with the included preferences file as my "prefs.js" in my profile), and I wasn't able to trigger this assertion after several minutes of letting the testcase do its continuous cycling.

Also: severity-wise, from the pernosco trace: this diagnostic assertion is followed by some code that seems to gracefully handle the failure condition (throwing a JS error). So hopefully this isn't an actual crasher for users in release builds where diagnostic assertions are no-ops.


Nullable<WindowProxyHolder> nsGlobalWindowOuter::Print(
    nsIPrintSettings* aPrintSettings, nsIWebProgressListener* aListener,
    nsIDocShell* aDocShellToCloneInto, IsPreview aIsPreview,
    IsForWindowDotPrint aForWindowDotPrint,
    PrintPreviewResolver&& aPrintPreviewCallback, ErrorResult& aError) {
[...]
    cloneDocShell->GetContentViewer(getter_AddRefs(cv));
    MOZ_DIAGNOSTIC_ASSERT(cv);
    if (!cv) {
      aError.ThrowNotSupportedError("Didn't end up with a content viewer");
      return nullptr;
    }
Severity: -- → S3

(not sure if Tyson [reporter] or Jason [latest testcase author] would be in the best position to retest; I'll tag Tyson for now since he filed this. :))

Flags: needinfo?(twsmith)
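
The pattern in the quoted Print() excerpt (a diagnostic assertion immediately followed by a real null check that throws) is worth seeing in isolation, because it is what decides whether a missing content viewer is a debug-build assertion or a release-build crash. The following C++ is an added example written for this page, not Gecko code: DIAGNOSTIC_ASSERT, ContentViewer, DocShell and PreparePrintPreview are stand-ins constructed here, and DIAGNOSTIC_ASSERTS_ENABLED is an assumed build define standing in for whatever turns MOZ_DIAGNOSTIC_ASSERT on in debug builds. Compiled without that define, the assertion compiles away and the explicit check alone turns the missing viewer into a NotSupportedError instead of a write through a null pointer, which is the graceful-handling behaviour the comment above describes.

```cpp
#include <cstdio>
#include <cstdlib>
#include <memory>
#include <string>

// Stand-in for Gecko's MOZ_DIAGNOSTIC_ASSERT (an assumption, not the real
// macro): it aborts only when DIAGNOSTIC_ASSERTS_ENABLED is defined, as the
// real one does in debug builds, and compiles away otherwise. That is why the
// explicit null check after it must stay: in a release build it is the only
// guard between the caller and a null dereference.
#ifdef DIAGNOSTIC_ASSERTS_ENABLED
#  define DIAGNOSTIC_ASSERT(cond)                                  \
    do {                                                           \
      if (!(cond)) {                                               \
        std::fprintf(stderr, "Assertion failure: %s\n", #cond);   \
        std::abort();                                              \
      }                                                            \
    } while (0)
#else
#  define DIAGNOSTIC_ASSERT(cond) \
    do {                          \
      (void)sizeof(cond);         \
    } while (0)
#endif

// Constructed stand-ins for the content viewer and the cloned docshell.
struct ContentViewer {
  std::string documentTitle;
};

struct DocShell {
  // A null viewer models the state the report describes: script that ran
  // during preview setup (a DOM mutation listener in the stack above) tore
  // the viewer down before Print() looked at it.
  std::shared_ptr<ContentViewer> viewer;
  std::shared_ptr<ContentViewer> GetContentViewer() const { return viewer; }
};

enum class PrintStatus { Ok, NotSupportedError };

// Same shape as the quoted Print() excerpt: assert in diagnostic builds, then
// fail closed with an error rather than dereference a null viewer.
PrintStatus PreparePrintPreview(const DocShell& cloneDocShell,
                                std::string* errorMessage) {
  std::shared_ptr<ContentViewer> cv = cloneDocShell.GetContentViewer();
  DIAGNOSTIC_ASSERT(cv);
  if (!cv) {
    *errorMessage = "Didn't end up with a content viewer";
    return PrintStatus::NotSupportedError;
  }
  errorMessage->clear();
  return PrintStatus::Ok;
}

// Drives both cases: a healthy clone, and one whose viewer was removed
// before Print() ran.
int main() {
  std::string msg;
  DocShell healthy{std::make_shared<ContentViewer>(ContentViewer{"page"})};
  DocShell tornDown{nullptr};
  std::printf("healthy: %s\n",
              PreparePrintPreview(healthy, &msg) == PrintStatus::Ok
                  ? "ok" : msg.c_str());
  std::printf("torn down: %s\n",
              PreparePrintPreview(tornDown, &msg) == PrintStatus::Ok
                  ? "ok" : msg.c_str());
  return 0;
}
```

Building with -DDIAGNOSTIC_ASSERTS_ENABLED reproduces the debug-build behaviour (an "Assertion failure: cv" abort on the torn-down case); without it the function returns NotSupportedError and the caller sees an error rather than a SEGV, which is the distinction the severity assessment above rests on.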

I am able to reproduce the issue with m-c 20220315-571fba417e22 on Ubuntu 20.04.

No special tricks needed, takes about 9 seconds to crash.

Flags: needinfo?(twsmith)

I suspect it needs an enable-fuzzing build at least, since the original uses window.printPreview; that's probably what I was missing / why I couldn't repro.

In any case: thanks for checking; it's good to know it still repro's; that means the pernosco trace is still likely useful for debugging purposes. Thanks!

Whiteboard: [fuzzblocker]