1713940 - crash near null in [@ nsGlobalWindowInner::GetPrincipal]

Status: VERIFIED FIXED

(Core :: Audio/Video, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20210520-746a4efcd8b7 (--enable-address-sanitizer --enable-fuzzing)

#0 0x7faca7535bc8 in operator bool /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:310:45
#1 0x7faca7535bc8 in nsGlobalWindowInner::GetPrincipal() src/dom/base/nsGlobalWindowInner.cpp:2227:7
#2 0x7faca901bf8f in mozilla::DOMMediaStream::GetPrincipal() src/dom/media/DOMMediaStream.cpp:404:46
#3 0x7faca91070bc in mozilla::dom::MediaRecorder::Start(mozilla::dom::Optional<unsigned int> const&, mozilla::ErrorResult&) src/dom/media/MediaRecorder.cpp:1234:53
#4 0x7faca7b41cd9 in mozilla::dom::MediaRecorder_Binding::start(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/MediaRecorderBinding.cpp:920:24
#5 0x7faca89df487 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3297:13
#6 0x7facabb5c8e0 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:427:13
#7 0x7facabb5c042 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:512:12
#8 0x7facabb5d869 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:572:10
#9 0x7facac5ca56c in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) src/js/src/jit/BaselineIC.cpp:1585:10
#10 0x1a97e26685f2  (<unknown module>)

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/bsNOmCHcLZeREiqXjvnzWg/index.html

Comment 2

[Mayank Bansal]

Got a crash from the testcase : https://crash-stats.mozilla.org/report/index/53ae77ca-2da4-44f6-99ac-ebad00210602

Comment 3

[Bugmon [:jkratzer for issues]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210601213358-83f4bfe5ea71.
The bug appears to have been introduced in the following build range:

Start: 4994186240ab42d448b1434986399eee86947b1e (20210518155847)
End: c0e7224e6b5b8e0d9cf1404d0a80482a58e3c830 (20210518165418)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=4994186240ab42d448b1434986399eee86947b1e&tochange=c0e7224e6b5b8e0d9cf1404d0a80482a58e3c830

Comment 4

[Jeff Muizelaar [:jrmuizel]]

This was probably regressed by bug 1705080. smaug, can you take a look?

Comment 5

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1705080

Comment 6

[Olli Pettay [:smaug][bugs@pettay.fi]]

Attachment: Bug 1713940, null check owner before using it, r=padenot

Callers seem to be find with this.

Comment 7

[Pulsebot]

Pushed by opettay@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3f2015f34fc2
null check owner before using it, r=padenot

Comment 8

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/35881 for changes under testing/web-platform/tests

Comment 9

[Sandor Molnar[:smolnar]]

https://hg.mozilla.org/mozilla-central/rev/3f2015f34fc2

Comment 10

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220914040922-f3347d35ab5e.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 11

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot