Closed Bug 1716655 Opened 3 years ago Closed 3 years ago

crash near null in [@ mozilla::dom::Document::GetRootElement] (print preview)

Categories

(Core :: DOM: Core & HTML, defect)


Tracking


RESOLVED FIXED
94 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- wontfix
firefox91 --- wontfix
firefox92 --- wontfix
firefox93 --- wontfix
firefox94 --- fixed

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20210613-f531f12e5c35 (--enable-address-sanitizer --enable-fuzzing)

==11910==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000001e0 (pc 0x7f7f4cbe25db bp 0x7fff398888b0 sp 0x7fff398888b0 T0)
==11910==The signal is caused by a READ memory access.
==11910==Hint: address points to the zero page.
    #0 0x7f7f4cbe25db in mozilla::dom::Document::GetRootElement() const /gecko/dom/base/Document.cpp:6928:11
    #1 0x7f7f517abfac in nsPresContext::Init(nsDeviceContext*) /gecko/layout/base/nsPresContext.cpp:646:30
    #2 0x7f7f5173a121 in nsDocumentViewer::SetPrintSettingsForSubdocument(nsIPrintSettings*) /gecko/layout/base/nsDocumentViewer.cpp:3526:24
    #3 0x7f7f5088434f in mozilla::dom::BrowserChild::RecvCloneDocumentTreeIntoSelf(mozilla::dom::MaybeDiscarded<mozilla::dom::BrowsingContext> const&, mozilla::embedding::PrintData const&) /gecko/dom/ipc/BrowserChild.cpp:1096:12
    #4 0x7f7f4b55dbee in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:4135:56
    #5 0x7f7f4abd23cb in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8322:32
    #6 0x7f7f4a94541a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2155:25
    #7 0x7f7f4a941b48 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:2079:9
    #8 0x7f7f4a9434a5 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1924:3
    #9 0x7f7f4a94400b in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1955:13
    #10 0x7f7f49769592 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:479:16
    #11 0x7f7f49736200 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:782:26
    #12 0x7f7f49733a48 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:618:15
    #13 0x7f7f4973415d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:402:36
    #14 0x7f7f49773604 in operator() /gecko/xpcom/threads/TaskController.cpp:138:37
    #15 0x7f7f49773604 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /gecko/xpcom/threads/nsThreadUtils.h:534:5
    #16 0x7f7f49750978 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1159:16
    #17 0x7f7f4975b6bc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #18 0x7f7f4a94cb94 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:107:5
    #19 0x7f7f4a854031 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #20 0x7f7f4a854031 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #21 0x7f7f4a854031 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #22 0x7f7f51111037 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #23 0x7f7f5537e6af in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:910:20
    #24 0x7f7f4a854031 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #25 0x7f7f4a854031 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #26 0x7f7f4a854031 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #27 0x7f7f5537e088 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:742:34
    #28 0x5557196cf74d in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #29 0x5557196cfb7d in main /gecko/browser/app/nsBrowserApp.cpp:313:18
    #30 0x7f7f6b16f0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #31 0x555719620a49 in _start (/home/worker/builds/m-c-20210613214113-fuzzing-asan-opt/firefox+0x5ba49)
Severity: -- → S2
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/vBAj1QMOyaoDIb3C7G77VA/index.html

Bugmon Analysis
Unable to reproduce bug using build mozilla-central 20210613214113-f531f12e5c35. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Hi Emilio, the test is about print preview, so I bring it to your radar.

Flags: needinfo?(emilio)

nsDocumentViewer::mDocument ends up null because Destroy() is called
as a result of nsGlobalWindowOuter::SetNewDocument failing because of
the AncestorsAreCurrent check:

https://searchfox.org/mozilla-central/rev/d6188c9ce02efeea309e7177fc14c9eb2f09db37/dom/base/Document.cpp#13026-13030
https://searchfox.org/mozilla-central/rev/d6188c9ce02efeea309e7177fc14c9eb2f09db37/layout/base/nsDocumentViewer.cpp#1888
https://searchfox.org/mozilla-central/rev/d6188c9ce02efeea309e7177fc14c9eb2f09db37/dom/base/nsGlobalWindowOuter.cpp#2089-2091

Just bail out if we don't have a document when creating the print
presentation, as that presentation won't be shown either way.

Assignee: nobody → emilio
Status: NEW → ASSIGNED
Flags: needinfo?(emilio)
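A hypothetical C++ model of the sequence described in the comment above, added here as an illustration and not taken from the bug, the patch or Gecko itself: SetNewDocument fails, Destroy() clears mDocument, and a later print-settings call either dereferences the null document (the unchecked method) or bails out (the fixed one). Every class and function here is a constructed stand-in that only borrows the names from the comment.

```cpp
// Added, hypothetical model of the lifecycle described in the bug (not Gecko
// code): Destroy, mDocument and SetPrintSettingsForSubdocument mirror the
// comment, but every class here is constructed for illustration.
#include <memory>

struct Element { int id = 1; };
struct Document {
  Element root;
  Element* GetRootElement() { return &root; }
};
struct PresContext {
  // Like nsPresContext::Init, reads through the root element: with a null
  // Document* this is the near-null READ that ASan reports above.
  int Init(Document* doc) { return doc->GetRootElement()->id; }
};
enum class Result { Ok, NoDocument };  // stands in for nsresult

class DocumentViewer {
 public:
  explicit DocumentViewer(std::shared_ptr<Document> d) : mDocument(d) {}
  // SetNewDocument failing the AncestorsAreCurrent check lands here: the
  // viewer drops its document, but the viewer object itself stays alive.
  void Destroy() { mDocument.reset(); }
  // Unfixed path: a print IPC message arriving after Destroy() reaches
  // PresContext::Init with mDocument == nullptr and crashes there.
  Result SetPrintSettingsForSubdocumentUnchecked() {
    PresContext pc;
    pc.Init(mDocument.get());
    return Result::Ok;
  }
  // Fixed path, as the comment describes: bail out when there is no document,
  // since that print presentation would never be shown anyway.
  Result SetPrintSettingsForSubdocument() {
    if (!mDocument) return Result::NoDocument;
    PresContext pc;
    pc.Init(mDocument.get());
    return Result::Ok;
  }
 private:
  std::shared_ptr<Document> mDocument;
};

// Replays the bug's sequence (viewer created, Destroy(), late print message)
// through the fixed path; the unchecked path would crash at the same point.
Result ReplayDestroyedViewerPrint() {
  DocumentViewer viewer(std::make_shared<Document>());
  viewer.Destroy();
  return viewer.SetPrintSettingsForSubdocument();
}
```

The unchecked method is kept only to show where the original dereference happens; it is never called on a destroyed viewer here.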
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d6edefc4bd97 Prevent creating print presentation for a destroyed content viewer. r=nika
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 94 Branch

:emilio, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(emilio)
Flags: needinfo?(emilio)