Closed
Bug 1740971
Opened 3 years ago
Closed 3 years ago
heap-use-after-free in [@ mozilla::dom::HTMLDialogElement::FocusDialog]
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
VERIFIED
FIXED
96 Branch
People
(Reporter: tsmith, Assigned: smaug)
References
(Blocks 1 open bug)
Details
(Keywords: crash, csectype-uaf, sec-high, Whiteboard: [Nightly only][sec-survey])
Attachments
(1 file)
Found while fuzzing m-c 20211112-b16763f1da6b (--enable-address-sanitizer --enable-fuzzing)
A test case will be attached once reduction is complete.
==354821==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110002aa720 at pc 0x7f8d597d4fca bp 0x7ffea45d4790 sp 0x7ffea45d4788
READ of size 8 at 0x6110002aa720 thread T0 (Web Content)
#0 0x7f8d597d4fc9 in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
#1 0x7f8d597d4fc9 in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:316:12
#2 0x7f8d597d4fc9 in OwnerDoc /builds/worker/checkouts/gecko/dom/base/nsINode.h:647:12
#3 0x7f8d597d4fc9 in mozilla::dom::HTMLDialogElement::FocusDialog() /builds/worker/checkouts/gecko/dom/html/HTMLDialogElement.cpp:201:34
#4 0x7f8d597d5474 in mozilla::dom::HTMLDialogElement::ShowModal(mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/html/HTMLDialogElement.cpp:143:3
#5 0x7f8d58bc69f6 in mozilla::dom::HTMLDialogElement_Binding::showModal(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/HTMLDialogElementBinding.cpp:252:24
#6 0x7f8d58dc1cad in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3300:13
#7 0x7f8d60623131 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:387:13
#8 0x7f8d60623131 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:474:12
#9 0x7f8d6060f77d in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:538:10
#10 0x7f8d6060f77d in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3242:16
#11 0x7f8d605f47e1 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:356:13
#12 0x7f8d6062326c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:506:13
#13 0x7f8d606253bb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:551:8
#14 0x7f8d6089854d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#15 0x7f8d589d889f in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:283:37
#16 0x7f8d5960c3d3 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
#17 0x7f8d5960a904 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
#18 0x7f8d595d1b48 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1123:22
#19 0x7f8d595d315c in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1314:17
#20 0x7f8d595c12ce in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17
#21 0x7f8d595bfadd in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16
#22 0x7f8d595c3d55 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1085:11
#23 0x7f8d595c9269 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#24 0x7f8d5730c45a in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1344:17
#25 0x7f8d56d8ce0f in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4289:28
#26 0x7f8d56d8cb53 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4259:10
#27 0x7f8d5bdf2c1f in mozilla::PendingFullscreenEvent::Dispatch() /builds/worker/workspace/obj-build/dist/include/mozilla/PendingFullscreenEvent.h:55:15
#28 0x7f8d5bdf28b2 in nsRefreshDriver::RunFullscreenSteps() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1956:12
#29 0x7f8d5bdef753 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2347:7
#30 0x7f8d5bdfc897 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:353:13
#31 0x7f8d5bdfc897 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:331:7
#32 0x7f8d5bdfc5fd in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:347:5
#33 0x7f8d5bdfc385 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:782:5
#34 0x7f8d5bdfb9a5 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:705:16
#35 0x7f8d5bdfaf69 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:622:7
#36 0x7f8d5bdfa711 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:543:9
#37 0x7f8d5afb7817 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncChild.cpp:68:15
#38 0x7f8d5588e0a4 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:200:54
#39 0x7f8d5547ab7b in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6082:32
#40 0x7f8d54e91559 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2043:25
#41 0x7f8d54e8e458 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1968:9
#42 0x7f8d54e8fc72 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1827:3
#43 0x7f8d54e90687 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1855:14
#44 0x7f8d539ca1b2 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:468:16
#45 0x7f8d5398fb7d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:771:26
#46 0x7f8d5398d0d8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:607:15
#47 0x7f8d5398d7e9 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:391:36
#48 0x7f8d539d37f1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:124:37
#49 0x7f8d539d37f1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:531:5
#50 0x7f8d539afed7 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1175:16
#51 0x7f8d539baffc in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10
#52 0x7f8d54e99eef in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#53 0x7f8d54d19891 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#54 0x7f8d54d19891 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#55 0x7f8d54d19891 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#56 0x7f8d5b8aced7 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#57 0x7f8d60340fbf in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:917:20
#58 0x7f8d54d19891 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#59 0x7f8d54d19891 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#60 0x7f8d54d19891 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#61 0x7f8d603401f2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:749:34
#62 0x55877742c92d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#63 0x55877742cd58 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327:18
#64 0x7f8d722650b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#65 0x55877737b9f9 in _start (/home/user/workspace/browsers/m-c-20211112092317-fuzzing-asan-opt/firefox+0x5c9f9)
0x6110002aa720 is located 32 bytes inside of 232-byte region [0x6110002aa700,0x6110002aa7e8)
freed by thread T0 (Web Content) here:
#0 0x5587773f7d62 in __interceptor_free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:111:3
#1 0x7f8d570b647e in Free /builds/worker/workspace/obj-build/dist/include/nsNodeInfoManager.h:121:27
#2 0x7f8d570b647e in nsIContent::Destroy() /builds/worker/checkouts/gecko/dom/base/FragmentOrElement.cpp:150:1
#3 0x7f8d537d2cd2 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2408:7
#4 0x7f8d537d2138 in nsCycleCollector::FreeSnowWhite(bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2598:3
#5 0x7f8d537da28d in nsCycleCollector::BeginCollection(mozilla::CCReason, ccIsManual, nsICycleCollectorListener*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3581:3
#6 0x7f8d537d98c0 in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3404:9
#7 0x7f8d537dd0f3 in nsCycleCollector_collect(mozilla::CCReason, nsICycleCollectorListener*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3909:28
#8 0x7f8d5732754f in nsJSContext::CycleCollectNow(mozilla::CCReason, nsICycleCollectorListener*) /builds/worker/checkouts/gecko/dom/base/nsJSEnvironment.cpp:1372:3
#9 0x7f8d58af9522 in mozilla::dom::FuzzingFunctions_Binding::cycleCollect(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/FuzzingFunctionsBinding.cpp:132:3
#10 0x7f8d60623131 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:387:13
#11 0x7f8d60623131 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:474:12
#12 0x7f8d6060f77d in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:538:10
#13 0x7f8d6060f77d in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3242:16
#14 0x7f8d605f47e1 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:356:13
#15 0x7f8d6062326c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:506:13
#16 0x7f8d606253bb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:551:8
#17 0x7f8d6089854d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#18 0x7f8d589d889f in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:283:37
#19 0x7f8d5960c3d3 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
#20 0x7f8d5960a904 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
#21 0x7f8d595d1b48 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1123:22
#22 0x7f8d595d315c in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1314:17
#23 0x7f8d595c12ce in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17
#24 0x7f8d595bfadd in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16
#25 0x7f8d595c3d55 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1085:11
#26 0x7f8d572edf73 in FocusBlurEvent::Run() /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2723:12
#27 0x7f8d56d98ef8 in nsContentUtils::AddScriptRunner(already_AddRefed<nsIRunnable>) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:5734:13
#28 0x7f8d572a27c3 in nsFocusManager::FireFocusOrBlurEvent(mozilla::EventMessage, mozilla::PresShell*, nsISupports*, bool, bool, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2862:3
#29 0x7f8d572a1a7b in nsFocusManager::SendFocusOrBlurEvent(mozilla::EventMessage, mozilla::PresShell*, mozilla::dom::Document*, nsISupports*, bool, bool, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2836:3
#30 0x7f8d572a752b in nsFocusManager::BlurImpl(mozilla::dom::BrowsingContext*, mozilla::dom::BrowsingContext*, bool, bool, mozilla::dom::Element*, unsigned long) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2445:7
#31 0x7f8d57298faf in nsFocusManager::Blur(mozilla::dom::BrowsingContext*, mozilla::dom::BrowsingContext*, bool, bool, unsigned long, mozilla::dom::Element*) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2212:12
#32 0x7f8d57292bb2 in nsFocusManager::SetFocusInner(mozilla::dom::Element*, int, bool, bool, unsigned long) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:1744:12
#33 0x7f8d57294995 in nsFocusManager::SetFocus(mozilla::dom::Element*, unsigned int) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:493:3
#34 0x7f8d5708339a in mozilla::dom::Element::Focus(mozilla::dom::FocusOptions const&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Element.cpp:469:16
#35 0x7f8d597d4d12 in mozilla::dom::HTMLDialogElement::FocusDialog() /builds/worker/checkouts/gecko/dom/html/HTMLDialogElement.cpp:188:14
#36 0x7f8d597d5474 in mozilla::dom::HTMLDialogElement::ShowModal(mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/html/HTMLDialogElement.cpp:143:3
#37 0x7f8d58bc69f6 in mozilla::dom::HTMLDialogElement_Binding::showModal(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/HTMLDialogElementBinding.cpp:252:24
#38 0x7f8d58dc1cad in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3300:13
#39 0x7f8d60623131 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:387:13
#40 0x7f8d60623131 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:474:12
#41 0x7f8d6060f77d in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:538:10
#42 0x7f8d6060f77d in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3242:16
#43 0x7f8d605f47e1 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:356:13
#44 0x7f8d6062326c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:506:13
#45 0x7f8d606253bb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:551:8
#46 0x7f8d6089854d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#47 0x7f8d589d889f in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:283:37
#48 0x7f8d5960c3d3 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
#49 0x7f8d5960a904 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
#50 0x7f8d595d1b48 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1123:22
#51 0x7f8d595d315c in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1314:17
#52 0x7f8d595c12ce in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17
#53 0x7f8d595bfadd in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16
#54 0x7f8d595c3d55 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1085:11
#55 0x7f8d595c9269 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#56 0x7f8d5730c45a in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1344:17
#57 0x7f8d56d8ce0f in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4289:28
#58 0x7f8d56d8cb53 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4259:10
#59 0x7f8d5bdf2c1f in mozilla::PendingFullscreenEvent::Dispatch() /builds/worker/workspace/obj-build/dist/include/mozilla/PendingFullscreenEvent.h:55:15
#60 0x7f8d5bdf28b2 in nsRefreshDriver::RunFullscreenSteps() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1956:12
#61 0x7f8d5bdef753 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2347:7
#62 0x7f8d5bdfc897 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:353:13
#63 0x7f8d5bdfc897 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:331:7
#64 0x7f8d5bdfc5fd in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:347:5
#65 0x7f8d5bdfc385 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:782:5
#66 0x7f8d5bdfb9a5 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:705:16
#67 0x7f8d5bdfaf69 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:622:7
#68 0x7f8d5bdfa711 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:543:9
#69 0x7f8d5afb7817 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncChild.cpp:68:15
#70 0x7f8d5588e0a4 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:200:54
#71 0x7f8d5547ab7b in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6082:32
#72 0x7f8d54e91559 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2043:25
#73 0x7f8d54e8e458 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1968:9
#74 0x7f8d54e8fc72 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1827:3
#75 0x7f8d54e90687 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1855:14
previously allocated by thread T0 (Web Content) here:
#0 0x5587773f7fcd in __interceptor_malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
#1 0x7f8d57304bf0 in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/dom/DOMArena.h:43:17
#2 0x7f8d57304bf0 in nsNodeInfoManager::Allocate(unsigned long) /builds/worker/checkouts/gecko/dom/base/nsNodeInfoManager.cpp:300:20
#3 0x7f8d59805074 in NS_NewHTMLIFrameElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /builds/worker/checkouts/gecko/dom/html/HTMLIFrameElement.cpp:23:1
#4 0x7f8d599838b5 in CreateHTMLElement(unsigned int, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /builds/worker/checkouts/gecko/dom/html/nsHTMLContentSink.cpp:235:41
#5 0x7f8d56db8ccc in nsContentUtils::NewXULOrHTMLElement(mozilla::dom::Element**, mozilla::dom::NodeInfo*, mozilla::dom::FromParser, nsAtom*, mozilla::dom::CustomElementDefinition*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:9463:18
#6 0x7f8d5998383d in NS_NewHTMLElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsAtom*, mozilla::dom::CustomElementDefinition*) /builds/worker/checkouts/gecko/dom/html/nsHTMLContentSink.cpp:219:10
#7 0x7f8d573396b5 in NS_NewElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsTSubstring<char16_t> const*) /builds/worker/checkouts/gecko/dom/base/nsNameSpaceManager.cpp:183:12
#8 0x7f8d5702911e in mozilla::dom::Document::CreateElem(nsTSubstring<char16_t> const&, nsAtom*, int, nsTSubstring<char16_t> const*) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11001:17
#9 0x7f8d57028c2f in mozilla::dom::Document::CreateElement(nsTSubstring<char16_t> const&, mozilla::dom::ElementCreationOptionsOrString const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:8354:26
#10 0x7f8d58903f8e in mozilla::dom::Document_Binding::createElement(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:1506:74
#11 0x7f8d58dc1cad in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3300:13
#12 0x7f8d60623131 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:387:13
#13 0x7f8d60623131 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:474:12
#14 0x7f8d6060f77d in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:538:10
#15 0x7f8d6060f77d in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3242:16
#16 0x7f8d605f47e1 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:356:13
#17 0x7f8d6062326c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:506:13
#18 0x7f8d606253bb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:551:8
#19 0x7f8d6089854d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#20 0x7f8d589d889f in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:283:37
#21 0x7f8d5960c3d3 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
#22 0x7f8d5960a904 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
#23 0x7f8d595d1b48 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1123:22
#24 0x7f8d595d315c in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1314:17
#25 0x7f8d595c12ce in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17
#26 0x7f8d595bfadd in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16
#27 0x7f8d595c3d55 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1085:11
#28 0x7f8d5bf2664f in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1087:7
#29 0x7f8d5f6eb813 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6333:20
#30 0x7f8d5f6eab0b in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5722:7
#31 0x7f8d5f6ecadf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#32 0x7f8d55f3e060 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1376:3
#33 0x7f8d55f3cc74 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:974:14
#34 0x7f8d55f394a2 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:793:9
#35 0x7f8d55f3b665 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:676:5
#36 0x7f8d5f724d1b in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13586:23
#37 0x7f8d53d07f6e in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:614:22
#38 0x7f8d53d0a9b3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:518:10
#39 0x7f8d57047570 in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11555:18
#40 0x7f8d57001c96 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11485:9
#41 0x7f8d57025a1c in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7987:3
#42 0x7f8d570eb63f in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
#43 0x7f8d570eb63f in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
#44 0x7f8d570eb63f in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
#45 0x7f8d5397dabf in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:144:20
#46 0x7f8d539ca1b2 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:468:16
#47 0x7f8d5398fb7d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:771:26
#48 0x7f8d5398d0d8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:607:15
#49 0x7f8d5398d7e9 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:391:36
#50 0x7f8d539d37f1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:124:37
#51 0x7f8d539d37f1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:531:5
#52 0x7f8d539afed7 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1175:16
#53 0x7f8d539baffc in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10
#54 0x7f8d54e99eef in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#55 0x7f8d54d19891 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#56 0x7f8d54d19891 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#57 0x7f8d54d19891 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#58 0x7f8d5b8aced7 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#59 0x7f8d60340fbf in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:917:20
#60 0x7f8d54d19891 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#61 0x7f8d54d19891 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#62 0x7f8d54d19891 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#63 0x7f8d603401f2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:749:34
#64 0x55877742c92d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#65 0x55877742cd58 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327:18
#66 0x7f8d722650b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
|
Assignee | |
Comment 1•3 years ago
|
||
(dialog element is enabled on Nightly only. )
|
|
Assignee | |
Comment 2•3 years ago
|
||
https://searchfox.org/mozilla-central/rev/e99e0a1bbc126a0715b6eb75c41567e37c715cdb/dom/html/HTMLDialogElement.cpp#156 should be probably copied to some RefPtr<Element> variable before using it.
It would be nice to have full stacks. Currently the "freed by thread T0 (Web Content) here:" is missing the interesting bits.
Tyson, I assume these kinds of bug reports are partially generated by some script. Would it be possible to have full stacks?
sefeng, could you take a look at this?
Flags: needinfo?(twsmith)
Flags: needinfo?(sefeng)
|
|
Assignee | |
Comment 3•3 years ago
|
||
|
||
Updated•3 years ago
|
Assignee: nobody → bugs
Status: NEW → ASSIGNED
|
Reporter | |
Comment 4•3 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #2)
It would be nice to have full stacks. Currently the "freed by thread T0 (Web Content) here:" is missing the interesting bits.
Tyson, I assume these kinds of bug reports are partially generated by some script. Would it be possible to have full stacks?
Sorry I don't understand what else I could add. What ASan outputs is what is attached.
I can attach a Pernosco session but that will likely be tomorrow at the earliest.
Flags: needinfo?(twsmith)
|
|
Assignee | |
Comment 5•3 years ago
|
||
(In reply to Tyson Smith [:tsmith] from comment #4)
Sorry I don't understand what else I could add. What ASan outputs is what is attached.
Ah, so it is the Asan output which doesn't for some reason have full stacks.
Only one of those tree stacks has the whole stack (the one showing where the crash is happening).
|
|
Assignee | |
Updated•3 years ago
|
Flags: needinfo?(sefeng)
|
|
Reporter | |
Comment 6•3 years ago
|
||
Stacks updated. Thanks for pointing that out. I found that one of our tools was limiting the size of some of the stacks. That has now been fixed :)
|
||
Updated•3 years ago
|
status-firefox94:
--- → disabled
status-firefox95:
--- → disabled
status-firefox-esr91:
--- → disabled
Keywords: sec-high
Whiteboard: [Nightly only]
|
||
Comment 7•3 years ago
|
||
use a raw pointer for fast iteration, r=sefeng
https://hg.mozilla.org/integration/autoland/rev/6082ba4b794ece0242d538f510df611a4e316c5a
https://hg.mozilla.org/mozilla-central/rev/6082ba4b794e
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 96 Branch
|
|
Reporter | |
Comment 8•3 years ago
|
||
Verified with m-c 20211115-75c615b53e7b
Status: RESOLVED → VERIFIED
|
||
Comment 9•2 years ago
|
||
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
Flags: needinfo?(bugs)
Whiteboard: [Nightly only] → [Nightly only][sec-survey]
|
|
Assignee | |
Updated•2 years ago
|
Flags: needinfo?(bugs)
|
||
Updated•2 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•