1810619 - crash at null in [@ nsDocShell::ValidateOrigin]

Status: VERIFIED FIXED

(Core :: DOM: Navigation, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20230112-e5ed23660819 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

==7536==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fdff3045e1d bp 0x7ffec37d1be0 sp 0x7ffec37d1aa0 T0)
==7536==The signal is caused by a READ memory access.
==7536==Hint: address points to the zero page.
    #0 0x7fdff3045e1d in nsDocShell::ValidateOrigin(mozilla::dom::BrowsingContext*, mozilla::dom::BrowsingContext*) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:1455:46
    #1 0x7fdff304571b in mozilla::dom::BrowsingContext::CanAccess(mozilla::dom::BrowsingContext*, bool) /builds/worker/checkouts/gecko/docshell/base/BrowsingContext.cpp:1371:26
    #2 0x7fdff3045337 in mozilla::dom::BrowsingContext::FindWithNameInSubtree(nsTSubstring<char16_t> const&, mozilla::dom::BrowsingContext&) /builds/worker/checkouts/gecko/docshell/base/BrowsingContext.cpp:1330:47
    #3 0x7fdff30448f4 in mozilla::dom::BrowsingContext::FindWithName(nsTSubstring<char16_t> const&, bool) /builds/worker/checkouts/gecko/docshell/base/BrowsingContext.cpp:1237:18
    #4 0x7fdfe96fea1d in nsGlobalWindowOuter::WindowExists(nsTSubstring<char16_t> const&, bool, bool) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:4039:30
    #5 0x7fdfe970e3a6 in nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsDocShellLoadState*, bool, nsGlobalWindowOuter::PrintKind, mozilla::dom::BrowsingContext**) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:6891:23
    #6 0x7fdfe9715286 in nsGlobalWindowOuter::OpenJS(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::dom::BrowsingContext**) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:5661:10
    #7 0x7fdfe9714cdf in nsGlobalWindowOuter::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:5625:17
    #8 0x7fdfe96a8b5d in nsGlobalWindowInner::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:4188:3
    #9 0x7fdfeb10ee39 in mozilla::dom::Window_Binding::open(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:3250:59
    #10 0x7fdfeb9562cc in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3308:13
    #11 0x7fdff443b054 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
    #12 0x7fdff443b054 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
    #13 0x7fdff443ce2f in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10
    #14 0x7fdff443ce2f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
    #15 0x7fdff4bf9337 in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/checkouts/gecko/js/src/proxy/Wrapper.cpp:168:10
    #16 0x7fdff4bc9111 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/checkouts/gecko/js/src/proxy/CrossCompartmentWrapper.cpp:229:19
    #17 0x7fdff4be19bd in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:676:19
    #18 0x7fdff443b484 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:527:14
    #19 0x7fdff442a03a in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10
    #20 0x7fdff442a03a in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:619:10
    #21 0x7fdff442a03a in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3362:16
    #22 0x7fdff440e15c in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
    #23 0x7fdff443b170 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13
    #24 0x7fdff443ce2f in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10
    #25 0x7fdff443ce2f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
    #26 0x7fdff454624d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
    #27 0x7fdfeb520f12 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
    #28 0x7fdfec3d5575 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #29 0x7fdfec3d5033 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1308:43
    #30 0x7fdfec3d692b in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1504:17
    #31 0x7fdfec3c4872 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:347:17
    #32 0x7fdfec3c3124 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:549:16
    #33 0x7fdfec3c729a in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1122:11
    #34 0x7fdfec3ccf55 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
    #35 0x7fdfe9c8c163 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1373:17
    #36 0x7fdfe95bb3e7 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4577:28
    #37 0x7fdfe95bb135 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4547:10
    #38 0x7fdfe98f9b9f in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7909:3
    #39 0x7fdfe99eb31a in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
    #40 0x7fdfe99eb31a in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12
    #41 0x7fdfe99eb31a in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1215:13
    #42 0x7fdfe66f8b8f in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140:20
    #43 0x7fdfe670c319 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16
    #44 0x7fdfe6703137 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26
    #45 0x7fdfe67003b8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:684:15
    #46 0x7fdfe6700ae0 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36
    #47 0x7fdfe6712421 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
    #48 0x7fdfe6712421 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
    #49 0x7fdfe6735584 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:16
    #50 0x7fdfe673f974 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:473:10
    #51 0x7fdfe7eb067e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #52 0x7fdfe7d2fbb7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #53 0x7fdfe7d2fbb7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #54 0x7fdfe7d2fbb7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #55 0x7fdfef09d5b9 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #56 0x7fdff4023628 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:20
    #57 0x7fdfe7d2fbb7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #58 0x7fdfe7d2fbb7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #59 0x7fdfe7d2fbb7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #60 0x7fdff4022dbf in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:676:34
    #61 0x55aab46e1454 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #62 0x55aab46e1917 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
    #63 0x7fe008c14d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #64 0x7fe008c14e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #65 0x55aab461fed8 in _start (/home/user/workspace/browsers/m-c-20230116140954-fuzzing-asan-opt/firefox+0x111ed8) (BuildId: d188b3ae4156481d4558d1159c316c95b3a54c6f)

Comment 1

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20230116211903-23c1be504632.
The bug appears to have been introduced in the following build range:

Start: 5d3793ddd16ed337c5b26d0072bde43dedfd29b9 (20230109225210)
End: 23d84f02c22bd0c6783b847073526fa536407daa (20230110035510)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5d3793ddd16ed337c5b26d0072bde43dedfd29b9&tochange=23d84f02c22bd0c6783b847073526fa536407daa

Comment 2

[Peter Van der Beken [:peterv]]

Nika, it seems this was caused by part 3 in bug 1808630 (https://phabricator.services.mozilla.com/D166120). Any ideas?

I haven't looked in detail what's going on yet, but in the nested event loop for the first Window.open call we process the PBrowser::Destroy message, which nulls out the docshell.

Comment 3

[Donal Meehan [:dmeehan]]

Now that 110 has been released, we are seeing these crashes in 110.0.1

Comment 4

[Jared Hirsch [:jhirsch] (he/him) (Needinfo please)]

:sefeng hey, are we planning to investigate this bug, now that we're seeing it in the wild?

Comment 5

[Nika Layzell [:nika] (ni? for response)]

I've started looking into this a bit - when running this against a local debug build the crash reason reported is mDocShell (CanAccess() may only be called in the process of the accessing window).

I'll need to look into this a bit more to figure out how https://bugzilla.mozilla.org/show_bug.cgi?id=1808630 could be causing this, but there's always a chance it's something else. Based on :peterv's comments, it seems possible that during one open call's nested event loop, we ended up closing the original window, and are now in a partially broken state.

Comment 6

[Nika Layzell [:nika] (ni? for response)]

Attachment: Bug 1810619 - Part 1: Be more precise in named lookup code, r=smaug!

This makes various changes to the named lookup/navigation code to make
them more precise, and avoid issues which could happen if a window is
closed while script is still executing.

This also should improve handling for inactive windows in some cases, by
more frequently working off of the WindowContext tree rather than the
BrowsingContext tree.

As part of these changes, some behaviour was changed around e.g. the
file URI exception to avoid the deprecated nsIPrincipal::GetURI method.
I don't believe the behaviour should have changed in a meaningful way.

Comment 7

[Nika Layzell [:nika] (ni? for response)]

Attachment: Bug 1810619 - Part 2: Get the content window from client.openWindow on geckoview, r=#geckoview-reviewers!

While writing part 1 of this patch, I noticed that the geckoview code
for client.openWindow was returning the outer chrome window's
BrowsingContext rather than the BrowsingContext of the primary content
frame when opening a pop-up window. This meant that the native code
would fail to start navigating the pop-up window (as it would try to
navigate the chrome window which is not allowed).

It turns out the tests were still passing because the geckoview code was
actually starting the load itself, though with the wrong options and
properties. In this patch I remove that call to load a URI from the Java
code, and fix the code in ClientOpenWindowUtils to return the content
BrowsingContext instead of the chrome one.

Depends on D171755

Comment 8

[Pulsebot]

Pushed by nlayzell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/637be53c4d27
Part 1: Be more precise in named lookup code, r=smaug,geckoview-reviewers,m_kato
https://hg.mozilla.org/integration/autoland/rev/81d6ef111d4f
Part 2: Get the content window from client.openWindow on geckoview, r=geckoview-reviewers,m_kato

Comment 9

[Cristian Tuns]

Backed out for causing wd failures in dom_content_loaded.py

• Backout link
• Push with failures
• Failure Log
• Failure line: TEST-UNEXPECTED-TIMEOUT | /webdriver/tests/bidi/browsing_context/dom_content_loaded/dom_content_loaded.py | expected OK

Comment 10

[Pulsebot]

Pushed by nlayzell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8a57ec94842e
Part 1: Be more precise in named lookup code, r=smaug,geckoview-reviewers,m_kato
https://hg.mozilla.org/integration/autoland/rev/e832a10b8525
Part 2: Get the content window from client.openWindow on geckoview, r=geckoview-reviewers,m_kato

Comment 11

[Serban Stanca [:SerbanS]]

https://hg.mozilla.org/mozilla-central/rev/8a57ec94842e
https://hg.mozilla.org/mozilla-central/rev/e832a10b8525

Comment 12

[Bugmon [:jkratzer for issues]]

Bug marked as FIXED but still reproduces on mozilla-central 20230316092607-7954e1671be3. If you believe this to be incorrect, please remove the bugmon keyword to prevent further analysis.

Comment 13

[Nika Layzell [:nika] (ni? for response)]

:jkratzer, could we get a new stack for the new reproduction? I'm somewhat surprised it's still reproducing, as I thought I had fixed the issue, so looking at a new stack would be useful.

Comment 14

[Tyson Smith [:tsmith]]

Attachment: post-patch-log.txt

Comment 15

[Tyson Smith [:tsmith]]

Looks a bit different, should this be a new bug?

Comment 16

[Nika Layzell [:nika] (ni? for response)]

It's different, but in the code which was added in this bug. It's probably OK to keep the same bug for now.

Leaving a ni? for myself to loop back around on this and figure out how we're ending up with a caller window without a WindowGlobalChild.

Comment 17

[Tyson Smith [:tsmith]]

Bugmon should be able to get a Pernosco session automatically. Let's try that first, if it fails I'll grab one manually.

Comment 18

[Bugmon [:jkratzer for issues]]

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Comment 19

[Bugmon [:jkratzer for issues]]

A pernosco session for this bug can be found here.

Comment 20

[Nika Layzell [:nika] (ni? for response)]

(In reply to Bugmon [:jkratzer for issues] from comment #19)

A pernosco session for this bug can be found here.

Unfortunately it appears this session is on an older version of the tree from before the patch landed, as it has nsDocShell::ValidateOrigin (which was removed) on the stack.

Comment 21

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/-ezZnX5WH_TSt_OoPXyNig/index.html

I used m-c 20230324-f476897a6e6a.

Comment 22

[Nika Layzell [:nika] (ni? for response)]

Attachment: Bug 1810619 - Hold a link from nsGlobalWindowInner to the WindowGlobalChild actor longer, r=smaug!

I pushed this to try, and it doesn't appear to cause any leaks. This
reference being held for longer (until the window is CC'd) helps avoid
the fundamental issue with the actor not being available from an active
global.

Comment 23

[Pulsebot]

Pushed by nlayzell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1d0e516f2c53
Hold a link from nsGlobalWindowInner to the WindowGlobalChild actor longer, r=smaug

Comment 24

[Atila Butkovits]

https://hg.mozilla.org/mozilla-central/rev/1d0e516f2c53

Comment 25

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20230329030858-ff84e2935cc3.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 26

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:nika, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox112 to wontfix.

For more information, please visit auto_nag documentation.