Closed Bug 1814279 Opened 2 years ago Closed 2 years ago

crash at null in [@ nsContentUtils::ObjectPrincipal]

Categories: Core :: DOM: Core & HTML, defect

Status: RESOLVED FIXED
Target Milestone: 111 Branch

Tracking Status
firefox-esr102 --- unaffected
firefox109 --- wontfix
firefox110 --- wontfix
firefox111 --- fixed

People: Reporter: tsmith, Assigned: tjr

References: Blocks 1 open bug, Regression

Attachments: 2 files

Attached file testcase.zip

Found while fuzzing m-c 20230126-4af274d4ee61 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip

==170415==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f175e293333 bp 0x7ffca11512c0 sp 0x7ffca11512c0 T0)
==170415==The signal is caused by a READ memory access.
==170415==Hint: address points to the zero page.
    #0 0x7f175e293333 in IsProxy /builds/worker/workspace/obj-build/dist/include/js/Proxy.h:384:60
    #1 0x7f175e293333 in js::IsWrapper(JSObject const*) /builds/worker/workspace/obj-build/dist/include/js/Wrapper.h:393:10
    #2 0x7f175fc0d485 in js::IsCrossCompartmentWrapper(JSObject const*) /builds/worker/workspace/obj-build/dist/include/js/Wrapper.h:397:10
    #3 0x7f17610dff6f in nsContentUtils::ObjectPrincipal(JSObject*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:3393:3
    #4 0x7f17617ea57b in PrincipalOrNull /builds/worker/checkouts/gecko/dom/base/nsIGlobalObject.cpp:78:10
    #5 0x7f17617ea57b in nsIGlobalObject::GetRTPCallerType() const /builds/worker/checkouts/gecko/dom/base/nsIGlobalObject.cpp:396:7
    #6 0x7f17667b225d in mozilla::dom::Performance::Performance(nsIGlobalObject*) /builds/worker/checkouts/gecko/dom/performance/Performance.cpp:101:31
    #7 0x7f17667bfef9 in mozilla::dom::PerformanceMainThread::PerformanceMainThread(nsPIDOMWindowInner*, nsDOMNavigationTiming*, nsITimedChannel*) /builds/worker/checkouts/gecko/dom/performance/PerformanceMainThread.cpp:94:7
    #8 0x7f17667b1d49 in mozilla::dom::Performance::CreateForMainThread(nsPIDOMWindowInner*, nsIPrincipal*, nsDOMNavigationTiming*, nsITimedChannel*) /builds/worker/checkouts/gecko/dom/performance/Performance.cpp:61:11
    #9 0x7f17611c5853 in nsPIDOMWindowInner::CreatePerformanceObjectIfNeeded() /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:2481:20
    #10 0x7f17611adf07 in nsPIDOMWindowInner::GetPerformance() /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:2457:3
    #11 0x7f175e511369 in mozilla::net::LoadInfo::GetPerformanceStorage() /builds/worker/checkouts/gecko/netwerk/base/LoadInfo.cpp:2088:57
    #12 0x7f175f0d151e in mozilla::net::HttpBaseChannel::MaybeReportTimingData() /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpBaseChannel.cpp:5429:18
    #13 0x7f175f0e769e in mozilla::net::HttpChannelChild::DoPreOnStopRequest(nsresult) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:989:3
    #14 0x7f175f0e6e92 in mozilla::net::HttpChannelChild::OnStopRequest(nsresult const&, mozilla::net::ResourceTimingStructArgs const&, mozilla::net::nsHttpHeaderArray const&) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:934:3
    #15 0x7f175f185f0b in operator() /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:812:15
    #16 0x7f175f185f0b in std::_Function_handler<void (), mozilla::net::HttpChannelChild::ProcessOnStopRequest(nsresult const&, mozilla::net::ResourceTimingStructArgs const&, mozilla::net::nsHttpHeaderArray const&, nsTArray<mozilla::net::ConsoleReportCollected>&&, bool)::$_24>::_M_invoke(std::_Any_data const&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:316:2
    #17 0x7f175f4bd4dc in mozilla::net::ChannelEventQueue::FlushQueue() /builds/worker/checkouts/gecko/netwerk/ipc/ChannelEventQueue.cpp:94:12
    #18 0x7f175f506c26 in mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() /builds/worker/checkouts/gecko/netwerk/ipc/ChannelEventQueue.cpp:152:17
    #19 0x7f175e20ef8f in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:114:20
    #20 0x7f175e222769 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16
    #21 0x7f175e219537 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26
    #22 0x7f175e2167b8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:684:15
    #23 0x7f175e216ee0 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36
    #24 0x7f175e228871 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
    #25 0x7f175e228871 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
    #26 0x7f175e24b6f4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:16
    #27 0x7f175e2559f4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
    #28 0x7f175f9d8ece in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #29 0x7f175f857e47 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #30 0x7f175f857e47 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #31 0x7f175f857e47 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #32 0x7f1766d013b9 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #33 0x7f176bcbf7e8 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:20
    #34 0x7f175f857e47 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #35 0x7f175f857e47 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #36 0x7f175f857e47 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #37 0x7f176bcbef7f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:675:34
    #38 0x55ca34b02494 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #39 0x55ca34b02957 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353:18
    #40 0x7f1780c19d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #41 0x7f1780c19e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #42 0x55ca34a40f18 in _start (/home/user/workspace/browsers/m-c-20230131093335-fuzzing-asan-opt/firefox+0x111f18) (BuildId: c490d9696470bd8106347ffe4f784916baaea5da)

Unable to reproduce bug 1814279 using build mozilla-central 20230126212606-4af274d4ee61. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

A Pernosco session is available here: https://pernos.co/debug/ZF2gNWnZ-hU_SnuJU7Ngpg/index.html

A crash bug, default to S2.

It seems that PrincipalOrNull() returns nullptr according to the Pernosco session.
https://searchfox.org/mozilla-central/rev/9dfda5ccb0fc42d7666a54b1caf1af6525e49694/dom/base/nsIGlobalObject.cpp#396

The line was introduced by this changeset.

tjr: Could you take a look?

Severity: -- → S2
Flags: needinfo?(tom)
Regressed by: 1778510

Set release status flags based on info from the regressing bug 1778510

It looks like this is a dupe of Bug 1804522 or related. That one didn't have a working pernosco trace though.

My confusion is the same as I said here:

> It did, although this seems like a much odder bug. PrincipalOrNull() is in the stack, and that function checks right here if the object is null. It's not, continues on down the stack in nsContentUtils::ObjectPrincipal() and then crashes because it is actually null after all. I don't know what would cause that...

kmag commented:

> I don't think we're crashing because the object is null. Presumably the shape or the base shape is null. A Pernosco trace should easily tell us which.
>
> I don't know what would cause that either, but presumably we're accessing the window when it's in an inconsistent state. Pernosco might also be able to tell us why that's happening.

S2 for now, but I'm fairly worried about this, and it should perhaps be S1.

See Also: → 1804522

This is trying to use an inner window that doesn't have its binding object anymore (it was finalized by the GC). nsIGlobalObject::GetRTPCallerType() calls nsIGlobalObject::PrincipalOrNull(), but then doesn't deal with null; it just assumes that it always returns a non-null principal.

(In reply to Tom Ritter [:tjr] from comment #5)

> It did, although this seems like a much odder bug. PrincipalOrNull() is in the stack, and that function checks right here if the object is null. It's not, …

That's not what happens: it is null (see nsGlobalWindowInner's mWrapper) and PrincipalOrNull() then returns null.
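The failure peterv describes above, a nullable accessor whose caller assumes a non-null result, as an added C++ model that is not Gecko's code. GlobalObject, Principal, JSObject and the two GetRTPCallerType variants are simplified stand-ins for the real classes, the RTPCallerType values are assumed, and the exact shape of the landed patch (af5182a991bb) is an assumption; what the model shows is the contract of PrincipalOrNull() and the check the caller needs once the wrapper has been finalized.

```cpp
// Added illustrative model of the nsIGlobalObject::GetRTPCallerType() bug and
// its fix. Not Gecko source: every type here is a simplified stand-in, and the
// enum values and the form of the landed fix are assumptions.
#include <cstdio>

enum class RTPCallerType { Normal, SystemPrincipal };

struct Principal {
  bool isSystem;
  bool IsSystemPrincipal() const { return isSystem; }
};

// Stand-in for a JSObject reflector; the principal hangs off the object.
struct JSObject {
  Principal* principal;
};

// Stand-in for nsContentUtils::ObjectPrincipal(): it reads through the object,
// so it must never be handed a null pointer.
static Principal* ObjectPrincipal(JSObject* obj) {
  return obj->principal;
}

struct GlobalObject {
  // nsGlobalWindowInner::mWrapper is null once the GC has finalized the
  // binding object, while the inner window itself can still be reached.
  JSObject* mWrapper = nullptr;

  // Mirrors nsIGlobalObject::PrincipalOrNull(): the null check lives here, and
  // the "OrNull" in the name is the contract the caller has to honour.
  Principal* PrincipalOrNull() const {
    if (!mWrapper) {
      return nullptr;
    }
    return ObjectPrincipal(mWrapper);
  }

  // The regressed shape: assumes PrincipalOrNull() never returns null, so a
  // finalized wrapper turns into a null dereference (the crash in this bug).
  RTPCallerType GetRTPCallerTypeUnchecked() const {
    if (PrincipalOrNull()->IsSystemPrincipal()) {
      return RTPCallerType::SystemPrincipal;
    }
    return RTPCallerType::Normal;
  }

  // Hardened shape: a missing principal is treated as an ordinary, non-system
  // caller, which is the least-privileged answer when the window is in this
  // inconsistent state.
  RTPCallerType GetRTPCallerTypeChecked() const {
    Principal* principal = PrincipalOrNull();
    if (principal && principal->IsSystemPrincipal()) {
      return RTPCallerType::SystemPrincipal;
    }
    return RTPCallerType::Normal;
  }
};

// Exercise both variants on a live window and the checked variant on one whose
// wrapper has already been collected. The unchecked variant is deliberately not
// called on the finalized window: that call is the crash itself.
static bool CheckedVariantSurvivesFinalizedWrapper() {
  Principal system{true};           // constructed sample: a system principal
  JSObject sysObj{&system};
  GlobalObject live;
  live.mWrapper = &sysObj;
  GlobalObject finalized;           // mWrapper == nullptr, as after GC finalization
  return live.GetRTPCallerTypeUnchecked() == RTPCallerType::SystemPrincipal &&
         live.GetRTPCallerTypeChecked() == RTPCallerType::SystemPrincipal &&
         finalized.PrincipalOrNull() == nullptr &&
         finalized.GetRTPCallerTypeChecked() == RTPCallerType::Normal;
}

int main() {
  std::printf("%s\n", CheckedVariantSurvivesFinalizedWrapper() ? "ok" : "FAIL");
  return 0;
}
```

The design point is the one in the stack above: the null check inside PrincipalOrNull() protects that function only; a caller that chains a call onto its result without testing it has reintroduced the dereference one frame up, and the fallback for a principal-less global should be the least-privileged caller type rather than the system one.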

Depends on D167287

Assignee: nobody → tom
Status: NEW → ASSIGNED

I've been trying to turn this testcase into a crashtest but ran into a bunch of problems so I'm going to land this and try to come back to it.

Pushed by tritter@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/af5182a991bb Check for a null Principal before use r=peterv
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 111 Branch
Duplicate of this bug: 1804522

Copying crash signatures from duplicate bugs.

Crash Signature: [@ GetClass]
Flags: needinfo?(tom)