Closed
Bug 1858118
Opened 2 years ago
Closed 2 years ago
Crash [@ nsAutoOwningThread::IsCurrentThread] through [@ mozilla::dom::ContentParent::RecvHistoryGo]
Categories
(Core :: DOM: Content Processes, defect, P2)
Tracking
()
RESOLVED
FIXED
121 Branch
People
(Reporter: decoder, Assigned: decoder)
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(3 files)
In experimental IPC fuzzing, we found the following crash on mozilla-central revision 20231004-c559095402a2 (fuzzing-asan-nyx-opt build):
=================================================================
==2088==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000380 (pc 0x7fffd74bc74f bp 0x7ffffffeed60 sp 0x7ffffffeed40 T0)
#0 0x7fffd74bc74f in nsAutoOwningThread::IsCurrentThread() const /xpcom/base/nsISupportsImpl.cpp:48:10
#1 0x7fffd74bc74f in nsAutoOwningThread::AssertCurrentThreadOwnsMe(char const*) const /xpcom/base/nsISupportsImpl.cpp:41:7
#2 0x7fffeb18660d in void nsAutoOwningThread::AssertOwnership<32>(char const (&) [32]) const /builds/worker/workspace/obj-build/dist/include/nsISupportsImpl.h:59:5
#3 0x7fffeb18660d in mozilla::dom::BrowsingContext::Release() /docshell/base/BrowsingContext.cpp:1830:1
#4 0x7fffeb18660d in mozilla::dom::CanonicalBrowsingContext::Release() /docshell/base/CanonicalBrowsingContext.cpp:3079:1
#5 0x7fffe3c18519 in mozilla::RefPtrTraits<mozilla::dom::CanonicalBrowsingContext>::Release(mozilla::dom::CanonicalBrowsingContext*) /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:54:40
#6 0x7fffe3c18519 in RefPtr<mozilla::dom::CanonicalBrowsingContext>::ConstRemovingRefPtrTraits<mozilla::dom::CanonicalBrowsingContext>::Release(mozilla::dom::CanonicalBrowsingContext*) /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:420:36
#7 0x7fffe3c18519 in RefPtr<mozilla::dom::CanonicalBrowsingContext>::~RefPtr() /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:85:7
#8 0x7fffe3c18519 in mozilla::dom::ContentParent::RecvHistoryGo(mozilla::dom::MaybeDiscarded<mozilla::dom::BrowsingContext> const&, int, unsigned long, bool, bool, std::function<void (mozilla::Maybe<int> const&)>&&) /dom/ipc/ContentParent.cpp:7854:3
#9 0x7fffe402dc03 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:14083:81
[...]
The attached testcase can be reproduced using a special build to inject IPC messages.
I looked into this and it appears to be a missing null check in ContentParent::RecvHistoryGo, patch coming up.
Comment 1•2 years ago
Comment 2•2 years ago
Comment 3•2 years ago
patch coming up.
Set assignee accordingly, thanks.
Assignee: nobody → choller
Severity: -- → S3
Priority: -- → P2
Updated•2 years ago
status-firefox118: --- → wontfix
status-firefox119: --- → wontfix
Comment 4•2 years ago
Pushed by choller@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d9d7f3e0d92e
Add missing BrowserContext null checks in ContentParent. r=nika
Comment 6•2 years ago
bugherder
Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox121: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 121 Branch
Updated•2 years ago