Closed Bug 1897571 Opened 1 year ago Closed 1 year ago

heap-use-after-free in [@ IsCurrentThread] with READ of size 8

Categories

(Core :: Layout, defect)

Tracking

RESOLVED DUPLICATE of bug 1897322
Tracking Status
firefox128 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: csectype-uaf, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing m-c 20240515-fd46f1fdb469 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

==96785==ERROR: AddressSanitizer: heap-use-after-free on address 0x52100213cd48 at pc 0x782a26daf5ae bp 0x7ffe40b77850 sp 0x7ffe40b77848
READ of size 8 at 0x52100213cd48 thread T0 (Isolated Web Co)
    #0 0x782a26daf5ad in IsCurrentThread /builds/worker/checkouts/gecko/xpcom/base/nsISupportsImpl.cpp:48:10
    #1 0x782a26daf5ad in nsAutoOwningThread::AssertCurrentThreadOwnsMe(char const*) const /builds/worker/checkouts/gecko/xpcom/base/nsISupportsImpl.cpp:41:7
    #2 0x782a3114c1b8 in AssertOwnership<26> /builds/worker/workspace/obj-build/dist/include/nsISupportsImpl.h:59:5
    #3 0x782a3114c1b8 in mozilla::PresShell::AddRef() /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:850:1
    #4 0x782a310f342f in AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:48:39
    #5 0x782a310f342f in AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:408:35
    #6 0x782a310f342f in RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:108:7
    #7 0x782a310f342f in nsRefreshDriver::FlushLayoutOnPendingDocsAndFixUpFocus() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2237:35
    #8 0x782a310f0ae1 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2732:3
    #9 0x782a31103bd7 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:13
    #10 0x782a31103bd7 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:345:7
    #11 0x782a311038ea in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:361:5
    #12 0x782a31103561 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:951:5
    #13 0x782a311024f7 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:861:5
    #14 0x782a31101159 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:758:5
    #15 0x782a31102cbb in operator() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:706:31
    #16 0x782a31102cbb in mozilla::detail::RunnableFunction<mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&)::'lambda'()>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:548:5
    #17 0x782a26f3e2da in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:580:16
    #18 0x782a26f2998d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:907:26
    #19 0x782a26f26f68 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:730:15
    #20 0x782a26f27586 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:516:36
    #21 0x782a26f45984 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:237:37
    #22 0x782a26f45984 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
    #23 0x782a26f68574 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
    #24 0x782a26f73ae8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #25 0x782a2f8f1efc in bool mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::NotNull<mozilla::dom::BrowserChild*>, nsIOpenWindowInfo*, unsigned int, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::UserActivation::Modifiers const&, bool, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**)::$_4>(nsTSubstring<char> const&, mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::NotNull<mozilla::dom::BrowserChild*>, nsIOpenWindowInfo*, unsigned int, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::UserActivation::Modifiers const&, bool, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**)::$_4&&, nsIThread*) /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
    #26 0x782a2f8efc9e in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::NotNull<mozilla::dom::BrowserChild*>, nsIOpenWindowInfo*, unsigned int, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::UserActivation::Modifiers const&, bool, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**) /builds/worker/checkouts/gecko/dom/ipc/ContentChild.cpp:1267:5
    #27 0x782a2f951651 in mozilla::dom::BrowserChild::ProvideWindow(nsIOpenWindowInfo*, unsigned int, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::UserActivation::Modifiers const&, bool, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:672:14
    #28 0x782a34d979ac in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, nsTSubstring<char> const&, nsTSubstring<char> const&, nsTSubstring<char> const&, mozilla::dom::UserActivation::Modifiers const&, bool, bool, bool, nsIArray*, bool, bool, bool, nsPIWindowWatcher::PrintKind, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:944:24
    #29 0x782a34d9b946 in OpenWindow2 /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:386:10
    #30 0x782a34d9b946 in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, nsTSubstring<char> const&, nsTSubstring<char> const&, nsTSubstring<char> const&, mozilla::dom::UserActivation::Modifiers const&, bool, bool, bool, nsISupports*, bool, bool, bool, nsPIWindowWatcher::PrintKind, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp
    #31 0x782a2a39effc in nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsDocShellLoadState*, bool, nsGlobalWindowOuter::PrintKind, mozilla::dom::BrowsingContext**) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:6926:21
    #32 0x782a2a3a5001 in OpenJS /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:5588:10
    #33 0x782a2a3a5001 in nsGlobalWindowOuter::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:5552:17
    #34 0x782a2a33413c in nsGlobalWindowInner::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:3991:3
    #35 0x782a2bcf4375 in mozilla::dom::Window_Binding::open(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./WindowBinding.cpp:2805:59
    #36 0x782a2c599b7b in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3268:13
    #37 0x782a352b3c84 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:480:13
    #38 0x782a352b3c84 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:574:12
    #39 0x782a3634d2e1 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1663:10
    #40 0x3b27c4810923  ([anon:js-executable-memory]+0x2923)

0x52100213cd48 is located 72 bytes inside of 4576-byte region [0x52100213cd00,0x52100213dee0)
freed by thread T0 (Isolated Web Co) here:
    #0 0x5a2ee30f3126 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
    #1 0x782a3114c338 in operator delete /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:51:10
    #2 0x782a3114c338 in mozilla::PresShell::Release() /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:851:1
    #3 0x782a310f31fa in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:49:40
    #4 0x782a310f31fa in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:409:36
    #5 0x782a310f31fa in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:80:7
    #6 0x782a310f31fa in nsRefreshDriver::FlushLayoutOnPendingDocsAndFixUpFocus() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2267:3
    #7 0x782a310f0ae1 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2732:3
    #8 0x782a31103bd7 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:13
    #9 0x782a31103bd7 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:345:7
    #10 0x782a311038ea in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:361:5
    #11 0x782a31103561 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:951:5
    #12 0x782a311024f7 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:861:5
    #13 0x782a31101159 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:758:5
    #14 0x782a31100798 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
    #15 0x782a311003d5 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:549:9
    #16 0x782a2f9387cb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
    #17 0x782a2fe40a04 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:222:78
    #18 0x782a2fc7029f in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8047:32
    #19 0x782a288615c5 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1820:25
    #20 0x782a2885d3bf in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1739:9
    #21 0x782a2885e491 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1530:3
    #22 0x782a2885f9e3 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1630:14
    #23 0x782a26f3e2da in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:580:16
    #24 0x782a26f2998d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:907:26
    #25 0x782a26f26f68 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:730:15
    #26 0x782a26f27586 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:516:36
    #27 0x782a26f45984 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:237:37
    #28 0x782a26f45984 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
    #29 0x782a26f68574 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
    #30 0x782a26f73ae8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #31 0x782a2f8f1efc in bool mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::NotNull<mozilla::dom::BrowserChild*>, nsIOpenWindowInfo*, unsigned int, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::UserActivation::Modifiers const&, bool, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**)::$_4>(nsTSubstring<char> const&, mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::NotNull<mozilla::dom::BrowserChild*>, nsIOpenWindowInfo*, unsigned int, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::UserActivation::Modifiers const&, bool, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**)::$_4&&, nsIThread*) /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
    #32 0x782a2f8efc9e in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::NotNull<mozilla::dom::BrowserChild*>, nsIOpenWindowInfo*, unsigned int, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::UserActivation::Modifiers const&, bool, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**) /builds/worker/checkouts/gecko/dom/ipc/ContentChild.cpp:1267:5
    #33 0x782a2f951651 in mozilla::dom::BrowserChild::ProvideWindow(nsIOpenWindowInfo*, unsigned int, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::UserActivation::Modifiers const&, bool, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:672:14
    #34 0x782a34d979ac in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, nsTSubstring<char> const&, nsTSubstring<char> const&, nsTSubstring<char> const&, mozilla::dom::UserActivation::Modifiers const&, bool, bool, bool, nsIArray*, bool, bool, bool, nsPIWindowWatcher::PrintKind, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:944:24
    #35 0x782a34d9b946 in OpenWindow2 /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:386:10
    #36 0x782a34d9b946 in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, nsTSubstring<char> const&, nsTSubstring<char> const&, nsTSubstring<char> const&, mozilla::dom::UserActivation::Modifiers const&, bool, bool, bool, nsISupports*, bool, bool, bool, nsPIWindowWatcher::PrintKind, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp

previously allocated by thread T0 (Isolated Web Co) here:
    #0 0x5a2ee30f33bf in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
    #1 0x5a2ee3138185 in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x782a2a5e2d7c in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x782a2a5e2d7c in mozilla::dom::Document::CreatePresShell(nsPresContext*, nsViewManager*) /builds/worker/checkouts/gecko/dom/base/Document.cpp:6948:33
    #4 0x782a3124af6c in nsDocumentViewer::InitPresentationStuff(bool) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:703:21
    #5 0x782a3124a9fe in nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::dom::WindowGlobalChild*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:911:10
    #6 0x782a3124a007 in nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::dom::WindowGlobalChild*) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:676:10
    #7 0x782a33f568fc in nsDocShell::SetupNewViewer(nsIDocumentViewer*, mozilla::dom::WindowGlobalChild*) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:7980:7
    #8 0x782a33f54db8 in nsDocShell::Embed(nsIDocumentViewer*, mozilla::dom::WindowGlobalChild*, bool, bool, nsIRequest*, nsIURI*) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5500:17
    #9 0x782a33f0ab88 in nsDocShell::CreateDocumentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:7810:3
    #10 0x782a33f08902 in nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*) /builds/worker/checkouts/gecko/docshell/base/nsDSURIContentListener.cpp:168:19
    #11 0x782a28d9126e in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:655:18
    #12 0x782a28d8ed63 in nsDocumentOpenInfo::DispatchContent(nsIRequest*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:351:9
    #13 0x782a28d8dc69 in nsDocumentOpenInfo::OnStartRequest(nsIRequest*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:157:8
    #14 0x782a2725ca95 in nsBaseChannel::OnStartRequest(nsIRequest*) /builds/worker/checkouts/gecko/netwerk/base/nsBaseChannel.cpp:804:23
    #15 0x782a2729e7d5 in nsInputStreamPump::OnStateStart() /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:504:20
    #16 0x782a2729dc88 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:409:21
    #17 0x782a26e57e49 in RunAsyncWaitCallback /builds/worker/checkouts/gecko/xpcom/io/NonBlockingAsyncInputStream.cpp:385:13
    #18 0x782a26e57e49 in mozilla::NonBlockingAsyncInputStream::AsyncWaitRunnable::Run() /builds/worker/checkouts/gecko/xpcom/io/NonBlockingAsyncInputStream.cpp:33:14
    #19 0x782a26f3e2da in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:580:16
    #20 0x782a26f2998d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:907:26
    #21 0x782a26f26f68 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:730:15
    #22 0x782a26f27586 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:516:36
    #23 0x782a26f45951 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:234:37
    #24 0x782a26f45951 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
    #25 0x782a26f68574 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
    #26 0x782a26f73ae8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #27 0x782a28869f4e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #28 0x782a286b6884 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #29 0x782a286b6884 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #30 0x782a286b6884 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #31 0x782a309b44f9 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #32 0x782a30b6efca in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
    #33 0x782a34ee1a2d in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
    #34 0x782a286b6884 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #35 0x782a286b6884 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #36 0x782a286b6884 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
Flags: in-testsuite?

The presence of FlushLayoutOnPendingDocsAndFixUpFocus in the backtrace suggests that this may be a regression from bug 1896593, and possibly a dupe of bug 1897322 whose fix was just merged to mozilla-central a few hours ago.

Tyson, could you see if this is still reproducible in up-to-date mozilla-central?

Flags: needinfo?(twsmith)
See Also: → 1897322

Testcase crashes using the initial build (mozilla-central 20240515032356-fd46f1fdb469) but not with tip (mozilla-central 20240517215359-f35859c2fd56).

The bug appears to have been fixed in the following build range:

Start: 9d46b5eb4920325231fcf45dae723c7546c168fc (20240517111109)
End: cb42dcf78f8dc942e4b5fcf690880d2d91486a30 (20240517122302)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=9d46b5eb4920325231fcf45dae723c7546c168fc&tochange=cb42dcf78f8dc942e4b5fcf690880d2d91486a30

Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Whiteboard: [bugmon:bisected,confirmed]

Bugmon agrees this is a dupe.

Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1897322
Flags: needinfo?(twsmith)
Keywords: regression
Regressed by: 1896593
Resolution: --- → DUPLICATE
See Also: 1897322
Group: layout-core-security