Closed Bug 1934330 Opened 1 year ago Closed 1 year ago

crash near null [@ GetExtantDoc]

Categories

(Core :: Networking: Cookies, defect, P2)

defect

Tracking

()

RESOLVED FIXED
135 Branch
Tracking Status
firefox-esr128 --- unaffected
firefox133 --- wontfix
firefox134 --- wontfix
firefox135 --- fixed

People

(Reporter: tsmith, Assigned: baku)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [necko-triaged][bugmon:bisected,confirmed])

Crash Data

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing 20240929-5f9981053145 (--enable-address-sanitizer --enable-undefined-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

==687485==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7c2c6791bb26 bp 0x7fffe0053590 sp 0x7fffe0052e40 T0)
==687485==The signal is caused by a READ memory access.
==687485==Hint: address points to the zero page.
    #0 0x7c2c6791bb26 in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:314:27
    #1 0x7c2c6791bb26 in operator mozilla::dom::Document * /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:327:12
    #2 0x7c2c6791bb26 in GetExtantDoc /builds/worker/checkouts/gecko/dom/base/nsPIDOMWindow.h:404:43
    #3 0x7c2c6791bb26 in operator() /builds/worker/checkouts/gecko/dom/cookiestore/CookieStore.cpp:643:51
    #4 0x7c2c6791bb26 in mozilla::detail::RunnableFunction<mozilla::dom::CookieStore::GetInternal(mozilla::dom::CookieStoreGetOptions const&, bool, mozilla::ErrorResult&)::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:548:5
    #5 0x7c2c60ffdc7a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:688:16
    #6 0x7c2c60fe8e77 in mozilla::TaskController::RunTask(mozilla::Task*) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:215:19
    #7 0x7c2c60ff088e in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1015:20
    #8 0x7c2c60fee398 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:838:15
    #9 0x7c2c60fee9b6 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:624:36
    #10 0x7c2c6100fcc1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:336:37
    #11 0x7c2c6100fcc1 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
    #12 0x7c2c61033c2f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
    #13 0x7c2c6103e8f8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #14 0x7c2c6260d0be in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #15 0x7c2c624f27a4 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
    #16 0x7c2c624f27a4 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
    #17 0x7c2c624f27a4 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
    #18 0x7c2c6b61fa09 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #19 0x7c2c6b7c0e2a in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
    #20 0x7c2c6d45871d in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:646:20
    #21 0x7c2c624f27a4 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
    #22 0x7c2c624f27a4 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
    #23 0x7c2c624f27a4 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
    #24 0x7c2c6d456bfc in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:584:34
    #25 0x6034d0481cb9 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:397:22
Flags: in-testsuite?

A debug build reports:

Assertion failure: window, at /builds/worker/checkouts/gecko/dom/cookiestore/CookieStore.cpp:641

#0 0x72b7f78292ce in operator() /builds/worker/checkouts/gecko/dom/cookiestore/CookieStore.cpp:641:13
#1 0x72b7f78292ce in mozilla::detail::RunnableFunction<mozilla::dom::CookieStore::GetInternal(mozilla::dom::CookieStoreGetOptions const&, bool, mozilla::ErrorResult&)::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:548:5
#2 0x72b7f3deefc7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:688:16
#3 0x72b7f3de6f0c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1015:20
#4 0x72b7f3de5b67 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:838:15
#5 0x72b7f3de5fe5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:624:36
#6 0x72b7f3df6766 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:336:37
#7 0x72b7f3df6766 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#8 0x72b7f3e0b57b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
#9 0x72b7f3e1225f in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#10 0x72b7f49a7515 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#11 0x72b7f48fa271 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#12 0x72b7f48fa271 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#13 0x72b7f96f64f8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#14 0x72b7f97a8d58 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
#15 0x72b7fa6927ab in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:646:20
#16 0x72b7f49a8366 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#17 0x72b7f48fa271 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#18 0x72b7f48fa271 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#19 0x72b7fa691bda in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:584:34
#20 0x654693612ffe in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:397:22

Got a crash from the testcase on latest Nightly: https://crash-stats.mozilla.org/report/index/b8dad5c7-985b-4258-adb6-bb4ba0241130#tab-details

Bisection:
Bug 1918643 - Enable cookieStore API in Nightly builds, r=smaug
Differential Revision: https://phabricator.services.mozilla.com/D222102

With dom.cookieStore.enabled = True

Bug 1475599 - part 11 - CookieStore API - Extra tests for document URLs with fragments, r=smaug

Differential Revision: https://phabricator.services.mozilla.com/D221412

Crash Signature: [@ mozilla::dom::CookieStore::GetInternal::<T>::operator() ]
Blocks: 1918643
Keywords: regression
Regressed by: 1475599

Set release status flags based on info from the regressing bug 1475599

:baku, since you are the author of the regressor, bug 1475599, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(amarchesini)
Flags: needinfo?(amarchesini)
Assignee: nobody → amarchesini
Status: NEW → ASSIGNED
Severity: -- → S3
Priority: -- → P2
Whiteboard: [necko-triaged]
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/16c36964a84b CookieStore - check the existence of the window, r=smaug
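The stacks above show the failure shape: a runnable queued from CookieStore::GetInternal runs later on the main thread, dereferences the window it captured, and finds it null (the debug build asserts on `window`, the ASan build reads from the zero page inside GetExtantDoc). The landed fix is described as checking the window's existence before use. The following is an added, self-contained C++ illustration of that pattern, not Gecko's code: `Window`, `Document`, `EventLoop`, `RunScenario` and the `Scenario`/`Outcome` enums are hypothetical stand-ins, and the URL is a constructed sample value. It shows a deferred task holding only a weak reference and re-validating both the window and its current document when it finally runs.

```cpp
#include <functional>
#include <memory>
#include <queue>
#include <string>

// Hypothetical stand-ins (not Gecko classes) for a window and its current document.
struct Document {
  std::string url;
};

struct Window {
  std::shared_ptr<Document> doc;  // becomes null once the document is torn down
  Document* GetExtantDoc() const { return doc.get(); }
};

// A minimal single-thread event loop: a dispatched task always runs strictly
// after the code that queued it, so the world may have changed by then.
class EventLoop {
 public:
  void Dispatch(std::function<void()> task) { tasks_.push(std::move(task)); }
  void RunAll() {
    while (!tasks_.empty()) {
      std::function<void()> task = std::move(tasks_.front());
      tasks_.pop();
      task();
    }
  }

 private:
  std::queue<std::function<void()>> tasks_;
};

enum class Scenario { Alive, DocumentGone, WindowGone };
enum class Outcome { Completed, Bailed };

// Queue an async "get" against the window, then optionally tear state down
// before the queued task runs. Returns how the task behaved.
Outcome RunScenario(Scenario scenario) {
  EventLoop loop;
  auto window = std::make_shared<Window>();
  window->doc = std::make_shared<Document>();
  window->doc->url = "https://example.test/";  // constructed sample value

  Outcome outcome = Outcome::Bailed;
  std::weak_ptr<Window> weakWindow = window;  // capture no strong or raw pointer

  loop.Dispatch([weakWindow, &outcome]() {
    // Re-validate everything captured: the window may have been destroyed and,
    // even if it still exists, its document may already be gone.
    std::shared_ptr<Window> win = weakWindow.lock();
    if (!win) {
      return;  // window destroyed: nothing to resolve against
    }
    Document* doc = win->GetExtantDoc();
    if (!doc) {
      return;  // window alive but document torn down
    }
    // Only now is it safe to touch the document.
    outcome = doc->url.empty() ? Outcome::Bailed : Outcome::Completed;
  });

  switch (scenario) {
    case Scenario::Alive:
      break;
    case Scenario::DocumentGone:
      window->doc.reset();  // document unloaded, window object still alive
      break;
    case Scenario::WindowGone:
      window.reset();  // last strong reference dropped: window destroyed
      break;
  }

  loop.RunAll();
  return outcome;
}

int main() {
  return RunScenario(Scenario::Alive) == Outcome::Completed ? 0 : 1;
}
```

Without the two checks inside the lambda, the `WindowGone` and `DocumentGone` scenarios would dereference null, which is exactly what a sanitizer build reports as a SEGV near address zero and a debug build reports as an assertion failure; with the checks, the task simply bails.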

Verified bug as reproducible on mozilla-central 20241203091001-924fc2b70c08.
The bug appears to have been introduced in the following build range:

Start: b98486f0aad5d732a1733ceffad17b1dc5abc552 (20240916114729)
End: 7dba2056b41df6d25944dded2ef59b143aad3bd5 (20240916132925)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=b98486f0aad5d732a1733ceffad17b1dc5abc552&tochange=7dba2056b41df6d25944dded2ef59b143aad3bd5

Whiteboard: [necko-triaged] → [necko-triaged][bugmon:bisected,confirmed]
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 135 Branch

The patch landed in nightly and beta is affected.
:baku, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox134 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(amarchesini)

CookieStore is still disabled by pref, so there is no need to uplift it.

Flags: needinfo?(amarchesini)

Unable to reproduce bug 1934330 using build mozilla-central 20240929211941-5f9981053145. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon