Closed Bug 1964075 Opened 17 days ago Closed 11 days ago

Crash [@ nsIGlobalObject::GetAsInnerWindow]

Categories

(Core :: DOM: postMessage, defect)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
140 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox138 --- unaffected
firefox139 --- unaffected
firefox140 --- verified

People

(Reporter: jkratzer, Assigned: smaug, NeedInfo)

References

(Blocks 1 open bug)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev 89751afb4f7c (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 89751afb4f7c --asan --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
[@ nsIGlobalObject::GetAsInnerWindow]

    =================================================================
    ==717900==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000041 (pc 0x7fffd85059f3 bp 0x7fffafb00370 sp 0x7fffafb00360 T29)
    ==717900==The signal is caused by a READ memory access.
    ==717900==Hint: address points to the zero page.
        #0 0x7fffd85059f3 in nsIGlobalObject::GetAsInnerWindow() /dom/base/nsIGlobalObject.cpp:337:7
        #1 0x7fffdad3c41f in mozilla::dom::Event::PreventDefaultInternal(bool, nsIPrincipal*) /dom/events/Event.cpp:465:43
        #2 0x7fffd9b79e0a in mozilla::dom::Event_Binding::set_returnValue(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/./EventBinding.cpp:577:24
        #3 0x7fffd9ebfb13 in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3250:8
        #4 0x7fffe0a4f297 in CallJSNative /js/src/vm/Interpreter.cpp:494:13
        #5 0x7fffe0a4f297 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:590:12
        #6 0x7fffe0a51111 in InternalCall /js/src/vm/Interpreter.cpp:657:10
        #7 0x7fffe0a51111 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:689:8
        #8 0x7fffe0a53141 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /js/src/vm/Interpreter.cpp:820:10
        #9 0x7fffe0d96a6d in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, js::PropertyResult const&, JS::ObjectOpResult&) /js/src/vm/NativeObject.cpp:2649:8
        #10 0x7fffe0d94228 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /js/src/vm/NativeObject.cpp:2684:14
        #11 0x7fffe1b16938 in js::jit::DoSetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, JS::Value*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /js/src/jit/BaselineIC.cpp:1519:10
        #12 0x32d7ff24818a  ([anon:js-executable-memory]+0x1318a)
    
    ==717900==Register values:
    rax = 0x0000000000000000  rbx = 0x0000000000000000  rcx = 0x0000000000000000  rdx = 0x0000000000000000  
    rdi = 0x0000000000000041  rsi = 0x000050e0000c75e8  rbp = 0x00007fffafb00370  rsp = 0x00007fffafb00360  
     r8 = 0x00007fffffffff01   r9 = 0x0000000000001f01  r10 = 0x000051e00003fc01  r11 = 0x00007fffaeed7770  
    r12 = 0x00000a1c00018eba  r13 = 0x00000ffff5db1f10  r14 = 0x00007fffaed8f880  r15 = 0x000050e0000c75d0  
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /dom/base/nsIGlobalObject.cpp:337:7 in nsIGlobalObject::GetAsInnerWindow()
    Thread T29 created by T0 (Isolated Servic) here:
        #0 0x5555556ad611 in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:250:3
        #1 0x7ffff73dc2b9 in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:429:10
        #2 0x7ffff73ca4fe in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:496:10
        #3 0x7fffd42839f1 in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:615:20
        #4 0x7fffdde93a93 in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /dom/workers/WorkerThread.cpp:97:7
        #5 0x7fffdde00d67 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /dom/workers/RuntimeService.cpp:1376:37
        #6 0x7fffdddffa73 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /dom/workers/RuntimeService.cpp:1259:19
        #7 0x7fffdde595c4 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, mozilla::dom::RequestCredentials, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>, std::function<void (bool)>&&, std::function<void ()>&&, mozilla::ipc::Endpoint<mozilla::dom::PRemoteWorkerNonLifeCycleOpControllerChild>&&) /dom/workers/WorkerPrivate.cpp:3165:24
        #8 0x7fffddea828b in mozilla::dom::RemoteWorkerChild::ExecWorkerOnMainThread(mozilla::dom::RemoteWorkerData&&, mozilla::ipc::Endpoint<mozilla::dom::PRemoteWorkerNonLifeCycleOpControllerChild>&&) /dom/workers/remoteworkers/RemoteWorkerChild.cpp:366:41
        #9 0x7fffddec7d7e in operator() /dom/workers/remoteworkers/RemoteWorkerChild.cpp:207:19
        #10 0x7fffddec7d7e in mozilla::detail::RunnableFunction<mozilla::dom::RemoteWorkerChild::ExecWorker(mozilla::dom::RemoteWorkerData const&, mozilla::ipc::Endpoint<mozilla::dom::PRemoteWorkerNonLifeCycleOpControllerChild>&&)::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:548:5
        #11 0x7fffd4257a5a in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:703:16
        #12 0x7fffd4245b88 in mozilla::TaskController::RunTask(mozilla::Task*) /xpcom/threads/TaskController.cpp:196:19
        #13 0x7fffd424cc6d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1252:20
        #14 0x7fffd424a7a8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1075:15
        #15 0x7fffd424adc6 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:639:36
        #16 0x7fffd4268811 in operator() /xpcom/threads/TaskController.cpp:333:37
        #17 0x7fffd4268811 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
        #18 0x7fffd4287e0b in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1159:16
        #19 0x7fffd4292788 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #20 0x7fffd58f8f9e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #21 0x7fffd57df7d4 in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #22 0x7fffd57df7d4 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #23 0x7fffd57df7d4 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #24 0x7fffde859e16 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #25 0x7fffdea348eb in nsAppShell::Run() /widget/gtk/nsAppShell.cpp:539:33
        #26 0x7fffe079650d in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:654:20
        #27 0x7fffd57df7d4 in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #28 0x7fffd57df7d4 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #29 0x7fffd57df7d4 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #30 0x7fffe0794ade in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:592:34
        #31 0x55555570a731 in main /browser/app/nsBrowserApp.cpp:397:22
        #32 0x7ffff79fb1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #33 0x7ffff79fb28a in __libc_start_main csu/../csu/libc-start.c:360:3
        #34 0x55555562a4d8 in _start (/home/jkratzer/builds/m-c-20250502021650-fuzzing-asan-opt/firefox+0xd64d8) (BuildId: 4c23a974d83092640643d188db543165f7fffc55)
    
    ==717900==ABORTING
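An added triage helper, not part of this bug or of Mozilla's tooling, that parses an AddressSanitizer SEGV report like the one above into the `[@ frame]` signature form used in this bug's title and flags near-null dereferences. The report excerpt is constructed from the frames shown above; the regexes and the `0x1000` near-null threshold are assumptions of this example.

```python
import re

# Constructed excerpt mirroring the AddressSanitizer report in this bug (trimmed to four frames).
ASAN_REPORT = """\
==717900==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000041 (pc 0x7fffd85059f3 bp 0x7fffafb00370 sp 0x7fffafb00360 T29)
==717900==The signal is caused by a READ memory access.
==717900==Hint: address points to the zero page.
    #0 0x7fffd85059f3 in nsIGlobalObject::GetAsInnerWindow() /dom/base/nsIGlobalObject.cpp:337:7
    #1 0x7fffdad3c41f in mozilla::dom::Event::PreventDefaultInternal(bool, nsIPrincipal*) /dom/events/Event.cpp:465:43
    #2 0x7fffd9b79e0a in mozilla::dom::Event_Binding::set_returnValue(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/./EventBinding.cpp:577:24
    #3 0x7fffd9ebfb13 in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3250:8
"""

HEADER_RE = re.compile(r"AddressSanitizer: (?P<kind>[A-Za-z-]+) on unknown address 0x(?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access")
# A symbolized frame: "#N 0xADDR in <function text> <file:line:col>"; the location is the last token.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+)$", re.M)

def strip_signature(func):
    """Reduce frame text to 'Namespace::Func<...>' by dropping the parameter list and any leading return type."""
    name = func.split("(", 1)[0]
    return name.rsplit(" ", 1)[-1]

def triage(report, depth=1):
    """Summarize an ASan SEGV report: fault kind, address class, access type, and a crash signature."""
    header = HEADER_RE.search(report)
    if not header:
        return None
    addr = int(header.group("addr"), 16)
    access = ACCESS_RE.search(report)
    frames = [(strip_signature(f.group("func")), f.group("loc")) for f in FRAME_RE.finditer(report)]
    return {
        "kind": header.group("kind"),
        "address": addr,
        "access": access.group("access") if access else None,
        # Faults in the first page are null (or null-plus-small-offset) dereferences rather than wild pointers;
        # here the register dump shows rdi (the `this` argument) equal to the fault address 0x41.
        "near_null": addr < 0x1000,
        "signature": "[@ " + " | ".join(f for f, _ in frames[:depth]) + "]",
        "top_frame": frames[0] if frames else None,
        "caller": frames[1][0] if len(frames) > 1 else None,
    }

if __name__ == "__main__":
    print(triage(ASAN_REPORT))
```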
Attached file Testcase
Attachment #9485064 - Attachment filename: testcase.undefined → testcase.zip

Verified bug as reproducible on mozilla-central 20250502094430-5b5bd7e73009.
The bug appears to have been introduced in the following build range:

Start: ba56f7ee55792aaf974891449b64ace32bc9e1b8 (20250428211601)
End: 5eaadf8976dc85eef81277d3924998e9298a6aa0 (20250428153355)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ba56f7ee55792aaf974891449b64ace32bc9e1b8&tochange=5eaadf8976dc85eef81277d3924998e9298a6aa0

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

This bug has been marked as a regression. Setting status flag for Nightly to affected.

I'm unsure of the regression based on the pushlog in Comment 2. Though for sure it's in Fx140+.
:mgaudet, you had a couple of patches mentioned in the pushlog, is it one of them?

I do have things in that range, but nothing looks particularly relevant...

Flags: needinfo?(mgaudet)

Sorry, it's unclear which patch in the pushlog in Comment 2 is the regressor.
:jjaschke, there is also Bug 1959959? If not, then any idea which patch could be the regressor?

Flags: needinfo?(jjaschke)

Bug 1959959 should be pref'd off. I doubt that it's responsible, but I'll take a look later.

Flags: needinfo?(jjaschke)

Tentatively S2 given it's a new crash regression. We can adjust if we know more.

Severity: -- → S2

The test case implies something around Service Workers. Definitely not Navigation API, so Bug 1959959 can't be it.
Bug 1962477 seems to deal with service workers. Matthew, could you take a look?

Flags: needinfo?(mgaudet)

This looks obvious.

Assignee: nobody → smaug
Component: DOM: Events → DOM: postMessage
Flags: needinfo?(mgaudet)

Regression range is bogus and so is crashdata signature, or it captures many unrelated issues.

Pushed by opettay@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a824a67bfa49 use the correct EventTarget when creating a MessageEvent, r=baku
Status: NEW → RESOLVED
Closed: 11 days ago
Resolution: --- → FIXED
Target Milestone: --- → 140 Branch

Based on comment #2, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:smaug, if possible, could you fill the Regressed by field?

For more information, please visit BugBot documentation.

Flags: needinfo?(smaug)

Bug appears to be fixed on mozilla-central 20250508092440-abe9dfdecc4f but BugMon was unable to find a usable build for 89751afb4f7c.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
