Open Bug 1974342 Opened 9 months ago Updated 6 months ago

crash near null in [@ NavigationKey]

Categories

(Core :: DOM: Navigation, defect)

Tracking

Tracking Status
firefox142 --- affected

People

(Reporter: tsmith, Unassigned, NeedInfo)

References

(Depends on 1 open bug, Blocks 2 open bugs)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing 20250625-26b6a41d08e7 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
==63385==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000078 (pc 0x7b211745a045 bp 0x7ffed5f73f90 sp 0x7ffed5f73dc0 T0)
==63385==The signal is caused by a READ memory access.
==63385==Hint: address points to the zero page.
    #0 0x7b211745a045 in NavigationKey /builds/worker/workspace/obj-build/dist/include/mozilla/dom/SessionHistoryEntry.h:166:34
    #1 0x7b211745a045 in Key /gecko/dom/navigation/NavigationHistoryEntry.cpp:161:19
    #2 0x7b211745a045 in mozilla::dom::Navigation::UpdateEntriesForSameDocumentNavigation(mozilla::dom::SessionHistoryInfo*, mozilla::dom::NavigationType) /gecko/dom/navigation/Navigation.cpp:296:59
    #3 0x7b21186f2a71 in nsDocShell::UpdateURLAndHistory(mozilla::dom::Document*, nsIURI*, nsIStructuredCloneContainer*, mozilla::dom::NavigationHistoryBehavior, nsIURI*, bool) /gecko/docshell/base/nsDocShell.cpp:11963:17
    #4 0x7b21186f0146 in nsDocShell::AddState(JS::Handle<JS::Value>, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, JSContext*) /gecko/docshell/base/nsDocShell.cpp:11714:8
    #5 0x7b2111074286 in nsHistory::PushOrReplaceState(JSContext*, JS::Handle<JS::Value>, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::dom::CallerType, mozilla::ErrorResult&, bool) /gecko/dom/base/nsHistory.cpp:202:19
    #6 0x7b21110744d2 in nsHistory::ReplaceState(JSContext*, JS::Handle<JS::Value>, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::dom::CallerType, mozilla::ErrorResult&) /gecko/dom/base/nsHistory.cpp:164:3
    #7 0x7b211139327b in mozilla::dom::History_Binding::replaceState(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./HistoryBinding.cpp:424:24
    #8 0x7b2112a49b8f in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3306:13
    #9 0x7b211975a517 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:501:13
    #10 0x7b211975a517 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:597:12
    #11 0x7b2119778f88 in InternalCall /gecko/js/src/vm/Interpreter.cpp:664:10
    #12 0x7b2119778f88 in CallFromStack /gecko/js/src/vm/Interpreter.cpp:669:10
    #13 0x7b2119778f88 in js::Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3287:16
    #14 0x7b21197592f9 in MaybeEnterInterpreterTrampoline /gecko/js/src/vm/Interpreter.cpp:395:10
    #15 0x7b21197592f9 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:471:13
    #16 0x7b211975a68d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:629:13
    #17 0x7b211975c391 in InternalCall /gecko/js/src/vm/Interpreter.cpp:664:10
    #18 0x7b211975c391 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:696:8
    #19 0x7b211989e96a in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:119:10
    #20 0x7b2112599262 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
    #21 0x7b21138f37e7 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObjectBase::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
    #22 0x7b21138f218e in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /gecko/dom/events/JSEventHandler.cpp:200:12
    #23 0x7b21138a9b00 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /gecko/dom/events/EventListenerManager.cpp:1368:22
    #24 0x7b21138abb00 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /gecko/dom/events/EventListenerManager.cpp:1674:12
    #25 0x7b21138aaa59 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1579:35
    #26 0x7b2113892b59 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:466:5
    #27 0x7b2113892b59 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:365:17
    #28 0x7b2113890668 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:606:16
    #29 0x7b2113897526 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /gecko/dom/events/EventDispatcher.cpp:1268:11
    #30 0x7b211389edf0 in mozilla::EventDispatcher::DispatchDOMEvent(mozilla::dom::EventTarget*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /gecko/dom/events/EventDispatcher.cpp
    #31 0x7b21110882c7 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /gecko/dom/base/nsINode.cpp:1541:17
    #32 0x7b2110837b4d in nsContentUtils::DispatchEvent(mozilla::dom::Document*, mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch, mozilla::SystemGroupOnly) /gecko/dom/base/nsContentUtils.cpp:5304:29
    #33 0x7b2110837851 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*, mozilla::SystemGroupOnly) /gecko/dom/base/nsContentUtils.cpp:5269:10
    #34 0x7b2113dd7760 in mozilla::dom::HTMLMediaElement::FireEvent(nsTSubstring<char16_t> const&) /gecko/dom/html/HTMLMediaElement.cpp:6557:10
    #35 0x7b2114e2e087 in FireEvent /gecko/dom/media/utils/MediaElementEventRunners.cpp:38:33
    #36 0x7b2114e2e087 in mozilla::dom::nsAsyncEventRunner::Run() /gecko/dom/media/utils/MediaElementEventRunners.cpp:117:34
    #37 0x7b210cd5e6ca in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:703:16
    #38 0x7b210cd4c138 in mozilla::TaskController::RunTask(mozilla::Task*) /gecko/xpcom/threads/TaskController.cpp:196:19
    #39 0x7b210cd5321d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:1310:20
    #40 0x7b210cd50d58 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:1133:15
    #41 0x7b210cd51376 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:639:36
    #42 0x7b210cd6f481 in operator() /gecko/xpcom/threads/TaskController.cpp:333:37
    #43 0x7b210cd6f481 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:548:5
    #44 0x7b210cd8ea0b in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1159:16
    #45 0x7b210cd99388 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #46 0x7b210e42dfce in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
    #47 0x7b210e311e24 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:369:10
    #48 0x7b210e311e24 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:362:3
    #49 0x7b210e311e24 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:344:3
    #50 0x7b211755d656 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:148:27
    #51 0x7b211772fd9b in nsAppShell::Run() /gecko/widget/gtk/nsAppShell.cpp:471:33
    #52 0x7b211949c2cd in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:652:20
    #53 0x7b210e311e24 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:369:10
    #54 0x7b210e311e24 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:362:3
    #55 0x7b210e311e24 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:344:3
    #56 0x7b211949a89e in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:590:34
    #57 0x5a4c03a9bee1 in main /gecko/browser/app/nsBrowserApp.cpp:397:22
Flags: in-testsuite?

Unable to reproduce bug 1974342 using build mozilla-central 20250625153347-26b6a41d08e7. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

This looks like a Navigation API thingy

Severity: -- → S3
Flags: needinfo?(avandolder)
Flags: needinfo?(afarre)

Adam, can you check this out?

Flags: needinfo?(afarre)

The problem here (as in 1978184 and 1949062) is that the Navigation API spec requires that the current entry be set as long as entries and events aren't disabled, but the current check in Navigation::GetCurrentEntry is returning null instead, causing the later attempt to get the entry's key to crash.
Ultimately, we shouldn't be able to get to Navigation::UpdateEntriesForSameDocumentNavigation without a current entry, so I'll need to investigate that.

Flags: needinfo?(avandolder)
Flags: needinfo?(avandolder)
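The invariant described in the comment above, shown as an added example that is not Gecko code and not part of this bug: a hypothetical history-entry accessor that can return null although the spec says a current entry must exist, the unchecked caller that dereferences it (the pattern behind a fault at an address such as 0x78, i.e. a field offset added to a null pointer), and a hardened caller that checks the invariant first. All type and function names here are stand-ins chosen for illustration; the small triage helper at the end only encodes the "address in the zero page means null dereference" reading that the ASan hint gives.

```cpp
#include <cstdint>
#include <optional>
#include <string>

// Hypothetical stand-ins for the real Gecko types; they model only the shape
// of the bug described in the comment, not the actual classes.
struct HistoryEntry {
  std::string key;  // the "navigation key" that the crashing frame reads
};

struct NavigationState {
  bool entriesAndEventsDisabled;   // per spec, current entry may be null only when true
  const HistoryEntry* currentEntry;
};

// Models the faulty accessor: it can hand back null even when entries and
// events are enabled, which is the invariant violation the comment describes.
const HistoryEntry* GetCurrentEntry(const NavigationState& nav) {
  return nav.currentEntry;
}

// Unchecked caller, as in the crashing frame: dereferences the entry without
// confirming it exists. With a null entry this reads near address 0.
// (Kept for illustration only; not exercised.)
std::string KeyOfCurrentEntryUnchecked(const NavigationState& nav) {
  return GetCurrentEntry(nav)->key;
}

// Hardened caller: enforce the spec invariant at the call site and report a
// violation instead of dereferencing null. In a real code base this is the
// place for a diagnostic assertion plus an early return.
std::optional<std::string> KeyOfCurrentEntryChecked(const NavigationState& nav) {
  const HistoryEntry* entry = GetCurrentEntry(nav);
  if (!entry) {
    return std::nullopt;  // invariant violated: no current entry although entries are enabled
  }
  return entry->key;
}

// Triage helper: an ASan SEGV whose faulting address lies inside the first
// page (0x78 in the report above) is consistent with a null pointer plus a
// field offset, i.e. a null dereference rather than a wild pointer.
bool IsNearNullFault(std::uintptr_t faultAddress, std::uintptr_t pageSize = 4096) {
  return faultAddress < pageSize;
}
```

The checked variant returns an empty result so a caller can bail out of the same-document navigation update instead of reading the key from a null entry; in a debug build one would additionally assert, since reaching that point with no current entry is the real defect.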

This seems to be the same as bug 1988713 now. With current main I get the same crash report, and I can only repro if dom.navigation.api.strict.enabled is set.

Depends on: 1988713