Closed Bug 2007139 Opened 3 months ago Closed 3 months ago

Crash [@ nsIGlobalObject::GetAsInnerWindow]

Categories
Core :: Graphics: Canvas2D, defect, P3
Platform: x86_64 Linux
Type: defect

Tracking
Status: VERIFIED FIXED
Target Milestone: 148 Branch
Tracking Status
firefox-esr140 --- unaffected
firefox146 --- unaffected
firefox147 --- unaffected
firefox148 --- verified

People
Reporter: jkratzer, Assigned: timhuang

References
Blocks 1 open bug, Regression

Details
Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed]

Attachments
2 files

Testcase found while fuzzing mozilla-central rev 5223c4218ee6 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework pipx --upgrade
$ python -m pipx ensurepath
$ fuzzfetch --build 5223c4218ee6 --debug --fuzzing  -n firefox
$ grizzly-replay-bugzilla ./firefox/firefox <bugid>
[@ nsIGlobalObject::GetAsInnerWindow]

    ==428225==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000041 (pc 0x7993e427504a bp 0x7ffe78c4fe70 sp 0x7ffe78c4fe70 T428225)
    ==428225==The signal is caused by a READ memory access.
    ==428225==Hint: address points to the zero page.
        #0 0x7993e427504a in nsIGlobalObject::GetAsInnerWindow() /dom/base/nsIGlobalObject.cpp:337:7
        #1 0x7993e574b74a in nsICanvasRenderingContextInternal::RecordCanvasUsage(mozilla::CanvasExtractionAPI, mozilla::gfx::IntSizeTyped<mozilla::CSSPixel>) const /dom/canvas/nsICanvasRenderingContextInternal.cpp:105:51
        #2 0x7993e559d61f in mozilla::dom::CanvasRenderingContext2D::GetImageData(JSContext*, int, int, int, int, nsIPrincipal&, mozilla::ErrorResult&) /dom/canvas/CanvasRenderingContext2D.cpp:6521:3
        #3 0x7993e47ee67c in mozilla::dom::OffscreenCanvasRenderingContext2D_Binding::getImageData(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./OffscreenCanvasRenderingContext2DBinding.cpp:1932:76
        #4 0x7993e5469cdd in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3306:13
        #5 0x7993e8effbd4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:490:13
        #6 0x7993e8eff42f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:586:12
        #7 0x7993e9a86363 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /js/src/jit/BaselineIC.cpp:1698:10
        #8 0x12cd3f32bc5e  ([anon:js-executable-memory]+0xbc5e)
    
    ==428225==Register values:
    rax = 0x00005f4915f19a00  rbx = 0x00005f4915f21af0  rcx = 0xaca45ea725d8e600  rdx = 0x00007993f3233eb0
    rdi = 0x0000000000000000  rsi = 0x0000000000000000  rbp = 0x00007ffe78c4fe70  rsp = 0x00007ffe78c4fe70
     r8 = 0x0000000031f768c8   r9 = 0x00005f4915f21af0  r10 = 0x00007993edd9f7d0  r11 = 0x0000000000000000
    r12 = 0x0000000000000200  r13 = 0x0000000000000000  r14 = 0x000002000000007f  r15 = 0x0000000000000002
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV (/home/jkratzer/builds/m-c-20251218095601-fuzzing-debug/libxul.so+0x680804a) (BuildId: 6806a0a14b9a7a0a7bcbaaf61ff27a9b925f48a2)
    ==428225==ABORTING
Attached file Testcase

Verified bug as reproducible on mozilla-central 20251219215852-0ea2a2b8832c.
The bug appears to have been introduced in the following build range:

Start: f68fffd32b20688a48df1ef5a7232f19284ca613 (20251214093341)
End: a820a22bd5f629f07e2b6cbf3cdcbed7c4bea2f7 (20251214165952)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f68fffd32b20688a48df1ef5a7232f19284ca613&tochange=a820a22bd5f629f07e2b6cbf3cdcbed7c4bea2f7

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Setting Regressed by field after analyzing regression range found by bugmon in comment #2.

Regressed by: 2005748

Set release status flags based on info from the regressing bug 2005748

:baku, since you are the author of the regressor, bug 2005748, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Severity: -- → S2
Priority: -- → P1

This is a null pointer deref because GetOwnerGlobal() returns null and GetAsInnerWindow() is then called on that null pointer.

Severity: S2 → S3
Priority: P1 → P3

Bug 2005748 is completely unrelated to this crash. Note that the cookieStore API is not used in the testcase. The crash is probably related to bug 1873716.

Flags: needinfo?(amarchesini)

:timhuang, could you take a look at comment 6?
:tjr is out until April; you reviewed the patches under bug 1873716.

Flags: needinfo?(tihuang)
Assignee: nobody → tihuang
Status: NEW → ASSIGNED
Flags: needinfo?(tihuang)
Pushed by tihuang@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/d95936a3127e
https://hg.mozilla.org/integration/autoland/rev/c2daec01603b
Check the existence of the owner global before accessing in nsICanvasRenderingContextInternal::RecordCanvasUsage() for the offscreen canvas case. r=gfx-reviewers,lsalzman
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 148 Branch
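As an added illustration (not Firefox code; the types below are hypothetical mocks named after the frames in the stack trace), this C++ sketch shows the shape of the null dereference described in comment 5 beside the shape of the owner-global check that the landing commit message describes, and exercises the window-owned, worker-owned and ownerless offscreen cases so the difference between the two versions is visible:

```cpp
#include <cstdint>
#include <iostream>

// Hypothetical stand-ins for the objects named in the stack trace. This is a
// mock written to illustrate the bug's shape; it is NOT Firefox's nsIGlobalObject
// or nsICanvasRenderingContextInternal.
struct InnerWindow {
    uint64_t canvasReadbacks = 0;  // constructed usage counter
};

struct GlobalObject {
    InnerWindow* inner = nullptr;  // null when the global is not a window (e.g. a worker)
    InnerWindow* GetAsInnerWindow() { return inner; }
};

struct CanvasContext {
    GlobalObject* ownerGlobal = nullptr;  // null for an offscreen canvas with no owner global
    GlobalObject* GetOwnerGlobal() const { return ownerGlobal; }
};

// Shape of the crash in comment 5: the owner global is used without a null
// check, so a context with no owner global dereferences null (a SEGV on a
// zero-page address like 0x41 is consistent with reading a field at a small
// offset from nullptr). Only call this with a non-null owner global; it is
// here purely for side-by-side comparison.
bool RecordCanvasUsageUnchecked(const CanvasContext& ctx) {
    InnerWindow* win = ctx.GetOwnerGlobal()->GetAsInnerWindow();  // crashes if GetOwnerGlobal() == nullptr
    if (!win) return false;
    ++win->canvasReadbacks;
    return true;
}

// Shape of the fix: confirm the owner global exists before touching it and
// bail out quietly for the offscreen case.
bool RecordCanvasUsageChecked(const CanvasContext& ctx) {
    GlobalObject* global = ctx.GetOwnerGlobal();
    if (!global) return false;          // offscreen canvas: nothing to record
    InnerWindow* win = global->GetAsInnerWindow();
    if (!win) return false;             // owner is a worker-like global, not a window
    ++win->canvasReadbacks;
    return true;
}

// Drives three constructed scenarios: a window-owned context, a worker-owned
// context, and an offscreen context with no owner at all. Returns the number of
// readbacks recorded against the window; the out-params report whether the
// checked version declined the two ownerless/non-window cases without crashing.
uint64_t RunScenarios(bool& offscreenHandled, bool& workerHandled) {
    InnerWindow win;
    GlobalObject windowGlobal{&win};
    GlobalObject workerGlobal{nullptr};

    CanvasContext onscreen{&windowGlobal};
    CanvasContext workerOwned{&workerGlobal};
    CanvasContext offscreen{nullptr};

    RecordCanvasUsageUnchecked(onscreen);  // safe: owner global present
    RecordCanvasUsageChecked(onscreen);
    workerHandled = !RecordCanvasUsageChecked(workerOwned);
    offscreenHandled = !RecordCanvasUsageChecked(offscreen);  // would SEGV in the unchecked version
    return win.canvasReadbacks;
}

int main() {
    bool offscreenHandled = false, workerHandled = false;
    uint64_t count = RunScenarios(offscreenHandled, workerHandled);
    std::cout << "window readbacks=" << count
              << " offscreen handled=" << offscreenHandled
              << " worker handled=" << workerHandled << '\n';
    return (count == 2 && offscreenHandled && workerHandled) ? 0 : 1;
}
```

The point of the two-step check is that there are two distinct ways to end up with nothing to record: the context may have no owner global at all (the offscreen case the fix targets), or the owner global may exist but not be a window. Only the first was missing a guard in the crashing frame, so a fix that checks the global's existence first lets the existing inner-window check do its job.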

Verified bug as fixed on rev mozilla-central 20251231225543-810549a5947f.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon