Closed
Bug 2040190
Opened 11 days ago
Closed 8 days ago
Null deref crash [@ nsFocusManager::GetTheFocusableArea]
Categories
(Core :: DOM: UI Events & Focus Handling, defect)
Tracking
()
RESOLVED
FIXED
153 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr140 | --- | unaffected |
| firefox151 | --- | wontfix |
| firefox152 | --- | wontfix |
| firefox153 | --- | fixed |
People
(Reporter: private.rwat, Assigned: ltenenbaum)
References
(Regression)
Details
(Keywords: regression, reporter-external)
Attachments
(2 files)
Steps to reproduce:
Open the attached poc.html.
Actual results:
The content process crashes.
Expected results:
The navigation should complete without crashing the content process.
Environment:
Ubuntu 22.04 LTS
Nightly 152.0a1 20260516211756
AddressSanitizer:DEADLYSIGNAL
=================================================================
==13431==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000068 (pc 0x771c9d51e776 bp 0x7ffe11fb4b30 sp 0x7ffe11fb4aa0 T0)
==13431==The signal is caused by a READ memory access.
==13431==Hint: address points to the zero page.
#0 0x771c9d51e776 in GetPrimaryFrame /builds/worker/checkouts/gecko/dom/base/nsIContent.h:509:46
#1 0x771c9d51e776 in nsFocusManager::GetTheFocusableArea(mozilla::dom::Element*, unsigned int) /builds/worker/workspace/obj-build/dom/base/./../../../../checkouts/gecko/dom/base/nsFocusManager.cpp:5739:30
#2 0x771c9feca455 in mozilla::dom::NavigateEvent::PotentiallyResetFocus() /builds/worker/workspace/obj-build/dom/events/./../../../../checkouts/gecko/dom/events/NavigateEvent.cpp:418:17
#3 0x771c9fec9eb0 in mozilla::dom::NavigateEvent::Finish(bool) /builds/worker/workspace/obj-build/dom/events/./../../../../checkouts/gecko/dom/events/NavigateEvent.cpp:323:3
#4 0x771ca3c46af5 in mozilla::dom::NavigationWaitForAllScope::CommitNavigateEventSuccessSteps() /builds/worker/workspace/obj-build/dom/navigation/./../../../../checkouts/gecko/dom/navigation/Navigation.cpp:739:12
#5 0x771ca3c465f7 in operator() /builds/worker/workspace/obj-build/dom/navigation/./../../../../checkouts/gecko/dom/navigation/Navigation.cpp:826:22
#6 0x771ca3c465f7 in __invoke_impl<void, (lambda at ./../../../../checkouts/gecko/dom/navigation/Navigation.cpp:821:7) &, const mozilla::Span<JS::Heap<JS::Value>, 18446744073709551615UL> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:60:14
#7 0x771ca3c465f7 in __invoke_r<void, (lambda at ./../../../../checkouts/gecko/dom/navigation/Navigation.cpp:821:7) &, const mozilla::Span<JS::Heap<JS::Value>, 18446744073709551615UL> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:110:2
#8 0x771ca3c465f7 in std::_Function_handler<void (mozilla::Span<JS::Heap<JS::Value>, 18446744073709551615ul> const&), mozilla::dom::Navigation::RunNavigateEventHandlerSteps(mozilla::dom::NavigateEvent*, mozilla::dom::NavigationAPIMethodTracker*)::$_0>::_M_invoke(std::_Any_data const&, mozilla::Span<JS::Heap<JS::Value>, 18446744073709551615ul> const&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/std_function.h:291:9
#9 0x771ca32d8169 in operator() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/std_function.h:622:14
#10 0x771ca32d8169 in operator() /builds/worker/workspace/obj-build/dom/promise/./../../../../checkouts/gecko/dom/promise/Promise.cpp:318:9
#11 0x771ca32d8169 in CallCallback<(lambda at ./../../../../checkouts/gecko/dom/promise/Promise.cpp:306:9), 0UL, 1UL> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise-inl.h:203:12
#12 0x771ca32d8169 in CallCallback<(lambda at ./../../../../checkouts/gecko/dom/promise/Promise.cpp:306:9)> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise-inl.h:211:12
#13 0x771ca32d8169 in mozilla::dom::(anonymous namespace)::NativeThenHandler<mozilla::dom::Promise::WaitForAll(nsIGlobalObject*, mozilla::Span<RefPtr<mozilla::dom::Promise>, 18446744073709551615ul> const&, std::function<void (mozilla::Span<JS::Heap<JS::Value>, 18446744073709551615ul> const&)> const&, std::function<void (JS::Handle<JS::Value>)> const&, nsISupports*)::$_0, mozilla::dom::Promise::WaitForAll(nsIGlobalObject*, mozilla::Span<RefPtr<mozilla::dom::Promise>, 18446744073709551615ul> const&, std::function<void (mozilla::Span<JS::Heap<JS::Value>, 18446744073709551615ul> const&)> const&, std::function<void (JS::Handle<JS::Value>)> const&, nsISupports*)::$_1, std::tuple<RefPtr<mozilla::dom::WaitForAllResults>, nsCOMPtr<nsISupports>>, std::tuple<>>::CallResolveCallback(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise-inl.h:182:12
#14 0x771ca32ca872 in mozilla::dom::PromiseNativeThenHandlerBase::ResolvedCallback(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/promise/./../../../../checkouts/gecko/dom/promise/Promise.cpp:366:29
#15 0x771ca32d5415 in mozilla::dom::(anonymous namespace)::PromiseNativeHandlerShim::ResolvedCallback(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/promise/./../../../../checkouts/gecko/dom/promise/Promise.cpp:543:12
#16 0x771ca32d5fd4 in mozilla::dom::NativeHandlerCallback(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dist/include/js/CallArgs.h
#17 0x771ca76e153d in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:488:13
#18 0x771ca76e153d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:584:12
#19 0x771ca76e31c4 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:651:10
#20 0x771ca76e31c4 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:683:8
#21 0x771ca6371073 in Call /builds/worker/checkouts/gecko/js/src/vm/Interpreter.h:118:10
#22 0x771ca6371073 in PromiseReactionJob /builds/worker/workspace/obj-build/js/src/builtin/./../../../../../checkouts/gecko/js/src/builtin/Promise.cpp:2577:10
#23 0x771ca6371073 in JS::RunJSMicroTask(JSContext*, JS::Handle<JSObject*>) /builds/worker/workspace/obj-build/js/src/builtin/./../../../../../checkouts/gecko/js/src/builtin/Promise.cpp:8173:12
#24 0x771c9a443970 in RunAndConsumeJSMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:247:14
#25 0x771c9a443970 in RunJSMicroTask /builds/worker/workspace/obj-build/xpcom/base/./../../../../checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:1008:33
#26 0x771c9a443970 in mozilla::RunMicroTask(JSContext*, mozilla::CycleCollectedJSContext*, JS::MutableHandle<mozilla::MustConsumeMicroTask>, bool) /builds/worker/workspace/obj-build/xpcom/base/./../../../../checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:745:3
#27 0x771c9a43f41e in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/workspace/obj-build/xpcom/base/./../../../../checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:1253:7
#28 0x771c9fe5caa5 in LeaveMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:462:7
#29 0x771c9fe5caa5 in ~nsAutoMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:645:13
#30 0x771c9fe5caa5 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/workspace/obj-build/dom/events/./../../../../checkouts/gecko/dom/events/EventListenerManager.cpp:1285:3
#31 0x771c9fe5e8f8 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/workspace/obj-build/dom/events/./../../../../checkouts/gecko/dom/events/EventListenerManager.cpp:1589:12
#32 0x771c9fe5d829 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/obj-build/dom/events/./../../../../checkouts/gecko/dom/events/EventListenerManager.cpp:1494:35
#33 0x771c9fe4647a in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:463:5
#34 0x771c9fe4647a in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/obj-build/dom/events/./../../../../checkouts/gecko/dom/events/EventDispatcher.cpp:362:17
#35 0x771c9fe43f0a in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/obj-build/dom/events/./../../../../checkouts/gecko/dom/events/EventDispatcher.cpp:603:16
#36 0x771c9fe4af56 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/obj-build/dom/events/./../../../../checkouts/gecko/dom/events/EventDispatcher.cpp:1290:11
#37 0x771c9cfa5b94 in nsGlobalWindowInner::FireFrameLoadEvent() /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:2386:5
#38 0x771c9cfa6a8a in nsGlobalWindowInner::PostHandleEvent(mozilla::EventChainPostVisitor&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:2474:5
#39 0x771c9fe44078 in PostHandleEvent /builds/worker/workspace/obj-build/dom/events/./../../../../checkouts/gecko/dom/events/EventDispatcher.cpp:484:12
#40 0x771c9fe44078 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/obj-build/dom/events/./../../../../checkouts/gecko/dom/events/EventDispatcher.cpp:607:16
#41 0x771c9fe45251 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/obj-build/dom/events/./../../../../checkouts/gecko/dom/events/EventDispatcher.cpp:684:5
#42 0x771c9fe4af56 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/obj-build/dom/events/./../../../../checkouts/gecko/dom/events/EventDispatcher.cpp:1290:11
#43 0x771ca4673860 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/obj-build/layout/base/./../../../../checkouts/gecko/layout/base/nsDocumentViewer.cpp:960:7
#44 0x771ca4f3f451 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/obj-build/docshell/base/./../../../../checkouts/gecko/docshell/base/nsDocShell.cpp:6230:13
#45 0x771ca4f3e84f in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/obj-build/docshell/base/./../../../../checkouts/gecko/docshell/base/nsDocShell.cpp:5557:7
#46 0x771ca4f400ff in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/obj-build/docshell/base/./../../../../checkouts/gecko/docshell/base/nsDocShell.cpp
#47 0x771c9ad2fd75 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/obj-build/uriloader/base/./../../../../checkouts/gecko/uriloader/base/nsDocLoader.cpp:1501:3
#48 0x771c9ad2ea75 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/obj-build/uriloader/base/./../../../../checkouts/gecko/uriloader/base/nsDocLoader.cpp:1033:14
#49 0x771c9ad2a839 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/workspace/obj-build/uriloader/base/./../../../../checkouts/gecko/uriloader/base/nsDocLoader.cpp:828:9
#50 0x771c9ad2d6b3 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/obj-build/uriloader/base/./../../../../checkouts/gecko/uriloader/base/nsDocLoader.cpp:703:5
#51 0x771ca4f625a5 in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/obj-build/docshell/base/./../../../../checkouts/gecko/docshell/base/nsDocShell.cpp:13064:23
#52 0x771c99335821 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/workspace/obj-build/netwerk/base/./../../../../checkouts/gecko/netwerk/base/nsLoadGroup.cpp:580:22
#53 0x771c99337d83 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/obj-build/netwerk/base/./../../../../checkouts/gecko/netwerk/base/nsLoadGroup.cpp:465:10
#54 0x771c9d1d2300 in DoUnblockOnload /builds/worker/workspace/obj-build/dom/base/./../../../../checkouts/gecko/dom/base/Document.cpp:12487:18
#55 0x771c9d1d2300 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/workspace/obj-build/dom/base/./../../../../checkouts/gecko/dom/base/Document.cpp:12426:7
#56 0x771c9d1fc721 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/obj-build/dom/base/./../../../../checkouts/gecko/dom/base/Document.cpp:8688:3
#57 0x771c991f3fdf in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1070:18
#58 0x771c991f3fdf in __invoke_impl<nsresult, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1069:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:60:14
#59 0x771c991f3fdf in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1069:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:95:14
#60 0x771c991f3fdf in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1069:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/tuple:1740:14
#61 0x771c991f3fdf in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1069:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/tuple:1751:14
#62 0x771c991f3fdf in apply<mozilla::Preferences, nsresult (mozilla::Preferences::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1068:12
#63 0x771c991f3fdf in mozilla::detail::RunnableMethodImpl<nsUpdateProcessor*, void (nsUpdateProcessor::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1119:13
#64 0x771c9a637dca in mozilla::RunnableTask::Run() /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/TaskController.cpp:719:16
#65 0x771c9a62cf79 in mozilla::TaskController::RunTask(mozilla::Task*) /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/TaskController.cpp:210:19
#66 0x771c9a63443d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/TaskController.cpp:1358:20
#67 0x771c9a631f18 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/TaskController.cpp:1181:15
#68 0x771c9a632536 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/TaskController.cpp:655:36
#69 0x771c9a64afc1 in operator() /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/TaskController.cpp:347:37
#70 0x771c9a64afc1 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:536:5
#71 0x771c9a66fd1c in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/nsThread.cpp:1179:16
#72 0x771c9a6790e9 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:472:10
#73 0x771c9a880039 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/obj-build/ipc/glue/./../../../../checkouts/gecko/ipc/glue/MessagePump.cpp:83:21
#74 0x771c9a782ca4 in RunInternal /builds/worker/workspace/obj-build/ipc/chromium/./../../../../checkouts/gecko/ipc/chromium/src/base/message_loop.cc:371:10
#75 0x771c9a782ca4 in RunHandler /builds/worker/workspace/obj-build/ipc/chromium/./../../../../checkouts/gecko/ipc/chromium/src/base/message_loop.cc:364:3
#76 0x771c9a782ca4 in MessageLoop::Run() /builds/worker/workspace/obj-build/ipc/chromium/./../../../../checkouts/gecko/ipc/chromium/src/base/message_loop.cc:346:3
#77 0x771ca3d34be6 in nsBaseAppShell::Run() /builds/worker/workspace/obj-build/widget/./../../../checkouts/gecko/widget/nsBaseAppShell.cpp:151:27
#78 0x771ca3f2a7bb in nsAppShell::Run() /builds/worker/workspace/obj-build/widget/gtk/./../../../../checkouts/gecko/widget/gtk/nsAppShell.cpp:575:33
#79 0x771ca603b0bd in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:652:20
#80 0x771c9a782ca4 in RunInternal /builds/worker/workspace/obj-build/ipc/chromium/./../../../../checkouts/gecko/ipc/chromium/src/base/message_loop.cc:371:10
#81 0x771c9a782ca4 in RunHandler /builds/worker/workspace/obj-build/ipc/chromium/./../../../../checkouts/gecko/ipc/chromium/src/base/message_loop.cc:364:3
#82 0x771c9a782ca4 in MessageLoop::Run() /builds/worker/workspace/obj-build/ipc/chromium/./../../../../checkouts/gecko/ipc/chromium/src/base/message_loop.cc:346:3
#83 0x771ca6039f4e in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:590:34
#84 0x5d6979b1b01a in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:466:22
#85 0x7b1cb6c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#86 0x7b1cb6c29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#87 0x5d6979a34f48 in _start (/home/test/Documents/ASan/firefox/firefox+0xc0f48) (BuildId: 9fcd4206956784dca80a0e14047440d1b303d5cf)
==13431==Register values:
rax = 0xf3f3f3f8f1f1f1f1 rbx = 0x00007ffe11fb4aa0 rcx = 0x0000000000000000 rdx = 0x0000771cb4b49ec0
rdi = 0xffffffffffffffff rsi = 0x0000000000000000 rbp = 0x00007ffe11fb4b30 rsp = 0x00007ffe11fb4aa0
r8 = 0x00000ee3969693d8 r9 = 0x00007fffffffff01 r10 = 0x00000fffc23f6901 r11 = 0x00001000423ee960
r12 = 0x000000000000000d r13 = 0x0000000000000068 r14 = 0x0000771cb4b49ec0 r15 = 0x0000000000040002
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/dom/base/nsIContent.h:509:46 in GetPrimaryFrame
==13431==ABORTING
[Parent 13319, IPC I/O Parent] WARNING: process 13431 exited with status 1: file checkouts/gecko/ipc/chromium/src/chrome/common/process_watcher_posix_sigchld.cc:155
|
||
Updated•11 days ago
|
Keywords: reporter-external
|
||
Comment 1•11 days ago
|
||
Thank you for the report. We don't consider a null deref to be a security issue. It looks like NavigateEvent::PotentiallyResetFocus() is passing null to nsFocusManager::GetTheFocusableArea or something.
Group: firefox-core-security
Component: Untriaged → DOM: UI Events & Focus Handling
Product: Firefox → Core
|
Assignee | |
Comment 2•9 days ago
|
||
Looks like we are just missing a check that the document element is not null. And the spec is missing this check too: https://github.com/whatwg/html/issues/12469
Assignee: nobody → ltenenbaum
Status: UNCONFIRMED → ASSIGNED
status-firefox151:
--- → affected
status-firefox152:
--- → affected
status-firefox153:
--- → affected
Ever confirmed: true
|
|
Assignee | |
Comment 3•9 days ago
|
||
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/60026 for changes under testing/web-platform/tests
|
||
Comment 5•8 days ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 8 days ago
Resolution: --- → FIXED
Target Milestone: --- → 153 Branch
Upstream PR merged by moz-wptsync-bot
|
||
Comment 7•7 days ago
|
||
The patch landed in nightly and beta is affected.
:ltenenbaum, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- See https://wiki.mozilla.org/Release_Management/Requesting_an_Uplift for documentation on how to request an uplift.
- If no, please set
status-firefox152towontfix.
For more information, please visit BugBot documentation.
Flags: needinfo?(ltenenbaum)
|
||
Updated•7 days ago
|
status-firefox-esr115:
--- → unaffected
status-firefox-esr140:
--- → unaffected
Keywords: regression
Regressed by: 1997917
|
|
Assignee | |
Comment 8•7 days ago
|
||
I don't think we need to uplift this to beta
Flags: needinfo?(ltenenbaum)
You need to log in
before you can comment on or make changes to this bug.
Description
•