Closed
Bug 1788368
Opened 3 years ago
Closed 3 years ago
src/dom/file/ipc/RemoteLazyInputStreamChild.cpp:32:41: runtime error: member call on null pointer of type 'mozilla::RemoteLazyInputStreamThread'
Categories
(Core :: DOM: File, defect, P3)
Core
DOM: File
Tracking
()
RESOLVED
FIXED
106 Branch
| Tracking | Status | |
|---|---|---|
| firefox106 | --- | fixed |
People
(Reporter: tsmith, Assigned: jstutte)
References
(Blocks 2 open bugs)
Details
(Keywords: csectype-undefined, testcase)
Attachments
(2 files)
This was found by enabling the null check in UBSan and fuzzing.
To enable this check add the following to your mozconfig:
ac_add_options --enable-undefined-sanitizer="null"
src/dom/file/ipc/RemoteLazyInputStreamChild.cpp:32:41: runtime error: member call on null pointer of type 'mozilla::RemoteLazyInputStreamThread'
#0 0x7f12da417c53 in mozilla::RemoteLazyInputStreamChild::StreamConsumed() src/dom/file/ipc/RemoteLazyInputStreamChild.cpp:32:41
#1 0x7f12da418712 in mozilla::RemoteLazyInputStream::Close() src/dom/file/ipc/RemoteLazyInputStream.cpp:475:12
#2 0x7f12da417d9c in mozilla::RemoteLazyInputStream::~RemoteLazyInputStream() src/dom/file/ipc/RemoteLazyInputStream.cpp:263:51
#3 0x7f12da413e5b in mozilla::RemoteLazyInputStream::Release() src/dom/file/ipc/RemoteLazyInputStream.cpp:119:1
#4 0x7f12d465248c in nsCOMPtr_base::~nsCOMPtr_base() src/objdir-ff-ubsan/dist/include/nsCOMPtr.h:328:7
#5 0x7f12d465248c in nsMIMEInputStream::~nsMIMEInputStream() src/netwerk/base/nsMIMEInputStream.cpp:41:40
#6 0x7f12d465251d in nsMIMEInputStream::~nsMIMEInputStream() src/netwerk/base/nsMIMEInputStream.cpp:41:40
#7 0x7f12d4612a05 in nsMIMEInputStream::Release() src/netwerk/base/nsMIMEInputStream.cpp:92:1
#8 0x7f12d55915a5 in nsCOMPtr_base::~nsCOMPtr_base() src/objdir-ff-ubsan/dist/include/nsCOMPtr.h:328:7
#9 0x7f12d55915a5 in mozilla::dom::SessionHistoryInfo::~SessionHistoryInfo() src/objdir-ff-ubsan/dist/include/mozilla/dom/SessionHistoryEntry.h:40:7
#10 0x7f12e14d77a1 in mozilla::DefaultDelete<mozilla::dom::SessionHistoryInfo>::operator()(mozilla::dom::SessionHistoryInfo*) const src/objdir-ff-ubsan/dist/include/mozilla/UniquePtr.h:459:5
#11 0x7f12e14d77a1 in mozilla::UniquePtr<mozilla::dom::SessionHistoryInfo, mozilla::DefaultDelete<mozilla::dom::SessionHistoryInfo> >::reset(mozilla::dom::SessionHistoryInfo*) src/objdir-ff-ubsan/dist/include/mozilla/UniquePtr.h:301:7
#12 0x7f12e13b12f3 in mozilla::UniquePtr<mozilla::dom::SessionHistoryInfo, mozilla::DefaultDelete<mozilla::dom::SessionHistoryInfo> >::~UniquePtr() src/objdir-ff-ubsan/dist/include/mozilla/UniquePtr.h:249:18
#13 0x7f12e13b12f3 in nsDocShell::~nsDocShell() src/docshell/base/nsDocShell.cpp:450:1
#14 0x7f12e13b283d in nsDocShell::~nsDocShell() src/docshell/base/nsDocShell.cpp:413:27
#15 0x7f12d607faad in nsDocLoader::DeleteCycleCollectable() src/uriloader/base/nsDocLoader.cpp:194:1
#16 0x7f12d6095594 in nsDocLoader::cycleCollection::DeleteCycleCollectable(void*) src/objdir-ff-ubsan/dist/include/nsDocLoader.h:76:3
#17 0x7f12d407161d in SnowWhiteKiller::MaybeKillObject(SnowWhiteKiller::SnowWhiteObject&) src/xpcom/base/nsCycleCollector.cpp:2419:29
#18 0x7f12d4065f82 in SnowWhiteKiller::~SnowWhiteKiller() src/xpcom/base/nsCycleCollector.cpp:2406:7
#19 0x7f12d404da2e in nsCycleCollector::FreeSnowWhite(bool) src/xpcom/base/nsCycleCollector.cpp:2596:3
#20 0x7f12d4053a82 in nsCycleCollector::BeginCollection(mozilla::CCReason, ccIsManual, nsICycleCollectorListener*) src/xpcom/base/nsCycleCollector.cpp:3585:3
#21 0x7f12d405326c in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) src/xpcom/base/nsCycleCollector.cpp:3412:9
#22 0x7f12d4052d6b in nsCycleCollector::ShutdownCollect() src/xpcom/base/nsCycleCollector.cpp:3351:20
#23 0x7f12d4054656 in nsCycleCollector::Shutdown(bool) src/xpcom/base/nsCycleCollector.cpp:3647:5
#24 0x7f12d4056121 in nsCycleCollector_shutdown(bool) src/xpcom/base/nsCycleCollector.cpp:3971:18
#25 0x7f12d42e140e in mozilla::ShutdownXPCOM(nsIServiceManager*) src/xpcom/build/XPCOMInit.cpp:679:3
#26 0x7f12d42e0c40 in NS_ShutdownXPCOM src/xpcom/build/XPCOMInit.cpp:551:10
#27 0x7f12e236c365 in XRE_TermEmbedding() src/toolkit/xre/nsEmbedFunctions.cpp:224:3
#28 0x7f12d5b0e651 in mozilla::ipc::ScopedXREEmbed::Stop() src/ipc/glue/ScopedXREEmbed.cpp:90:5
#29 0x7f12dc3665b7 in mozilla::dom::ContentProcess::CleanUp() src/dom/ipc/ContentProcess.cpp:180:44
#30 0x7f12e236ce50 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:743:16
#31 0x7f12e2384330 in mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/Bootstrap.cpp:67:12
#32 0x5617be2565d2 in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#33 0x5617be2569ca in main src/browser/app/nsBrowserApp.cpp:362:18
#34 0x7f1300c59c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#35 0x5617be1969a8 in _start (src/objdir-ff-ubsan/dist/bin/firefox+0x1139a8) (BuildId: 81837adcbd3853b2c018c872007b6ecb03b6a8f8)
|
Reporter | |
Comment 1•3 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/vZ0XCGN5WqbkegMPUE4_hQ/index.html
|
Assignee | |
Comment 2•3 years ago
|
||
|
||
Updated•3 years ago
|
Assignee: nobody → jstutte
Status: NEW → ASSIGNED
|
||
Updated•3 years ago
|
Severity: -- → S3
Priority: -- → P3
Pushed by jstutte@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2e167b814a90
Audit RemoteLazyInputStreamThread singleton uses. r=dom-storage-reviewers,asuth
|
||
Comment 4•3 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch
|
|
Assignee | |
Updated•3 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•