Testcase found while fuzzing mozilla-central rev d734e6acf777. Testcase must be served by a local webserver in order to reproduce. ================================================================= ==20888==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f42119573be bp 0x7ffe8e682990 sp 0x7ffe8e682880 T0) ==20888==The signal is caused by a READ memory access. ==20888==Hint: address points to the zero page. #0 0x7f42119573bd in mozilla::dom::AudioNode::AudioNode(mozilla::dom::AudioContext*, unsigned int, mozilla::dom::ChannelCountMode, mozilla::dom::ChannelInterpretation) /builds/worker/workspace/build/src/dom/media/webaudio/AudioNode.cpp:57:53 #1 0x7f4211967d2d in mozilla::dom::AudioScheduledSourceNode::AudioScheduledSourceNode(mozilla::dom::AudioContext*, unsigned int, mozilla::dom::ChannelCountMode, mozilla::dom::ChannelInterpretation) /builds/worker/workspace/build/src/dom/media/webaudio/AudioScheduledSourceNode.cpp:17:5 #2 0x7f42119b9f9e in mozilla::dom::ConstantSourceNode::ConstantSourceNode(mozilla::dom::AudioContext*) /builds/worker/workspace/build/src/dom/media/webaudio/ConstantSourceNode.cpp:148:5 #3 0x7f42119bae61 in mozilla::dom::ConstantSourceNode::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::AudioContext&, mozilla::dom::ConstantSourceOptions const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/media/webaudio/ConstantSourceNode.cpp:195:43 #4 0x7f42103a1629 in mozilla::dom::ConstantSourceNodeBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/ConstantSourceNodeBinding.cpp:345:64 #5 0x7f42170302bd in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15 #6 0x7f42170302bd in CallJSNativeConstructor /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:324 #7 0x7f42170302bd in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:580 #8 0x7f421701992e in ConstructFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:606:12 #9 0x7f421701992e in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3059 #10 0x7f42170015fa in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12 #11 0x7f4217031bc6 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:706:15 #12 0x7f4217032402 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:738:12 #13 0x7f4217a86029 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4709:12 #14 0x7f420efc9809 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:268:8 #15 0x7f42126ec973 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2255:25 #16 0x7f42126e7db6 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1895:10 #17 0x7f42126cb8ca in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1596:10 #18 0x7f42126c7db8 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:147:18 #19 0x7f420dee752f in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:231:18 #20 0x7f420dee752f in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:700 #21 0x7f420dee1684 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:501:7 #22 0x7f420deebb0f in nsHtml5ExecutorReflusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:55:18 #23 0x7f420c0efe86 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14 #24 0x7f420c10a348 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10 #25 0x7f420cedb011 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21 #26 0x7f420ce3b54b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10 #27 0x7f420ce3b54b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319 #28 0x7f420ce3b54b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299 #29 0x7f421284eabf in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27 #30 0x7f4216b81ec1 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30 #31 0x7f4216d7854b in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4686:22 #32 0x7f4216d7a115 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4848:8 #33 0x7f4216d7b4c6 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4943:21 #34 0x4ec4ec in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22 #35 0x4ec4ec in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304 #36 0x7f422a14f82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291 #37 0x41dbc8 in _start (/home/forb1dden/builds/mc-asan/firefox+0x41dbc8)

The line was introduced in https://hg.mozilla.org/mozilla-central/rev/02e5708a75fcdd9e8e4b065995f00b29896fb4b5#l16.12

Comment on attachment 8923497 [details] Bug 1412184 - Set the main thread after BindToOwner in AudioNode ctor. https://reviewboard.mozilla.org/r/194642/#review199672 Please verify the code using AbstractMainThread() can deal with nullptr, and fix if needed, or explain why it is safe. And rename AbstractMainThread(). ::: dom/media/webaudio/AudioNode.cpp:63 (Diff revision 1) > { > MOZ_ASSERT(aContext); > DOMEventTargetHelper::BindToOwner(aContext->GetParentObject()); > + > + if (aContext->GetOwnerGlobal()) { > + mAbstractMainThread = So AbstractMainThread() should be called GetAbstractMainThread(), since it may return null. http://searchfox.org/mozilla-central/rev/1ebd2eff44617df3b82eea7d2f3ca1b60cc591a0/dom/media/webaudio/AudioNode.h#230 And I'm having hard time to see what guarantees the code using AbstractMainThread() can deal with nullptr