Closed Bug 1757188 Opened 2 years ago Closed 2 years ago

Crash when creating an EventSource in xpcshell

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
100 Branch
Tracking Status
firefox100 --- fixed

People

(Reporter: jkratzer, Assigned: jkratzer)

References

(Blocks 1 open bug)

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev b21fa00b5f33 (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch
$ python -m fuzzfetch --build b21fa00b5f33 --asan --fuzzing -n firefox
$ ./firefox/firefox -xpcshell -e "new EventSource('a')"

This is due to a missing null check in the EventSource constructor.

[@ get]

    ==2532==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000f0 (pc 0x7f30036f546b bp 0x7ffc35cd5dd0 sp 0x7ffc35cd5ba0 T0)
    ==2532==The signal is caused by a READ memory access.
    ==2532==Hint: address points to the zero page.
    SCARINESS: 10 (null-deref)
        #0 0x7f30036f546b in get /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:851:48
        #1 0x7f30036f546b in operator nsICookieJarSettings * /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:859:33
        #2 0x7f30036f546b in CookieJarSettings /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WorkerPrivate.h:842:12
        #3 0x7f30036f546b in mozilla::dom::EventSource::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::EventSourceInit const&, mozilla::ErrorResult&) /dom/base/EventSource.cpp:1989:40
        #4 0x7f30051d786c in mozilla::dom::EventSource_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/EventSourceBinding.cpp:712:57
        #5 0x7f300d18b8f5 in CallJSNative /js/src/vm/Interpreter.cpp:425:13
        #6 0x7f300d18b8f5 in CallJSNativeConstructor /js/src/vm/Interpreter.cpp:441:8
        #7 0x7f300d18b8f5 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /js/src/vm/Interpreter.cpp:636:10
        #8 0x7f300d174f8f in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3299:16
        #9 0x7f300d159de1 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:394:13
        #10 0x7f300d18cb63 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:767:13
        #11 0x7f300d247732 in ExecuteInExtensibleLexicalEnvironment(JSContext*, JS::Handle<JSScript*>, JS::Handle<js::ExtensibleLexicalEnvironmentObject*>) /js/src/builtin/Eval.cpp:403:10
        #12 0x7f300d247070 in js::ExecuteInFrameScriptEnvironment(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JSObject*>) /js/src/builtin/Eval.cpp:438:8
        #13 0x7f300d66761a in EvalReturningScope(JSContext*, unsigned int, JS::Value*) /js/src/builtin/TestingFunctions.cpp:6040:10
        #14 0x25f8133f57f8  (<unknown module>)
    
    DEDUP_TOKEN: get
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:851:48 in get
    
    Command: /home/worker/firefox/firefox -xpcshell -len_control=50 -rss_limit_mb=7000 -use_value_profile=1 -entropic=1 ./corpora/ -handle_segv=0 -handle_bus=0 -handle_abrt=0 -handle_ill=0 -handle_fpe=0 -print_pcs=1
    
    ==2532==ABORTING
Assignee: nobody → jkratzer
Status: NEW → ASSIGNED
Attachment #9265508 - Attachment description: Bug 1757188: Ensure workerPrivate is not null, r=baku → Bug 1757188 - Ensure workerPrivate is not null, r=baku
Keywords: bugmon, testcase
Whiteboard: [bugmon:confirm]

Hmm, but GetCurrentThreadWorkerPrivate(); should return non-null.

What does ./firefox/firefox -xpcshell -e "new EventSource('a')" do? How does that run anything in a worker?

Oh, I guess the issue is that we don't have a Window object.
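Added illustration, not Firefox's code: a cut-down model of the null dereference this bug describes. The stand-in `GetCurrentThreadWorkerPrivate()`, `GlobalObject`, `WorkerPrivate` and the result codes are hypothetical; the point is that an xpcshell global has neither a Window nor a worker, so the worker lookup yields nullptr and the unchecked constructor path dereferences it, while the checked path returns an error instead.

```cpp
#include <cstddef>

// Hypothetical stand-ins for the objects the real constructor consults.
struct CookieJarSettings { int behavior = 0; };

struct WorkerPrivate {
  CookieJarSettings settings;
  CookieJarSettings* CookieJarSettingsPtr() { return &settings; }
};

struct GlobalObject {
  bool hasWindow = false;           // true for a page global
  WorkerPrivate* worker = nullptr;  // set only on a worker thread
};

// Models GetCurrentThreadWorkerPrivate(): nullptr outside a worker thread,
// which is exactly the xpcshell situation (no Window, no worker).
static WorkerPrivate* GetCurrentThreadWorkerPrivate(const GlobalObject& g) {
  return g.worker;
}

enum Result { Ok = 0, ErrUnexpected = 1 };

// Unchecked path (the crash): "not a window" is assumed to mean "a worker".
// With a global that has neither, wp is nullptr and the call below faults.
static Result constructUnchecked(const GlobalObject& g, CookieJarSettings** out) {
  static CookieJarSettings windowSettings;  // stand-in for the window's settings
  if (g.hasWindow) { *out = &windowSettings; return Ok; }
  WorkerPrivate* wp = GetCurrentThreadWorkerPrivate(g);
  *out = wp->CookieJarSettingsPtr();        // null dereference in xpcshell
  return Ok;
}

// Checked path (the fix): bail out with an error when there is no worker.
static Result constructChecked(const GlobalObject& g, CookieJarSettings** out) {
  static CookieJarSettings windowSettings;
  if (g.hasWindow) { *out = &windowSettings; return Ok; }
  WorkerPrivate* wp = GetCurrentThreadWorkerPrivate(g);
  if (!wp) { *out = nullptr; return ErrUnexpected; }  // ensure workerPrivate is not null
  *out = wp->CookieJarSettingsPtr();
  return Ok;
}
```

The checked version is the one to call on an xpcshell-style global; the unchecked one is kept only to show the path the ASan trace walked.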

The severity field is not set for this bug.
:edgar, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(echen)

This looks like a weird XPCShell issue, so I'm marking it S3.

Jason, is this patch ready to land? Thanks.

Severity: -- → S3
Flags: needinfo?(echen) → needinfo?(jkratzer)
Summary: Crash [@ get] → Crash when creating an EventSource in xpcshell

(In reply to Andrew McCreight [:mccr8] from comment #4)

> This looks like a weird XPCShell issue, so I'm marking it S3.
>
> Jason, is this patch ready to land? Thanks.

It is unless :smaug has any objections.

Flags: needinfo?(jkratzer) → needinfo?(bugs)

I'm sure it is fine, given that he r+'ed it.

Flags: needinfo?(bugs)
Pushed by amccreight@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/58965c6ba2bf
Ensure workerPrivate is not null, r=smaug
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 100 Branch