Found while fuzzing 20250208-053595a05e65 (--enable-address-sanitizer --enable-undefined-sanitizer --enable-fuzzing)

This is the top fuzzblocker by far; fuzzers have reported >15K in ~48h.

To reproduce via Grizzly Replay:
```
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
```

```
==55884==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7244eb87c361 bp 0x7ffdaf51f750 sp 0x7ffdaf51f720 T0)
==55884==The signal is caused by a READ memory access.
==55884==Hint: address points to the zero page.
    #0 0x7244eb87c361 in mozilla::dom::ContentParent::AsyncSendShutDownMessage() /gecko/dom/ipc/ContentParent.cpp:1655:34
    #1 0x7244eb83a92c in mozilla::dom::ContentParent::MaybeBeginShutDown(bool, bool) /gecko/dom/ipc/ContentParent.cpp:2241:5
    #2 0x7244eb880c2f in mozilla::dom::ContentParent::RemoveKeepAlive(unsigned long) /gecko/dom/ipc/ContentParent.cpp:2132:3
    #3 0x7244eb986bc0 in operator() /gecko/dom/ipc/UniqueContentParentKeepAlive.cpp:15:14
    #4 0x7244eb986bc0 in reset /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:302:7
    #5 0x7244eb986bc0 in operator= /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:272:5
    #6 0x7244eb986bc0 in mozilla::dom::(anonymous namespace)::XpcomContentParentKeepAlive::cycleCollection::Unlink(void*) /gecko/dom/ipc/UniqueContentParentKeepAlive.cpp:98:19
    #7 0x7244e21168ec in nsCycleCollector::CollectWhite() /gecko/xpcom/base/nsCycleCollector.cpp:3270:26
    #8 0x7244e211aa1d in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, JS::SliceBudget&, nsICycleCollectorListener*, bool) /gecko/xpcom/base/nsCycleCollector.cpp:3678:26
    #9 0x7244e211a0ca in nsCycleCollector::ShutdownCollect() /gecko/xpcom/base/nsCycleCollector.cpp:3585:20
    #10 0x7244e211d166 in nsCycleCollector::Shutdown(bool) /gecko/xpcom/base/nsCycleCollector.cpp:3917:5
    #11 0x7244e211f7ab in nsCycleCollector_shutdown(bool) /gecko/xpcom/base/nsCycleCollector.cpp:4250:18
    #12 0x7244e2347275 in mozilla::ShutdownXPCOM(nsIServiceManager*) /gecko/xpcom/build/XPCOMInit.cpp:737:3
    #13 0x7244ee575613 in ScopedXPCOMStartup::~ScopedXPCOMStartup() /gecko/toolkit/xre/nsAppRunner.cpp:1992:5
    #14 0x7244ee586ed0 in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:460:5
    #15 0x7244ee586ed0 in reset /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:302:7
    #16 0x7244ee586ed0 in mozilla::UniquePtr<ScopedXPCOMStartup, mozilla::DefaultDelete<ScopedXPCOMStartup>>::operator=(std::nullptr_t) /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:272:5
    #17 0x7244ee586525 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:6138:16
    #18 0x7244ee5874e3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:6174:21
    #19 0x5c6f6e67a1e4 in do_main /gecko/browser/app/nsBrowserApp.cpp:232:22
    #20 0x5c6f6e67a1e4 in main /gecko/browser/app/nsBrowserApp.cpp:464:16
    #21 0x724504796d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #22 0x724504796e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #23 0x5c6f6e599bb8 in _start (/home/worker/builds/m-c-20250208091603-fuzzing-asan-opt/firefox+0xd3bb8) (BuildId: b05c56e37c14a1419ec6d2aa0bc6a00c5a13f19e)

==55884==Register values:
rax = 0x0000000000000000  rbx = 0x00005070001726f0  rcx = 0x000000000000003f  rdx = 0x00005c6f6f1a4c00
rdi = 0x0000507000172700  rsi = 0x0000000000001898  rbp = 0x00007ffdaf51f750  rsp = 0x00007ffdaf51f720
 r8 = 0x0000000000001890   r9 = 0x0000000000000002  r10 = 0x00007fffffffff01  r11 = 0x05504b6186f2fa01
r12 = 0x00000fffb5ea3ef4  r13 = 0x0000000000000000  r14 = 0x0000000000000000  r15 = 0x0000000000000000
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /gecko/dom/ipc/ContentParent.cpp:1655:34 in mozilla::dom::ContentParent::AsyncSendShutDownMessage()
```
Bug 1947303 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Found while fuzzing 20250208-053595a05e65 (--enable-address-sanitizer --enable-fuzzing)

This is the top fuzzblocker by far; fuzzers have reported >15K in ~48h.

To reproduce via Grizzly Replay:
```
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
```

```
==55884==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7244eb87c361 bp 0x7ffdaf51f750 sp 0x7ffdaf51f720 T0)
==55884==The signal is caused by a READ memory access.
==55884==Hint: address points to the zero page.
    #0 0x7244eb87c361 in mozilla::dom::ContentParent::AsyncSendShutDownMessage() /gecko/dom/ipc/ContentParent.cpp:1655:34
    #1 0x7244eb83a92c in mozilla::dom::ContentParent::MaybeBeginShutDown(bool, bool) /gecko/dom/ipc/ContentParent.cpp:2241:5
    #2 0x7244eb880c2f in mozilla::dom::ContentParent::RemoveKeepAlive(unsigned long) /gecko/dom/ipc/ContentParent.cpp:2132:3
    #3 0x7244eb986bc0 in operator() /gecko/dom/ipc/UniqueContentParentKeepAlive.cpp:15:14
    #4 0x7244eb986bc0 in reset /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:302:7
    #5 0x7244eb986bc0 in operator= /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:272:5
    #6 0x7244eb986bc0 in mozilla::dom::(anonymous namespace)::XpcomContentParentKeepAlive::cycleCollection::Unlink(void*) /gecko/dom/ipc/UniqueContentParentKeepAlive.cpp:98:19
    #7 0x7244e21168ec in nsCycleCollector::CollectWhite() /gecko/xpcom/base/nsCycleCollector.cpp:3270:26
    #8 0x7244e211aa1d in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, JS::SliceBudget&, nsICycleCollectorListener*, bool) /gecko/xpcom/base/nsCycleCollector.cpp:3678:26
    #9 0x7244e211a0ca in nsCycleCollector::ShutdownCollect() /gecko/xpcom/base/nsCycleCollector.cpp:3585:20
    #10 0x7244e211d166 in nsCycleCollector::Shutdown(bool) /gecko/xpcom/base/nsCycleCollector.cpp:3917:5
    #11 0x7244e211f7ab in nsCycleCollector_shutdown(bool) /gecko/xpcom/base/nsCycleCollector.cpp:4250:18
    #12 0x7244e2347275 in mozilla::ShutdownXPCOM(nsIServiceManager*) /gecko/xpcom/build/XPCOMInit.cpp:737:3
    #13 0x7244ee575613 in ScopedXPCOMStartup::~ScopedXPCOMStartup() /gecko/toolkit/xre/nsAppRunner.cpp:1992:5
    #14 0x7244ee586ed0 in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:460:5
    #15 0x7244ee586ed0 in reset /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:302:7
    #16 0x7244ee586ed0 in mozilla::UniquePtr<ScopedXPCOMStartup, mozilla::DefaultDelete<ScopedXPCOMStartup>>::operator=(std::nullptr_t) /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:272:5
    #17 0x7244ee586525 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:6138:16
    #18 0x7244ee5874e3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:6174:21
    #19 0x5c6f6e67a1e4 in do_main /gecko/browser/app/nsBrowserApp.cpp:232:22
    #20 0x5c6f6e67a1e4 in main /gecko/browser/app/nsBrowserApp.cpp:464:16
    #21 0x724504796d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #22 0x724504796e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #23 0x5c6f6e599bb8 in _start (/home/worker/builds/m-c-20250208091603-fuzzing-asan-opt/firefox+0xd3bb8) (BuildId: b05c56e37c14a1419ec6d2aa0bc6a00c5a13f19e)

==55884==Register values:
rax = 0x0000000000000000  rbx = 0x00005070001726f0  rcx = 0x000000000000003f  rdx = 0x00005c6f6f1a4c00
rdi = 0x0000507000172700  rsi = 0x0000000000001898  rbp = 0x00007ffdaf51f750  rsp = 0x00007ffdaf51f720
 r8 = 0x0000000000001890   r9 = 0x0000000000000002  r10 = 0x00007fffffffff01  r11 = 0x05504b6186f2fa01
r12 = 0x00000fffb5ea3ef4  r13 = 0x0000000000000000  r14 = 0x0000000000000000  r15 = 0x0000000000000000
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /gecko/dom/ipc/ContentParent.cpp:1655:34 in mozilla::dom::ContentParent::AsyncSendShutDownMessage()
```