Closed
Bug 1338864
Opened 7 years ago
Closed 4 years ago
ASAN: null pointer deref in in ShiftData<nsTArrayInfallibleAllocator> (nsTArray-inl.h:260)
Categories
(Core :: Storage: IndexedDB, defect, P5)
Tracking
()
RESOLVED
INCOMPLETE
Tracking | Status | |
---|---|---|
firefox54 | --- | affected |
People
(Reporter: geeknik, Unassigned)
Details
(4 keywords, Whiteboard: [sg:dos]DWS_NEXT)
Attachments
(2 files)
Triggered while fuzzing Firefox Nightly ASAN Build ID 20170211155106 with Quokka and Dharma. Crashlog is 64KB, only showing the highlights here. ==116877==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa1f7e398b7 bp 0x7fa1c4cc70b0 sp 0x7fa1c4cc7000 T59) *snip* #0 0x7fa1f7e398b6 in ShiftData<nsTArrayInfallibleAllocator> /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray-inl.h:260 #1 0x7fa1f7e398b6 in RemoveElementsAt /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2087 #2 0x7fa1f7e398b6 in RemoveElementAt /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1765 #3 0x7fa1f7e398b6 in RemoveElement<mozilla::dom::indexedDB::(anonymous namespace)::ConnectionPool::DatabaseInfo *, nsDefaultComparator<mozilla::dom::indexedDB::(anonymous namespace)::ConnectionPool::DatabaseInfo *, mozilla::dom::indexedDB::(anonymous namespace)::ConnectionPool::DatabaseInfo *> > /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1791 #4 0x7fa1f7e398b6 in RemoveElement<mozilla::dom::indexedDB::(anonymous namespace)::ConnectionPool::DatabaseInfo *> /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1800 #5 0x7fa1f7e398b6 in Run /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:13227 #6 0x7fa1f7e398b6 in ?? ??:0 #7 0x7fa1f2581e8b in ProcessNextEvent /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1261 (discriminator 1) #8 0x7fa1f2581e8b in ?? ??:0 #9 0x7fa1f257e7e0 in _Z19NS_ProcessNextEventP9nsIThreadb /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389 #10 0x7fa1f257e7e0 in ?? ??:0 #11 0x7fa1f7e38322 in Run /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:13473 #12 0x7fa1f7e38322 in ?? ??:0 #13 0x7fa1f2581e8b in ProcessNextEvent /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1261 (discriminator 1) #14 0x7fa1f2581e8b in ?? ??:0 #15 0x7fa1f257e7e0 in _Z19NS_ProcessNextEventP9nsIThreadb /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389 #16 0x7fa1f257e7e0 in ?? ??:0 #17 0x7fa1f338e5fc in Run /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:338 #18 0x7fa1f338e5fc in ?? ??:0 #19 0x7fa1f32ff4b8 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238 (discriminator 1) #20 0x7fa1f32ff4b8 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231 (discriminator 1) #21 0x7fa1f32ff4b8 in Run /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211 (discriminator 1) #22 0x7fa1f32ff4b8 in ?? ??:0 #23 0x7fa1f257af5a in ThreadFunc /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:494 #24 0x7fa1f257af5a in ?? ??:0 #25 0x7fa209b7b368 in _pt_root /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:216 #26 0x7fa209b7b368 in ?? ??:0 #27 0x7fa20d0d40a3 in start_thread /build/glibc-daoqzt/glibc-2.19/nptl/pthread_create.c:309 (discriminator 2) #28 0x7fa20d0d40a3 in ?? ??:0 #29 0x7fa20c1db62c in clone /build/glibc-daoqzt/glibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111 #30 0x7fa20c1db62c in ?? ??:0 *snip* 320 or so frames in the stack trace.
Reporter | ||
Comment 1•7 years ago
|
||
Updated•7 years ago
|
Attachment #8836435 -
Attachment mime type: text/plain → text/html
Comment 2•7 years ago
|
||
can't reproduce on a nightly opt build. I would have expected a null deref to crash with or without ASAN.
Group: core-security → dom-core-security
Keywords: testcase
Comment 3•7 years ago
|
||
Gonna assume the root problem is in IndexedDB code, rather than nsTArray code.
Component: JavaScript Engine → DOM: IndexedDB
Updated•7 years ago
|
Flags: needinfo?(jvarga)
Comment 5•7 years ago
|
||
Maybe it does, after all. IDB seems to spin event loop and then accessing something deleted?
Flags: needinfo?(jvarga)
Updated•7 years ago
|
Updated•7 years ago
|
Priority: -- → P2
Updated•6 years ago
|
Whiteboard: [sg:dos] → [sg:dos]DWS_NEXT
Comment 7•4 years ago
|
||
We have no further information and the stack trace is too old to be significant any more. Leaving it open for reaction of the reporter, though.
Priority: P2 → P5
Updated•4 years ago
|
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INCOMPLETE
You need to log in
before you can comment on or make changes to this bug.
Description
•