Closed
Bug 1338864
Opened 7 years ago
Closed 4 years ago
ASAN: null pointer deref in in ShiftData<nsTArrayInfallibleAllocator> (nsTArray-inl.h:260)
Categories
(Core :: Storage: IndexedDB, defect, P5)
Tracking
()
RESOLVED
INCOMPLETE
| Tracking | Status | |
|---|---|---|
| firefox54 | --- | affected |
People
(Reporter: geeknik, Unassigned)
Details
(4 keywords, Whiteboard: [sg:dos]DWS_NEXT)
Attachments
(2 files)
Triggered while fuzzing Firefox Nightly ASAN Build ID 20170211155106 with Quokka and Dharma. Crashlog is 64KB, only showing the highlights here.
==116877==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa1f7e398b7 bp 0x7fa1c4cc70b0 sp 0x7fa1c4cc7000 T59)
*snip*
#0 0x7fa1f7e398b6 in ShiftData<nsTArrayInfallibleAllocator> /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray-inl.h:260
#1 0x7fa1f7e398b6 in RemoveElementsAt /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2087
#2 0x7fa1f7e398b6 in RemoveElementAt /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1765
#3 0x7fa1f7e398b6 in RemoveElement<mozilla::dom::indexedDB::(anonymous namespace)::ConnectionPool::DatabaseInfo *, nsDefaultComparator<mozilla::dom::indexedDB::(anonymous namespace)::ConnectionPool::DatabaseInfo *, mozilla::dom::indexedDB::(anonymous namespace)::ConnectionPool::DatabaseInfo *> > /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1791
#4 0x7fa1f7e398b6 in RemoveElement<mozilla::dom::indexedDB::(anonymous namespace)::ConnectionPool::DatabaseInfo *> /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1800
#5 0x7fa1f7e398b6 in Run /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:13227
#6 0x7fa1f7e398b6 in ?? ??:0
#7 0x7fa1f2581e8b in ProcessNextEvent /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1261 (discriminator 1)
#8 0x7fa1f2581e8b in ?? ??:0
#9 0x7fa1f257e7e0 in _Z19NS_ProcessNextEventP9nsIThreadb /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389
#10 0x7fa1f257e7e0 in ?? ??:0
#11 0x7fa1f7e38322 in Run /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:13473
#12 0x7fa1f7e38322 in ?? ??:0
#13 0x7fa1f2581e8b in ProcessNextEvent /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1261 (discriminator 1)
#14 0x7fa1f2581e8b in ?? ??:0
#15 0x7fa1f257e7e0 in _Z19NS_ProcessNextEventP9nsIThreadb /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389
#16 0x7fa1f257e7e0 in ?? ??:0
#17 0x7fa1f338e5fc in Run /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:338
#18 0x7fa1f338e5fc in ?? ??:0
#19 0x7fa1f32ff4b8 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238 (discriminator 1)
#20 0x7fa1f32ff4b8 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231 (discriminator 1)
#21 0x7fa1f32ff4b8 in Run /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211 (discriminator 1)
#22 0x7fa1f32ff4b8 in ?? ??:0
#23 0x7fa1f257af5a in ThreadFunc /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:494
#24 0x7fa1f257af5a in ?? ??:0
#25 0x7fa209b7b368 in _pt_root /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:216
#26 0x7fa209b7b368 in ?? ??:0
#27 0x7fa20d0d40a3 in start_thread /build/glibc-daoqzt/glibc-2.19/nptl/pthread_create.c:309 (discriminator 2)
#28 0x7fa20d0d40a3 in ?? ??:0
#29 0x7fa20c1db62c in clone /build/glibc-daoqzt/glibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111
#30 0x7fa20c1db62c in ?? ??:0
*snip*
320 or so frames in the stack trace.
|
Reporter | |
Comment 1•7 years ago
|
||
|
||
Updated•7 years ago
|
Attachment #8836435 -
Attachment mime type: text/plain → text/html
|
|
||
Comment 2•7 years ago
|
||
can't reproduce on a nightly opt build. I would have expected a null deref to crash with or without ASAN.
Group: core-security → dom-core-security
Keywords: testcase
|
||
Comment 3•7 years ago
|
||
Gonna assume the root problem is in IndexedDB code, rather than nsTArray code.
Component: JavaScript Engine → DOM: IndexedDB
|
||
Updated•7 years ago
|
Flags: needinfo?(jvarga)
|
|
||
Comment 5•7 years ago
|
||
Maybe it does, after all. IDB seems to spin event loop and then accessing something deleted?
Flags: needinfo?(jvarga)
|
|
||
Updated•7 years ago
|
|
||
Updated•7 years ago
|
Priority: -- → P2
|
||
Updated•6 years ago
|
Whiteboard: [sg:dos] → [sg:dos]DWS_NEXT
|
||
Comment 7•4 years ago
|
||
We have no further information and the stack trace is too old to be significant any more. Leaving it open for reaction of the reporter, though.
Priority: P2 → P5
|
|
||
Updated•4 years ago
|
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INCOMPLETE
You need to log in
before you can comment on or make changes to this bug.
Description
•