Closed Bug 1375066 Opened 7 years ago Closed 7 years ago

Crash @ [mozilla::dom::IDBFactory::CreateForWindow]

Categories

(Core :: Storage: IndexedDB, defect)

Product:
Core
Component:
Storage: IndexedDB
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1374675

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, csectype-nullptr, testcase)

Attachments

(1 file)

Testcase
884 bytes, text/html
Details
Attached file Testcase 
Testcase found while fuzzing mozilla-inbound rev 20170621-2b07ef4f3381.

ASAN:DEADLYSIGNAL
=================================================================
==18547==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000a0 (pc 0x7f8ea04298bc bp 0x7ffe3a4a7c20 sp 0x7ffe3a4a79a0 T0)
==18547==The signal is caused by a READ memory access.
==18547==Hint: address points to the zero page.
    #0 0x7f8ea04298bb in mozilla::dom::IDBFactory::CreateForWindow(nsPIDOMWindowInner*, mozilla::dom::IDBFactory**) /home/worker/workspace/build/src/dom/indexedDB/IDBFactory.cpp:173:12
    #1 0x7f8e9d15675e in nsGlobalWindow::GetIndexedDB(mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:11398:14
    #2 0x7f8e9e6c627c in mozilla::dom::WindowBinding::get_indexedDB(JSContext*, JS::Handle<JSObject*>, nsGlobalWindow*, JSJitGetterCallArgs) /home/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:15527:62
    #3 0x7f8e9e65d276 in mozilla::dom::WindowBinding::genericGetter(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:15757:13
    #4 0x7f8ea533d4a3 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #5 0x7f8ea533d4a3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
    #6 0x7f8ea533eadf in InternalCall /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:515:12
    #7 0x7f8ea533eadf in Call /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534
    #8 0x7f8ea533eadf in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:649
    #9 0x7f8ea622000a in CallGetter /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2062:16
    #10 0x7f8ea622000a in GetExistingProperty<js::AllowGC::CanGC> /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2110
    #11 0x7f8ea622000a in NativeGetPropertyInline<js::AllowGC::CanGC> /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2341
    #12 0x7f8ea622000a in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2375
    #13 0x7f8ea5f6d6e1 in GetProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.h:1536:12
    #14 0x7f8ea5f6d6e1 in js::Wrapper::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:144
    #15 0x7f8e9d0df72f in nsOuterWindowProxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:1378:23
    #16 0x7f8ea5f4ace5 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:340:21
    #17 0x7f8ea5f6d6cb in GetProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.h:1535:16
    #18 0x7f8ea5f6d6cb in js::Wrapper::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:144
    #19 0x7f8ea5f2fe5e in js::CrossCompartmentWrapper::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:226:23
    #20 0x7f8ea5f4ace5 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:340:21
Flags: in-testsuite?
The patch of bug 1352401 has been backed out from m-i. It shall be backed out soon in m-c.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Blocks: fuzzing-indexeddb
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: