Closed
Bug 1379542
Opened 7 years ago
Closed 3 years ago
ASAN: null pointer deref in HasWrapperFlag()
Categories
(Core :: DOM: Core & HTML, defect, P3)
Tracking
Status: RESOLVED WORKSFORME

| Tracking | Status
---|---|---
firefox56 | --- | affected
People
(Reporter: geeknik, Unassigned)
Details
(Keywords: crash, csectype-nullptr, nightly-community)
While fuzzing Firefox Nightly (ASan Build ID 20170709212950) with lcamtuf's ref_fuzz5, this null pointer dereference was triggered and Firefox promptly crashed on Debian 8 x64.

==1689==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f2952880ec4 bp 0x7ffc99d31930 sp 0x7ffc99d31880 T0)
==1689==The signal is caused by a READ memory access.
==1689==Hint: address points to the zero page.
    #0 0x7f2952880ec3 in HasWrapperFlag /home/worker/workspace/build/src/obj-firefox/dist/include/nsWrapperCache.h:354
    #1 0x7f2952880ec3 in IsDOMBinding /home/worker/workspace/build/src/obj-firefox/dist/include/nsWrapperCache.h:202
    #2 0x7f2952880ec3 in CouldBeDOMBinding /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:719
    #3 0x7f2952880ec3 in DoGetOrCreateDOMReflector<mozilla::dom::ImageBitmap, mozilla::dom::binding_detail::GetOrCreateReflectorWrapBehavior::eWrapIntoContextCompartment> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:910
    #4 0x7f2952880ec3 in GetOrCreateDOMReflector<mozilla::dom::ImageBitmap> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:994
    #5 0x7f2952880ec3 in GetOrCreate /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:1679
    #6 0x7f2952880ec3 in GetOrCreateDOMReflector<RefPtr<mozilla::dom::ImageBitmap> > /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:1701
    #7 0x7f2952880ec3 in transferToImageBitmap /home/worker/workspace/build/src/obj-firefox/dom/bindings/OffscreenCanvasBinding.cpp:204
    #8 0x7f2952880ec3 in ?? ??:0
    #9 0x7f2953aa314e in GenericBindingMethod /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3028 (discriminator 4)
    #10 0x7f2953aa314e in ?? ??:0
    #11 0x7f2959fa9de4 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293 (discriminator 3)
    #12 0x7f2959fa9de4 in InternalCallOrConstruct /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470 (discriminator 3)
    #13 0x7f2959fa9de4 in ?? ??:0
    #14 0x7f2959f92c0b in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521
    #15 0x7f2959f92c0b in Interpret /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3060
    #16 0x7f2959f92c0b in ?? ??:0
    #17 0x7f2959f79988 in RunScript /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410
    #18 0x7f2959f79988 in ?? ??:0
    #19 0x7f2959fac6f7 in ExecuteKernel /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:699 (discriminator 1)
    #20 0x7f2959fac6f7 in ?? ??:0
    #21 0x7f2959ffc62e in EvalKernel /home/worker/workspace/build/src/js/src/builtin/Eval.cpp:327 (discriminator 2)
    #22 0x7f2959ffc62e in ?? ??:0
    #23 0x7f2959ffd27e in DirectEval /home/worker/workspace/build/src/js/src/builtin/Eval.cpp:438 (discriminator 5)
    #24 0x7f2959ffd27e in ?? ??:0
    #25 0x7f295a1cd9e2 in DoCallFallback /home/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2536 (discriminator 2)
    #26 0x7f295a1cd9e2 in ?? ??:0
    #9 0x2ee003dbc1b6 (<unknown module>)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/geeknik/firefox/libxul.so+0x55b6ec3)
==1689==ABORTING
Updated • 7 years ago
Priority: -- → P3

Updated • 7 years ago
status-firefox56: --- → affected

Updated • 5 years ago
Component: DOM → DOM: Core & HTML
Hi Brian, we are checking on really old bugs, trying to find what can be closed, either because of old functionality or because something has already been fixed in the latest versions. I would like to know if this bug is still happening, or if there is any newer crash report link?
Thanks
Flags: needinfo?(geeknik)
Per last comment, changing bug to resolved WFM.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME