Closed Bug 1379542 Opened 7 years ago Closed 3 years ago

ASAN: null pointer deref in HasWrapperFlag()

Categories

(Core :: DOM: Core & HTML, defect, P3)

x86_64
Linux
defect

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox56 --- affected

People

(Reporter: geeknik, Unassigned)

Details

(Keywords: crash, csectype-nullptr, nightly-community)

While fuzzing Firefox Nightly (ASan Build ID 20170709212950) with lcamtuf's ref_fuzz5, this null pointer dereference was triggered and Firefox promptly crashed on Debian 8 x64.

==1689==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f2952880ec4 bp 0x7ffc99d31930 sp 0x7ffc99d31880 T0)
==1689==The signal is caused by a READ memory access.
==1689==Hint: address points to the zero page.
    #0 0x7f2952880ec3 in HasWrapperFlag /home/worker/workspace/build/src/obj-firefox/dist/include/nsWrapperCache.h:354
    #1 0x7f2952880ec3 in IsDOMBinding /home/worker/workspace/build/src/obj-firefox/dist/include/nsWrapperCache.h:202
    #2 0x7f2952880ec3 in CouldBeDOMBinding /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:719
    #3 0x7f2952880ec3 in DoGetOrCreateDOMReflector<mozilla::dom::ImageBitmap, mozilla::dom::binding_detail::GetOrCreateReflectorWrapBehavior::eWrapIntoContextCompartment> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:910
    #4 0x7f2952880ec3 in GetOrCreateDOMReflector<mozilla::dom::ImageBitmap> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:994
    #5 0x7f2952880ec3 in GetOrCreate /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:1679
    #6 0x7f2952880ec3 in GetOrCreateDOMReflector<RefPtr<mozilla::dom::ImageBitmap> > /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:1701
    #7 0x7f2952880ec3 in transferToImageBitmap /home/worker/workspace/build/src/obj-firefox/dom/bindings/OffscreenCanvasBinding.cpp:204
    #8 0x7f2952880ec3 in ?? ??:0
    #9 0x7f2953aa314e in GenericBindingMethod /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3028 (discriminator 4)
    #10 0x7f2953aa314e in ?? ??:0
    #11 0x7f2959fa9de4 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293 (discriminator 3)
    #12 0x7f2959fa9de4 in InternalCallOrConstruct /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470 (discriminator 3)
    #13 0x7f2959fa9de4 in ?? ??:0
    #14 0x7f2959f92c0b in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521
    #15 0x7f2959f92c0b in Interpret /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3060
    #16 0x7f2959f92c0b in ?? ??:0
    #17 0x7f2959f79988 in RunScript /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410
    #18 0x7f2959f79988 in ?? ??:0
    #19 0x7f2959fac6f7 in ExecuteKernel /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:699 (discriminator 1)
    #20 0x7f2959fac6f7 in ?? ??:0
    #21 0x7f2959ffc62e in EvalKernel /home/worker/workspace/build/src/js/src/builtin/Eval.cpp:327 (discriminator 2)
    #22 0x7f2959ffc62e in ?? ??:0
    #23 0x7f2959ffd27e in DirectEval /home/worker/workspace/build/src/js/src/builtin/Eval.cpp:438 (discriminator 5)
    #24 0x7f2959ffd27e in ?? ??:0
    #25 0x7f295a1cd9e2 in DoCallFallback /home/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2536 (discriminator 2)
    #26 0x7f295a1cd9e2 in ?? ??:0
    #9 0x2ee003dbc1b6  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/geeknik/firefox/libxul.so+0x55b6ec3)
==1689==ABORTING
Priority: -- → P3
Component: DOM → DOM: Core & HTML
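A small triage parser for ASan SEGV reports of the kind quoted above, added here as an example; it is not part of this bug, of the fuzzer, or of Mozilla's tooling. The embedded sample is an abbreviated copy of the report in this bug (same addresses, same frames), the bucket names such as `null-deref-read` are my own, and the "zero page" test reproduces ASan's hint from the faulting address rather than trusting the hint text.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Faults below this bound are on the "zero page": a null pointer was dereferenced,
# possibly plus a small field offset (0x10 in this bug's report).
ZERO_PAGE_SIZE = 0x1000

HEADER_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>\S+) on unknown address "
    r"(?P<addr>0x[0-9a-fA-F]+) \(pc (?P<pc>0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"The signal is caused by a (?P<access>READ|WRITE) memory access")
# Function names may contain spaces (template argument lists), so the name is matched
# lazily and the location is the last whitespace-free token before an optional
# "(discriminator N)" suffix. Frames without "in" (e.g. "(<unknown module>)") are skipped.
FRAME_RE = re.compile(
    r"^\s*#(?P<idx>\d+)\s+(?P<pc>0x[0-9a-fA-F]+)\s+in\s+(?P<func>.+?)\s+(?P<loc>\S+)"
    r"(?:\s+\(discriminator \d+\))?\s*$")
SUMMARY_RE = re.compile(
    r"^SUMMARY: AddressSanitizer: \S+ \((?P<module>[^+)]+)\+(?P<off>0x[0-9a-fA-F]+)\)")


@dataclass
class Frame:
    index: int
    pc: int
    function: str
    path: str
    line: int


@dataclass
class AsanReport:
    pid: int
    kind: str
    address: int
    pc: int
    access: Optional[str] = None
    module: Optional[str] = None          # from the SUMMARY line: useful for dedup
    module_offset: Optional[int] = None   # across unsymbolized runs of the same build
    frames: List[Frame] = field(default_factory=list)


def parse_asan_report(text: str) -> AsanReport:
    report = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(pid=int(m["pid"]), kind=m["kind"],
                                address=int(m["addr"], 16), pc=int(m["pc"], 16))
            continue
        if report is None:
            continue  # ignore everything before the ERROR header
        if (m := ACCESS_RE.search(line)):
            report.access = m["access"]
        elif (m := FRAME_RE.match(line)):
            path, sep, lineno = m["loc"].rpartition(":")
            if not sep:
                path, lineno = m["loc"], "0"
            report.frames.append(Frame(int(m["idx"]), int(m["pc"], 16), m["func"],
                                       path, int(lineno) if lineno.isdigit() else 0))
        elif (m := SUMMARY_RE.match(line)):
            report.module, report.module_offset = m["module"], int(m["off"], 16)
    if report is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return report


def classify(report: AsanReport) -> str:
    """Coarse triage bucket. A READ from the zero page is the textbook null
    dereference (Bugzilla's csectype-nullptr keyword): a crash, not by itself a
    memory-corruption primitive. A WRITE, or a fault at an arbitrary address,
    needs a closer look."""
    if report.kind != "SEGV":
        return report.kind.lower()
    access = (report.access or "unknown").lower()
    return f"null-deref-{access}" if report.address < ZERO_PAGE_SIZE else f"wild-{access}"


def first_frame_outside_headers(report: AsanReport) -> Optional[Frame]:
    """Skip unsymbolized frames and inlined header frames (they all share one pc
    with the faulting frame) to find where the calling .cpp code enters."""
    for f in report.frames:
        if f.path != "??" and not f.path.endswith(".h"):
            return f
    return None


def triage_line(report: AsanReport) -> str:
    top = report.frames[0].function if report.frames else "?"
    entry = first_frame_outside_headers(report)
    via = f"{entry.function} ({entry.path.rsplit('/', 1)[-1]}:{entry.line})" if entry else "?"
    return f"{classify(report)} at {report.address:#x} in {top}, reached via {via}"


# Constructed sample: an abbreviated copy of the report in this bug.
SAMPLE_REPORT = """\
==1689==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f2952880ec4 bp 0x7ffc99d31930 sp 0x7ffc99d31880 T0)
==1689==The signal is caused by a READ memory access.
==1689==Hint: address points to the zero page.
    #0 0x7f2952880ec3 in HasWrapperFlag /home/worker/workspace/build/src/obj-firefox/dist/include/nsWrapperCache.h:354
    #1 0x7f2952880ec3 in IsDOMBinding /home/worker/workspace/build/src/obj-firefox/dist/include/nsWrapperCache.h:202
    #2 0x7f2952880ec3 in DoGetOrCreateDOMReflector<mozilla::dom::ImageBitmap, mozilla::dom::binding_detail::GetOrCreateReflectorWrapBehavior::eWrapIntoContextCompartment> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:910
    #3 0x7f2952880ec3 in transferToImageBitmap /home/worker/workspace/build/src/obj-firefox/dom/bindings/OffscreenCanvasBinding.cpp:204
    #4 0x7f2952880ec3 in ?? ??:0
    #5 0x7f2953aa314e in GenericBindingMethod /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3028 (discriminator 4)
    #6 0x2ee003dbc1b6  (<unknown module>)

SUMMARY: AddressSanitizer: SEGV (/home/geeknik/firefox/libxul.so+0x55b6ec3)
==1689==ABORTING
"""

if __name__ == "__main__":
    print(triage_line(parse_asan_report(SAMPLE_REPORT)))
```

Note that frames #0 through #7 in the original report share a single pc: the symbolizer is expanding inlined header functions, which is why `first_frame_outside_headers` walks down to `transferToImageBitmap` in `OffscreenCanvasBinding.cpp` to find the call that actually passed the null pointer in.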

Hi Brian, we are checking on really old bugs trying to find what can be closed, either because of old functionality or because something has been fixed already in the latest versions. I would like to know if this bug is still happening or whether there is any newer crash report link.

thanks

Flags: needinfo?(geeknik)

You can go ahead and close this.

Flags: needinfo?(geeknik)

per last comment, changing bug to resolved WFM

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME