Closed Bug 1444750 Opened 2 years ago Closed 2 years ago

Crash [@ mozilla::dom::ContentChild::ProcessingError]

Categories

(Core :: DOM: Web Payments, defect, P3, critical)

59 Branch
defect


RESOLVED WORKSFORME

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [fuzzblocker])

Attachments

(1 file, 1 obsolete file)

Attached file trigger.html (obsolete)
Testcase found while fuzzing mozilla-central rev 8863806b9e28.

==3875==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa994ca0440 bp 0x7ffc908908b0 sp 0x7ffc90890800 T0)
==3875==The signal is caused by a WRITE memory access.
==3875==Hint: address points to the zero page.
    #0 0x7fa994ca043f in mozilla::dom::ContentChild::ProcessingError(mozilla::ipc::HasResultCodes::Result, char const*) /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:2382:7
    #1 0x7fa98e770fb4 in mozilla::ipc::MessageChannel::MaybeHandleError(mozilla::ipc::HasResultCodes::Result, IPC::Message const&, char const*) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2536:16
    #2 0x7fa98e76da01 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2063:17
    #3 0x7fa98e76f1fc in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1909:5
    #4 0x7fa98e76f858 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1942:15
    #5 0x7fa98d8a5ca6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
    #6 0x7fa98d8c1240 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #7 0x7fa98e7785e6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:125:5
    #8 0x7fa98e6c6ec9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #9 0x7fa98e6c6ec9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #10 0x7fa98e6c6ec9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #11 0x7fa99546121a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #12 0x7fa9999242bb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:892:22
    #13 0x7fa98e6c6ec9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #14 0x7fa98e6c6ec9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #15 0x7fa98e6c6ec9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #16 0x7fa999923c9a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:718:34
    #17 0x4f6f2c in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #18 0x4f6f2c in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #19 0x7fa9ad44e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:2382:7 in mozilla::dom::ContentChild::ProcessingError(mozilla::ipc::HasResultCodes::Result, char const*)
==3875==ABORTING
Flags: in-testsuite?
Attached file trigger.html
Attachment #8957945 - Attachment is obsolete: true
Are you fuzzing with the pref dom.payments.request.enabled on? This DOM API should be disabled by default: https://dxr.mozilla.org/mozilla-central/search?q=PaymentRequest%3A%3APrefEnabled
Flags: needinfo?(jkratzer)
(In reply to Matthew N. [:MattN] (PM if requests are blocking you) from comment #2)
> Are you fuzzing with the pref dom.payments.request.enabled on? This DOM API
> should be disabled by default:
> https://dxr.mozilla.org/mozilla-central/search?q=PaymentRequest%3A%3APrefEnabled

Yes, this issue was identified with that pref enabled.
Flags: needinfo?(jkratzer)
I can't repro in an ASAN build with e10s enabled and dom.payments.request.enabled set to true. The crash looks like a MOZ_CRASH to me, so should not be a security bug.
Priority: -- → P3
Jason, can you still reproduce this?
Flags: needinfo?(jkratzer)
(In reply to Blake Kaplan (:mrbkap) from comment #5)
> Jason, can you still reproduce this?

It does not.  After bisecting, it looks like it was fixed sometime in the following range:
[2018-08-10 10:56:09] Reduced build range to:
[2018-08-10 10:56:09] > Start: c43177719f368d4316d244cac5382f8cfce3832f (20180316092627)
[2018-08-10 10:56:09] > End: d8e8ec54ed9db4d2e280407a89d8aa8bf747f769 (20180316095355)
Flags: needinfo?(jkratzer)
Closing as WFM, as none of us were able to reproduce.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME