Closed Bug 1470181 Opened Last year Closed Last year

MOZ_RELEASE_ASSERT in deserializing object ids in JS IPC under fuzzing

Categories

(Core :: JavaScript Engine, defect)


Tracking


RESOLVED FIXED
mozilla62
Tracking Status
firefox62 --- fixed

People

(Reporter: Alex_Gaynor, Assigned: Alex_Gaynor)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #1465860 +++

This is not a security issue, but it is a blocker to the efficiency of fuzzing:

==13142==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc367d70267 bp 0x7ffeff1bc190 sp 0x7ffeff1bbe60 T0)
==13142==The signal is caused by a WRITE memory access.
==13142==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x7fc367d70266 in mozilla::jsipc::WrapperOwner::fromRemoteObjectVariant(JSContext*, mozilla::jsipc::RemoteObject const&) /builds/worker/workspace/build/src/js/ipc/WrapperOwner.cpp:1226:12
    #1 0x7fc367d3b945 in mozilla::jsipc::JavaScriptShared::fromVariant(JSContext*, mozilla::jsipc::JSVariant const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/ipc/JavaScriptShared.cpp:319:27
    #2 0x7fc367d408af in mozilla::jsipc::JavaScriptShared::Unwrap(JSContext*, nsTArray<mozilla::jsipc::CpowEntry> const&, JS::MutableHandle<JSObject*>) /builds/worker/workspace/build/src/js/ipc/JavaScriptShared.cpp:730:14
    #3 0x7fc367d40137 in mozilla::jsipc::CrossProcessCpowHolder::~CrossProcessCpowHolder() /builds/worker/workspace/build/src/js/ipc/JavaScriptShared.cpp:697:14
    #4 0x7fc36ed4f750 in mozilla::dom::nsIContentParent::RecvAsyncMessage(nsTString<char16_t> const&, nsTArray<mozilla::jsipc::CpowEntry>&&, IPC::Principal const&, mozilla::dom::ClonedMessageData const&) /builds/worker/workspace/build/src/dom/ipc/nsIContentParent.cpp:346:1
    #5 0x7fc3672c3b19 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentParent.cpp:7769:20
    #6 0x7fc375d97b28 in void mozilla::ipc::FuzzProtocol<mozilla::dom::ContentParent>(mozilla::dom::ContentParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) /builds/worker/workspace/build/src/obj-firefox/dist/include/ProtocolFuzzer.h:49:18
    #7 0x7fc375d9764a in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) /builds/worker/workspace/build/src/dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:33:3
This primarily affects the efficiency of fuzzing.
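The crash above is a write through a null pointer in fromRemoteObjectVariant when an object id carried in a fuzzed message does not resolve to anything the receiving process owns; the landed fix handles that as a deserialization failure instead. The following is an added example, not Mozilla's code: a toy stand-in for the object-id table behind the trace (the WrapperOwner, LocalObject, RemoteObjectVariant, CpowEntry, recvAsyncMessage and fuzzIds names are hypothetical), showing the trusting lookup beside the checked one, all-or-nothing unwrapping of a message's CPOW entries, and a small fuzz-style driver that feeds ids the table never issued and confirms they are rejected rather than crashing.

```cpp
// Added example, not Mozilla's code. Toy model of the JS IPC object-id lookup
// in the trace above; every name here is hypothetical.
#include <cstdint>
#include <memory>
#include <random>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

// Object owned by the receiving process that a remote message may refer to.
struct LocalObject {
    explicit LocalObject(std::string n) : name(std::move(n)) {}
    std::string name;
    unsigned wrapCount = 0;  // how many accepted messages referenced it
};

// Wire form of a remote-object variant: only the id travels over IPC, and the
// id is whatever the sending (possibly fuzzed) process put there.
struct RemoteObjectVariant {
    uint64_t objId;
};

// One CPOW entry of an async message: a name and the variant to unwrap.
struct CpowEntry {
    std::string name;
    RemoteObjectVariant variant;
};

class WrapperOwner {
public:
    // Ids are issued here, so only ids this table has handed out are valid.
    uint64_t registerObject(std::string name) {
        uint64_t id = nextId_++;
        objects_[id] = std::make_unique<LocalObject>(std::move(name));
        return id;
    }

    unsigned wrapCount(uint64_t id) const {
        LocalObject* obj = findObject(id);
        return obj ? obj->wrapCount : 0;
    }

    // Crashing pattern (kept for contrast, never called): the id is trusted, so
    // an id the table never issued yields nullptr and the write faults, like
    // the SEGV at WrapperOwner.cpp:1226 above. A MOZ_RELEASE_ASSERT(obj) would
    // abort instead; for a fuzzer both are a crash on merely malformed input.
    void fromRemoteObjectVariantUnchecked(const RemoteObjectVariant& v) {
        LocalObject* obj = findObject(v.objId);
        obj->wrapCount++;
    }

    // Checked pattern: an unknown id is a deserialization failure reported to
    // the caller, not a bug in this process.
    bool fromRemoteObjectVariant(const RemoteObjectVariant& v, LocalObject** out) const {
        LocalObject* obj = findObject(v.objId);
        if (!obj) {
            return false;
        }
        *out = obj;
        return true;
    }

    // Unwrap every entry of a message, all or nothing: resolve first, publish
    // second, so one bad id leaves no half-built table and touches no object.
    bool unwrap(const std::vector<CpowEntry>& entries,
                std::unordered_map<std::string, LocalObject*>* outTable) const {
        std::unordered_map<std::string, LocalObject*> built;
        for (const CpowEntry& e : entries) {
            LocalObject* obj = nullptr;
            if (!fromRemoteObjectVariant(e.variant, &obj)) {
                return false;
            }
            built[e.name] = obj;
        }
        for (auto& kv : built) {
            kv.second->wrapCount++;
        }
        *outTable = std::move(built);
        return true;
    }

private:
    LocalObject* findObject(uint64_t id) const {
        auto it = objects_.find(id);
        return it == objects_.end() ? nullptr : it->second.get();
    }

    uint64_t nextId_ = 1;
    std::unordered_map<uint64_t, std::unique_ptr<LocalObject>> objects_;
};

// Receiving side of an async message: a message whose CPOWs do not
// deserialize is dropped. Returns whether the message was accepted.
bool recvAsyncMessage(WrapperOwner& owner, const std::vector<CpowEntry>& cpows) {
    std::unordered_map<std::string, LocalObject*> table;
    if (!owner.unwrap(cpows, &table)) {
        return false;  // malformed input from the peer: reject, do not crash
    }
    return true;  // the body would be dispatched with `table` here
}

// Constructed fuzz-style driver: single-entry messages whose ids are drawn from
// a small range, so a few hit issued ids and most do not. Returns how many were
// accepted; every other message was rejected cleanly.
unsigned fuzzIds(WrapperOwner& owner, unsigned iterations, uint64_t seed) {
    std::mt19937_64 rng(seed);
    std::uniform_int_distribution<uint64_t> pick(0, 15);
    unsigned accepted = 0;
    for (unsigned i = 0; i < iterations; ++i) {
        std::vector<CpowEntry> msg = {{"obj", {pick(rng)}}};
        if (recvAsyncMessage(owner, msg)) {
            ++accepted;
        }
    }
    return accepted;
}
```

The two properties worth keeping when porting the idea to real code are visible in the test below: a message with one unresolvable id is rejected as a whole and leaves the objects named by its valid entries untouched, and after any number of random ids the per-object reference count has moved by exactly the number of accepted messages, so nothing ran on malformed input.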
Comment on attachment 8986782 [details]
Bug 1470181 - handle deserialization failure gracefully in JS IPC; r?evilpie

Tom Schuster [:evilpie] has approved the revision.

https://phabricator.services.mozilla.com/D1751
Attachment #8986782 - Flags: review+
Keywords: checkin-needed
Pushed by rvandermeulen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/91899c39ed9e
handle deserialization failure gracefully in JS IPC; r=evilpie
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/91899c39ed9e
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla62