Closed
Bug 1470181
Opened 6 years ago
Closed 6 years ago
MOZ_RELEASE_ASSERT in deserializing object ids in JS IPC under fuzzing
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla62
| Tracking | Status | |
|---|---|---|
| firefox62 | --- | fixed |
People
(Reporter: Alex_Gaynor, Assigned: Alex_Gaynor)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
+++ This bug was initially created as a clone of Bug #1465860 +++ This is not a security issue, but it is a blocker to the efficiency of fuzzing: ==13142==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc367d70267 bp 0x7ffeff1bc190 sp 0x7ffeff1bbe60 T0) ==13142==The signal is caused by a WRITE memory access. ==13142==Hint: address points to the zero page. SCARINESS: 10 (null-deref) #0 0x7fc367d70266 in mozilla::jsipc::WrapperOwner::fromRemoteObjectVariant(JSContext*, mozilla::jsipc::RemoteObject const&) /builds/worker/workspace/build/src/js/ipc/WrapperOwner.cpp:1226:12 #1 0x7fc367d3b945 in mozilla::jsipc::JavaScriptShared::fromVariant(JSContext*, mozilla::jsipc::JSVariant const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/ipc/JavaScriptShared.cpp:319:27 #2 0x7fc367d408af in mozilla::jsipc::JavaScriptShared::Unwrap(JSContext*, nsTArray<mozilla::jsipc::CpowEntry> const&, JS::MutableHandle<JSObject*>) /builds/worker/workspace/build/src/js/ipc/JavaScriptShared.cpp:730:14 #3 0x7fc367d40137 in mozilla::jsipc::CrossProcessCpowHolder::~CrossProcessCpowHolder() /builds/worker/workspace/build/src/js/ipc/JavaScriptShared.cpp:697:14 #4 0x7fc36ed4f750 in mozilla::dom::nsIContentParent::RecvAsyncMessage(nsTString<char16_t> const&, nsTArray<mozilla::jsipc::CpowEntry>&&, IPC::Principal const&, mozilla::dom::ClonedMessageData const&) /builds/worker/workspace/build/src/dom/ipc/nsIContentParent.cpp:346:1 #5 0x7fc3672c3b19 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentParent.cpp:7769:20 #6 0x7fc375d97b28 in void mozilla::ipc::FuzzProtocol<mozilla::dom::ContentParent>(mozilla::dom::ContentParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) /builds/worker/workspace/build/src/obj-firefox/dist/include/ProtocolFuzzer.h:49:18 #7 0x7fc375d9764a in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) /builds/worker/workspace/build/src/dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:33:3
|
||
Comment 1•6 years ago
|
||
This primarily effects the efficiency of fuzzing.
|
|
||
Comment 2•6 years ago
|
||
Comment on attachment 8986782 [details] Bug 1470181 - handle deserialization failure gracefully in JS IPC; r?evilpie Tom Schuster [:evilpie] has approved the revision. https://phabricator.services.mozilla.com/D1751
Attachment #8986782 -
Flags: review+
|
Assignee | |
Updated•6 years ago
|
Keywords: checkin-needed
Pushed by rvandermeulen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/91899c39ed9e handle deserialization failure gracefully in JS IPC; r=evilpie
Keywords: checkin-needed
|
||
Comment 4•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/91899c39ed9e
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
You need to log in
before you can comment on or make changes to this bug.
Description
•