Closed
Bug 1470181
Opened 6 years ago
Closed 6 years ago
MOZ_RELEASE_ASSERT in deserializing object ids in JS IPC under fuzzing
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED FIXED, target milestone mozilla62
 | Tracking | Status
---|---|---
firefox62 | --- | fixed
People: Reporter: Alex_Gaynor, Assigned: Alex_Gaynor
References: Blocks 1 open bug
Attachments: 1 file
+++ This bug was initially created as a clone of Bug #1465860 +++
This is not a security issue, but it is a blocker to the efficiency of fuzzing:
==13142==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc367d70267 bp 0x7ffeff1bc190 sp 0x7ffeff1bbe60 T0)
==13142==The signal is caused by a WRITE memory access.
==13142==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
#0 0x7fc367d70266 in mozilla::jsipc::WrapperOwner::fromRemoteObjectVariant(JSContext*, mozilla::jsipc::RemoteObject const&) /builds/worker/workspace/build/src/js/ipc/WrapperOwner.cpp:1226:12
#1 0x7fc367d3b945 in mozilla::jsipc::JavaScriptShared::fromVariant(JSContext*, mozilla::jsipc::JSVariant const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/ipc/JavaScriptShared.cpp:319:27
#2 0x7fc367d408af in mozilla::jsipc::JavaScriptShared::Unwrap(JSContext*, nsTArray<mozilla::jsipc::CpowEntry> const&, JS::MutableHandle<JSObject*>) /builds/worker/workspace/build/src/js/ipc/JavaScriptShared.cpp:730:14
#3 0x7fc367d40137 in mozilla::jsipc::CrossProcessCpowHolder::~CrossProcessCpowHolder() /builds/worker/workspace/build/src/js/ipc/JavaScriptShared.cpp:697:14
#4 0x7fc36ed4f750 in mozilla::dom::nsIContentParent::RecvAsyncMessage(nsTString<char16_t> const&, nsTArray<mozilla::jsipc::CpowEntry>&&, IPC::Principal const&, mozilla::dom::ClonedMessageData const&) /builds/worker/workspace/build/src/dom/ipc/nsIContentParent.cpp:346:1
#5 0x7fc3672c3b19 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentParent.cpp:7769:20
#6 0x7fc375d97b28 in void mozilla::ipc::FuzzProtocol<mozilla::dom::ContentParent>(mozilla::dom::ContentParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) /builds/worker/workspace/build/src/obj-firefox/dist/include/ProtocolFuzzer.h:49:18
#7 0x7fc375d9764a in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) /builds/worker/workspace/build/src/dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:33:3
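The trace above shows the receiving side dereferencing a null pointer while turning an object id from the wire into a live object, after a fuzzer handed it a message that named an id it did not hold. The example below is added here to illustrate that robustness principle in a self-contained form; it is not Gecko code, not the patch attached to this bug, and `RemoteObject`, `ObjectTable`, `ParseVariant`, `FromVariantUnchecked`, `FromVariantChecked` and `RunHarness` are constructed names with a constructed nine-byte wire format. It contrasts a lookup that trusts every id on the wire with one that reports a missing id as a malformed message, so a fuzz harness counts a rejection and keeps running instead of crashing the process.

```cpp
#include <cstdint>
#include <map>
#include <memory>
#include <optional>
#include <string>
#include <vector>

// Constructed stand-in for a cross-process object table keyed by object id.
// This is an illustration, not Gecko's WrapperOwner or JavaScriptShared.
struct RemoteObject {
    std::string name;
};

using ObjectTable = std::map<uint64_t, std::shared_ptr<RemoteObject>>;

// Constructed wire format for one variant: 1 byte kind, then 8-byte LE id.
enum class VariantKind : uint8_t { Undefined = 0, ObjectId = 1 };

struct Variant {
    VariantKind kind;
    uint64_t id;
};

// Stage 1: decode raw bytes. Truncated messages and unknown kinds stop here.
std::optional<Variant> ParseVariant(const std::vector<uint8_t>& bytes) {
    if (bytes.empty()) return std::nullopt;
    if (bytes[0] == static_cast<uint8_t>(VariantKind::Undefined)) {
        return Variant{VariantKind::Undefined, 0};
    }
    if (bytes[0] != static_cast<uint8_t>(VariantKind::ObjectId) || bytes.size() < 9) {
        return std::nullopt;
    }
    uint64_t id = 0;
    for (int i = 0; i < 8; ++i) id |= static_cast<uint64_t>(bytes[1 + i]) << (8 * i);
    return Variant{VariantKind::ObjectId, id};
}

// Stage 2, fragile form: trusts that every id on the wire is live. operator[]
// on std::map inserts a null entry for an unknown id, so the caller's first
// use of the result is a null dereference, the crash shape in the ASan
// report. Kept only for contrast; the harness never calls it.
RemoteObject* FromVariantUnchecked(ObjectTable& table, const Variant& v) {
    return table[v.id].get();
}

// Stage 2, robust form: an unknown id is a malformed message and is reported
// to the caller as failure instead of aborting the receiving process.
bool FromVariantChecked(const ObjectTable& table, const Variant& v,
                        std::shared_ptr<RemoteObject>& out) {
    if (v.kind != VariantKind::ObjectId) return false;
    auto it = table.find(v.id);
    if (it == table.end() || !it->second) return false;
    out = it->second;
    return true;
}

// Minimal harness: run each message through both stages and count outcomes.
struct HarnessStats {
    int accepted = 0;
    int rejected = 0;
};

HarnessStats RunHarness(const ObjectTable& table,
                        const std::vector<std::vector<uint8_t>>& messages) {
    HarnessStats stats;
    for (const auto& msg : messages) {
        std::optional<Variant> v = ParseVariant(msg);
        std::shared_ptr<RemoteObject> obj;
        if (v && FromVariantChecked(table, *v, obj)) {
            ++stats.accepted;
        } else {
            ++stats.rejected;  // message dropped, fuzzing continues
        }
    }
    return stats;
}

// Builds a constructed ObjectId message for a given id.
std::vector<uint8_t> ObjectIdMessage(uint64_t id) {
    std::vector<uint8_t> m(9, 0);
    m[0] = static_cast<uint8_t>(VariantKind::ObjectId);
    for (int i = 0; i < 8; ++i) m[1 + i] = static_cast<uint8_t>(id >> (8 * i));
    return m;
}

// Constructed table holding two live objects (ids 1 and 2).
ObjectTable SampleTable() {
    ObjectTable t;
    t[1] = std::make_shared<RemoteObject>(RemoteObject{"window"});
    t[2] = std::make_shared<RemoteObject>(RemoteObject{"document"});
    return t;
}
```

Feeding `RunHarness` one valid id, one unknown id, a truncated message, an unknown kind byte and an `Undefined` variant yields one accepted and four rejected messages; the fragile `FromVariantUnchecked` would instead have turned the unknown id into a null entry for the caller to dereference.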
Comment 1•6 years ago
This primarily affects the efficiency of fuzzing.
Comment 2•6 years ago
Comment on attachment 8986782 [details]
Bug 1470181 - handle deserialization failure gracefully in JS IPC; r?evilpie
Tom Schuster [:evilpie] has approved the revision.
https://phabricator.services.mozilla.com/D1751
Attachment #8986782 - Flags: review+
Updated•6 years ago
Keywords: checkin-needed
Pushed by rvandermeulen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/91899c39ed9e
handle deserialization failure gracefully in JS IPC; r=evilpie
Keywords: checkin-needed
Comment 4•6 years ago
bugherder:
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62