Closed Bug 1470897 Opened 6 years ago Closed 6 years ago

Assertion failure: is<T>(), at obj-firefox/dist/include/mozilla/Variant.h:681 in Telemetry IPC

Categories: Toolkit :: Telemetry, defect, P1

Tracking: RESOLVED FIXED, mozilla63
Tracking Status: firefox62 --- wontfix; firefox63 --- fixed

People: Reporter: Alex_Gaynor, Assigned: janerik

References: Blocks 1 open bug

Attachments: 1 file

This was found by the IPC fuzzer.

It's not a security issue, but it is a fuzzing-efficiency issue. Ideally the IPC endpoint would return an error, rather than crashing on an assertion failure.

Assertion failure: is<T>(), at /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Variant.h:681
==440==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9ef543fc3c bp 0x7ffdb002fb50 sp 0x7ffdb002f520 T0)
==440==The signal is caused by a WRITE memory access.
==440==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x7f9ef543fc3b in as<unsigned int> obj-firefox/dist/include/mozilla/Variant.h:681:5
    #1 0x7f9ef543fc3b in (anonymous namespace)::internal_ApplyKeyedScalarActions(mozilla::BaseAutoLock<mozilla::StaticMutex> const&, nsTArray<mozilla::Telemetry::KeyedScalarAction> const&, mozilla::Maybe<mozilla::Telemetry::ProcessID> const&) toolkit/components/telemetry/TelemetryScalar.cpp:2088
    #2 0x7f9ef543db2a in TelemetryScalar::UpdateChildKeyedData(mozilla::Telemetry::ProcessID, nsTArray<mozilla::Telemetry::KeyedScalarAction> const&) toolkit/components/telemetry/TelemetryScalar.cpp:3334:3
    #3 0x7f9ef0388086 in mozilla::dom::ContentParent::RecvUpdateChildKeyedScalars(nsTArray<mozilla::Telemetry::KeyedScalarAction>&&) dom/ipc/ContentParent.cpp:5463:3
    #4 0x7f9ee89c069b in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) obj-firefox/ipc/ipdl/PContentParent.cpp:7477:20
    #5 0x7f9ef74912b8 in void mozilla::ipc::FuzzProtocol<mozilla::dom::ContentParent>(mozilla::dom::ContentParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) obj-firefox/dist/include/ProtocolFuzzer.h:49:18
    #6 0x7f9ef7490dda in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:33:3
    #7 0x5925dd in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:517:13
    #8 0x591e5b in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:442:3
    #9 0x59334d in fuzzer::Fuzzer::MutateAndTestOne() tools/fuzzing/libfuzzer/FuzzerLoop.cpp:650:19
    #10 0x593d05 in fuzzer::Fuzzer::Loop(std::vector<std::string, fuzzer::fuzzer_allocator<std::string> > const&) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:773:5
    #11 0x58b3a5 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) tools/fuzzing/libfuzzer/FuzzerDriver.cpp:754:6
    #12 0x7f9ef5738c16 in mozilla::FuzzerRunner::Run(int*, char***) tools/fuzzing/interface/harness/FuzzerRunner.cpp:60:10
    #13 0x7f9ef5655dca in XREMain::XRE_mainStartup(bool*) toolkit/xre/nsAppRunner.cpp:3932:35
    #14 0x7f9ef566a993 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4876:12
    #15 0x7f9ef566c50e in XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4983:21
    #16 0x4f52dc in do_main browser/app/nsBrowserApp.cpp:233:22
    #17 0x4f52dc in main browser/app/nsBrowserApp.cpp:311
    #18 0x7f9f0f10c1c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
    #19 0x4248bc in _start (/home/worker/firefox/firefox+0x4248bc)

DEDUP_TOKEN: as<unsigned int>
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV obj-firefox/dist/include/mozilla/Variant.h:681:5 in as<unsigned int>

Command: ./firefox/firefox -print_pcs=1 -handle_segv=0 -handle_bus=0 -handle_abrt=0 ./corpora/ -handle_ill=0 -handle_fpe=0

==440==ABORTING
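The pattern behind the assertion and the fix the commit message describes (validate the variant's alternative before using it, warn and skip the action), as an added example that is not Mozilla's code: ScalarKind, KeyedScalarAction, ApplyResult and RunConstructedSample are hypothetical stand-ins, with std::variant in place of mozilla::Variant.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <variant>
#include <vector>

// Constructed stand-ins (hypothetical, not Mozilla's types): std::variant plays the
// role of mozilla::Variant, whose as<T>() asserts is<T>() and aborts on mismatch.
enum class ScalarKind { Uint, String, Bool };
using ScalarVariant = std::variant<uint32_t, std::string, bool>;
struct KeyedScalarAction {
  ScalarKind kind;     // type the parent expects for this scalar id
  std::string key;
  ScalarVariant data;  // payload deserialized from the (untrusted) child message
};
struct ApplyResult { std::size_t applied = 0; std::size_t rejected = 0; };

// Crash pattern: reading data as uint32_t without checking the alternative.
// mozilla::Variant asserts here; std::get throws. Either way one bad IPC message is fatal.
uint32_t UnsafeAsUint(const KeyedScalarAction& a) { return std::get<uint32_t>(a.data); }

// Hardened loop: verify the alternative matches the declared kind, warn and continue,
// which is the behaviour the fix's commit message describes.
ApplyResult ApplyKeyedScalarActions(const std::vector<KeyedScalarAction>& actions) {
  ApplyResult r;
  for (const auto& a : actions) {
    bool ok = false;
    switch (a.kind) {
      case ScalarKind::Uint:   ok = std::holds_alternative<uint32_t>(a.data); break;
      case ScalarKind::String: ok = std::holds_alternative<std::string>(a.data); break;
      case ScalarKind::Bool:   ok = std::holds_alternative<bool>(a.data); break;
    }
    if (!ok) {
      std::fprintf(stderr, "Warning: keyed scalar '%s' has data of the wrong type, skipping\n", a.key.c_str());
      r.rejected++;
      continue;  // malformed child data is dropped; the parent keeps running
    }
    r.applied++;  // real code would update the keyed scalar store here
  }
  return r;
}

// Constructed sample: the second action mimics the fuzzed message (uint scalar, string payload).
ApplyResult RunConstructedSample() {
  std::vector<KeyedScalarAction> acts = {
    {ScalarKind::Uint, "ok_uint", uint32_t{7}},
    {ScalarKind::Uint, "bad_uint", std::string("not a number")},
    {ScalarKind::Bool, "ok_bool", true}};
  return ApplyKeyedScalarActions(acts);
}
```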
Assignee: nobody → jrediger
Priority: -- → P1
Comment on attachment 8989786 [details]
Bug 1470897 - Catch invalid data, show a warning and continue processing.

Chris H-C :chutten has approved the revision.

https://phabricator.services.mozilla.com/D1951
Attachment #8989786 - Flags: review+
Hrm, Phabricator Automation doesn't echo back my review message. 

"Can you set up a follow-up mentored bug for adding test coverage for these cases?"
Pushed by jrediger@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3bc036e4200b
Catch invalid data, show a warning and continue processing. r=chutten
Blocks: 1473520
https://hg.mozilla.org/mozilla-central/rev/3bc036e4200b
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
I'm assuming this isn't something we need to fix in 62.  Please request uplift if I'm wrong.