Assertion failure: is<T>(), at obj-firefox/dist/include/mozilla/Variant.h:681 in Telemetry IPC

RESOLVED FIXED in Firefox 63

Status

Type: defect
Priority: P1
Severity: normal
Status: RESOLVED FIXED
Reported: 10 months ago
Modified: 9 months ago

People

Reporter: Alex_Gaynor
Assignee: janerik

Tracking

Blocks: 1 bug
Version: Trunk
Target Milestone: mozilla63

Firefox Tracking Flags

(firefox62 wontfix, firefox63 fixed)

Attachments

1 attachment

Description (Reporter Alex_Gaynor, 10 months ago)
This was found by the IPC fuzzer.

It's not a security issue, but it is a fuzzing-efficiency issue. Ideally the IPC endpoint would return an error, rather than crashing on an assertion failure.

Assertion failure: is<T>(), at /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Variant.h:681
==440==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9ef543fc3c bp 0x7ffdb002fb50 sp 0x7ffdb002f520 T0)
==440==The signal is caused by a WRITE memory access.
==440==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x7f9ef543fc3b in as<unsigned int> obj-firefox/dist/include/mozilla/Variant.h:681:5
    #1 0x7f9ef543fc3b in (anonymous namespace)::internal_ApplyKeyedScalarActions(mozilla::BaseAutoLock<mozilla::StaticMutex> const&, nsTArray<mozilla::Telemetry::KeyedScalarAction> const&, mozilla::Maybe<mozilla::Telemetry::ProcessID> const&) toolkit/components/telemetry/TelemetryScalar.cpp:2088
    #2 0x7f9ef543db2a in TelemetryScalar::UpdateChildKeyedData(mozilla::Telemetry::ProcessID, nsTArray<mozilla::Telemetry::KeyedScalarAction> const&) toolkit/components/telemetry/TelemetryScalar.cpp:3334:3
    #3 0x7f9ef0388086 in mozilla::dom::ContentParent::RecvUpdateChildKeyedScalars(nsTArray<mozilla::Telemetry::KeyedScalarAction>&&) dom/ipc/ContentParent.cpp:5463:3
    #4 0x7f9ee89c069b in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) obj-firefox/ipc/ipdl/PContentParent.cpp:7477:20
    #5 0x7f9ef74912b8 in void mozilla::ipc::FuzzProtocol<mozilla::dom::ContentParent>(mozilla::dom::ContentParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) obj-firefox/dist/include/ProtocolFuzzer.h:49:18
    #6 0x7f9ef7490dda in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:33:3
    #7 0x5925dd in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:517:13
    #8 0x591e5b in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:442:3
    #9 0x59334d in fuzzer::Fuzzer::MutateAndTestOne() tools/fuzzing/libfuzzer/FuzzerLoop.cpp:650:19
    #10 0x593d05 in fuzzer::Fuzzer::Loop(std::vector<std::string, fuzzer::fuzzer_allocator<std::string> > const&) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:773:5
    #11 0x58b3a5 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) tools/fuzzing/libfuzzer/FuzzerDriver.cpp:754:6
    #12 0x7f9ef5738c16 in mozilla::FuzzerRunner::Run(int*, char***) tools/fuzzing/interface/harness/FuzzerRunner.cpp:60:10
    #13 0x7f9ef5655dca in XREMain::XRE_mainStartup(bool*) toolkit/xre/nsAppRunner.cpp:3932:35
    #14 0x7f9ef566a993 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4876:12
    #15 0x7f9ef566c50e in XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4983:21
    #16 0x4f52dc in do_main browser/app/nsBrowserApp.cpp:233:22
    #17 0x4f52dc in main browser/app/nsBrowserApp.cpp:311
    #18 0x7f9f0f10c1c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
    #19 0x4248bc in _start (/home/worker/firefox/firefox+0x4248bc)

DEDUP_TOKEN: as<unsigned int>
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV obj-firefox/dist/include/mozilla/Variant.h:681:5 in as<unsigned int>

Command: ./firefox/firefox -print_pcs=1 -handle_segv=0 -handle_bus=0 -handle_abrt=0 ./corpora/ -handle_ill=0 -handle_fpe=0

==440==ABORTING
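The crash above is the classic shape of an untrusted-IPC bug: the parent process takes a variant payload from a child message, calls as<T>() on it, and the Variant's internal assertion aborts the parent when the wire-provided type does not match. The following is an added illustration of that pattern and of the fix the attached commit describes (validate, warn, continue); it is not Mozilla's code and not part of this bug. std::variant stands in for mozilla::Variant (std::holds_alternative plays the role of is<T>(), std::get of as<T>()), and the KeyedScalarAction layout, the scalar registry, the store and the warning messages are all assumptions made for the example.

```cpp
// Added example, not Mozilla code: a minimal model of the keyed-scalar IPC
// path from the crash above. ScalarValue, KeyedScalarAction, the registry and
// the store are assumptions; std::variant stands in for mozilla::Variant.
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <variant>
#include <vector>

// Payload of one action as it arrives from the child process.
using ScalarValue = std::variant<uint32_t, std::string, bool>;

enum class ScalarKind { Count, String, Boolean };

struct KeyedScalarAction {
    uint32_t    scalarId; // which scalar the child claims to update
    std::string key;      // keyed scalars are indexed by a string key
    ScalarValue value;    // wire-provided payload; its type is untrusted
};

// Constructed registry: id 0 is a count scalar, id 1 a string scalar.
static const std::vector<ScalarKind> kScalarKinds = {
    ScalarKind::Count, ScalarKind::String,
};

// Parent-side store keyed by "<id>/<key>" (constructed for the example).
using ScalarStore = std::map<std::string, ScalarValue>;

struct ApplyResult {
    size_t applied = 0;
    size_t rejected = 0;
};

// Pre-fix pattern, kept for contrast: the variant's type is taken on trust.
// mozilla::Variant::as<T>() asserts (the crash above); std::get throws
// std::bad_variant_access. Either way one bad message from a child process
// stops the parent from processing the rest of the batch.
static uint32_t unchecked_count(const KeyedScalarAction& a) {
    return std::get<uint32_t>(a.value);
}

// is<T>()-style check against what the registry says the scalar holds.
static bool payload_matches(ScalarKind kind, const ScalarValue& v) {
    switch (kind) {
        case ScalarKind::Count:   return std::holds_alternative<uint32_t>(v);
        case ScalarKind::String:  return std::holds_alternative<std::string>(v);
        case ScalarKind::Boolean: return std::holds_alternative<bool>(v);
    }
    return false;
}

// Post-fix pattern: validate the id and the payload type before extracting,
// warn, and keep going with the remaining actions instead of aborting.
static ApplyResult apply_keyed_scalar_actions(
        const std::vector<KeyedScalarAction>& actions, ScalarStore& store) {
    ApplyResult r;
    for (const auto& a : actions) {
        if (a.scalarId >= kScalarKinds.size()) {
            std::fprintf(stderr, "warning: unknown scalar id %u, skipping\n",
                         static_cast<unsigned>(a.scalarId));
            ++r.rejected;
            continue;
        }
        if (!payload_matches(kScalarKinds[a.scalarId], a.value)) {
            std::fprintf(stderr,
                         "warning: payload type mismatch for scalar %u key '%s', skipping\n",
                         static_cast<unsigned>(a.scalarId), a.key.c_str());
            ++r.rejected;
            continue;
        }
        // Only now is the as<T>()-style extraction safe.
        const std::string slot = std::to_string(a.scalarId) + "/" + a.key;
        if (kScalarKinds[a.scalarId] == ScalarKind::Count) {
            auto it = store.find(slot);
            uint32_t prev = (it == store.end()) ? 0u : std::get<uint32_t>(it->second);
            store[slot] = ScalarValue{static_cast<uint32_t>(prev + std::get<uint32_t>(a.value))};
        } else {
            store[slot] = a.value;
        }
        ++r.applied;
    }
    return r;
}

// Constructed batch mimicking what a fuzzer (or a compromised child) could send.
static std::vector<KeyedScalarAction> sample_batch() {
    return {
        {0,  "tabs", ScalarValue{uint32_t{3}}},  // valid count update
        {0,  "tabs", ScalarValue{uint32_t{2}}},  // valid, accumulates to 5
        {1,  "name", ScalarValue{uint32_t{7}}},  // string scalar with uint32 payload
        {99, "x",    ScalarValue{true}},         // unknown scalar id
    };
}

int main() {
    ScalarStore store;
    const auto batch = sample_batch();
    ApplyResult r = apply_keyed_scalar_actions(batch, store);
    std::printf("applied=%zu rejected=%zu tabs=%u first=%u\n", r.applied, r.rejected,
                static_cast<unsigned>(std::get<uint32_t>(store["0/tabs"])),
                static_cast<unsigned>(unchecked_count(batch[0])));
    return 0;
}
```

The two rejected actions are exactly the inputs that would have tripped the assertion in the unchecked version; with the check in place the parent logs a warning and the valid updates in the same batch are still applied, which is what lets the fuzzer keep exploring instead of stopping on every malformed message.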
Updated (Assignee, 10 months ago)
Assignee: nobody → jrediger
Priority: -- → P1
Comment 1 (Assignee, 10 months ago)

MozReview-Commit-ID: GbbBarULSOR

Comment on attachment 8989786 [details]
Bug 1470897 - Catch invalid data, show a warning and continue processing.

Chris H-C :chutten has approved the revision.

https://phabricator.services.mozilla.com/D1951
Attachment #8989786 - Flags: review+

Comment 3 (10 months ago)
Hrm, Phabricator Automation doesn't echo back my review message. 

"Can you set up a follow-up mentored bug for adding test coverage for these cases?"

Comment 4 (10 months ago)
Pushed by jrediger@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3bc036e4200b
Catch invalid data, show a warning and continue processing. r=chutten
Updated (Assignee, 10 months ago)
Blocks: 1473520

Comment 5 (bugherder, 10 months ago)
https://hg.mozilla.org/mozilla-central/rev/3bc036e4200b
Status: NEW → RESOLVED
Last Resolved: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63

I'm assuming this isn't something we need to fix in 62. Please request uplift if I'm wrong.