Assertion failure: is<T>(), at obj-firefox/dist/include/mozilla/Variant.h:681 in Telemetry IPC

RESOLVED FIXED in Firefox 63



Last year
11 months ago


(Reporter: Alex_Gaynor, Assigned: janerik)


(Blocks 1 bug)


Firefox Tracking Flags

(firefox62 wontfix, firefox63 fixed)



(1 attachment)

This was found by the IPC fuzzer.

It's not a security issue, but it is a fuzzing-efficiency issue. Ideally the IPC endpoint would return an error, rather than crashing on an assertion failure.

Assertion failure: is<T>(), at /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Variant.h:681
==440==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9ef543fc3c bp 0x7ffdb002fb50 sp 0x7ffdb002f520 T0)
==440==The signal is caused by a WRITE memory access.
==440==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x7f9ef543fc3b in as<unsigned int> obj-firefox/dist/include/mozilla/Variant.h:681:5
    #1 0x7f9ef543fc3b in (anonymous namespace)::internal_ApplyKeyedScalarActions(mozilla::BaseAutoLock<mozilla::StaticMutex> const&, nsTArray<mozilla::Telemetry::KeyedScalarAction> const&, mozilla::Maybe<mozilla::Telemetry::ProcessID> const&) toolkit/components/telemetry/TelemetryScalar.cpp:2088
    #2 0x7f9ef543db2a in TelemetryScalar::UpdateChildKeyedData(mozilla::Telemetry::ProcessID, nsTArray<mozilla::Telemetry::KeyedScalarAction> const&) toolkit/components/telemetry/TelemetryScalar.cpp:3334:3
    #3 0x7f9ef0388086 in mozilla::dom::ContentParent::RecvUpdateChildKeyedScalars(nsTArray<mozilla::Telemetry::KeyedScalarAction>&&) dom/ipc/ContentParent.cpp:5463:3
    #4 0x7f9ee89c069b in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) obj-firefox/ipc/ipdl/PContentParent.cpp:7477:20
    #5 0x7f9ef74912b8 in void mozilla::ipc::FuzzProtocol<mozilla::dom::ContentParent>(mozilla::dom::ContentParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) obj-firefox/dist/include/ProtocolFuzzer.h:49:18
    #6 0x7f9ef7490dda in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:33:3
    #7 0x5925dd in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:517:13
    #8 0x591e5b in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:442:3
    #9 0x59334d in fuzzer::Fuzzer::MutateAndTestOne() tools/fuzzing/libfuzzer/FuzzerLoop.cpp:650:19
    #10 0x593d05 in fuzzer::Fuzzer::Loop(std::vector<std::string, fuzzer::fuzzer_allocator<std::string> > const&) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:773:5
    #11 0x58b3a5 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) tools/fuzzing/libfuzzer/FuzzerDriver.cpp:754:6
    #12 0x7f9ef5738c16 in mozilla::FuzzerRunner::Run(int*, char***) tools/fuzzing/interface/harness/FuzzerRunner.cpp:60:10
    #13 0x7f9ef5655dca in XREMain::XRE_mainStartup(bool*) toolkit/xre/nsAppRunner.cpp:3932:35
    #14 0x7f9ef566a993 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4876:12
    #15 0x7f9ef566c50e in XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4983:21
    #16 0x4f52dc in do_main browser/app/nsBrowserApp.cpp:233:22
    #17 0x4f52dc in main browser/app/nsBrowserApp.cpp:311
    #18 0x7f9f0f10c1c0 in __libc_start_main (/lib/x86_64-linux-gnu/
    #19 0x4248bc in _start (/home/worker/firefox/firefox+0x4248bc)

DEDUP_TOKEN: as<unsigned int>
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV obj-firefox/dist/include/mozilla/Variant.h:681:5 in as<unsigned int>

Command: ./firefox/firefox -print_pcs=1 -handle_segv=0 -handle_bus=0 -handle_abrt=0 ./corpora/ -handle_ill=0 -handle_fpe=0
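The crash in the trace is `Variant::as<T>()` asserting `is<T>()` on a payload whose active alternative was chosen by the sending process: `RecvUpdateChildKeyedScalars` hands the decoded actions to `internal_ApplyKeyedScalarActions`, which extracts an `unsigned int` without first confirming that the variant holds one. The following is an added example, not Firefox code, showing that pattern and the check that avoids it. `std::variant` stands in for `mozilla::Variant`, and `KeyedScalarAction`, `ScalarKind`, the `KindFor` registry and the sample input are simplified stand-ins constructed here (all assumed, not the Telemetry definitions). The unchecked form dies on a type mismatch; the checked form rejects the action with a warning and keeps processing, which is the behaviour the landed patch title describes.

```cpp
// Added example (not Firefox code): validating a tagged-union payload that
// arrives from a less-trusted process before extracting a typed value.
// std::variant stands in for mozilla::Variant; the types below are assumed
// stand-ins for the Telemetry types named in the crash trace.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <variant>
#include <vector>

// Hypothetical kinds of scalar that the receiver expects, keyed by scalar id.
enum class ScalarKind { Count, String, Boolean };

// Payload as decoded from the IPC message. The sender picks the alternative;
// nothing guarantees it matches the kind registered for the scalar id.
using ScalarValue = std::variant<uint32_t, std::string, bool>;

struct KeyedScalarAction {
  uint32_t scalarId;
  std::string key;
  ScalarValue value;
};

// Constructed registry (assumed): which kind each scalar id was declared with.
static ScalarKind KindFor(uint32_t scalarId) {
  switch (scalarId) {
    case 0: return ScalarKind::Count;
    case 1: return ScalarKind::String;
    default: return ScalarKind::Boolean;
  }
}

// "Before": trusts the sender. std::get throws std::bad_variant_access on a
// mismatch; mozilla::Variant::as<T>() asserts is<T>() instead, which is the
// assertion in the report. Either way the receiver does not survive bad input.
uint32_t ApplyCountUnchecked(const KeyedScalarAction& action) {
  return std::get<uint32_t>(action.value);
}

// Reports whether the unchecked path fails on a given action.
bool UncheckedApplyFails(const KeyedScalarAction& action) {
  try {
    (void)ApplyCountUnchecked(action);
    return false;
  } catch (const std::bad_variant_access&) {
    return true;
  }
}

struct ApplyResult {
  size_t applied = 0;
  size_t rejected = 0;
  uint64_t countTotal = 0;  // sum of Count values that were applied
};

// "After": check the active alternative against the scalar's declared kind,
// warn on a mismatch, and continue with the remaining actions.
ApplyResult ApplyKeyedScalarActions(const std::vector<KeyedScalarAction>& actions) {
  ApplyResult result;
  for (const auto& action : actions) {
    bool ok = false;
    switch (KindFor(action.scalarId)) {
      case ScalarKind::Count:
        if (std::holds_alternative<uint32_t>(action.value)) {
          result.countTotal += std::get<uint32_t>(action.value);
          ok = true;
        }
        break;
      case ScalarKind::String:
        ok = std::holds_alternative<std::string>(action.value);
        break;
      case ScalarKind::Boolean:
        ok = std::holds_alternative<bool>(action.value);
        break;
    }
    if (ok) {
      ++result.applied;
    } else {
      ++result.rejected;
      std::cerr << "warning: scalar " << action.scalarId << " key '" << action.key
                << "' carries a value of the wrong type; skipping\n";
    }
  }
  return result;
}

// Constructed input (assumed) in the shape a fuzzer would produce: well-formed
// actions mixed with actions whose alternative does not match the scalar kind.
std::vector<KeyedScalarAction> SampleActions() {
  return {
      {0, "good", ScalarValue{uint32_t{5}}},
      {0, "bad", ScalarValue{std::string("not a count")}},
      {1, "ok", ScalarValue{std::string("text")}},
      {2, "ok", ScalarValue{true}},
      {2, "bad", ScalarValue{uint32_t{1}}},
  };
}

int main() {
  ApplyResult r = ApplyKeyedScalarActions(SampleActions());
  std::cout << "applied=" << r.applied << " rejected=" << r.rejected
            << " countTotal=" << r.countTotal << "\n";
  return 0;
}
```

The check costs one tag comparison per action and turns a process-killing assertion into a logged, skipped record, which is what lets the fuzzer keep exploring past the first malformed message instead of stopping on every one.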

Assignee: nobody → jrediger
Priority: -- → P1
Comment on attachment 8989786 [details]
Bug 1470897 - Catch invalid data, show a warning and continue processing.

Chris H-C :chutten has approved the revision.
Attachment #8989786 - Flags: review+
Hrm, Phabricator Automation doesn't echo back my review message. 

"Can you set up a follow-up mentored bug for adding test coverage for these cases?"

Comment 4

Last year
Pushed by
Catch invalid data, show a warning and continue processing. r=chutten

Comment 5

Last year
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
I'm assuming this isn't something we need to fix in 62.  Please request uplift if I'm wrong.