Bug 1477902
Opened 7 years ago
Closed 7 years ago
MOZ_CRASH: mozilla::ipc::MessageChannel::Close()
Categories
(Firefox :: Untriaged, defect)
RESOLVED
WORKSFORME
People
(Reporter: u473386, Unassigned)
Attachments (1 file): 32 bytes, application/octet-stream
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
Steps to reproduce:
Harmless, but blocks ContentParentIPC fuzzing.
==5527==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f09aea87754 bp 0x7ffc5e46f3b0 sp 0x7ffc5e46f2a0 T0)
==5527==The signal is caused by a WRITE memory access.
==5527==Hint: address points to the zero page.
#0 0x7f09aea87753 in mozilla::ipc::MessageChannel::Close() mozilla-central/ipc/glue/MessageChannel.cpp:2735:13
#1 0x7f09b3e6d716 in mozilla::dom::ContentParent::ShutDownProcess(mozilla::dom::ContentParent::ShutDownMethod) mozilla-central/dom/ipc/ContentParent.cpp:1432:5
#2 0x7f09b3e73f75 in mozilla::dom::ContentParent::RecvFinishShutdown() mozilla-central/dom/ipc/ContentParent.cpp:1461:3
#3 0x7f09aecad13f in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) mozilla-central/obj-fuzz/ipc/ipdl/PContentParent.cpp:6599:20
#4 0x7f09b86af132 in void mozilla::ipc::FuzzProtocol<mozilla::dom::ContentParent>(mozilla::dom::ContentParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) mozilla-central/obj-fuzz/dist/include/ProtocolFuzzer.h:49:18
#5 0x7f09b86aec3a in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) mozilla-central/dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:33:3
Comment 1 • 7 years ago
This fuzzer is best run with the MOZ_IPC_MESSAGE_FUZZ_BLACKLIST environment variable pointed to https://github.com/MozillaSecurity/fuzzdata/blob/master/settings/ipc/libfuzzer.content.blacklist.txt (on disk).
There are several messages that produce uninteresting crashes. FinishShutdown is one example of these.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME