Closed Bug 1477906 Opened 7 years ago Closed 7 years ago

ContentParentIPC fuzzer messages

Categories

(Firefox :: Untriaged, defect)

defect
Not set
normal


RESOLVED WORKSFORME

People

(Reporter: u473386, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

Steps to reproduce:

While fuzzing ContentParentIPC I noticed many error messages like those. I assume that's intentional or expected.

IPDL protocol error: Handler returned error code!
###!!! [Unknown][MessageChannel::Send] Error: Need a route
(firefox:6236): Gtk-CRITICAL **: gtk_clipboard_get_for_display: assertion 'display != NULL' failed

Also this.

INFO: libFuzzer disabled leak detection after every mutation. Most likely the target function accumulates allocated memory in a global state w/o actually leaking it. You may try running this binary with -trace_malloc=[12] to get a trace of mallocs and frees. If LeakSanitizer is enabled in this process it will still run on the process shutdown.

Running with the flags, it appears the mallocs without matching frees are primarily as below.

#7 0x36497d in moz_xmalloc mozilla-central/memory/mozalloc/mozalloc.cpp:70:17
#8 0x7f34b42186b3 in __gnu_cxx::_Hashtable_node<std::pair<int const, nsCOMPtr<nsIEventTarget> > >** std::vector<__gnu_cxx::_Hashtable_node<std::pair<int const, nsCOMPtr<nsIEventTarget> > >*, std::allocator<__gnu_cxx::_Hashtable_node<std::pair<int const, nsCOMPtr<nsIEventTarget> > >*> >::_M_allocate_and_copy<std::move_iterator<__gnu_cxx::_Hashtable_node<std::pair<int const, nsCOMPtr<nsIEventTarget> > >**> >(unsigned long, std::move_iterator<__gnu_cxx::_Hashtable_node<std::pair<int const, nsCOMPtr<nsIEventTarget> > >**>, std::move_iterator<__gnu_cxx::_Hashtable_node<std::pair<int const, nsCOMPtr<nsIEventTarget> > >**>) /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_vector.h:1224:29
#9 0x7f34b42180e5 in std::vector<__gnu_cxx::_Hashtable_node<std::pair<int const, nsCOMPtr<nsIEventTarget> > >*, std::allocator<__gnu_cxx::_Hashtable_node<std::pair<int const, nsCOMPtr<nsIEventTarget> > >*> >::reserve(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/vector.tcc:73:20
#10 0x7f34b4217e9c in __gnu_cxx::hashtable<std::pair<int const, nsCOMPtr<nsIEventTarget> >, int, __gnu_cxx::hash<int>, std::_Select1st<std::pair<int const, nsCOMPtr<nsIEventTarget> > >, std::equal_to<int>, std::allocator<nsCOMPtr<nsIEventTarget> > >::_M_initialize_buckets(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/backward/hashtable.h:594:13
#11 0x7f34b4217cd2 in __gnu_cxx::hashtable<std::pair<int const, nsCOMPtr<nsIEventTarget> >, int, __gnu_cxx::hash<int>, std::_Select1st<std::pair<int const, nsCOMPtr<nsIEventTarget> > >, std::equal_to<int>, std::allocator<nsCOMPtr<nsIEventTarget> > >::hashtable(unsigned long, __gnu_cxx::hash<int> const&, std::equal_to<int> const&, std::allocator<std::pair<int const, nsCOMPtr<nsIEventTarget> > > const&) /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/backward/hashtable.h:349:9
#12 0x7f34b4217b0c in __gnu_cxx::hash_map<int, nsCOMPtr<nsIEventTarget>, __gnu_cxx::hash<int>, std::equal_to<int>, std::allocator<nsCOMPtr<nsIEventTarget> > >::hash_map() /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/ext/hash_map:125:9
#13 0x7f34b41e5a16 in mozilla::ipc::IToplevelProtocol::ToplevelState::ToplevelState(char const*, mozilla::ipc::IToplevelProtocol*, mozilla::ipc::Side) mozilla-central/ipc/glue/ProtocolUtils.cpp:838:35
#14 0x7f34b41f5f4e in mozilla::detail::UniqueSelector<mozilla::ipc::IToplevelProtocol::ToplevelState>::SingleObject mozilla::MakeUnique<mozilla::ipc::IToplevelProtocol::ToplevelState, char const*&, mozilla::ipc::IToplevelProtocol*, mozilla::ipc::Side&>(char const*&, mozilla::ipc::IToplevelProtocol*&&, mozilla::ipc::Side&) mozilla-central/obj-fuzz/dist/include/mozilla/UniquePtr.h:680:27
#15 0x7f34b41e46c3 in mozilla::ipc::IToplevelProtocol::IToplevelProtocol(char const*, IPCMessageStart, mozilla::ipc::Side) mozilla-central/ipc/glue/ProtocolUtils.cpp:677:22
#16 0x7f34b43ebe36 in mozilla::dom::PContentParent::PContentParent() mozilla-central/obj-fuzz/ipc/ipdl/PContentParent.cpp:256:5
#17 0x7f34b95cf51e in mozilla::dom::ContentParent::ContentParent(mozilla::dom::ContentParent*, nsTSubstring<char16_t> const&, int) mozilla-central/dom/ipc/ContentParent.cpp:2152:16
#18 0x7f34bce05a13 in mozilla::ipc::ProtocolFuzzerHelper::CreateContentParent(mozilla::dom::ContentParent*, nsTSubstring<char16_t> const&) mozilla-central/tools/fuzzing/ipc/ProtocolFuzzer.cpp:28:18
#19 0x7f34bde03cd6 in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) mozilla-central/dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:27:5

#7 0x36497d in moz_xmalloc mozilla-central/memory/mozalloc/mozalloc.cpp:70:17
#8 0x7f34b4200f38 in std::_Deque_base<IPC::MessageInfo, std::allocator<IPC::MessageInfo> >::_M_allocate_map(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_deque.h:615:9
#9 0x7f34b4200c60 in std::_Deque_base<IPC::MessageInfo, std::allocator<IPC::MessageInfo> >::_M_initialize_map(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_deque.h:688:30
#10 0x7f34b41cd4e1 in mozilla::ipc::MessageChannel::MessageChannel(char const*, mozilla::ipc::IToplevelProtocol*) mozilla-central/ipc/glue/MessageChannel.cpp:507:17
#11 0x7f34b41f5f4e in mozilla::detail::UniqueSelector<mozilla::ipc::IToplevelProtocol::ToplevelState>::SingleObject mozilla::MakeUnique<mozilla::ipc::IToplevelProtocol::ToplevelState, char const*&, mozilla::ipc::IToplevelProtocol*, mozilla::ipc::Side&>(char const*&, mozilla::ipc::IToplevelProtocol*&&, mozilla::ipc::Side&) mozilla-central/obj-fuzz/dist/include/mozilla/UniquePtr.h:680:27
#12 0x7f34b41e46c3 in mozilla::ipc::IToplevelProtocol::IToplevelProtocol(char const*, IPCMessageStart, mozilla::ipc::Side) mozilla-central/ipc/glue/ProtocolUtils.cpp:677:22
#13 0x7f34b43ebe36 in mozilla::dom::PContentParent::PContentParent() mozilla-central/obj-fuzz/ipc/ipdl/PContentParent.cpp:256:5
#14 0x7f34b95cf51e in mozilla::dom::ContentParent::ContentParent(mozilla::dom::ContentParent*, nsTSubstring<char16_t> const&, int) mozilla-central/dom/ipc/ContentParent.cpp:2152:16
#15 0x7f34bce05a13 in mozilla::ipc::ProtocolFuzzerHelper::CreateContentParent(mozilla::dom::ContentParent*, nsTSubstring<char16_t> const&) mozilla-central/tools/fuzzing/ipc/ProtocolFuzzer.cpp:28:18
#16 0x7f34bde03cd6 in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) mozilla-central/dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:27:5

#7 0x36497d in moz_xmalloc mozilla-central/memory/mozalloc/mozalloc.cpp:70:17
#8 0x7f093efeeeac in operator new mozilla-central/obj-fuzz/dist/include/mozilla/mozalloc.h:136:12
#9 0x7f093efeeeac in nsFrameMessageManager::NewProcessMessageManager(bool) mozilla-central/dom/base/nsFrameMessageManager.cpp:1707
#10 0x7f093efeed12 in NS_NewParentProcessMessageManager(nsISupports**) mozilla-central/dom/base/nsFrameMessageManager.cpp:1684:3
#11 0x7f0943891d00 in CreateParentMessageManager(nsISupports*, nsID const&, void**) mozilla-central/layout/build/nsLayoutModule.cpp:392:1
#12 0x7f093c29ce76 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) mozilla-central/xpcom/components/nsComponentManager.cpp:1117:19
#13 0x7f093c297e46 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) mozilla-central/xpcom/components/nsComponentManager.cpp:1477:10
#14 0x7f093c2a0704 in nsGetServiceByContractID::operator()(nsID const&, void**) const mozilla-central/xpcom/components/nsComponentManagerUtils.cpp:280:21
#15 0x7f093c131b53 in nsCOMPtr_base::assign_from_gs_contractid(nsGetServiceByContractID, nsID const&) mozilla-central/xpcom/base/nsCOMPtr.cpp:95:7
#16 0x7f093efeee5d in nsFrameMessageManager::NewProcessMessageManager(bool) mozilla-central/dom/base/nsFrameMessageManager.cpp:1695:8
#17 0x7f094266dd05 in mozilla::dom::nsIContentParent::nsIContentParent() mozilla-central/dom/ipc/nsIContentParent.cpp:46:21
#18 0x7f09425cf52d in mozilla::dom::ContentParent::ContentParent(mozilla::dom::ContentParent*, nsTSubstring<char16_t> const&, int) mozilla-central/dom/ipc/ContentParent.cpp:2155:5
#19 0x7f0945e05a13 in mozilla::ipc::ProtocolFuzzerHelper::CreateContentParent(mozilla::dom::ContentParent*, nsTSubstring<char16_t> const&) mozilla-central/tools/fuzzing/ipc/ProtocolFuzzer.cpp:28:18
#20 0x7f0946e03cd6 in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) mozilla-central/dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:27:5
Two things: (a) Yes, this fuzzer prints a lot of nonsense to stderr; I generally run with `-close_fd_mask=3` to silence it. (b) Yes, this fuzzer also leaks memory and leaks state between runs. Unfortunately that's unavoidable.
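The report above sifted the -trace_malloc output by hand to find mallocs with no matching free, and the reply confirms that this harness is expected to carry allocations over between iterations. The script below is an added illustration of how to do that sift mechanically; it is not part of this bug, of mozilla-central, or of libFuzzer. It assumes the line shapes libFuzzer prints with -trace_malloc=2 ("MALLOC[n] <ptr> <size>", "FREE[n] <ptr>", each MALLOC followed by a symbolized "#k 0x... in <function> <file:line:col>" stack); the embedded sample trace is constructed from the frames quoted in this report, and the allocator-wrapper skip list is a choice made here, not a libFuzzer setting.

```python
import re
import sys
from collections import defaultdict

# Assumed libFuzzer -trace_malloc=2 line shapes (verify against your own
# output before relying on them): one MALLOC/FREE line per call, MALLOC
# lines followed by a symbolized stack trace.
MALLOC_RE = re.compile(r"^\s*MALLOC\[\d+\]\s+(0x[0-9a-fA-F]+)\s+(\d+)\s*$")
FREE_RE = re.compile(r"^\s*FREE\[\d+\]\s+(0x[0-9a-fA-F]+)\s*$")
# "#k 0x... in <function with spaces> <file:line[:col]>": the last token is
# the source location, everything between "in" and it is the function.
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+\s+in\s+(.*\S)\s+(\S+)\s*$")

# Frames that only say "memory was allocated here"; skipped so that the
# summary names the object constructor that actually owns the allocation.
ALLOCATOR_PREFIXES = ("moz_xmalloc", "operator new", "malloc", "calloc", "realloc")

# Constructed sample: four allocations, one freed, one FREE of a pointer the
# trace never saw. Frames are taken from the stacks quoted in this report.
SAMPLE_TRACE = """\
MALLOC[0] 0x602000001000 64
    #7 0x36497d in moz_xmalloc mozilla-central/memory/mozalloc/mozalloc.cpp:70:17
    #8 0x7f34b41e5a16 in mozilla::ipc::IToplevelProtocol::ToplevelState::ToplevelState(char const*, mozilla::ipc::IToplevelProtocol*, mozilla::ipc::Side) mozilla-central/ipc/glue/ProtocolUtils.cpp:838:35
MALLOC[1] 0x602000002000 128
    #7 0x36497d in moz_xmalloc mozilla-central/memory/mozalloc/mozalloc.cpp:70:17
    #8 0x7f34b41cd4e1 in mozilla::ipc::MessageChannel::MessageChannel(char const*, mozilla::ipc::IToplevelProtocol*) mozilla-central/ipc/glue/MessageChannel.cpp:507:17
FREE[0]   0x602000002000
MALLOC[2] 0x602000003000 64
    #7 0x36497d in moz_xmalloc mozilla-central/memory/mozalloc/mozalloc.cpp:70:17
    #8 0x7f34b41e5a16 in mozilla::ipc::IToplevelProtocol::ToplevelState::ToplevelState(char const*, mozilla::ipc::IToplevelProtocol*, mozilla::ipc::Side) mozilla-central/ipc/glue/ProtocolUtils.cpp:838:35
MALLOC[3] 0x602000004000 32
    #7 0x36497d in moz_xmalloc mozilla-central/memory/mozalloc/mozalloc.cpp:70:17
    #8 0x7f093efeeeac in operator new mozilla-central/obj-fuzz/dist/include/mozilla/mozalloc.h:136:12
    #9 0x7f093efeeeac in nsFrameMessageManager::NewProcessMessageManager(bool) mozilla-central/dom/base/nsFrameMessageManager.cpp:1707
FREE[1]   0x602000009999
""".splitlines()


def parse_trace(lines):
    """Replay MALLOC/FREE lines; return {ptr: (size, frames)} still live at the end."""
    live = {}
    current = None  # frame list of the most recent MALLOC, or None
    for line in lines:
        m = MALLOC_RE.match(line)
        if m:
            current = []
            live[m.group(1).lower()] = (int(m.group(2)), current)
            continue
        m = FREE_RE.match(line)
        if m:
            live.pop(m.group(1).lower(), None)  # FREE of an unseen pointer is ignored
            current = None
            continue
        m = FRAME_RE.match(line)
        if m:
            if current is not None:
                current.append((m.group(1), m.group(2)))
        elif line.strip():
            current = None  # any other non-blank line ends the current stack
    return live


def owner_frame(frames):
    """First frame that is not a generic allocator wrapper, else the top frame."""
    for func, _loc in frames:
        if not func.startswith(ALLOCATOR_PREFIXES):
            return func
    return frames[0][0] if frames else "<no stack>"


def summarize_unfreed(lines):
    """Group allocations never freed by owning frame -> [(frame, count, total_bytes)],
    largest byte total first."""
    totals = defaultdict(lambda: [0, 0])
    for size, frames in parse_trace(lines).values():
        entry = totals[owner_frame(frames)]
        entry[0] += 1
        entry[1] += size
    return sorted(((f, c, b) for f, (c, b) in totals.items()),
                  key=lambda t: (-t[2], t[0]))


if __name__ == "__main__":
    # Usage: python leaks.py <file with libFuzzer -trace_malloc=2 output>
    # With no argument the constructed sample trace is analysed instead.
    lines = open(sys.argv[1], errors="replace").read().splitlines() if len(sys.argv) > 1 else SAMPLE_TRACE
    for func, count, nbytes in summarize_unfreed(lines):
        print(f"{count:6d} x {nbytes:8d} B  {func}")
```

Because the harness is known to keep state across iterations, the interesting output is not "is anything unfreed" but which constructors the surviving allocations belong to; grouping by the first non-allocator frame puts the ToplevelState, MessageChannel and message-manager stacks from this report side by side so they can be recognized as the same expected residue rather than a new leak.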
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME