Open Bug 1502242 Opened 1 year ago Updated 9 months ago

Crash [@GetMutableData]

Categories: Core :: Storage: IndexedDB, defect, P3, critical

Tracking Status: firefox65 --- affected

People: Reporter: jkratzer, Unassigned

References: Blocks 2 open bugs

Details: Keywords: crash, testcase

Attachments: 1 file

Attached file testcase.html
Testcase found while fuzzing mozilla-central rev 3cc04ee79005. Please note that the testcase must be served via a local webserver.

Testcase also produces the following assertion on debug builds:

Assertion failure: aNewLength <= base_string_type::mLength (Truncate cannot make string longer), at /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTSubstring.h:923

==29245==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f2b63b9edd0 bp 0x7ffdb34cf8d0 sp 0x7ffdb34cf7a0 T0)
==29245==The signal is caused by a WRITE memory access.
==29245==Hint: address points to the zero page.
    #0 0x7f2b63b9edcf in GetMutableData /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTSubstring.h:964:64
    #1 0x7f2b63b9edcf in mozilla::dom::indexedDB::Key::ToLocaleBasedKey(mozilla::dom::indexedDB::Key&, nsTString<char> const&) const /builds/worker/workspace/build/src/dom/indexedDB/Key.cpp:175
    #2 0x7f2b63c1e288 in mozilla::dom::IDBObjectStore::AppendIndexUpdateInfo(long, mozilla::dom::indexedDB::KeyPath const&, bool, bool, nsTString<char> const&, JSContext*, JS::Handle<JS::Value>, nsTArray<mozilla::dom::indexedDB::IndexUpdateInfo>&) /builds/worker/workspace/build/src/dom/indexedDB/IDBObjectStore.cpp:1050:16
    #3 0x7f2b63c23a79 in mozilla::dom::IDBObjectStore::GetAddInfo(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, mozilla::dom::IDBObjectStore::StructuredCloneWriteInfo&, mozilla::dom::indexedDB::Key&, nsTArray<mozilla::dom::indexedDB::IndexUpdateInfo>&) /builds/worker/workspace/build/src/dom/indexedDB/IDBObjectStore.cpp:1597:10
    #4 0x7f2b63bdeff9 in mozilla::dom::IDBObjectStore::AddOrPut(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, bool, bool, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/indexedDB/IDBObjectStore.cpp:1662:9
    #5 0x7f2b61936540 in Add /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/IDBObjectStore.h:214:12
    #6 0x7f2b61936540 in mozilla::dom::IDBObjectStore_Binding::add(JSContext*, JS::Handle<JSObject*>, mozilla::dom::IDBObjectStore*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/IDBObjectStoreBinding.cpp:504
    #7 0x7f2b61a3bf84 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3315:13
    #8 0x7f2b6a8db638 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:468:15
    #9 0x7f2b6a8db638 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:560
    #10 0x7f2b6a8c29f8 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:620:12
    #11 0x7f2b6a8c29f8 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3462
    #12 0x7f2b6a8a82a8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447:12
    #13 0x7f2b6a8dc046 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:587:15
    #14 0x7f2b6a8ddcf2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:633:10
    #15 0x7f2b699a41c6 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2975:12
    #16 0x7f2b60fc2896 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:265:37
    #17 0x7f2b622cbb79 in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #18 0x7f2b622c8e09 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214:12
    #19 0x7f2b6227ce6a in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1107:52
    #20 0x7f2b6227f4c1 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1309:15
    #21 0x7f2b62261bd6 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
    #22 0x7f2b62261bd6 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:424
    #23 0x7f2b6225fe58 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:641:16
    #24 0x7f2b62266917 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1156:11
    #25 0x7f2b6226cf06 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
    #26 0x7f2b6221b830 in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/events/DOMEventTargetHelper.cpp:185:5
    #27 0x7f2b6229101a in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/events/EventTarget.cpp:213:13
    #28 0x7f2b63ba9390 in mozilla::dom::indexedDB::(anonymous namespace)::DispatchSuccessEvent(mozilla::dom::indexedDB::(anonymous namespace)::ResultHelper*, mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/indexedDB/ActorsChild.cpp:862:12
    #29 0x7f2b63bae2b7 in mozilla::dom::indexedDB::BackgroundDatabaseChild::RecvPBackgroundIDBVersionChangeTransactionConstructor(mozilla::dom::indexedDB::PBackgroundIDBVersionChangeTransactionChild*, unsigned long const&, unsigned long const&, long const&, long const&) /builds/worker/workspace/build/src/dom/indexedDB/ActorsChild.cpp:2279:3
    #30 0x7f2b5c2718a4 in mozilla::dom::indexedDB::PBackgroundIDBDatabaseChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundIDBDatabaseChild.cpp:598:20
    #31 0x7f2b5bfb99dd in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
    #32 0x7f2b5b7cfbe9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2255:25
    #33 0x7f2b5b7cb56a in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2182:17
    #34 0x7f2b5b7cd771 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2019:5
    #35 0x7f2b5b7ce637 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2052:15
    #36 0x7f2b5a550515 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #37 0x7f2b5a58da1e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1245:14
    #38 0x7f2b5a5966fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
    #39 0x7f2b6426e7e4 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3007:31)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
    #40 0x7f2b6426e7e4 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3007
    #41 0x7f2b6426c31d in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2786:11
    #42 0x7f2b60bdc8ab in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1290:9
    #43 0x7f2b61a3bf84 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3315:13
    #44 0x7f2b6a8db638 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:468:15
    #45 0x7f2b6a8db638 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:560
    #46 0x7f2b6910c4e8 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:3689:14
    #47 0x1c24d7375e47  (<unknown module>)
Flags: in-testsuite?
Jan, how urgent do you think this is?
Flags: needinfo?(jvarga)
Priority: -- → P3
Blocks: 1541370
Flags: needinfo?(jvarga)