AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Assertions.h:314:3 in MOZ_Crash(char const*, int, char const*)

RESOLVED FIXED in Firefox 67

Status

Type: defect
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 3 months ago
Modified: 2 months ago

People

(Reporter: jkratzer, Assigned: emilio)

Tracking

(Blocks 1 bug, {crash, regression})

Version: unspecified
Target Milestone: Firefox 67
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox-esr60 unaffected, firefox65 wontfix, firefox66 wontfix, firefox67 fixed)


Attachments

(1 attachment)

Description (Reporter, 3 months ago)

Found on mozilla-central rev 78601cacfe69.

The following ASAN crash can be triggered by running

InspectorUtils.cssPropertySupportsType('background-color', 'foo')

==18561==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f87a6edf87e bp 0x7fffbe7199a0 sp 0x7fffbe7199a0 T0)
==18561==The signal is caused by a WRITE memory access.
==18561==Hint: address points to the zero page.
#0 0x7f87a6edf87d in MOZ_Crash(char const*, int, char const*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Assertions.h:314:3
#1 0x7f87a6edf83a in GeckoCrash /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:5230:3
#2 0x7f87a8f4f92b in gkrust_shared::panic_hook::hb615763544542754 /builds/worker/workspace/build/src/toolkit/library/rust/shared/lib.rs:234:8
#3 0x7f87a8f4f858 in core::ops::function::Fn::call::hea53cc92d70a4c1c /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libcore/ops/function.rs:78:4
#4 0x7f87a96ee7c1 in std::panicking::rust_panic_with_hook::h8cbdfe43764887be /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libstd/panicking.rs:495:16
#5 0x7f87a96ee50d in std::panicking::continue_panic_fmt::h3d3c5a833c00a5e1 /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libstd/panicking.rs:398:4
#6 0x7f87a96ee4bb in std::panicking::begin_panic_fmt::h11fdc4cc73917110 /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libstd/panicking.rs:353:4
#7 0x7f87a93c83dd in Servo_Property_SupportsType /builds/worker/workspace/build/src/servo/ports/geckolib/glue.rs:1166:13
#8 0x7f87a3c1e23c in mozilla::dom::InspectorUtils::CssPropertySupportsType(mozilla::dom::GlobalObject&, nsTSubstring<char16_t> const&, unsigned int, mozilla::ErrorResult&) /builds/worker/workspace/build/src/layout/inspector/InspectorUtils.cpp:448:17
#9 0x7f879fae53e1 in mozilla::dom::InspectorUtils_Binding::cssPropertySupportsType(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/InspectorUtilsBinding.cpp:3652:15
#10 0x7f87a71c4a57 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:440:13
#11 0x7f87a71c4a57 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:532
#12 0x7f87a71ac7ff in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:591:10
#13 0x7f87a71ac7ff in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3055
#14 0x7f87a718f478 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:420:10
#15 0x7f87a71ca2a5 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:779:13
#16 0x7f87a74e300d in EvaluateInEnv /builds/worker/workspace/build/src/js/src/vm/Debugger.cpp:9218:10
#17 0x7f87a74e300d in DebuggerGenericEval(JSContext*, mozilla::Range<char16_t const>, JS::Handle<JSObject*>, js::EvalOptions const&, js::ResumeMode&, JS::MutableHandle<JS::Value>, js::Debugger*, JS::Handle<JSObject*>, js::FrameIter*) /builds/worker/workspace/build/src/js/src/vm/Debugger.cpp:9303
#18 0x7f87a7521731 in js::DebuggerObject::executeInGlobal(JSContext*, JS::Handle<js::DebuggerObject*>, mozilla::Range<char16_t const>, JS::Handle<JSObject*>, js::EvalOptions const&, js::ResumeMode&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Debugger.cpp:12109:10
#19 0x7f87a75220eb in js::DebuggerObject::executeInGlobalWithBindingsMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Debugger.cpp:11132:8
#20 0x7f87a71c4a57 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:440:13
#21 0x7f87a71c4a57 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:532
#22 0x7f87a71ac7ff in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:591:10
#23 0x7f87a71ac7ff in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3055
#24 0x7f87a718f478 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:420:10
#25 0x7f87a71c53c6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:560:13
#26 0x7f87a831ac3c in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:3881:10
#27 0x2ef7b3250b37 (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Assertions.h:314:3 in MOZ_Crash(char const*, int, char const*)

Updated (Reporter, 3 months ago)
Summary: ddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Assertions.h:314:3 in MOZ_Crash(char const*, int, char const*) → AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Assertions.h:314:3 in MOZ_Crash(char const*, int, char const*)
Comment 1 (Assignee, 3 months ago)

Yeah, we should probably throw rather than crashing when given an invalid type:

https://searchfox.org/mozilla-central/rev/3e0f1d95fcf8832413457e3bec802113bdd1f8e8/servo/ports/geckolib/glue.rs#1166

:)

Flags: needinfo?(emilio)
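As an added illustration (not Firefox's own glue.rs code), the shape of the crash above and of the fix proposed in comment 1, in Rust: a hypothetical `supports_type` entry point receives the type as a raw u32 from the binding layer; the panicking variant is what Gecko's panic hook turns into MOZ_Crash, while the Result-returning variant hands unknown codes back to the caller so it can throw instead. All names, type codes and the property table are assumptions.

```rust
/// Hypothetical subset of the type codes the inspector API accepts (assumed,
/// not Gecko's real values).
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum CssType {
    Length,
    Color,
}

/// Hypothetical property table: does `property` accept values of `ty`?
fn property_accepts(property: &str, ty: CssType) -> bool {
    match (property, ty) {
        ("background-color", CssType::Color) => true,
        ("width", CssType::Length) => true,
        _ => false,
    }
}

/// Before the fix: an unknown type code hits `panic!`. Under Gecko's panic
/// hook (gkrust_shared::panic_hook in the report) a panic becomes MOZ_Crash,
/// so the whole process dies because of one bad argument.
pub fn supports_type_panicking(property: &str, ty: u32) -> bool {
    let ty = match ty {
        1 => CssType::Length,
        2 => CssType::Color,
        _ => panic!("unknown css type code {}", ty),
    };
    property_accepts(property, ty)
}

/// Error for a type code the API does not know.
#[derive(Debug, PartialEq)]
pub struct UnknownType(pub u32);

/// After the fix: the same lookup, but an unknown code is reported back as
/// `Err`, which the binding layer can turn into a thrown JS exception.
pub fn supports_type(property: &str, ty: u32) -> Result<bool, UnknownType> {
    let ty = match ty {
        1 => CssType::Length,
        2 => CssType::Color,
        other => return Err(UnknownType(other)),
    };
    Ok(property_accepts(property, ty))
}
```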
Updated (Assignee, 3 months ago)
Assignee: nobody → emilio
Flags: needinfo?(emilio)

Comment 3 (3 months ago)
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d34db0a03314
Don't crash when given bad types to cssPropertySupportsType. r=heycam

Comment 4 (bugherder, 3 months ago)
Status: NEW → RESOLVED
Last Resolved: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 67