Closed Bug 1534340 Opened 5 years ago Closed 5 years ago

AddressSanitizer: SEGV /builds/worker/workspace/build/src/netwerk/cookie/CookieServiceChild.cpp in mozilla::net::CookieServiceChild::RequireThirdPartyCheck(nsILoadInfo*)

Categories

(Core :: Networking: Cookies, defect, P2)

Product:
Core
Component:
Networking: Cookies
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla68
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- unaffected
firefox67 --- fixed
firefox68 --- fixed

People

(Reporter: jkratzer, Assigned: baku)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, regression, testcase, Whiteboard: [necko-triaged])

Crash Data

Attachments

(2 files)

testcase.html
239 bytes, text/html
Details
Bug 1534340 - Fix a nullptr check in CookieServiceChild::RequireThirdPartyCheck, r?dragana
47 bytes, text/x-phabricator-request
pascalc
: approval-mozilla-beta+
Details | Review
Attached file testcase.html

Testcase found while fuzzing mozilla-central rev f4c23517cec8.

==22533==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f0d01b16a44 bp 0x7ffdde17a8f0 sp 0x7ffdde17a800 T0)
==22533==The signal is caused by a READ memory access.
==22533==Hint: address points to the zero page.
#0 0x7f0d01b16a43 in mozilla::net::CookieServiceChild::RequireThirdPartyCheck(nsILoadInfo*) /builds/worker/workspace/build/src/netwerk/cookie/CookieServiceChild.cpp
#1 0x7f0d01b1d432 in mozilla::net::CookieServiceChild::SetCookieStringInternal(nsIURI*, nsIChannel*, char const*, char const*, bool) /builds/worker/workspace/build/src/netwerk/cookie/CookieServiceChild.cpp:527:7
#2 0x7f0d05c8af64 in nsContentSink::ProcessHeaderData(nsAtom*, nsTSubstring<char16_t> const&, nsIContent*) /builds/worker/workspace/build/src/dom/base/nsContentSink.cpp:327:22
#3 0x7f0d05c924ea in nsContentSink::ProcessMETATag(nsIContent*) /builds/worker/workspace/build/src/dom/base/nsContentSink.cpp:807:12
#4 0x7f0d0443b178 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOperation.cpp:921:24
#5 0x7f0d0443e3e0 in nsHtml5TreeOpExecutor::FlushDocumentWrite() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:601:18
#6 0x7f0d04393d6f in nsHtml5Parser::Parse(nsTSubstring<char16_t> const&, void*, nsTSubstring<char> const&, bool, nsDTDMode) /builds/worker/workspace/build/src/parser/html/nsHtml5Parser.cpp:433:20
#7 0x7f0d09bd7d13 in nsHTMLDocument::WriteCommon(nsTSubstring<char16_t> const&, bool, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:1531:17
#8 0x7f0d09bd6d6d in nsHTMLDocument::WriteCommon(mozilla::dom::Sequence<nsTString<char16_t> > const&, bool, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:1434:5
#9 0x7f0d08894851 in mozilla::dom::HTMLDocument_Binding::write(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:397:9
#10 0x7f0d08e3ba21 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3144:13
#11 0x7f0d104b3db7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:442:13
#12 0x7f0d104b3db7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534
#13 0x7f0d1049b4b7 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:593:10
#14 0x7f0d1049b4b7 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3075
#15 0x7f0d1047e898 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:10
#16 0x7f0d104b4726 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:562:13
#17 0x7f0d104b6372 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:605:8
#18 0x7f0d110b1c19 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2623:10
#19 0x7f0d084482e9 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
#20 0x7f0d0969dff2 in HandleEvent<mozilla::dom::EventTarget > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#21 0x7f0d0969dff2 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1038
#22 0x7f0d096a0623 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1237:17
#23 0x7f0d096807a0 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:350:5
#24 0x7f0d096807a0 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:351
#25 0x7f0d0967e9c8 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:553:16
#26 0x7f0d09685613 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1048:11
#27 0x7f0d0968d3a6 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
#28 0x7f0d05d99544 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1024:17
#29 0x7f0d056ac44c in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4054:28
#30 0x7f0d056ac1be in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4024:10
#31 0x7f0d059f082a in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:4696:3
#32 0x7f0d05af573b in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1122:12
#33 0x7f0d05af573b in apply<mozilla::dom::Document, void (mozilla::dom::Document::)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1128
#34 0x7f0d05af573b in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1174
#35 0x7f0d016d86a5 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
#36 0x7f0d01717f31 in nsThread::ProcessNextEvent(bool, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1179:14
#37 0x7f0d0172033d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:482:10
#38 0x7f0d029c4c1f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#39 0x7f0d028994ce in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#40 0x7f0d028994ce in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#41 0x7f0d028994ce in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#42 0x7f0d0bc98353 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#43 0x7f0d101d543e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:911:20
#44 0x7f0d028994ce in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#45 0x7f0d028994ce in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#46 0x7f0d028994ce in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#47 0x7f0d101d4593 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:749:34
#48 0x55a7a2fe0874 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
#49 0x55a7a2fe0874 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:265
#50 0x7f0d24e26b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Flags: in-testsuite?

baku, can you take a look? this is from bug 1525245.

Blocks: 1525245
Assignee: nobody → amarchesini
Priority: -- → P2
Whiteboard: [necko-triaged]
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a98c096737fd
Fix a nullptr check in CookieServiceChild::RequireThirdPartyCheck, r=dragana

https://hg.mozilla.org/mozilla-central/rev/a98c096737fd

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox68: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68

I see a couple crash reports from the wild that look like this. Should we consider backporting to Beta?

Crash Signature: [@ mozilla::net::CookieServiceChild::RequireThirdPartyCheck ]
status-firefox66: --- → unaffected
status-firefox67: --- → affected
status-firefox-esr60: --- → unaffected
Flags: in-testsuite? → in-testsuite+

Andrea, would it make sense to backport the patch to 67 or should it ride the train? Thanks

Flags: needinfo?(amarchesini)

Comment on attachment 9051718 [details]
Bug 1534340 - Fix a nullptr check in CookieServiceChild::RequireThirdPartyCheck, r?dragana

Beta/Release Uplift Approval Request

  • Feature/Bug causing the regression: Bug 1525245
  • User impact if declined: A crash can occur when a meta element is added.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is just a null check in the existence of loadInfo.
  • String changes made/needed:
Flags: needinfo?(amarchesini)
Attachment #9051718 - Flags: approval-mozilla-beta?

Comment on attachment 9051718 [details]
Bug 1534340 - Fix a nullptr check in CookieServiceChild::RequireThirdPartyCheck, r?dragana

Low risk patch fixing a few crashes on beta, uplift approved for 67 beta 10, thanks.

Attachment #9051718 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: