Closed Bug 1568052 Opened 5 years ago Closed 3 years ago

crash near null in [@ gfxPlatformFontList::InitOtherFamilyNames]

Categories

(Core :: Graphics: Text, defect, P3)

defect

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox69 --- affected
firefox70 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

44 bytes, application/octet-stream
Attached file test.bin

The attached testcase crashes on mozilla-central revision 6d98669f6869 (build with --enable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --enable-fuzzing --disable-debug).

To reproduce the issue:

  1. Build or download an ASan --enable-fuzzing build including gtests
  2. Run FUZZER=ContentParentIPC LIBFUZZER=1 MOZ_RUN_GTEST=1 objdir/dist/bin/firefox test.bin

==13534==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000700 (pc 0x7f332e47835d bp 0x7ffc48f073c0 sp 0x7ffc48f07300 T0)
==13534==The signal is caused by a READ memory access.
==13534==Hint: address points to the zero page.
    #0 0x7f332e47835c in get /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:308:32
    #1 0x7f332e47835c in SharedFontList /builds/worker/workspace/build/src/gfx/thebes/gfxPlatformFontList.h:248
    #2 0x7f332e47835c in gfxPlatformFontList::InitOtherFamilyNames(unsigned int, bool) /builds/worker/workspace/build/src/gfx/thebes/gfxPlatformFontList.cpp:2192
    #3 0x7f3334775d18 in mozilla::dom::ContentParent::RecvInitOtherFamilyNames(unsigned int const&, bool const&, bool*) /builds/worker/workspace/build/src/dom/ipc/ContentParent.cpp:5082:44
    #4 0x7f332bf99298 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&, IPC::Message*&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentParent.cpp:12219:57
    #5 0x7f333b57637b in void mozilla::ipc::FuzzProtocol<mozilla::dom::ContentParent>(mozilla::dom::ContentParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) /builds/worker/workspace/build/src/obj-firefox/dist/include/ProtocolFuzzer.h:94:18
    #6 0x7f333b575918 in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) /builds/worker/workspace/build/src/dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:27:3
    #7 0x55f654e10ad4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /builds/worker/workspace/build/src/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:529:15
    #8 0x55f654dfe5a7 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /builds/worker/workspace/build/src/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:286:6
    #9 0x55f654e03791 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /builds/worker/workspace/build/src/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:715:9
    #10 0x7f3339a53c1f in mozilla::FuzzerRunner::Run(int*, char***) /builds/worker/workspace/build/src/tools/fuzzing/interface/harness/FuzzerRunner.cpp:61:10
    #11 0x7f333995bbd1 in XREMain::XRE_mainStartup(bool*) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:3823:35
    #12 0x7f3339975372 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4758:12
    #13 0x7f33399771c9 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4852:21
    #14 0x55f654caddd4 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:213:22
    #15 0x55f654caddd4 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:295
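As an added example (not from this bug or from Mozilla's own tooling), a small triage helper that parses an ASan SEGV report of the shape shown above: it flags the fault as near-null when the address lies in the zero page, and picks the signature frame by collapsing inlined frames (#0 and #1 share #2's pc), which is how the title comes to name InitOtherFamilyNames rather than UniquePtr::get. The 0x1000 page size and the "same pc means inlined" rule are assumptions, and the sample report is constructed from the trace in this bug.

```python
import re

PAGE_SIZE = 0x1000  # assumption: lowest page is never mapped, so faults here are "near null"
# Constructed sample, shaped like the AddressSanitizer report in this bug.
SAMPLE_REPORT = """\
==13534==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000700 (pc 0x7f332e47835d bp 0x7ffc48f073c0 sp 0x7ffc48f07300 T0)
==13534==The signal is caused by a READ memory access.
==13534==Hint: address points to the zero page.
    #0 0x7f332e47835c in get /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:308:32
    #1 0x7f332e47835c in SharedFontList /builds/worker/workspace/build/src/gfx/thebes/gfxPlatformFontList.h:248
    #2 0x7f332e47835c in gfxPlatformFontList::InitOtherFamilyNames(unsigned int, bool) /builds/worker/workspace/build/src/gfx/thebes/gfxPlatformFontList.cpp:2192
    #3 0x7f3334775d18 in mozilla::dom::ContentParent::RecvInitOtherFamilyNames(unsigned int const&, bool const&, bool*) /builds/worker/workspace/build/src/dom/ipc/ContentParent.cpp:5082:44
"""
HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\w+) on unknown address 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
# "#N 0xPC in SYMBOL FILE:LINE[:COL]"; the symbol may contain spaces (parameter lists).
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x([0-9a-fA-F]+)\s+in\s+(.+?)\s+(\S+:\d+(?::\d+)?)\s*$")

def parse_frames(text):
    """Return symbolized frames as (index, pc, symbol, file:line) tuples."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m.group(1)), int(m.group(2), 16), m.group(3), m.group(4)))
    return frames

def crash_signature(frames):
    """Heuristic: top frames sharing one pc are inlined; name the outermost, minus arguments."""
    if not frames:
        return None
    outermost = frames[0]
    for frame in frames[1:]:
        if frame[1] != frames[0][1]:
            break
        outermost = frame
    return outermost[2].split("(")[0]

def triage_asan_report(text):
    """Classify an ASan SEGV: faulting address, access type, zero-page (null+offset) check."""
    header = HEADER_RE.search(text)
    if not header:
        raise ValueError("not an AddressSanitizer SEGV report")
    access = ACCESS_RE.search(text)
    address = int(header.group(2), 16)
    frames = parse_frames(text)
    return {"kind": header.group(1), "address": address,
            "access": access.group(1) if access else None,
            "near_null": address < PAGE_SIZE,
            "signature": crash_signature(frames), "frames": frames}
```

A zero-page READ at a small offset (0x700 here) is the classic shape of a null object pointer plus a field offset, which is why the bug is filed as "crash near null" rather than as a wild read.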

What's the fuzzer actually doing here - is it testing this IPC message in a process that hasn't completed all the usual gecko initialization, like creating its gfxPlatform instance? Or is this supposed to be a fully-functional parent process that's being fuzzed?

Priority: -- → P3
Flags: needinfo?(twsmith)

This fuzzer is no longer run. It has been replaced by Nyx.

Closing since this is an old bug and is likely due to problems with the fuzzer itself.

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(twsmith)
Resolution: --- → WORKSFORME
