Closed
Bug 1577552
Opened 5 years ago
Closed 5 years ago
IPC: crash [@mozilla::dom::ContentParent::RecvAttachBrowsingContext]
Categories
(Core :: DOM: Content Processes, defect)
Core
DOM: Content Processes
Tracking
()
RESOLVED
DUPLICATE
of bug 1581076
| Tracking | Status | |
|---|---|---|
| firefox70 | --- | affected |
People
(Reporter: posidron, Unassigned)
References
()
Details
(Keywords: oss-fuzz)
Attachments
(1 file)
|
93 bytes,
application/octet-stream
|
Details |
Task
| Item | Description |
|---|---|
| Crash Type | Null-dereference WRITE |
| Sanitizer | address (ASAN) |
| Platform | linux |
| Job Type | libfuzzer_asan_firefox |
| Fuzz Target | ContentParentIPC |
Callstack
==1==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4f346459b5 bp 0x7ffd7d245670 sp 0x7ffd7d2454a0 T0)
==1==The signal is caused by a WRITE memory access.
==1==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
#0 0x7f4f346459b4 in mozilla::dom::ContentParent::RecvAttachBrowsingContext(mozilla::dom::BrowsingContext::IPCInitializer&&) mozilla-central/dom/ipc/ContentParent.cpp:5844:13
#1 0x7f4f2f852fa4 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /work/obj-fuzz/ipc/ipdl/PContentParent.cpp:10942:57
#2 0x7f4f2e075ed2 in void mozilla::ipc::FuzzProtocol<mozilla::dom::ContentParent>(mozilla::dom::ContentParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) /work/obj-fuzz/dist/include/ProtocolFuzzer.h:96:18
#3 0x7f4f2e0757e8 in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) mozilla-central/dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:27:3
#4 0x562d2e9fa29f in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)
#5 0x562d2e9e69de in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long)
#6 0x562d2e9e8c99 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))
#7 0x7f4f378ba791 in mozilla::FuzzerRunner::Run(int*, char***) mozilla-central/tools/fuzzing/interface/harness/FuzzerRunner.cpp:61:10
#8 0x7f4f3780b6ae in XREMain::XRE_mainStartup(bool*) mozilla-central/toolkit/xre/nsAppRunner.cpp:3758:35
#9 0x7f4f37813e15 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) mozilla-central/toolkit/xre/nsAppRunner.cpp:4698:12
#10 0x7f4f378147c1 in XRE_main(int, char**, mozilla::BootstrapConfig const&) mozilla-central/toolkit/xre/nsAppRunner.cpp:4792:21
#11 0x562d2e8feb4a in do_main(int, char**, char**)
#12 0x562d2e8fe332 in main
#13 0x7f4f4952d82f in __libc_start_main
#14 0x562d2e820028 in _start
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_firefox_6180546f5e5f1d75138bf6cea3784693af7a2aa9/revisions/firefox/libxul.so+0x1153a9b4)
==1==ABORTING
|
Reporter | |
Updated•5 years ago
|
Severity: normal → critical
|
||
Comment 1•5 years ago
|
||
The priority flag is not set for this bug.
:jimm, could you have a look please?
For more information, please visit auto_nag documentation.
Flags: needinfo?(jmathies)
|
||
Comment 2•5 years ago
|
||
This api was added via fission work.
Flags: needinfo?(jmathies) → needinfo?(nkochar)
|
||
Updated•5 years ago
|
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(nkochar)
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•