Closed Bug 1577552 Opened 3 years ago Closed 3 years ago

IPC: crash [@mozilla::dom::ContentParent::RecvAttachBrowsingContext]

Categories

(Core :: DOM: Content Processes, defect)

defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 1581076
Tracking Status
firefox70 --- affected

People

(Reporter: posidron, Unassigned)

References

()

Details

(Keywords: oss-fuzz)

Attachments

(1 file)

Task

Item Description
Crash Type Null-dereference WRITE
Sanitizer address (ASAN)
Platform linux
Job Type libfuzzer_asan_firefox
Fuzz Target ContentParentIPC

Callstack

==1==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4f346459b5 bp 0x7ffd7d245670 sp 0x7ffd7d2454a0 T0)
==1==The signal is caused by a WRITE memory access.
==1==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x7f4f346459b4 in mozilla::dom::ContentParent::RecvAttachBrowsingContext(mozilla::dom::BrowsingContext::IPCInitializer&&) mozilla-central/dom/ipc/ContentParent.cpp:5844:13
    #1 0x7f4f2f852fa4 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /work/obj-fuzz/ipc/ipdl/PContentParent.cpp:10942:57
    #2 0x7f4f2e075ed2 in void mozilla::ipc::FuzzProtocol<mozilla::dom::ContentParent>(mozilla::dom::ContentParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) /work/obj-fuzz/dist/include/ProtocolFuzzer.h:96:18
    #3 0x7f4f2e0757e8 in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) mozilla-central/dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:27:3
    #4 0x562d2e9fa29f in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)
    #5 0x562d2e9e69de in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long)
    #6 0x562d2e9e8c99 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))
    #7 0x7f4f378ba791 in mozilla::FuzzerRunner::Run(int*, char***) mozilla-central/tools/fuzzing/interface/harness/FuzzerRunner.cpp:61:10
    #8 0x7f4f3780b6ae in XREMain::XRE_mainStartup(bool*) mozilla-central/toolkit/xre/nsAppRunner.cpp:3758:35
    #9 0x7f4f37813e15 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) mozilla-central/toolkit/xre/nsAppRunner.cpp:4698:12
    #10 0x7f4f378147c1 in XRE_main(int, char**, mozilla::BootstrapConfig const&) mozilla-central/toolkit/xre/nsAppRunner.cpp:4792:21
    #11 0x562d2e8feb4a in do_main(int, char**, char**)
    #12 0x562d2e8fe332 in main
    #13 0x7f4f4952d82f in __libc_start_main
    #14 0x562d2e820028 in _start
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_firefox_6180546f5e5f1d75138bf6cea3784693af7a2aa9/revisions/firefox/libxul.so+0x1153a9b4)
==1==ABORTING
Severity: normal → critical

The priority flag is not set for this bug.
:jimm, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jmathies)

This api was added via fission work.

Flags: needinfo?(jmathies) → needinfo?(nkochar)
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(nkochar)
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.