Closed Bug 1586170 Opened 5 years ago Closed 4 years ago

reference binding to null pointer of type 'const unsigned char' in [@ mozilla::NrIceTurnServer::ToNicerTurnStruct]

Categories

(Core :: WebRTC, defect, P3)

defect

Tracking


RESOLVED FIXED
mozilla73
Tracking Status
firefox71 --- wontfix
firefox72 --- wontfix
firefox73 --- fixed

People

(Reporter: tsmith, Assigned: away)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined)

Attachments

(1 file)

This is triggered with an UBSan build. To enable this check add the following to your mozconfig:

ac_add_options --enable-address-sanitizer
ac_add_options --enable-undefined-sanitizer="null"
ac_add_options --disable-jemalloc

TEST-START | /webrtc/RTCConfiguration-bundlePolicy.html
...
/builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/6.4.0/../../../../include/c++/6.4.0/bits/stl_vector.h:796:16: runtime error: reference binding to null pointer of type 'const unsigned char'
    #0 0x7f5e184f10da in operator[] /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/6.4.0/../../../../include/c++/6.4.0/bits/stl_vector.h:796:9
    #1 0x7f5e184f10da in mozilla::NrIceTurnServer::ToNicerTurnStruct(nr_ice_turn_server_*) const src/media/mtransport/nricectx.cpp:259
    #2 0x7f5e184fc73a in mozilla::NrIceCtx::SetTurnServers(std::vector<mozilla::NrIceTurnServer, std::allocator<mozilla::NrIceTurnServer> > const&) src/media/mtransport/nricectx.cpp:821:35
    #3 0x7f5e1838c7d4 in operator() src/media/webrtc/signaling/src/peerconnection/MediaTransportHandler.cpp:406:15
    #4 0x7f5e1838c7d4 in mozilla::detail::ProxyFunctionRunnable<mozilla::MediaTransportHandlerSTS::CreateIceCtx(std::string const&, nsTArray<mozilla::dom::RTCIceServer> const&, mozilla::dom::RTCIceTransportPolicy)::$_0, mozilla::MozPromise<bool, std::string, false> >::Run() src/obj-firefox/dist/include/mozilla/MozPromise.h:1450
    #5 0x7f5e164cd79f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
    #6 0x7f5e164d6de6 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
    #7 0x7f5e1760ec0f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #8 0x7f5e1752c617 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #9 0x7f5e1752c617 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #10 0x7f5e1752c617 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #11 0x7f5e1dc746e1 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #12 0x7f5e2181df7d in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:934:20
    #13 0x7f5e1752c617 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #14 0x7f5e1752c617 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #15 0x7f5e1752c617 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #16 0x7f5e2181d4ad in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:769:34
    #17 0x562dde02de79 in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #18 0x562dde02e1b9 in main src/browser/app/nsBrowserApp.cpp:272:18
    #19 0x7f5e385a382f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #20 0x562dddf4fe38 in _start (application/firefox/firefox+0x95e38)
Priority: -- → P3

ekr, is this still your turf these days? UBSan isn't happy about taking &password_[0] if the vector's size is zero; it may not have any storage allocated.

Flags: needinfo?(ekr)

This is :drno or :docfaraday now.

Flags: needinfo?(ekr)

UBSan was complaining about taking &password_[0] when the vector had zero capacity, because its STL's implementation of operator[] used a reference in an intermediate step, and putting null into a reference is prohibited.

While I'm here, I dropped the const_cast, since the callee was changed to accept const UCHAR* years ago.

Assignee: nobody → dmajor
Status: NEW → ASSIGNED
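The pattern dmajor describes above, as an added example that is not part of the Firefox source: `&password_[0]` on an empty `std::vector` forms a reference to a null pointer, while `data()` behind an explicit `empty()` check never forms a reference at all. `TurnCreds`, `ToTurnCredsUnsafe`, `ToTurnCredsSafe` and `PasswordToString` are hypothetical stand-ins for the nICEr struct and the conversion in `ToNicerTurnStruct`.

```cpp
// Added example (not Firefox's code): handing a std::vector<unsigned char> password
// to a C-style (pointer, length) struct, as ToNicerTurnStruct must do for nICEr.
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

typedef unsigned char UCHAR;

// Hypothetical stand-in for the C struct the ICE library consumes.
struct TurnCreds {
    const UCHAR* password;      // nullptr when the password is empty
    std::size_t password_len;
};

// Shape of the bug from the report: operator[] yields *(begin() + 0), and for a
// vector with no storage begin() is null, so the reference binds to nullptr.
// UBSan flags exactly this line; shown for comparison and never called on an
// empty vector in this example.
TurnCreds ToTurnCredsUnsafe(const std::vector<UCHAR>& password) {
    TurnCreds c;
    c.password = &password[0];          // UB when password.empty()
    c.password_len = password.size();
    return c;
}

// Fixed form: data() never forms a reference, and the explicit empty() check
// normalises the empty case to nullptr (data() may or may not be null there).
TurnCreds ToTurnCredsSafe(const std::vector<UCHAR>& password) {
    TurnCreds c;
    c.password = password.empty() ? nullptr : password.data();
    c.password_len = password.size();
    return c;
}

// Consumer side: a (nullptr, 0) pair must be handled without touching the pointer.
std::string PasswordToString(const TurnCreds& c) {
    if (c.password_len == 0) return std::string();
    return std::string(reinterpret_cast<const char*>(c.password), c.password_len);
}

int main() {
    std::vector<UCHAR> none;  // constructed input: the empty-password case
    TurnCreds c = ToTurnCredsSafe(none);
    std::printf("empty password -> ptr=%p len=%zu\n",
                static_cast<const void*>(c.password), c.password_len);
    return 0;
}
```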
Pushed by dmajor@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7373e508deee
Fix ubsan issue in NrIceTurnServer::ToNicerTurnStruct r=bwc
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla73

Since the statuses are different for nightly and release, what's the status for beta?
For more information, please visit auto_nag documentation.
