Closed Bug 1590090 Opened 5 years ago Closed 5 years ago

IPC: crash [@mozilla::jsipc::CrossProcessCpowHolder::~CrossProcessCpowHolder]

Categories: Core :: DOM: Content Processes, defect, P3

Status: RESOLVED WONTFIX

People: Reporter: posidron, Unassigned

Keywords: oss-fuzz

Attachments: 1 file

Latest tested revision: https://github.com/mozilla/gecko-dev/commit/669c97fe4270e5df6e12d0f95c4cd0b2fc7c3f78

Crash Type: Null-dereference READ
Sanitizer: address (ASAN)
Platform: linux
Job Type: libfuzzer_asan_firefox
Fuzz Target: ContentParentIPC
Reliably Reproduces: YES

Callstack

==1==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6786c42fb9 bp 0x7ffea48d9d90 sp 0x7ffea48d9be0 T0)
==1==The signal is caused by a READ memory access.
==1==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x7f6786c42fb8 in mozilla::jsipc::CrossProcessCpowHolder::~CrossProcessCpowHolder() mozilla-central/js/ipc/JavaScriptShared.cpp:614:10
    #1 0x7f678b28a248 in mozilla::dom::ContentParent::RecvRpcMessage(nsTString<char16_t> const&, mozilla::dom::ClonedMessageData const&, nsTArray<mozilla::jsipc::CpowEntry>&&, IPC::Principal const&, nsTArray<mozilla::dom::ipc::StructuredCloneData>*) mozilla-central/dom/ipc/ContentParent.cpp:4033:1
    #2 0x7f678640ea49 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&, IPC::Message*&) /work/obj-fuzz/ipc/ipdl/PContentParent.cpp:12058:57
    #3 0x7f6784bee93b in void mozilla::ipc::FuzzProtocol<mozilla::dom::ContentParent>(mozilla::dom::ContentParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) /work/obj-fuzz/dist/include/ProtocolFuzzer.h:94:18
    #4 0x7f6784bee298 in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) mozilla-central/dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:27:3
    #5 0x56537239a79f in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)
    #6 0x565372386e8e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long)
    #7 0x5653723891b9 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))
    #8 0x7f678e500ff3 in mozilla::FuzzerRunner::Run(int*, char***) mozilla-central/tools/fuzzing/interface/harness/FuzzerRunner.cpp:54:10
    #9 0x7f678e44a77a in XREMain::XRE_mainStartup(bool*) mozilla-central/toolkit/xre/nsAppRunner.cpp:3775:35
    #10 0x7f678e4528cd in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) mozilla-central/toolkit/xre/nsAppRunner.cpp:4721:12
    #11 0x7f678e453253 in XRE_main(int, char**, mozilla::BootstrapConfig const&) mozilla-central/toolkit/xre/nsAppRunner.cpp:4815:21
    #12 0x565372262c54 in do_main(int, char**, char**)
    #13 0x5653722624b2 in main
    #14 0x7f67a18b382f in __libc_start_main
    #15 0x5653721b8028 in _start
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_firefox_6180546f5e5f1d75138bf6cea3784693af7a2aa9/revisions/firefox/libxul.so+0xe49efb8)
==1==ABORTING

This is line 614 of JavaScriptShared.cpp:
js_->Unwrap(cx, cpows_, &cpows);

We instantiate js_ when we create the CPOW. I'm not sure under what circumstances we can have gotten a cpow but ManagedPJavaScriptParent() returned null. That seems to be the source of the value.
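The failure mode described above is a holder whose destructor dereferences an owner pointer that was looked up at construction time and may be null. The following is an added, constructed illustration of that pattern and of a null-tolerant variant; it is not Gecko's code, and the types `JavaScriptParent`, `CpowEntry`, `UncheckedCpowHolder`, `CheckedCpowHolder`, `DropChecked` and `DropUnchecked` are stand-ins that only mimic the shape of the call on line 614.

```cpp
#include <cstddef>
#include <utility>
#include <vector>

// Constructed stand-ins for the Gecko types named in the stack; not Gecko code.
struct CpowEntry { int id; };

struct JavaScriptParent {
  int unwrapped = 0;
  // Stand-in for the Unwrap call on line 614: consumes the CPOW entries.
  void Unwrap(const std::vector<CpowEntry>& entries) {
    unwrapped += static_cast<int>(entries.size());
  }
};

// Shape of the crashing holder: the owner is looked up once (here passed in)
// and may be null, but the destructor assumes it is not.
class UncheckedCpowHolder {
 public:
  UncheckedCpowHolder(JavaScriptParent* js, std::vector<CpowEntry>&& cpows)
      : js_(js), cpows_(std::move(cpows)) {}
  ~UncheckedCpowHolder() {
    // With js_ == nullptr and a non-empty cpows_ this is the null READ
    // reported by ASan: the pointer is dereferenced to call Unwrap.
    if (!cpows_.empty() && !unwrapped_) js_->Unwrap(cpows_);
  }
 private:
  JavaScriptParent* js_;
  std::vector<CpowEntry> cpows_;
  bool unwrapped_ = false;
};

// Null-tolerant form: a missing owner means there is nothing to unwrap
// against, so both the explicit and the destructor path check js_ first.
class CheckedCpowHolder {
 public:
  CheckedCpowHolder(JavaScriptParent* js, std::vector<CpowEntry>&& cpows)
      : js_(js), cpows_(std::move(cpows)) {}
  ~CheckedCpowHolder() {
    if (js_ && !cpows_.empty() && !unwrapped_) js_->Unwrap(cpows_);
  }
  // Returns false instead of dereferencing null when there is no owner.
  bool Unwrap() {
    if (!js_) return false;
    js_->Unwrap(cpows_);
    unwrapped_ = true;
    return true;
  }
 private:
  JavaScriptParent* js_;
  std::vector<CpowEntry> cpows_;
  bool unwrapped_ = false;
};

// Build a holder with n entries, optionally with no owner, and let it go out
// of scope. Returns the number of entries the owner saw, or -1 if there was
// no owner (the case that crashes the unchecked holder).
int DropChecked(bool haveOwner, std::size_t n) {
  JavaScriptParent owner;
  JavaScriptParent* js = haveOwner ? &owner : nullptr;
  std::vector<CpowEntry> entries(n, CpowEntry{0});
  { CheckedCpowHolder holder(js, std::move(entries)); }  // destructor runs here
  return js ? js->unwrapped : -1;
}

// Same drive for the unchecked holder; only safe with an owner present.
int DropUnchecked(std::size_t n) {
  JavaScriptParent owner;
  std::vector<CpowEntry> entries(n, CpowEntry{0});
  { UncheckedCpowHolder holder(&owner, std::move(entries)); }
  return owner.unwrapped;
}
```

`DropChecked(false, 3)` exercises exactly the situation the comment describes (entries present, owner lookup returned null) and returns -1 without touching the null pointer; constructing `UncheckedCpowHolder` with a null owner and a non-empty array would instead reproduce the null read at destruction.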

The priority flag is not set for this bug.
:jimm, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jmathies)
Flags: needinfo?(jmathies)
Priority: -- → P3

Bug 1631358 is removing RPC messages.

Status: NEW → RESOLVED
Closed: 5 years ago
Depends on: 1631358
Resolution: --- → WONTFIX