IPC: crash [@mozilla::layers::CompositorManagerParent::RecvReportMemory]
Categories: Core :: Graphics: Layers, defect, P3

Tracking

Version | Tracking | Status
---|---|---
firefox72 | --- | affected

People: Reporter: posidron, Unassigned

Details: Keywords: oss-fuzz, Whiteboard: [fuzzblocker]

Attachments (1 file): 32 bytes, application/octet-stream
Task
Item | Description |
---|---|
Crash Type | Null-dereference READ |
Sanitizer | undefined (UBSAN) |
Platform | linux |
Job Type | libfuzzer_ubsan_firefox |
Fuzz Target | CompositorManagerParentIPC |
Reliably Reproduces | YES |
Environment
UBSAN_OPTIONS="allocator_release_to_os_interval_ms=500:external_symbolizer_path=/bin/llvm-symbolizer:halt_on_error=1:handle_abort=1:handle_segv=1:handle_sigbus=1:handle_sigfpe=1:handle_sigill=1:print_stacktrace=1:print_summary=1:print_suppressions=0:silence_unsigned_overflow=1:strip_path_prefix=/workspace/:symbolize=0:use_sigaltstack=1"
Callstack
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==1==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x0000000001b8 (pc 0x7fae62040e40 bp 0x7fff8f3fde80 sp 0x7fff8f3fdb58 T1)
==1==The signal is caused by a READ memory access.
==1==Hint: address points to the zero page.
#0 0x7fae62040e3f in libxul.so
#1 0x7fae62f83da5 in mozilla::layers::CompositorManagerParent::RecvReportMemory(std::function<void (mozilla::wr::MemoryReport const&)>&&) mozilla-central/gfx/layers/ipc/CompositorManagerParent.cpp:310:39
#2 0x7fae6222aa0c in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /work/obj-fuzz/ipc/ipdl/PCompositorManagerParent.cpp:449:67
#3 0x7fae6132ca91 in void mozilla::ipc::FuzzProtocol<mozilla::layers::CompositorManagerParent>(mozilla::layers::CompositorManagerParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) /work/obj-fuzz/dist/include/ProtocolFuzzer.h:96:18
#4 0x7fae6132c59e in RunCompositorManagerParentIPCFuzzing(unsigned char const*, unsigned long) mozilla-central/gfx/layers/ipc/fuzztest/compositor_manager_parent_ipc_libfuzz.cpp:30:3
#5 0x55f9a8753d8f in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)
#6 0x55f9a873e4ab in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long)
#7 0x55f9a8740a09 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))
#8 0x7fae664c1a29 in mozilla::FuzzerRunner::Run(int*, char***) mozilla-central/tools/fuzzing/interface/harness/FuzzerRunner.cpp:54:10
#9 0x7fae6646985b in XREMain::XRE_mainStartup(bool*) mozilla-central/toolkit/xre/nsAppRunner.cpp:3775:35
#10 0x7fae6646dd30 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) mozilla-central/toolkit/xre/nsAppRunner.cpp:4721:12
#11 0x7fae6646e255 in XRE_main(int, char**, mozilla::BootstrapConfig const&) mozilla-central/toolkit/xre/nsAppRunner.cpp:4815:21
#12 0x55f9a868d0a8 in do_main(int, char**, char**)
#13 0x55f9a868cc46 in main
#14 0x7fae7906582f in __libc_start_main
#15 0x55f9a866b028 in _start
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_firefox_008d6de92713224b5a96fd56953fbf4e5d586f6e/revisions/firefox/libxul.so+0x9a74e3f)
==1==ABORTING
Notes
If the crash is benign, it can be blacklisted upon request and the particular message will be ignored in further fuzzing runs.
Comment 2 • 6 years ago (Reporter)
@jrmuizel
git clone --depth=1 https://github.com/google/oss-fuzz
cd oss-fuzz
python infra/helper.py build_image firefox
python infra/helper.py build_fuzzers --sanitizer undefined
python infra/helper.py reproduce firefox CompositorManagerParentIPC <testcase_dir_path>
Keep in mind that reproducing IPC is a flaky business. This way of reproducing only works because you are using the testcase within a test directory as the sample corpus.
More information: https://google.github.io/oss-fuzz/advanced-topics/reproducing/
Comment 3 • 6 years ago
What's the relationship between this and 1577575? Are they identical?
Comment 4 • 6 years ago
The priority flag is not set for this bug.
:jbonisteel, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 5 • 6 years ago
Jeff, would a Pernosco session help get this issue fixed? oss-fuzz has marked it as a fuzzblocker.
Comment 7 • 6 years ago
A Pernosco session is available here: https://pernos.co/debug/-YO3aOK9VpGBAKAzmVJayg/index.html
It will expire in 7 days.
Comment 8 • 4 years ago
Hey Tyson,
Can you still reproduce this issue or should we close it?
Comment 9 • 4 years ago
Marking this as Resolved > Incomplete as per reporter's lack of response.
If anyone can still reproduce this issue, re-open it or file a new bug.