MOZ_CRASH: Attempt to deserialize absent BrowsingContext
Component: Core :: DOM: Content Processes (defect, P2)
Reporter: tsmith; Assigned: nika
Keywords: oss-fuzz
Attachments: 1 file
Reproduced with: m-c 20191219-8e1b11b00157
Fuzz Target: ContentParentIPC
Reliably Reproduces: Yes
Pernosco session: https://pernos.co/debug/MdouPzvDvEG7zmrgq_lJHA/index.html
If the crash is benign then the crash can be blacklisted upon request and the particular message will be ignored in further fuzzing runs.
Callstack
MOZ_CRASH: Attempt to deserialize absent BrowsingContext
#0 mozilla::ipc::IPDLParamTraits<mozilla::dom::BrowsingContext*>::Read(IPC::Message const*, PickleIterator*, mozilla::ipc::IProtocol*, RefPtr<mozilla::dom::BrowsingContext>*) docshell/base/BrowsingContext.cpp:1520:12
#1 mozilla::ipc::IPDLParamTraits<mozilla::dom::WindowGlobalInit>::Read(IPC::Message const*, PickleIterator*, mozilla::ipc::IProtocol*, mozilla::dom::WindowGlobalInit*) objdir-ff-ubsan/ipc/ipdl/DOMTypes.cpp:1952:12
#2 mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) objdir-ff-ubsan/ipc/ipdl/PContentParent.cpp:6265:20
#3 void mozilla::ipc::FuzzProtocol<mozilla::dom::ContentParent>(mozilla::dom::ContentParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) objdir-ff-ubsan/dist/include/ProtocolFuzzer.h:96:18
#4 RunContentParentIPCFuzzing(unsigned char const*, unsigned long) dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:27:3
#5 fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:529:15
#6 fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) tools/fuzzing/libfuzzer/FuzzerDriver.cpp:286:6
#7 fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) tools/fuzzing/libfuzzer/FuzzerDriver.cpp:715:9
#8 mozilla::FuzzerRunner::Run(int*, char***) tools/fuzzing/interface/harness/FuzzerRunner.cpp:54:10
#9 XREMain::XRE_mainStartup(bool*) toolkit/xre/nsAppRunner.cpp:3752:35
#10 XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4722:12
#11 XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4818:21
#12 do_main(int, char**, char**) browser/app/nsBrowserApp.cpp:217:22
#13 main browser/app/nsBrowserApp.cpp:339:16
Comment 2 • 5 years ago
Why did you move this to IPC? It looks like an issue with how docshell deals with browsing contexts.
(Bug 1603976 also has this crash, but the stack here looks unrelated to that.)
Comment 3 • 5 years ago
Nika, it looks like you added this crash. Should we deal with it differently in fuzz builds or something?
Comment 4 • 5 years ago (Assignee)
Yeah, we probably should handle this differently in fuzz builds. I'm guessing that fuzz builds already handle deserialization failure errors gracefully, so we could downgrade this crash into one of those by returning false here.
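The downgrade described in comment 4, as an added illustrative example that is not Gecko's code: a simplified model of an IPDL-style ParamTraits::Read for a BrowsingContext reference. The hypothetical `aFuzzingBuild` flag stands in for a compile-time fuzzing configuration; the context registry, the byte reader and the 64-bit little-endian wire format are all constructed for this example. In the fuzzing configuration an absent id is reported as an ordinary deserialization failure (return false) so the harness discards the message, while the non-fuzzing path keeps the fatal assertion.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <map>
#include <memory>
#include <vector>

// Hypothetical stand-in for mozilla::dom::BrowsingContext: only the id matters here.
struct BrowsingContext {
  uint64_t id;
};

// Process-wide registry of live contexts keyed by id. This is a constructed
// model for the example, not Gecko's data structure.
static std::map<uint64_t, std::shared_ptr<BrowsingContext>> gContexts;

std::shared_ptr<BrowsingContext> RegisterContext(uint64_t aId) {
  auto bc = std::make_shared<BrowsingContext>(BrowsingContext{aId});
  gContexts[aId] = bc;
  return bc;
}

// Minimal bounds-checked reader over a message payload, standing in for
// IPC::Message plus PickleIterator (constructed for the example).
struct ByteReader {
  const uint8_t* data;
  size_t len;
  size_t pos = 0;

  bool ReadU64(uint64_t* aOut) {
    if (len - pos < 8) return false;  // truncated message
    uint64_t v = 0;
    for (int i = 0; i < 8; ++i) v |= uint64_t(data[pos + i]) << (8 * i);
    pos += 8;
    *aOut = v;
    return true;
  }
};

enum class ReadStatus { Ok, Truncated, Absent };

// Decode a context reference: id 0 is a legitimate null reference; any other
// id must name a context this process already knows about.
ReadStatus ReadBrowsingContextRef(ByteReader& aReader,
                                  std::shared_ptr<BrowsingContext>* aOut) {
  uint64_t id = 0;
  if (!aReader.ReadU64(&id)) return ReadStatus::Truncated;
  if (id == 0) {
    *aOut = nullptr;
    return ReadStatus::Ok;
  }
  auto it = gContexts.find(id);
  if (it == gContexts.end()) return ReadStatus::Absent;
  *aOut = it->second;
  return ReadStatus::Ok;
}

// IPDL-style Read. With aFuzzingBuild set, every failure, including an absent
// context, is an ordinary deserialization error (return false) so the fuzzing
// harness drops the message. Otherwise the absent case stays fatal, because in
// a real session it indicates a protocol bug rather than arbitrary input.
bool ReadParam(ByteReader& aReader, std::shared_ptr<BrowsingContext>* aOut,
               bool aFuzzingBuild) {
  switch (ReadBrowsingContextRef(aReader, aOut)) {
    case ReadStatus::Ok:
      return true;
    case ReadStatus::Truncated:
      return false;
    case ReadStatus::Absent:
      if (aFuzzingBuild) return false;
      std::fprintf(stderr, "MOZ_CRASH: Attempt to deserialize absent BrowsingContext\n");
      std::abort();
  }
  return false;
}

// Encode a context id in the constructed little-endian wire format.
std::vector<uint8_t> EncodeId(uint64_t aId) {
  std::vector<uint8_t> out(8);
  for (int i = 0; i < 8; ++i) out[i] = uint8_t(aId >> (8 * i));
  return out;
}

// What the dispatcher does with one payload: true if the parameter
// deserialized, false if the message was rejected.
bool TryRead(const std::vector<uint8_t>& aMsg, bool aFuzzingBuild) {
  ByteReader r{aMsg.data(), aMsg.size()};
  std::shared_ptr<BrowsingContext> bc;
  return ReadParam(r, &bc, aFuzzingBuild);
}

int main() {
  RegisterContext(42);
  std::printf("known id 42: %s\n", TryRead(EncodeId(42), true) ? "ok" : "rejected");
  std::printf("absent id 7: %s\n", TryRead(EncodeId(7), true) ? "ok" : "rejected");
  std::printf("truncated:   %s\n", TryRead({1, 2, 3}, true) ? "ok" : "rejected");
  return 0;
}
```

The split into a status enum and a build-dependent wrapper keeps the two concerns apart: the decoder reports what it saw, and only the wrapper decides whether an absent context is a discardable input (fuzzing, where the harness feeds arbitrary bytes) or a hard failure worth crashing on (production, where the crash is the detection signal for a real protocol bug).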
Comment 5 • 5 years ago (Assignee)
Comment 6 • 5 years ago
The component has been changed since the backlog priority was decided, so we're resetting it.
For more information, please visit auto_nag documentation.
Comment 7 • 5 years ago
(Oops, sorry, I was first going to move to IPC, but then realized this isn't such, and marked P3.)
Comment 9 • 5 years ago
Comment 10 • 5 years ago (bugherder)
Doesn't sound like this bug needs to be backported, but feel free to nominate for uplift if that's incorrect.