Closed Bug 1612568 Opened 5 years ago Closed 4 years ago

MOZ_CRASH: Attempt to deserialize absent WindowContext

Categories

(Core :: DOM: Content Processes, defect, P2)

Tracking

RESOLVED FIXED
mozilla75
Tracking Status
firefox-esr68 --- unaffected
firefox73 --- unaffected
firefox74 --- wontfix
firefox75 --- fixed

People

(Reporter: tsmith, Assigned: farre)

References

(Regression)

Attachments

(1 file)

This check should be disabled while fuzzing.

https://searchfox.org/mozilla-central/rev/2e355fa82aaa87e8424a9927c8136be184eeb6c7/docshell/base/WindowContext.cpp#207

==1==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f04e9706a12 bp 0x7ffd47efe5f0 sp 0x7ffd47efe4c0 T0)
==1==The signal is caused by a WRITE memory access.
==1==Hint: address points to the zero page.
    #0 0x7f04e9706a11 in mozilla::ipc::IPDLParamTraits<mozilla::dom::WindowContext*>::Read(IPC::Message const*, PickleIterator*, mozilla::ipc::IProtocol*, RefPtr<mozilla::dom::WindowContext>*) mozilla-central/docshell/base/WindowContext.cpp:217:28
    #1 0x7f04e1c26005 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /work/obj-fuzz/ipc/ipdl/PContentParent.cpp:12269:20
    #2 0x7f04e035f8f2 in void mozilla::ipc::FuzzProtocol<mozilla::dom::ContentParent>(mozilla::dom::ContentParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) /work/obj-fuzz/dist/include/ProtocolFuzzer.h:96:18
    #3 0x7f04e035f228 in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) mozilla-central/dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:27:3
    #4 0x56073dda969f in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_firefox_6180546f5e5f1d75138bf6cea3784693af7a2aa9/revisions/firefox/firefox+0x30c69f)
    #5 0x56073dd9535e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_firefox_6180546f5e5f1d75138bf6cea3784693af7a2aa9/revisions/firefox/firefox+0x2f835e)
    #6 0x56073dd976c9 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_firefox_6180546f5e5f1d75138bf6cea3784693af7a2aa9/revisions/firefox/firefox+0x2fa6c9)
    #7 0x7f04ea063873 in mozilla::FuzzerRunner::Run(int*, char***) mozilla-central/tools/fuzzing/interface/harness/FuzzerRunner.cpp:54:10
    #8 0x7f04e9faa435 in XREMain::XRE_mainStartup(bool*) mozilla-central/toolkit/xre/nsAppRunner.cpp:3696:35
    #9 0x7f04e9fb23cb in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) mozilla-central/toolkit/xre/nsAppRunner.cpp:4682:12
    #10 0x7f04e9fb29c3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) mozilla-central/toolkit/xre/nsAppRunner.cpp:4746:21
    #11 0x56073dc69c34 in do_main(int, char**, char**) (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_firefox_6180546f5e5f1d75138bf6cea3784693af7a2aa9/revisions/firefox/firefox+0x1ccc34)
    #12 0x56073dc6948b in main (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_firefox_6180546f5e5f1d75138bf6cea3784693af7a2aa9/revisions/firefox/firefox+0x1cc48b)
Flags: needinfo?(afarre)
Assignee: nobody → afarre
Status: NEW → ASSIGNED
Flags: needinfo?(afarre)

The priority flag is not set for this bug.
:neha, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(nkochar)
Flags: needinfo?(nkochar)
Keywords: testcase
Priority: -- → P2
Pushed by afarre@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/43e80a088f4b
Avoid hard-crashing on malformed data while fuzzing. r=nika
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
Has Regression Range: --- → yes