Closed
Bug 1629390
Opened 5 years ago
Closed 4 years ago
Hit MOZ_CRASH(invalid UTF-8 string: ReportTooBigCharacter) at /builds/worker/checkouts/gecko/js/src/vm/CharacterEncoding.cpp:347
Categories
(Core :: DOM: Bindings (WebIDL), defect, P2)
Core
DOM: Bindings (WebIDL)
Tracking
()
VERIFIED
FIXED
mozilla78
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox75 | --- | wontfix |
| firefox76 | --- | wontfix |
| firefox77 | --- | wontfix |
| firefox78 | --- | verified |
People
(Reporter: jkratzer, Assigned: peterv)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev acc1632e35c7 (built with --enable-debug).
Hit MOZ_CRASH(invalid UTF-8 string: ReportTooBigCharacter) at /builds/worker/checkouts/gecko/js/src/vm/CharacterEncoding.cpp:347
rax = 0x0000561354e3c380 rdx = 0x0000000000000000
rcx = 0x00007f57737800e0 rbx = 0x00000000ffffffff
rsi = 0x00007f577ed888b0 rdi = 0x00007f577ed87680
rbp = 0x00007f5763efb9a0 rsp = 0x00007f5763efb8e0
r8 = 0x00007f577ed888b0 r9 = 0x00007f5763eff700
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x0000000000000032 r13 = 0x00007f5763efb930
r14 = 0x0000000000000015 r15 = 0x0000000000000017
rip = 0x00007f576cdf94d1
OS|Linux|0.0.0 Linux 4.19.34-coreos #1 SMP Mon Apr 22 20:32:34 -00 2019 x86_64
CPU|amd64|family 6 model 62 stepping 4|16
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|29
29|0|libxul.so|JS::ConstUTF8CharsZ::validate(unsigned long)|hg:hg.mozilla.org/mozilla-central:js/src/vm/CharacterEncoding.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|612|0x1a3
29|1|libxul.so|JSErrorBase::initBorrowedMessage(char const*)|hg:hg.mozilla.org/mozilla-central:js/public/ErrorReport.h:acc1632e35c7afc826d16bea8e1dd812b4f5117c|137|0x1b
29|2|libxul.so|ExpandErrorArgumentsHelper<JSErrorReport>|hg:hg.mozilla.org/mozilla-central:js/public/ErrorReport.h:acc1632e35c7afc826d16bea8e1dd812b4f5117c|132|0xf
29|3|libxul.so|ExpandErrorArguments<char>|hg:hg.mozilla.org/mozilla-central:js/src/vm/ErrorReporting.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|491|0x5
29|4|libxul.so|js::ReportErrorNumberUTF8Array(JSContext*, js::IsWarning, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, char const**)|hg:hg.mozilla.org/mozilla-central:js/src/vm/ErrorReporting.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|534|0x95
29|5|libxul.so|mozilla::binding_danger::TErrorResult<mozilla::binding_danger::JustAssertCleanupPolicy>::SetPendingExceptionWithMessage(JSContext*, char const*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|301|0x1b
29|6|libxul.so|mozilla::binding_danger::TErrorResult<mozilla::binding_danger::JustAssertCleanupPolicy>::MaybeSetPendingException(JSContext*, char const*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/ErrorResult.h:acc1632e35c7afc826d16bea8e1dd812b4f5117c|285|0x5
29|7|libxul.so|mozilla::dom::Request_Binding::_constructor|s3:gecko-generated-sources:e79a185bcd38b067c8c1e5e1f638c56b5e1b9d7e54615696475935560d8bb911957e09c4f86f607bcef159ddf4ef6676575d603e3815c6e4610bb64cf8eb7908/dom/bindings/RequestBinding.cpp:|1877|0x5
29|8|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|489|0x19
29|9|libxul.so|CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|505|0x11
29|10|libxul.so|InternalConstruct|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|707|0xc
29|11|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|3028|0x16
29|12|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|422|0x152
29|13|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|616|0xf
29|14|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|644|0x10
29|15|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|661|0x8
29|16|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|2798|0x1f
29|17|libxul.so|mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&)|s3:gecko-generated-sources:a39a0c7064327d8bf5f33af316b4cc9c9d3236184b2183673b9f8103182682809cdd62ab814947d309a2f0405582be39e80ec6d762aad6de8c66e51e15d2f95d/dom/bindings/EventHandlerBinding.cpp:|276|0x5
29|18|libxul.so|mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*)|hg:hg.mozilla.org/mozilla-central:dom/events/JSEventHandler.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|201|0x14e
29|19|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|1079|0xc
29|20|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|1271|0x1c
29|21|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|326|0x6b
29|22|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|558|0x12
29|23|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|1055|0x1a
29|24|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|1160|0x16
29|25|libxul.so|mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/events/DOMEventTargetHelper.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|169|0x5
29|26|libxul.so|mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventTarget.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|178|0x34
29|27|libxul.so|mozilla::dom::MessageEventRunnable::DispatchDOMEvent(JSContext*, mozilla::dom::WorkerPrivate*, mozilla::DOMEventTargetHelper*, bool)|hg:hg.mozilla.org/mozilla-central:dom/workers/MessageEventRunnable.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|106|0xb
29|28|libxul.so|mozilla::dom::WorkerRunnable::Run()|hg:hg.mozilla.org/mozilla-central:dom/workers/WorkerRunnable.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|370|0x10
29|29|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|1200|0xe
29|30|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|481|0x11
29|31|libxul.so|mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*)|hg:hg.mozilla.org/mozilla-central:dom/workers/WorkerPrivate.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|2913|0xe
29|32|libxul.so|WorkerThreadPrimaryRunnable::Run|hg:hg.mozilla.org/mozilla-central:dom/workers/RuntimeService.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|2298|0xc
29|33|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|1200|0xe
29|34|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|481|0x11
29|35|libxul.so|mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|332|0xd
29|36|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:acc1632e35c7afc826d16bea8e1dd812b4f5117c|315|0x19
29|37|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:acc1632e35c7afc826d16bea8e1dd812b4f5117c|290|0x8
29|38|libxul.so|nsThread::ThreadFunc(void*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:acc1632e35c7afc826d16bea8e1dd812b4f5117c|444|0x8
29|39|libnspr4.so|_pt_root|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/pthreads/ptthread.c:acc1632e35c7afc826d16bea8e1dd812b4f5117c|201|0x7
29|40|libpthread.so.0||||0x76db
29|41|libc.so.6||||0x12188f
Flags: in-testsuite?
|
||
Comment 1•5 years ago
|
||
Andre, what do you think about this fuzzing-discovered bug?
Flags: needinfo?(andrebargull)
|
||
Comment 2•5 years ago
|
||
It's similar to bug 1628359.
Some error handling code in Request::Constructor sets the error message to a Latin-1 string, which is later treated as UTF-8, resulting in the assertion from comment #0.
Flags: needinfo?(andrebargull)
|
|
||
Comment 3•5 years ago
|
||
Should this also go under "DOM: Bindings (WebIDL)" component, then?
Flags: needinfo?(andrebargull)
|
|
||
Comment 4•5 years ago
|
||
I guess it's okay to move this one to "DOM: Bindings (WebIDL)", too. At least until it's clear if the binding code should handle this case or if each individual component needs to make sure to use the correct encoding.
Flags: needinfo?(andrebargull)
|
|
||
Updated•5 years ago
|
Component: DOM: Networking → DOM: Content Processes
|
Assignee | |
Updated•5 years ago
|
Assignee: nobody → peterv
Status: NEW → ASSIGNED
Component: DOM: Content Processes → DOM: Bindings (WebIDL)
|
||
Comment 5•5 years ago
|
||
Moving to "DOM: Bindings (WebIDL)" component and assigning to peterv.
bz wrote this mozilla::dom::Request_Binding::_constructor code in dom/bindings/RequestBinding.cpp.
This byte string is not guaranteed to be valid UTF-8:
Severity: normal → critical
Priority: -- → P2
|
Reporter | |
Updated•4 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 7•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200422093542-d8eecc663784.
The bug appears to have been introduced in the following build range:
> Start: 8ab81c8e93adff2d4187aabf1ddcfcae8bfc4e16 (20200306201041)
> End: fddaf6472c50b10ed9671f2effe2159964f8cfe5 (20200307093221)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=8ab81c8e93adff2d4187aabf1ddcfcae8bfc4e16&tochange=fddaf6472c50b10ed9671f2effe2159964f8cfe5
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
Keywords: regression
|
|
Assignee | |
Comment 8•4 years ago
|
||
Pushed by pvanderbeken@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/07005a4accac Don't crash when throwing exception with invalid UTF-8. r=smaug
|
||
Comment 10•4 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox78:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla78
|
||
Updated•4 years ago
|
status-firefox75:
--- → wontfix
status-firefox76:
--- → wontfix
status-firefox-esr68:
--- → unaffected
Flags: in-testsuite? → in-testsuite+
|
||
Comment 11•4 years ago
|
||
The patch landed in nightly and beta is affected.
:peterv, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
Flags: needinfo?(peterv)
|
|
Assignee | |
Updated•4 years ago
|
Flags: needinfo?(peterv)
|
|
Reporter | |
Updated•4 years ago
|
|
|
Reporter | |
Comment 12•4 years ago
|
||
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200518152416-a627b6676824. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
You need to log in
before you can comment on or make changes to this bug.
Description
•