Bug 1636520 (Closed)
Opened 4 years ago; closed 4 years ago
AddressSanitizer: SEGV /builds/worker/checkouts/gecko/netwerk/ipc/DocumentChannel.cpp:295:3 in mozilla::net::DocumentChannel::SetLoadFlags(unsigned int)
Categories: Core :: Networking, defect
Status: RESOLVED DUPLICATE of bug 1634598
People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug
Keywords: crash, testcase
Attachments (1 file): 503 bytes, text/html
Description
Testcase found while fuzzing mozilla-central rev 19e273db8019.
==12304==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f2e3aae99ba bp 0x7fff52686370 sp 0x7fff52686370 T0)
==12304==The signal is caused by a WRITE memory access.
==12304==Hint: address points to the zero page.
#0 0x7f2e3aae99b9 in mozilla::net::DocumentChannel::SetLoadFlags(unsigned int) /builds/worker/checkouts/gecko/netwerk/ipc/DocumentChannel.cpp:295:3
#1 0x7f2e39dc6719 in mozilla::net::nsLoadGroup::MergeLoadFlags(nsIRequest*, unsigned int&) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:935:20
#2 0x7f2e39dc59a5 in mozilla::net::nsLoadGroup::AddRequest(nsIRequest*, nsISupports*) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:445:10
#3 0x7f2e3aaec645 in mozilla::net::DocumentChannelChild::AsyncOpen(nsIStreamListener*) /builds/worker/checkouts/gecko/netwerk/ipc/DocumentChannelChild.cpp:66:17
#4 0x7f2e3c566c78 in nsURILoader::OpenURI(nsIChannel*, unsigned int, nsIInterfaceRequestor*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:743:17
#5 0x7f2e45196d61 in nsDocShell::OpenInitializedChannel(nsIChannel*, nsIURILoader*, unsigned int) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:9897:20
#6 0x7f2e4518f8f8 in nsDocShell::DoURILoad(nsDocShellLoadState*, nsIDocShell**, nsIRequest**) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:9712:8
#7 0x7f2e45107a5d in nsDocShell::InternalLoad(nsDocShellLoadState*, nsIDocShell**, nsIRequest**) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:8923:8
#8 0x7f2e451a48d0 in nsDocShell::OnLinkClickSync(nsIContent*, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsIInputStream*, nsIInputStream*, bool, nsIDocShell**, nsIRequest**, bool, nsIPrincipal*, nsIContentSecurityPolicy*) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:12002:17
#9 0x7f2e451c1c18 in OnLinkClickEvent::Run() /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:11728:17
#10 0x7f2e39aee60d in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:146:20
#11 0x7f2e39b26e16 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1200:14
#12 0x7f2e39b3154c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:481:10
#13 0x7f2e3ae5eb6f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#14 0x7f2e3ad4c017 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
#15 0x7f2e3ad4c017 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
#16 0x7f2e3ad4c017 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
#17 0x7f2e42029268 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#18 0x7f2e45be5236 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:909:20
#19 0x7f2e3ad4c017 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
#20 0x7f2e3ad4c017 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
#21 0x7f2e3ad4c017 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
#22 0x7f2e45be48e2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:740:34
#23 0x563b0b0f1ed3 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#24 0x563b0b0f1ed3 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
#25 0x7f2e5d12cb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
Flags: in-testsuite?
Comment 1•4 years ago
Because this bug's Severity is normal and has not been changed, and this bug's priority is -- (none), indicating it has not been previously triaged, the bug's Severity is being updated to -- (default, untriaged).
Severity: normal → --
Comment 2•4 years ago
We're hitting MOZ_CRASH in DocumentChannel::SetLoadFlags.
Matt, could we make sure to include the crashtest when we land bug 1634598?
Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(matt.woodrow)
Resolution: --- → DUPLICATE
Comment 3•4 years ago
We have some existing tests that hit this same issue with fission enabled, but we can land this one too.
Flags: needinfo?(matt.woodrow)
Comment 4•4 years ago (Reporter)
Bugmon Analysis: Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Updated•4 years ago
status-firefox79: --- → fixed