AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27 in get
Categories
(Core :: WebRTC, defect, P2)
Tracking
| Tracking | Status
---|---|---
firefox89 | --- | fixed
People
(Reporter: jkratzer, Assigned: kmag)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
The fuzzing team is currently in the process of developing a new process for fuzzing DOM interfaces via xpcshell. During this development, the following crash was identified.
Steps to reproduce (via xpcshell):
js> new RTCIceCandidate()
==340570==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000080 (pc 0x7fc42e175bc4 bp 0x7ffc04bf7c50 sp 0x7ffc04bf7c40 T0)
==340570==The signal is caused by a READ memory access.
==340570==Hint: address points to the zero page.
#0 0x7fc42e175bc4 in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
#1 0x7fc42e175bc4 in operator mozilla::dom::BrowsingContext * /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:299:12
#2 0x7fc42e175bc4 in GetBrowsingContext /builds/worker/checkouts/gecko/dom/base/nsPIDOMWindowInlines.h:77:10
#3 0x7fc42e175bc4 in nsPIDOMWindowInner::IsCurrentInnerWindow() const /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:2753:14
#4 0x7fc42ff18331 in mozilla::dom::ConstructJSImplementation(char const*, nsIGlobalObject*, JS::MutableHandle<JSObject*>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:2559:18
#5 0x7fc42f00711a in already_AddRefed<mozilla::dom::RTCIceCandidate> mozilla::dom::ConstructJSImplementation<mozilla::dom::RTCIceCandidate>(char const*, nsIGlobalObject*, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BindingUtils.h:2473:3
#6 0x7fc42eea7508 in already_AddRefed<mozilla::dom::RTCIceCandidate> mozilla::dom::ConstructJSImplementation<mozilla::dom::RTCIceCandidate>(char const*, mozilla::dom::GlobalObject const&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BindingUtils.h:2494:10
#7 0x7fc42eea6f6c in mozilla::dom::RTCIceCandidate::Constructor(mozilla::dom::GlobalObject const&, JSContext*, mozilla::dom::RTCIceCandidateInit const&, mozilla::ErrorResult&, JS::Handle<JSObject*>) /builds/worker/workspace/obj-build/dom/bindings/RTCIceCandidateBinding.cpp:1681:5
#8 0x7fc42ef89c86 in mozilla::dom::RTCIceCandidate_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/RTCIceCandidateBinding.cpp:978:61
#9 0x7fc4365f9911 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:435:13
#10 0x7fc4365f9911 in CallJSNativeConstructor /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:451:8
#11 0x7fc4365f9911 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:643:10
#12 0x7fc4365d6f4f in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3233:16
#13 0x7fc4365c5b53 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:405:13
#14 0x7fc4365fac23 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:772:13
#15 0x7fc43686c0d4 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:444:10
#16 0x7fc43686bdd0 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:461:10
#17 0x7fc42cf173e1 in ProcessUtf8Line /builds/worker/checkouts/gecko/js/xpconnect/src/XPCShellImpl.cpp:707:8
#18 0x7fc42cf173e1 in ProcessFile(mozilla::dom::AutoJSAPI&, char const*, _IO_FILE*, bool) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCShellImpl.cpp:795:10
#19 0x7fc42cf17f1f in Process(mozilla::dom::AutoJSAPI&, char const*, bool) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCShellImpl.cpp:823:13
#20 0x7fc42ced4fbe in ProcessArgs(mozilla::dom::AutoJSAPI&, char**, int, XPCShellDirProvider*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCShellImpl.cpp:989:12
#21 0x7fc42ced1958 in XRE_XPCShellMain(int, char**, char**, XREShellData const*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCShellImpl.cpp:1347:14
#22 0x55e275635242 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:184:24
#23 0x55e275635242 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:347:16
#24 0x7fc44b0580b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
Comment 1 • 4 years ago
This is likely not a bug. mozilla::dom::ConstructJSImplementation is trying to get the current window and there is none in xpcshell. We could look into why the window here would be required and if we can stub this, but there is no guarantee that the implementation can be used in xpcshell.
Comment 2 • 4 years ago
Looking at this more closely, this might be a side-effect of the fix for bug 1658214.

Kris, in that bug you fixed a problem in BindingUtils where you check IsCurrentInnerWindow to prevent a security problem. I think the way the check is made, the side-effect might be that if there is no window at all (e.g. in xpcshell), we crash and therefore can no longer use APIs that call mozilla::dom::ConstructJSImplementation.

Is it safe for me to think about excluding the case where there is no window at all and/or special-case xpcshell for this purpose?
Assignee
Comment 3 • 4 years ago
(In reply to Christian Holler (:decoder) from comment #2)
> Is it safe for me to think about excluding the case where there is no window at all and/or special-case xpcshell for this purpose?
I think we should probably just bail out rather than crashing in the case where there's no window. There's no point in trying to fuzz the JS-implemented objects when there's no window, since they basically won't work at all. They're also deprecated, so we won't be adding any more.
Assignee
Comment 4 • 4 years ago
We don't want to support this, but we also shouldn't crash if someone attempts it.
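The pattern discussed in comments 3 and 4, as an added illustration that is not Gecko code: a JS-implemented WebIDL constructor that checks IsCurrentInnerWindow for security, the way that check reads through a null window pointer when the global has no window (the xpcshell case in the trace above), and the "bail out with an error instead of crashing" form. InnerWindow, GlobalObject, ErrorResult, ConstructUnchecked and ConstructChecked are hypothetical stand-ins for the Gecko types and functions named in the stack, not their real definitions.

```cpp
// Added example, not Gecko code. All types and functions below are hypothetical
// stand-ins for nsPIDOMWindowInner, nsIGlobalObject, ErrorResult and
// mozilla::dom::ConstructJSImplementation.
#include <cstdio>
#include <string>

// Stand-in for the inner window. IsCurrentInnerWindow() is the check that the
// referenced security fix added to the JS-implementation constructor path.
struct InnerWindow {
    bool current = true;
    bool IsCurrentInnerWindow() const { return current; }
};

// Stand-in for the global object. In a browser it wraps a window; in xpcshell
// there is no window at all, modelled here as a null pointer.
struct GlobalObject {
    InnerWindow* window = nullptr;
    InnerWindow* GetAsInnerWindow() const { return window; }
};

// Minimal ErrorResult stand-in: records that construction was rejected and why.
struct ErrorResult {
    bool failed = false;
    std::string message;
    void ThrowNotSupported(const std::string& why) { failed = true; message = why; }
};

// BEFORE: rejects construction from a non-current window, but calls a method
// through the window pointer without checking it. When the global has no
// window this is a read through a null pointer, which is the SEGV on a
// near-zero address reported by ASan above. Never call this with a null window.
bool ConstructUnchecked(const GlobalObject& global, ErrorResult& rv) {
    InnerWindow* window = global.GetAsInnerWindow();
    if (!window->IsCurrentInnerWindow()) {  // null dereference if window == nullptr
        rv.ThrowNotSupported("window is not current");
        return false;
    }
    return true;  // would continue to build the JS implementation
}

// AFTER: a missing window is treated as "not supported" and reported through
// ErrorResult, so the caller sees a JS exception rather than a crash, and the
// original security check is kept unchanged for the case where a window exists.
bool ConstructChecked(const GlobalObject& global, ErrorResult& rv) {
    InnerWindow* window = global.GetAsInnerWindow();
    if (!window) {
        rv.ThrowNotSupported("no window in this global (e.g. xpcshell)");
        return false;
    }
    if (!window->IsCurrentInnerWindow()) {
        rv.ThrowNotSupported("window is not current");
        return false;
    }
    return true;
}

int main() {
    // Constructed scenario 1: xpcshell-like global with no window.
    GlobalObject noWindow;
    ErrorResult rv1;
    bool ok1 = ConstructChecked(noWindow, rv1);
    std::printf("no window: ok=%d error=\"%s\"\n", ok1, rv1.message.c_str());

    // Constructed scenario 2: ordinary current window, construction proceeds.
    InnerWindow w;
    GlobalObject withWindow;
    withWindow.window = &w;
    ErrorResult rv2;
    bool ok2 = ConstructChecked(withWindow, rv2);
    std::printf("current window: ok=%d\n", ok2);

    // Constructed scenario 3: window that is no longer current is still rejected.
    w.current = false;
    ErrorResult rv3;
    bool ok3 = ConstructChecked(withWindow, rv3);
    std::printf("stale window: ok=%d error=\"%s\"\n", ok3, rv3.message.c_str());
    return 0;
}
```

The point of keeping the second check in ConstructChecked is that the null-window guard only removes the crash; the non-current-window rejection that the original fix introduced is what matters for security and must stay.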
Updated • 4 years ago
Comment 5 • 4 years ago
Looks like this is being actively worked, so I'll mark it p2/s3.
Comment 7 • 4 years ago
bugherder