Closed Bug 1696452 Opened 4 years ago Closed 4 years ago

AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27 in get

Categories

(Core :: WebRTC, defect, P2)

Tracking

RESOLVED FIXED
89 Branch
Tracking Status
firefox89 --- fixed

People

(Reporter: jkratzer, Assigned: kmag)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

The fuzzing team is currently in the process of developing a new process for fuzzing DOM interfaces via xpcshell. During this development, the following crash was identified.

Steps to reproduce (via xpcshell):
js> new RTCIceCandidate()

==340570==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000080 (pc 0x7fc42e175bc4 bp 0x7ffc04bf7c50 sp 0x7ffc04bf7c40 T0)
==340570==The signal is caused by a READ memory access.
==340570==Hint: address points to the zero page.
    #0 0x7fc42e175bc4 in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
    #1 0x7fc42e175bc4 in operator mozilla::dom::BrowsingContext * /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:299:12
    #2 0x7fc42e175bc4 in GetBrowsingContext /builds/worker/checkouts/gecko/dom/base/nsPIDOMWindowInlines.h:77:10
    #3 0x7fc42e175bc4 in nsPIDOMWindowInner::IsCurrentInnerWindow() const /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:2753:14
    #4 0x7fc42ff18331 in mozilla::dom::ConstructJSImplementation(char const*, nsIGlobalObject*, JS::MutableHandle<JSObject*>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:2559:18
    #5 0x7fc42f00711a in already_AddRefed<mozilla::dom::RTCIceCandidate> mozilla::dom::ConstructJSImplementation<mozilla::dom::RTCIceCandidate>(char const*, nsIGlobalObject*, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BindingUtils.h:2473:3
    #6 0x7fc42eea7508 in already_AddRefed<mozilla::dom::RTCIceCandidate> mozilla::dom::ConstructJSImplementation<mozilla::dom::RTCIceCandidate>(char const*, mozilla::dom::GlobalObject const&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BindingUtils.h:2494:10
    #7 0x7fc42eea6f6c in mozilla::dom::RTCIceCandidate::Constructor(mozilla::dom::GlobalObject const&, JSContext*, mozilla::dom::RTCIceCandidateInit const&, mozilla::ErrorResult&, JS::Handle<JSObject*>) /builds/worker/workspace/obj-build/dom/bindings/RTCIceCandidateBinding.cpp:1681:5
    #8 0x7fc42ef89c86 in mozilla::dom::RTCIceCandidate_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/RTCIceCandidateBinding.cpp:978:61
    #9 0x7fc4365f9911 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:435:13
    #10 0x7fc4365f9911 in CallJSNativeConstructor /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:451:8
    #11 0x7fc4365f9911 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:643:10
    #12 0x7fc4365d6f4f in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3233:16
    #13 0x7fc4365c5b53 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:405:13
    #14 0x7fc4365fac23 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:772:13
    #15 0x7fc43686c0d4 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:444:10
    #16 0x7fc43686bdd0 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:461:10
    #17 0x7fc42cf173e1 in ProcessUtf8Line /builds/worker/checkouts/gecko/js/xpconnect/src/XPCShellImpl.cpp:707:8
    #18 0x7fc42cf173e1 in ProcessFile(mozilla::dom::AutoJSAPI&, char const*, _IO_FILE*, bool) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCShellImpl.cpp:795:10
    #19 0x7fc42cf17f1f in Process(mozilla::dom::AutoJSAPI&, char const*, bool) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCShellImpl.cpp:823:13
    #20 0x7fc42ced4fbe in ProcessArgs(mozilla::dom::AutoJSAPI&, char**, int, XPCShellDirProvider*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCShellImpl.cpp:989:12
    #21 0x7fc42ced1958 in XRE_XPCShellMain(int, char**, char**, XREShellData const*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCShellImpl.cpp:1347:14
    #22 0x55e275635242 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:184:24
    #23 0x55e275635242 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:347:16
    #24 0x7fc44b0580b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

This is likely not a bug. mozilla::dom::ConstructJSImplementation is trying to get the current window, and there is none in xpcshell. We could look into why the window here would be required and if we can stub this, but there is no guarantee that the implementation can be used in xpcshell.

Looking at this more closely, this might be a side-effect of the fix for bug 1658214.

Kris, in that bug you fixed a problem in BindingUtils where you check IsCurrentInnerWindow to prevent a security problem. I think the way the check is made, the side-effect might be that if there is no window at all (e.g. in xpcshell), we crash and therefore can no longer use APIs that call mozilla::dom::ConstructJSImplementation.

Is it safe for me to think about excluding the case where there is no window at all and/or special-case xpcshell for this purpose?

Flags: needinfo?(kmaglione+bmo)

(In reply to Christian Holler (:decoder) from comment #2)
> Is it safe for me to think about excluding the case where there is no window at all and/or special-case xpcshell for this purpose?

I think we should probably just bail out rather than crashing in the case where there's no window. There's no point in trying to fuzz the JS-implemented objects when there's no window, since they basically won't work at all. They're also deprecated, so we won't be adding any more.

Flags: needinfo?(kmaglione+bmo)
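The two comments above describe the mechanism: ConstructJSImplementation fetches the global's inner window and calls IsCurrentInnerWindow() on it with no null check, so a global that has no window at all (xpcshell here) dereferences null instead of failing cleanly. The following is an added illustration, not Gecko code and not the patch that landed: InnerWindow, GlobalObject and Status are hypothetical stand-ins for nsPIDOMWindowInner, nsIGlobalObject and ErrorResult, and the NotSupported result is an assumption about how the bail-out is reported. The point it makes is the ordering of the two checks: the null-window check must come first, and the current-inner-window check that comment 2 attributes to bug 1658214 must stay in place for real windows.

```cpp
// Added illustration (not Gecko code): a minimal model of the null-window
// dereference reported above and of the "bail out instead of crashing" fix.
// InnerWindow, GlobalObject and Status are hypothetical stand-ins for
// nsPIDOMWindowInner, nsIGlobalObject and ErrorResult.
#include <cassert>
#include <cstdio>

// Stand-in for nsPIDOMWindowInner. After navigation an inner window is no
// longer the "current" inner window of its browsing context.
struct InnerWindow {
  bool isCurrentInner;
  bool IsCurrentInnerWindow() const { return isCurrentInner; }
};

// Stand-in for nsIGlobalObject. An xpcshell global, a worker global or a
// sandbox has no DOM window at all, so `window` is null there.
struct GlobalObject {
  InnerWindow* window;
  InnerWindow* GetAsInnerWindow() const { return window; }
};

enum class Status { Ok, NotSupported, InvalidState };

const char* StatusName(Status s) {
  switch (s) {
    case Status::Ok:           return "Ok";
    case Status::NotSupported: return "NotSupported";
    default:                   return "InvalidState";
  }
}

// Shape of the code before the fix, as the stack trace shows it: the window
// is dereferenced via IsCurrentInnerWindow() -> GetBrowsingContext() with no
// null check. With a window-less global this is a null dereference (ASan
// reports a read next to the zero page), so this function must only be
// called with a real window; it is kept here for contrast.
Status ConstructJSImplementationBefore(const GlobalObject& global) {
  InnerWindow* window = global.GetAsInnerWindow();
  if (!window->IsCurrentInnerWindow()) {  // crashes when window == nullptr
    return Status::InvalidState;
  }
  return Status::Ok;
}

// Shape of the code after the fix. The ordering matters: the null check comes
// first so non-Window globals get a clean error, and the current-inner-window
// check (the security check comment 2 attributes to bug 1658214) is kept
// unchanged for windows.
Status ConstructJSImplementationAfter(const GlobalObject& global) {
  InnerWindow* window = global.GetAsInnerWindow();
  if (!window) {
    // Non-Window global, e.g. xpcshell: the JS-implemented object cannot work
    // here, so report an error (hypothetical NotSupported) instead of crashing.
    return Status::NotSupported;
  }
  if (!window->IsCurrentInnerWindow()) {
    // Stale window (navigated away): refuse, exactly as before the fix.
    return Status::InvalidState;
  }
  return Status::Ok;
}

int main() {
  InnerWindow current{true};
  InnerWindow stale{false};
  GlobalObject windowGlobal{&current};
  GlobalObject staleGlobal{&stale};
  GlobalObject xpcshellGlobal{nullptr};  // `new RTCIceCandidate()` in xpcshell

  std::printf("window  : %s\n", StatusName(ConstructJSImplementationAfter(windowGlobal)));
  std::printf("stale   : %s\n", StatusName(ConstructJSImplementationAfter(staleGlobal)));
  std::printf("xpcshell: %s\n", StatusName(ConstructJSImplementationAfter(xpcshellGlobal)));
  // ConstructJSImplementationBefore(xpcshellGlobal) would be the reported crash.
  return 0;
}
```

When reviewing a fix of this shape, the thing to verify is that the stale-window case still fails after the patch: a null check that is written as `if (window && !window->IsCurrentInnerWindow())` would silently let window-less globals through and would also be the wrong fix if the original check was there for a security reason.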

We don't want to support this, but we also shouldn't crash if someone attempts it.

Assignee: nobody → kmaglione+bmo
Status: NEW → ASSIGNED

Looks like this is being actively worked, so I'll mark it p2/s3.

Severity: -- → S3
Priority: -- → P2
Pushed by maglione.k@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/794eb141555c
Handle attempts to construct JS-implemented interfaces in non-Window globals. r=peterv
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 89 Branch
Blocks: domino