Closed Bug 1747078 Opened 2 years ago Closed 2 years ago

AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash | Trying to run a non-debug fuzzing build

Categories

(Core :: Networking, defect, P3)

Tracking

()

RESOLVED INCOMPLETE
Tracking Status
firefox97 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, intermittent-failure, testcase, Whiteboard: [necko-triaged])

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 9d18f8b3780f (built with --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch
$ python -m fuzzfetch --build 6531d095b2a7 --asan --fuzzing -n build
$ ./build/firefox ./testcase.html
==1034217==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fb5ccd501a0 bp 0x7fb5a93ef6f0 sp 0x7fb5a93ef6e0 T7)
==1034217==The signal is caused by a WRITE memory access.
==1034217==Hint: address points to the zero page.
    #0 0x7fb5ccd501a0 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
    #1 0x7fb5ccd501a0 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
    #2 0x7fb5ccd500c6 in mozglue_static::panic_hook::h61696a4324a5d117 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:91:9
    #3 0x7fb5ccd4ed85 in core::ops::function::Fn::call::h4225dabb1a2af65e /builds/worker/fetches/rust/library/core/src/ops/function.rs:70:5
    #4 0x7fb5cfac8b7f in std::panicking::rust_panic_with_hook::h12df1cde34faedfe (/home/jkratzer/builds/mc-asan/libxul.so+0x1ec8cb7f)
    #5 0x7fb5ca713b71 in std::panicking::begin_panic::_$u7b$$u7b$closure$u7d$$u7d$::h0e601601fc8d6270 /builds/worker/fetches/rust/library/std/src/panicking.rs:544:9
    #6 0x7fb5ca7124b9 in std::sys_common::backtrace::__rust_end_short_backtrace::hc30c3006a10690ac /builds/worker/fetches/rust/library/std/src/sys_common/backtrace.rs:139:18
    #7 0x7fb5b8f5b733 in std::panicking::begin_panic::h5fbcb1f5137e5083 /builds/worker/fetches/rust/library/std/src/panicking.rs:543:12
    #8 0x7fb5ca7284eb in neqo_crypto::aead_fuzzing::Aead::new::h64437c1ef23257e6 /builds/worker/checkouts/gecko/third_party/rust/neqo-crypto/src/aead_fuzzing.rs:19:9
    #9 0x7fb5ca5f6f67 in neqo_transport::crypto::CryptoDxState::new::h268b9fb564a9ed12 /builds/worker/checkouts/gecko/third_party/rust/neqo-transport/src/crypto.rs:400:19
    #10 0x7fb5ca5f8344 in neqo_transport::crypto::CryptoDxState::new_initial::h32cc6be997ac4f64 /builds/worker/checkouts/gecko/third_party/rust/neqo-transport/src/crypto.rs:442:9
    #11 0x7fb5ca600c82 in neqo_transport::crypto::CryptoStates::init::h6760df3916bce248 /builds/worker/checkouts/gecko/third_party/rust/neqo-transport/src/crypto.rs:890:17
    #12 0x7fb5ca3177d9 in neqo_transport::connection::Connection::new_client::ha12828caf823dce2 /builds/worker/checkouts/gecko/third_party/rust/neqo-transport/src/connection/mod.rs:312:9
    #13 0x7fb5ca3177d9 in neqo_http3::connection_client::Http3Client::new::hde08da65c5b407c2 /builds/worker/checkouts/gecko/third_party/rust/neqo-http3/src/connection_client.rs:88:13
    #14 0x7fb5ca266190 in neqo_glue::NeqoHttp3Conn::new::ha72c722c88340127 /builds/worker/checkouts/gecko/netwerk/socket/neqo_glue/src/lib.rs:137:30
    #15 0x7fb5ca266190 in neqo_http3conn_new /builds/worker/checkouts/gecko/netwerk/socket/neqo_glue/src/lib.rs:231:11
    #16 0x7fb5bad97730 in Init /builds/worker/workspace/obj-build/dist/include/mozilla/net/NeqoHttp3Conn.h:21:12
    #17 0x7fb5bad97730 in mozilla::net::Http3Session::Init(mozilla::net::nsHttpConnectionInfo const*, nsINetAddr*, nsINetAddr*, mozilla::net::HttpConnectionUDP*, unsigned int, nsIInterfaceRequestor*) /builds/worker/checkouts/gecko/netwerk/protocol/http/Http3Session.cpp:119:17
    #18 0x7fb5bae8691b in mozilla::net::HttpConnectionUDP::Init(mozilla::net::nsHttpConnectionInfo*, nsIDNSRecord*, nsresult, nsIInterfaceRequestor*, unsigned int) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpConnectionUDP.cpp:146:23
    #19 0x7fb5bad2ecb4 in mozilla::net::DnsAndConnectSocket::TransportSetup::SetupConn(mozilla::net::nsAHttpTransaction*, mozilla::net::ConnectionEntry*, nsresult, unsigned int, mozilla::net::HttpConnectionBase**) /builds/worker/checkouts/gecko/netwerk/protocol/http/DnsAndConnectSocket.cpp:1020:19
    #20 0x7fb5bad2b91b in mozilla::net::DnsAndConnectSocket::SetupConn(bool, nsresult) /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h
    #21 0x7fb5bad2af69 in mozilla::net::DnsAndConnectSocket::OnLookupComplete(nsICancelable*, nsIDNSRecord*, nsresult) /builds/worker/checkouts/gecko/netwerk/protocol/http/DnsAndConnectSocket.cpp:446:5
    #22 0x7fb5bad2d534 in non-virtual thunk to mozilla::net::DnsAndConnectSocket::OnLookupComplete(nsICancelable*, nsIDNSRecord*, nsresult) /builds/worker/checkouts/gecko/netwerk/protocol/http/DnsAndConnectSocket.cpp
    #23 0x7fb5ba4f02c6 in operator() /builds/worker/checkouts/gecko/netwerk/dns/DNSListenerProxy.cpp:29:59
    #24 0x7fb5ba4f02c6 in mozilla::detail::RunnableFunction<mozilla::net::DNSListenerProxy::OnLookupComplete(nsICancelable*, nsIDNSRecord*, nsresult)::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
    #25 0x7fb5ba00d04b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1177:16
    #26 0x7fb5ba017e7c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10
    #27 0x7fb5ba3fdf11 in mozilla::net::nsSocketTransportService::Run() /builds/worker/checkouts/gecko/netwerk/base/nsSocketTransportService2.cpp:1190:11
    #28 0x7fb5ba3ffb6c in non-virtual thunk to mozilla::net::nsSocketTransportService::Run() /builds/worker/checkouts/gecko/netwerk/base/nsSocketTransportService2.cpp
    #29 0x7fb5ba00d04b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1177:16
    #30 0x7fb5ba017e7c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10
    #31 0x7fb5bb52b15d in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
    #32 0x7fb5bb3a8fb1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #33 0x7fb5bb3a8fb1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #34 0x7fb5bb3a8fb1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #35 0x7fb5ba00554f in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
    #36 0x7fb5dcdd902e in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #37 0x7fb5de005608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #38 0x7fb5ddbcd292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash
Thread T7 (Socket Thread) created by T0 (GeckoMain) here:
    #0 0x556842cd7e2c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:207:3
    #1 0x7fb5dcdc90b4 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7fb5dcdba35e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7fb5ba0088a5 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:615:18
    #4 0x7fb5ba015c5f in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:581:12
    #5 0x7fb5ba0211f1 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:163:57
    #6 0x7fb5ba3fb961 in NS_NewNamedThread<14UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:85:10
    #7 0x7fb5ba3fb961 in mozilla::net::nsSocketTransportService::Init() /builds/worker/checkouts/gecko/netwerk/base/nsSocketTransportService2.cpp:760:7
    #8 0x7fb5b9f7c9d3 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:10672:7
    #9 0x7fb5b9fba507 in CreateInstance /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:177:46
    #10 0x7fb5b9fba507 in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::MonitorAutoLock>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1276:17
    #11 0x7fb5b9fbc384 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1465:10
    #12 0x7fb5b9fc1792 in CallGetService /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:61:43
    #13 0x7fb5b9fc1792 in nsGetServiceByContractIDWithError::operator()(nsID const&, void**) const /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:253:21
    #14 0x7fb5b9e1a8fd in nsCOMPtr_base::assign_from_gs_contractid_with_error(nsGetServiceByContractIDWithError const&, nsID const&) /builds/worker/checkouts/gecko/xpcom/base/nsCOMPtr.cpp:91:7
    #15 0x7fb5ba34e90b in operator= /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:774:5
    #16 0x7fb5ba34e90b in mozilla::net::nsIOService::InitializeSocketTransportService() /builds/worker/checkouts/gecko/netwerk/base/nsIOService.cpp:425:29
    #17 0x7fb5ba34d670 in mozilla::net::nsIOService::SetOffline(bool) /builds/worker/checkouts/gecko/netwerk/base/nsIOService.cpp:1276:7
    #18 0x7fb5ba34b8f1 in mozilla::net::nsIOService::Init() /builds/worker/checkouts/gecko/netwerk/base/nsIOService.cpp:309:3
    #19 0x7fb5ba34f59b in mozilla::net::nsIOService::GetInstance() /builds/worker/checkouts/gecko/netwerk/base/nsIOService.cpp:482:9
    #20 0x7fb5b9f6d271 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:8772:48
    #21 0x7fb5b9fba507 in CreateInstance /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:177:46
    #22 0x7fb5b9fba507 in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::MonitorAutoLock>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1276:17
    #23 0x7fb5b9fbc384 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1465:10
    #24 0x7fb5bc700b17 in CallGetService<nsIIOService> /builds/worker/workspace/obj-build/dist/include/nsServiceManagerUtils.h:52:10
    #25 0x7fb5bc700b17 in nsScriptSecurityManager::Init() /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.cpp:1476:17
    #26 0x7fb5bc701019 in nsScriptSecurityManager::InitStatics() /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.cpp:1537:28
    #27 0x7fb5bc482640 in nsXPConnect::InitStatics() /builds/worker/checkouts/gecko/js/xpconnect/src/nsXPConnect.cpp:153:3
    #28 0x7fb5bc4135c8 in xpcModuleCtor() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCModule.cpp:11:3
    #29 0x7fb5c3102068 in nsLayoutModuleInitialize() /builds/worker/checkouts/gecko/layout/build/nsLayoutModule.cpp:100:7
    #30 0x7fb5b9fb2466 in nsComponentManagerImpl::Init() /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:408:5
    #31 0x7fb5ba08301d in NS_InitXPCOM /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:446:51
    #32 0x7fb5c6efb7d6 in ScopedXPCOMStartup::Initialize(bool) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:1730:8
    #33 0x7fb5c6f122ae in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5543:22
    #34 0x7fb5c6f13003 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5606:21
    #35 0x556842d22a79 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:225:22
    #36 0x556842d22a79 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:395:16
    #37 0x7fb5ddad20b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

==1034217==ABORTING
Flags: in-testsuite?

The crash is at this line.
It seems that we should remove this assertion, since fuzzing is not always running on debug builds.

Dragana, what do you think?

Flags: needinfo?(dd.mozilla)

That assertion has been added on purpose so that the encryption is only disabled on a debug build.

See bug 1743672 for more info.

Flags: needinfo?(dd.mozilla)
See Also: → 1743672
Severity: S2 → S4
Priority: -- → P3
Whiteboard: [necko-triaged]
Summary: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash → AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash | Trying to run a non-debug fuzzing build
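
The guard discussed in the comments above, sketched as an added example (not code from neqo or from this bug): a pass-through "AEAD" for fuzzing that refuses to exist outside a debug build. `NullAead`, `new_checked`, `AeadError` and the tag value are hypothetical names and constants chosen for illustration; only the panic message is taken from the bug summary.

```rust
// Illustrative sketch: a fuzzing-only AEAD that performs no encryption,
// guarded so it cannot be constructed unless debug assertions are enabled.
const FIXED_TAG: [u8; 16] = [0x0a; 16]; // constructed placeholder tag

#[derive(Debug, PartialEq)]
pub enum AeadError {
    NonDebugFuzzingBuild,
    BadTag,
}

#[derive(Debug)]
pub struct NullAead;

impl NullAead {
    /// Build-profile entry point: panics on a non-debug build, which is the
    /// behaviour the ASan report shows reaching MOZ_Crash via the panic hook.
    pub fn new() -> Self {
        Self::new_checked(cfg!(debug_assertions))
            .expect("Trying to run a non-debug fuzzing build")
    }

    /// Same guard with the build flag passed in, so both outcomes are testable.
    pub fn new_checked(debug_build: bool) -> Result<Self, AeadError> {
        if debug_build { Ok(NullAead) } else { Err(AeadError::NonDebugFuzzingBuild) }
    }

    /// "Encrypt": copy the plaintext and append the fixed tag. No secrecy.
    pub fn encrypt(&self, plaintext: &[u8]) -> Vec<u8> {
        let mut out = plaintext.to_vec();
        out.extend_from_slice(&FIXED_TAG);
        out
    }

    /// "Decrypt": check and strip the fixed tag, returning the payload.
    pub fn decrypt(&self, input: &[u8]) -> Result<Vec<u8>, AeadError> {
        if input.len() < FIXED_TAG.len() {
            return Err(AeadError::BadTag);
        }
        let (body, tag) = input.split_at(input.len() - FIXED_TAG.len());
        if tag == &FIXED_TAG[..] { Ok(body.to_vec()) } else { Err(AeadError::BadTag) }
    }
}

fn main() {
    // In an optimized build without debug assertions this line panics.
    let aead = NullAead::new();
    println!("null AEAD active, packet = {:?}", aead.encrypt(b"hi"));
}
```

An `--enable-fuzzing` build compiled without debug assertions takes the panicking branch, which matches the `Aead::new` frame at the top of the Rust portion of the trace.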

The failure this bug was filed for hasn't happened in at least the last 30 days, so closing as incomplete. The failures starred here are about Bug 1791335.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INCOMPLETE