Open Bug 1747078 Opened 7 months ago Updated 1 month ago

AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash

Categories

(Core :: Networking, defect, P3)

Tracking

Tracking Status
firefox97 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [necko-triaged])

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 9d18f8b3780f (built with --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch
$ python -m fuzzfetch --build 6531d095b2a7 --asan --fuzzing -n build
$ ./build/firefox ./testcase.html

==1034217==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fb5ccd501a0 bp 0x7fb5a93ef6f0 sp 0x7fb5a93ef6e0 T7)
==1034217==The signal is caused by a WRITE memory access.
==1034217==Hint: address points to the zero page.
    #0 0x7fb5ccd501a0 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
    #1 0x7fb5ccd501a0 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
    #2 0x7fb5ccd500c6 in mozglue_static::panic_hook::h61696a4324a5d117 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:91:9
    #3 0x7fb5ccd4ed85 in core::ops::function::Fn::call::h4225dabb1a2af65e /builds/worker/fetches/rust/library/core/src/ops/function.rs:70:5
    #4 0x7fb5cfac8b7f in std::panicking::rust_panic_with_hook::h12df1cde34faedfe (/home/jkratzer/builds/mc-asan/libxul.so+0x1ec8cb7f)
    #5 0x7fb5ca713b71 in std::panicking::begin_panic::_$u7b$$u7b$closure$u7d$$u7d$::h0e601601fc8d6270 /builds/worker/fetches/rust/library/std/src/panicking.rs:544:9
    #6 0x7fb5ca7124b9 in std::sys_common::backtrace::__rust_end_short_backtrace::hc30c3006a10690ac /builds/worker/fetches/rust/library/std/src/sys_common/backtrace.rs:139:18
    #7 0x7fb5b8f5b733 in std::panicking::begin_panic::h5fbcb1f5137e5083 /builds/worker/fetches/rust/library/std/src/panicking.rs:543:12
    #8 0x7fb5ca7284eb in neqo_crypto::aead_fuzzing::Aead::new::h64437c1ef23257e6 /builds/worker/checkouts/gecko/third_party/rust/neqo-crypto/src/aead_fuzzing.rs:19:9
    #9 0x7fb5ca5f6f67 in neqo_transport::crypto::CryptoDxState::new::h268b9fb564a9ed12 /builds/worker/checkouts/gecko/third_party/rust/neqo-transport/src/crypto.rs:400:19
    #10 0x7fb5ca5f8344 in neqo_transport::crypto::CryptoDxState::new_initial::h32cc6be997ac4f64 /builds/worker/checkouts/gecko/third_party/rust/neqo-transport/src/crypto.rs:442:9
    #11 0x7fb5ca600c82 in neqo_transport::crypto::CryptoStates::init::h6760df3916bce248 /builds/worker/checkouts/gecko/third_party/rust/neqo-transport/src/crypto.rs:890:17
    #12 0x7fb5ca3177d9 in neqo_transport::connection::Connection::new_client::ha12828caf823dce2 /builds/worker/checkouts/gecko/third_party/rust/neqo-transport/src/connection/mod.rs:312:9
    #13 0x7fb5ca3177d9 in neqo_http3::connection_client::Http3Client::new::hde08da65c5b407c2 /builds/worker/checkouts/gecko/third_party/rust/neqo-http3/src/connection_client.rs:88:13
    #14 0x7fb5ca266190 in neqo_glue::NeqoHttp3Conn::new::ha72c722c88340127 /builds/worker/checkouts/gecko/netwerk/socket/neqo_glue/src/lib.rs:137:30
    #15 0x7fb5ca266190 in neqo_http3conn_new /builds/worker/checkouts/gecko/netwerk/socket/neqo_glue/src/lib.rs:231:11
    #16 0x7fb5bad97730 in Init /builds/worker/workspace/obj-build/dist/include/mozilla/net/NeqoHttp3Conn.h:21:12
    #17 0x7fb5bad97730 in mozilla::net::Http3Session::Init(mozilla::net::nsHttpConnectionInfo const*, nsINetAddr*, nsINetAddr*, mozilla::net::HttpConnectionUDP*, unsigned int, nsIInterfaceRequestor*) /builds/worker/checkouts/gecko/netwerk/protocol/http/Http3Session.cpp:119:17
    #18 0x7fb5bae8691b in mozilla::net::HttpConnectionUDP::Init(mozilla::net::nsHttpConnectionInfo*, nsIDNSRecord*, nsresult, nsIInterfaceRequestor*, unsigned int) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpConnectionUDP.cpp:146:23
    #19 0x7fb5bad2ecb4 in mozilla::net::DnsAndConnectSocket::TransportSetup::SetupConn(mozilla::net::nsAHttpTransaction*, mozilla::net::ConnectionEntry*, nsresult, unsigned int, mozilla::net::HttpConnectionBase**) /builds/worker/checkouts/gecko/netwerk/protocol/http/DnsAndConnectSocket.cpp:1020:19
    #20 0x7fb5bad2b91b in mozilla::net::DnsAndConnectSocket::SetupConn(bool, nsresult) /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h
    #21 0x7fb5bad2af69 in mozilla::net::DnsAndConnectSocket::OnLookupComplete(nsICancelable*, nsIDNSRecord*, nsresult) /builds/worker/checkouts/gecko/netwerk/protocol/http/DnsAndConnectSocket.cpp:446:5
    #22 0x7fb5bad2d534 in non-virtual thunk to mozilla::net::DnsAndConnectSocket::OnLookupComplete(nsICancelable*, nsIDNSRecord*, nsresult) /builds/worker/checkouts/gecko/netwerk/protocol/http/DnsAndConnectSocket.cpp
    #23 0x7fb5ba4f02c6 in operator() /builds/worker/checkouts/gecko/netwerk/dns/DNSListenerProxy.cpp:29:59
    #24 0x7fb5ba4f02c6 in mozilla::detail::RunnableFunction<mozilla::net::DNSListenerProxy::OnLookupComplete(nsICancelable*, nsIDNSRecord*, nsresult)::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
    #25 0x7fb5ba00d04b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1177:16
    #26 0x7fb5ba017e7c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10
    #27 0x7fb5ba3fdf11 in mozilla::net::nsSocketTransportService::Run() /builds/worker/checkouts/gecko/netwerk/base/nsSocketTransportService2.cpp:1190:11
    #28 0x7fb5ba3ffb6c in non-virtual thunk to mozilla::net::nsSocketTransportService::Run() /builds/worker/checkouts/gecko/netwerk/base/nsSocketTransportService2.cpp
    #29 0x7fb5ba00d04b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1177:16
    #30 0x7fb5ba017e7c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10
    #31 0x7fb5bb52b15d in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
    #32 0x7fb5bb3a8fb1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #33 0x7fb5bb3a8fb1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #34 0x7fb5bb3a8fb1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #35 0x7fb5ba00554f in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
    #36 0x7fb5dcdd902e in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #37 0x7fb5de005608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #38 0x7fb5ddbcd292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash
Thread T7 (Socket Thread) created by T0 (GeckoMain) here:
    #0 0x556842cd7e2c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:207:3
    #1 0x7fb5dcdc90b4 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7fb5dcdba35e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7fb5ba0088a5 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:615:18
    #4 0x7fb5ba015c5f in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:581:12
    #5 0x7fb5ba0211f1 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:163:57
    #6 0x7fb5ba3fb961 in NS_NewNamedThread<14UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:85:10
    #7 0x7fb5ba3fb961 in mozilla::net::nsSocketTransportService::Init() /builds/worker/checkouts/gecko/netwerk/base/nsSocketTransportService2.cpp:760:7
    #8 0x7fb5b9f7c9d3 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:10672:7
    #9 0x7fb5b9fba507 in CreateInstance /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:177:46
    #10 0x7fb5b9fba507 in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::MonitorAutoLock>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1276:17
    #11 0x7fb5b9fbc384 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1465:10
    #12 0x7fb5b9fc1792 in CallGetService /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:61:43
    #13 0x7fb5b9fc1792 in nsGetServiceByContractIDWithError::operator()(nsID const&, void**) const /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:253:21
    #14 0x7fb5b9e1a8fd in nsCOMPtr_base::assign_from_gs_contractid_with_error(nsGetServiceByContractIDWithError const&, nsID const&) /builds/worker/checkouts/gecko/xpcom/base/nsCOMPtr.cpp:91:7
    #15 0x7fb5ba34e90b in operator= /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:774:5
    #16 0x7fb5ba34e90b in mozilla::net::nsIOService::InitializeSocketTransportService() /builds/worker/checkouts/gecko/netwerk/base/nsIOService.cpp:425:29
    #17 0x7fb5ba34d670 in mozilla::net::nsIOService::SetOffline(bool) /builds/worker/checkouts/gecko/netwerk/base/nsIOService.cpp:1276:7
    #18 0x7fb5ba34b8f1 in mozilla::net::nsIOService::Init() /builds/worker/checkouts/gecko/netwerk/base/nsIOService.cpp:309:3
    #19 0x7fb5ba34f59b in mozilla::net::nsIOService::GetInstance() /builds/worker/checkouts/gecko/netwerk/base/nsIOService.cpp:482:9
    #20 0x7fb5b9f6d271 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:8772:48
    #21 0x7fb5b9fba507 in CreateInstance /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:177:46
    #22 0x7fb5b9fba507 in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::MonitorAutoLock>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1276:17
    #23 0x7fb5b9fbc384 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1465:10
    #24 0x7fb5bc700b17 in CallGetService<nsIIOService> /builds/worker/workspace/obj-build/dist/include/nsServiceManagerUtils.h:52:10
    #25 0x7fb5bc700b17 in nsScriptSecurityManager::Init() /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.cpp:1476:17
    #26 0x7fb5bc701019 in nsScriptSecurityManager::InitStatics() /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.cpp:1537:28
    #27 0x7fb5bc482640 in nsXPConnect::InitStatics() /builds/worker/checkouts/gecko/js/xpconnect/src/nsXPConnect.cpp:153:3
    #28 0x7fb5bc4135c8 in xpcModuleCtor() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCModule.cpp:11:3
    #29 0x7fb5c3102068 in nsLayoutModuleInitialize() /builds/worker/checkouts/gecko/layout/build/nsLayoutModule.cpp:100:7
    #30 0x7fb5b9fb2466 in nsComponentManagerImpl::Init() /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:408:5
    #31 0x7fb5ba08301d in NS_InitXPCOM /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:446:51
    #32 0x7fb5c6efb7d6 in ScopedXPCOMStartup::Initialize(bool) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:1730:8
    #33 0x7fb5c6f122ae in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5543:22
    #34 0x7fb5c6f13003 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5606:21
    #35 0x556842d22a79 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:225:22
    #36 0x556842d22a79 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:395:16
    #37 0x7fb5ddad20b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

==1034217==ABORTING
Flags: in-testsuite?

The crash is at this line.
It seems that we should remove this assertion, since fuzzing is not always running on debug builds.

Dragana, what do you think?

Flags: needinfo?(dd.mozilla)

That assertion has been added on purpose so that the encryption is only disabled on a debug build.

See bug 1743672 for more info.

Flags: needinfo?(dd.mozilla)
See Also: → 1743672
Severity: S2 → S4
Priority: -- → P3
Whiteboard: [necko-triaged]