Closed Bug 1752782 Opened 3 years ago Closed 3 years ago

Crash [@ load] through [@ mozilla::dom::ClonedErrorHolder::ToErrorValue]

Categories

(Core :: DOM: Content Processes, defect)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
99 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox97 --- wontfix
firefox98 --- wontfix
firefox99 --- fixed

People

(Reporter: decoder, Assigned: decoder)

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(3 files)

The attached testcase crashes on mozilla-central revision 20220124-e40a136dc876.

Backtrace:

==871==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4323cae097 bp 0x7ffd6e780d90 sp 0x7ffd6e780d80 T0)
    #0 0x7f4323cae097 in load c++/7.5.0/bits/atomic_base.h:396:9
    #1 0x7f4323cae097 in load mozilla/Atomics.h:195:17
    #2 0x7f4323cae097 in operator unsigned long dist/include/mozilla/Atomics.h:340:31
    #3 0x7f4323cae097 in headerFlagsField /js/src/gc/Cell.h:617:55
    #4 0x7f4323cae097 in flags /js/src/vm/StringType.h:201:35
    #5 0x7f4323cae097 in isAtom /js/src/vm/StringType.h:537:32
    #6 0x7f4323cae097 in js::ContextChecks::check(JSString*, int) /js/src/vm/JSContext-inl.h:118:14
    #7 0x7f4323e83b84 in void JSContext::checkImpl<JS::Handle<JSObject*>, JS::Handle<JSString*>, JS::Handle<JSString*> >(JS::Handle<JSObject*> const&, JS::Handle<JSString*> const&, JS::Handle<JSString*> const&) /js/src/vm/JSContext-inl.h:213:33
    #8 0x7f4323e41b5c in check<JS::Handle<JSObject *>, JS::Handle<JSString *>, JS::Handle<JSString *> > /js/src/vm/JSContext-inl.h:220:5
    #9 0x7f4323e41b5c in JS::CreateError(JSContext*, JSExnType, JS::Handle<JSObject*>, JS::Handle<JSString*>, unsigned int, unsigned int, JSErrorReport*, JS::Handle<JSString*>, JS::Handle<mozilla::Maybe<JS::Value> >, JS::MutableHandle<JS::Value>) /js/src/jsexn.cpp:738:7
    #10 0x7f431e41aa52 in mozilla::dom::ClonedErrorHolder::ToErrorValue(JSContext*, JS::MutableHandle<JS::Value>) /dom/ipc/ClonedErrorHolder.cpp:297:10
    #11 0x7f431e41a296 in mozilla::dom::ClonedErrorHolder::ReadStructuredClone(JSContext*, JSStructuredCloneReader*, mozilla::dom::StructuredCloneHolder*) /dom/ipc/ClonedErrorHolder.cpp:226:43
    #12 0x7f431a514d28 in mozilla::dom::StructuredCloneHolder::CustomReadHandler(JSContext*, JSStructuredCloneReader*, JS::CloneDataPolicy const&, unsigned int, unsigned int) /dom/base/StructuredCloneHolder.cpp:1005:12
    #13 0x7f4323cddc82 in JSStructuredCloneReader::startRead(JS::MutableHandle<JS::Value>, js::gc::InitialHeap) /js/src/vm/StructuredClone.cpp:2826:11
    #14 0x7f4323cc6de1 in JSStructuredCloneReader::read(JS::MutableHandle<JS::Value>, unsigned long) /js/src/vm/StructuredClone.cpp:3238:8
    #15 0x7f4323cc64fa in ReadStructuredClone(JSContext*, JSStructuredCloneData const&, JS::StructuredCloneScope, JS::MutableHandle<JS::Value>, JS::CloneDataPolicy const&, JSStructuredCloneCallbacks const*, void*) /js/src/vm/StructuredClone.cpp:703:12
    #16 0x7f4323ce573e in JS_ReadStructuredClone(JSContext*, JSStructuredCloneData const&, unsigned int, JS::StructuredCloneScope, JS::MutableHandle<JS::Value>, JS::CloneDataPolicy const&, JSStructuredCloneCallbacks const*, void*) /js/src/vm/StructuredClone.cpp:3394:10
    #17 0x7f431a512218 in mozilla::dom::StructuredCloneHolder::ReadFromBuffer(nsIGlobalObject*, JSContext*, JSStructuredCloneData&, unsigned int, JS::MutableHandle<JS::Value>, JS::CloneDataPolicy const&, mozilla::ErrorResult&) /dom/base/StructuredCloneHolder.cpp:409:8
    #18 0x7f431a512134 in mozilla::dom::StructuredCloneHolder::ReadFromBuffer(nsIGlobalObject*, JSContext*, JSStructuredCloneData&, JS::MutableHandle<JS::Value>, JS::CloneDataPolicy const&, mozilla::ErrorResult&) /dom/base/StructuredCloneHolder.cpp:395:3
    #19 0x7f431e4d76e7 in mozilla::dom::ipc::StructuredCloneData::Read(JSContext*, JS::MutableHandle<JS::Value>, JS::CloneDataPolicy const&, mozilla::ErrorResult&) /dom/ipc/StructuredCloneData.cpp:116:3
    #20 0x7f431e4cf3ac in mozilla::dom::ipc::StructuredCloneData::Read(JSContext*, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /dom/ipc/StructuredCloneData.cpp:104:3
    #21 0x7f431537d69f in FuzzingRunDomSC(unsigned char const*, unsigned long) /dom/base/fuzztest/FuzzStructuredClone.cpp:62:10
    [...]

To reproduce the issue, perform the following steps:

  1. Download the attached testcase, save as "test.bin".
  2a. Build with --enable-fuzzing (requires Clang and ASan, also build gtests using ./mach gtest dontruntests).
  2b. Alternatively you can download builds from TC using python -mfuzzfetch -a --fuzzing --target firefox gtest (see https://github.com/MozillaSecurity/fuzzfetch).
  3. Run FUZZER=StructuredCloneReaderDOM objdir/dist/bin/firefox test.bin

I've already debugged this and have a patch. In this case mMessage is void, so we can either return false or assign an empty string like we do for mFilename in this case (I did the latter).
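
The pattern behind this crash and its fix, as an added illustration that is not code from the bug, the patch or Gecko: a string field deserialized from untrusted structured-clone data may come back void (absent, not merely empty), and a consumer such as JS::CreateError reads the resulting string pointer unconditionally, so a void value reaches it as a null pointer. The types below (VoidableString, ClonedError, JSString, the byte format read by ReadClonedError) are toy stand-ins constructed for this example; the real nsString, JSString and JS::CreateError are not modeled beyond the void-vs-empty and unconditional-dereference behaviour the comment above describes.

```cpp
#include <cstdint>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Toy stand-in for a "voidable" string: like nsString it can be void
// (no value at all), which is distinct from being empty. Hypothetical type.
struct VoidableString {
  std::optional<std::string> value;  // nullopt models IsVoid() == true
  bool IsVoid() const { return !value.has_value(); }
};

// Toy cloned-error record carrying the two fields the bug comment mentions.
struct ClonedError {
  VoidableString mMessage;
  VoidableString mFilename;
};

// Constructed wire format for this example (not the real structured-clone
// encoding): per field, a 1-byte tag (0x00 = void, 0x01 = present), then for
// present fields a 4-byte little-endian length followed by that many bytes.
static bool ReadField(const std::vector<uint8_t>& buf, size_t& pos,
                      VoidableString& out) {
  if (pos >= buf.size()) return false;
  uint8_t tag = buf[pos++];
  if (tag == 0x00) { out.value.reset(); return true; }  // void field
  if (tag != 0x01) return false;                          // unknown tag
  if (buf.size() - pos < 4) return false;                 // truncated length
  uint32_t len = buf[pos] | (buf[pos + 1] << 8) | (buf[pos + 2] << 16) |
                 (uint32_t(buf[pos + 3]) << 24);
  pos += 4;
  if (buf.size() - pos < len) return false;               // truncated body
  out.value = std::string(buf.begin() + pos, buf.begin() + pos + len);
  pos += len;
  return true;
}

// Reads both fields and rejects trailing garbage.
bool ReadClonedError(const std::vector<uint8_t>& buf, ClonedError& out) {
  size_t pos = 0;
  return ReadField(buf, pos, out.mMessage) &&
         ReadField(buf, pos, out.mFilename) && pos == buf.size();
}

// Toy stand-in for the engine-side string object.
struct JSString { std::string chars; };

// What the crashing path did in effect: a void string converts to nullptr,
// and that nullptr is handed on to the error constructor.
const JSString* ToJSStringUnchecked(const VoidableString& s, JSString& storage) {
  if (s.IsVoid()) return nullptr;
  storage.chars = *s.value;
  return &storage;
}

// Hardened conversion matching the chosen fix: a void string is treated as "",
// the same normalization the comment says was already applied to mFilename.
const JSString* ToJSStringNormalized(const VoidableString& s, JSString& storage) {
  storage.chars = s.IsVoid() ? std::string() : *s.value;
  return &storage;
}

// Models the consumer's behaviour: it reads the message unconditionally, so a
// nullptr here is the null dereference seen in the backtrace.
std::string BuildErrorDescription(const JSString* message, const JSString* filename) {
  return message->chars + " (" + filename->chars + ")";  // message must be non-null
}

// ToErrorValue with the fix applied: malformed input yields false, a void
// message yields an empty message instead of a null pointer.
bool ToErrorValueFixed(const std::vector<uint8_t>& buf, std::string& out) {
  ClonedError err;
  if (!ReadClonedError(buf, err)) return false;
  JSString msg, file;
  out = BuildErrorDescription(ToJSStringNormalized(err.mMessage, msg),
                              ToJSStringNormalized(err.mFilename, file));
  return true;
}

// Constructed sample input: void message, filename "a.js".
std::vector<uint8_t> SampleVoidMessage() {
  return {0x00, 0x01, 4, 0, 0, 0, 'a', '.', 'j', 's'};
}
bool SampleMessageIsVoid() {
  ClonedError e;
  return ReadClonedError(SampleVoidMessage(), e) && e.mMessage.IsVoid();
}
bool UncheckedConversionYieldsNull() {
  ClonedError e; JSString st;
  return ReadClonedError(SampleVoidMessage(), e) &&
         ToJSStringUnchecked(e.mMessage, st) == nullptr;
}
std::string FixedDescription() {
  std::string d;
  return ToErrorValueFixed(SampleVoidMessage(), d) ? d : "<rejected>";
}
bool TruncatedInputIsRejected() {
  std::string d;
  return !ToErrorValueFixed({0x01, 9, 0, 0, 0, 'x'}, d) && !ToErrorValueFixed({0x00}, d);
}

int main() {
  std::cout << "void message -> \"" << FixedDescription() << "\"\n";
  return 0;
}
```

The two options named in the comment map onto the code as follows: returning false from ToErrorValue corresponds to treating a void mMessage like the truncated-input case in ToErrorValueFixed, while substituting an empty string corresponds to ToJSStringNormalized. Either is acceptable as long as the unchecked null never reaches the consumer; which one to pick depends on whether a cloned error without a message should still be reconstructible.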

Attached file Testcase
Crash Signature: [@ load] → [@ JS::CreateError][@ mozilla::dom::ClonedErrorHolder::ToErrorValue]
Assignee: nobody → choller
Pushed by choller@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/276e6c73ddad Handle void message in ClonedErrorHolder. r=mccr8
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 99 Branch
