Closed Bug 1780435 Opened 2 years ago Closed 2 years ago

Hit MOZ_CRASH(Should not access the preference 'capability.policy.policynames' in the Content Processes) at /modules/libpref/Preferences.cpp:1071

Categories

(Core :: Preferences: Backend, defect)

x86_64
Linux
defect

Tracking

RESOLVED DUPLICATE of bug 1780403
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox102 --- unaffected
firefox103 --- unaffected
firefox104 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed][fuzzblocker])

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev 553b7242667d (built with: --enable-debug --enable-fuzzing).

This bug appears to be a recent regression. A large number of crashes matching this signature have been identified by the fuzzers since earlier today. Due to the simplicity of the testcase and the rate at which these crashes are occurring, I'm going to mark this as a fuzzblocker.

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 553b7242667d --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Hit MOZ_CRASH(Should not access the preference 'capability.policy.policynames' in the Content Processes) at /modules/libpref/Preferences.cpp:1071

    ==48263==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8ca0270432 bp 0x7ffc771c9cb0 sp 0x7ffc771c9c80 T48263)
    ==48263==The signal is caused by a WRITE memory access.
    ==48263==Hint: address points to the zero page.
        #0 0x7f8ca0270432 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
        #1 0x7f8ca0270432 in PrefWrapper::WantValueKind(mozilla::PrefType, mozilla::PrefValueKind) const /modules/libpref/Preferences.cpp:1069:7
        #2 0x7f8ca025d507 in GetValue /modules/libpref/Preferences.cpp:1126:5
        #3 0x7f8ca025d507 in nsresult mozilla::Internals::GetPrefValue<nsTSubstring<char>&>(char const*, nsTSubstring<char>&, mozilla::PrefValueKind) /modules/libpref/Preferences.cpp:4598:18
        #4 0x7f8ca10d8637 in nsScriptSecurityManager::EnsureFileURIAllowlist() /caps/nsScriptSecurityManager.cpp:1778:3
        #5 0x7f8ca10d6858 in nsScriptSecurityManager::InFileURIAllowlist(nsIURI*, bool*) /caps/nsScriptSecurityManager.cpp:1256:22
        #6 0x7f8ca10d5acc in nsScriptSecurityManager::CheckLoadURIFlags(nsIURI*, nsIURI*, nsIURI*, nsIURI*, unsigned int, bool, unsigned long) /caps/nsScriptSecurityManager.cpp:1052:5
        #7 0x7f8ca10d4c6d in nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal*, nsIURI*, unsigned int, unsigned long) /caps/nsScriptSecurityManager.cpp:891:14
        #8 0x7f8ca1c3999b in mozilla::dom::LocationBase::CheckURL(nsIURI*, nsIPrincipal&, mozilla::ErrorResult&) /dom/base/LocationBase.cpp:47:22
        #9 0x7f8ca1c3513d in mozilla::dom::LocationBase::SetURI(nsIURI*, nsIPrincipal&, mozilla::ErrorResult&, bool) /dom/base/LocationBase.cpp:131:7
        #10 0x7f8ca1c3b055 in mozilla::dom::LocationBase::SetHrefWithBase(nsTSubstring<char16_t> const&, nsIURI*, nsIPrincipal&, bool, mozilla::ErrorResult&) /dom/base/LocationBase.cpp:234:5
        #11 0x7f8ca1c3961f in mozilla::dom::LocationBase::DoSetHref(nsTSubstring<char16_t> const&, nsIPrincipal&, bool, mozilla::ErrorResult&) /dom/base/LocationBase.cpp:189:3
        #12 0x7f8ca2178546 in mozilla::dom::Location_Binding::set_href(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/LocationBinding.cpp:130:24
        #13 0x7f8ca3169988 in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::CrossOriginThisPolicy>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3233:8
        #14 0x7f8ca8676390 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:417:13
        #15 0x7f8ca8675bfa in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:504:12
        #16 0x7f8ca86770b8 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:602:8
        #17 0x7f8ca86782ff in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /js/src/vm/Interpreter.cpp:743:10
        #18 0x7f8ca774301e in js::SetPropertyIgnoringNamedGetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<mozilla::Maybe<JS::PropertyDescriptor> >, JS::ObjectOpResult&) /js/src/proxy/BaseProxyHandler.cpp:239:8
        #19 0x7f8ca317f8e4 in mozilla::dom::DOMProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const /dom/bindings/DOMJSProxyHandler.cpp:248:10
        #20 0x7f8ca2130438 in mozilla::dom::Location_Binding::DOMProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const /builds/worker/workspace/obj-build/dom/bindings/LocationBinding.cpp:1719:32
        #21 0x7f8ca7753f2f in js::Proxy::setInternal(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /js/src/proxy/Proxy.cpp:542:19
        #22 0x7f8ca7753a99 in js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /js/src/proxy/Proxy.cpp:550:10
        #23 0x7f8ca867d038 in SetProperty /js/src/vm/ObjectOperations-inl.h:305:12
        #24 0x7f8ca867d038 in SetObjectElementOperation(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, bool) /js/src/vm/Interpreter.cpp:1814:10
        #25 0x7f8ca866ab18 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3074:12
        #26 0x7f8ca8664462 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:389:13
        #27 0x7f8ca8675af6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:536:13
        #28 0x7f8ca86770b8 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:602:8
        #29 0x7f8ca732aae1 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #30 0x7f8ca2f21fd0 in mozilla::dom::Function::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/FunctionBinding.cpp:50:8
        #31 0x7f8ca1ce2a12 in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> >(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:71:12
        #32 0x7f8ca1ce27b4 in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /dom/base/TimeoutHandler.cpp:167:29
        #33 0x7f8ca19b6892 in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /dom/base/nsGlobalWindowInner.cpp:6479:38
        #34 0x7f8ca1cf45fa in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /dom/base/TimeoutManager.cpp:903:44
        #35 0x7f8ca1ce0310 in mozilla::dom::TimeoutExecutor::MaybeExecute() /dom/base/TimeoutExecutor.cpp:179:11
        #36 0x7f8ca1ce08b9 in Notify /dom/base/TimeoutExecutor.cpp:246:5
        #37 0x7f8ca1ce08b9 in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) /dom/base/TimeoutExecutor.cpp
        #38 0x7f8ca01bd34c in operator() /xpcom/threads/nsTimerImpl.cpp:656:44
        #39 0x7f8ca01bd34c in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:656:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:657:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:660:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:661:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:309:16
        #40 0x7f8ca01bd34c in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:655:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:656:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:657:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:660:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:661:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:318:14
        #41 0x7f8ca01bd34c in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:655:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:656:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:657:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:660:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:661:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:902:12
        #42 0x7f8ca01bd34c in match<(lambda at /xpcom/threads/nsTimerImpl.cpp:655:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:656:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:657:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:660:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:661:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:857:12
        #43 0x7f8ca01bd34c in nsTimerImpl::Fire(int) /xpcom/threads/nsTimerImpl.cpp:654:22
        #44 0x7f8ca018c84e in nsTimerEvent::Run() /xpcom/threads/TimerThread.cpp:365:11
        #45 0x7f8ca01added in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /xpcom/threads/ThrottledEventQueue.cpp:254:22
        #46 0x7f8ca01a8521 in mozilla::ThrottledEventQueue::Inner::Executor::Run() /xpcom/threads/ThrottledEventQueue.cpp:81:15
        #47 0x7f8ca01ab65e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:538:16
        #48 0x7f8ca0183d89 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:851:26
        #49 0x7f8ca0182913 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:683:15
        #50 0x7f8ca0182b83 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:461:36
        #51 0x7f8ca01aef29 in operator() /xpcom/threads/TaskController.cpp:190:37
        #52 0x7f8ca01aef29 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #53 0x7f8ca01987cf in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1205:16
        #54 0x7f8ca019eddd in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #55 0x7f8ca0d6e5e4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #56 0x7f8ca0c94a57 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
        #57 0x7f8ca0c94962 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #58 0x7f8ca0c94962 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #59 0x7f8ca4f429f8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
        #60 0x7f8ca7069bdb in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:875:20
        #61 0x7f8ca0d6f52a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #62 0x7f8ca0c94a57 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
        #63 0x7f8ca0c94962 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #64 0x7f8ca0c94962 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #65 0x7f8ca70691fc in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:734:34
        #66 0x55f1d06d0110 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #67 0x55f1d06d0110 in main /browser/app/nsBrowserApp.cpp:338:18
        #68 0x7f8cb69de082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #69 0x55f1d06a5ebc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x15ebc) (BuildId: 3af9c4ae42a6a2b3fcdd0eae8c0aa5c26f3fdfc3)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash
    ==48263==ABORTING
Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220720215202-16a4302fb1a4.
The bug appears to have been introduced in the following build range:

Start: 5537d628706e676bdb2b0f42f12be27d03705a5f (20220719213533)
End: e0cb69d5cb5acb07f911638d00381f1e2b0643b9 (20220719190236)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=5537d628706e676bdb2b0f42f12be27d03705a5f&tochange=e0cb69d5cb5acb07f911638d00381f1e2b0643b9

Keywords: regression
Whiteboard: [bugmon:confirm][fuzzblocker] → [bugmon:bisected,confirmed][fuzzblocker]
Regressed by: 1772345
Component: DOM: Core & HTML → Preferences: Backend

Set release status flags based on info from the regressing bug 1772345

:tjr, since you are the author of the regressor, bug 1772345, could you take a look?
For more information, please visit auto_nag documentation.

Flags: needinfo?(tom)

Patch in Bug 1780403

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(tom)
Resolution: --- → DUPLICATE

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon