Open Bug 1810096 Opened 2 years ago Updated 1 year ago

cfi-derived-cast: Invalid downcast in nsStringBundle

Categories: Core :: Internationalization, defect, P2
People: Reporter: lukas.bernhard, Unassigned
References: Blocks 1 open bug

Steps to reproduce:

When building with -fsanitize=cfi-derived-cast, the sanitizer detects some incorrect casting in nsStringBundleBase::Cast. The destructor of nsStringBundleService calls flushBundleCache, which in turn iterates over mBundleCache, downcasting all elements to nsStringBundleBase (in ::Cast). However, some of the downcasted objects are of type StringBundleProxy, which is not derived from nsStringBundleBase.

#0  0x00007f19dbcddaf1 in __GI___clock_nanosleep (clock_id=clock_id@entry=0, flags=flags@entry=0, 
    req=req@entry=0x7ffd78484520, rem=rem@entry=0x7ffd78484520)
    at ../sysdeps/unix/sysv/linux/clock_nanosleep.c:78
#1  0x00007f19dbce2827 in __GI___nanosleep (req=req@entry=0x7ffd78484520, 
    rem=rem@entry=0x7ffd78484520) at ../sysdeps/unix/sysv/linux/nanosleep.c:25
#2  0x00007f19dbce275e in __sleep (seconds=0) at ../sysdeps/posix/sleep.c:55
#3  0x00007f19d6d1b315 in common_crap_handler (signum=4, 
    aFirstFramePC=0x7f19d820613e <WasmTrapHandler(int, siginfo_t*, void*)+542>)
    at toolkit/xre/nsSigHandlers.cpp:96
#4  0x00007f19d6d1b463 in child_ah_crap_handler (signum=4)
    at toolkit/xre/nsSigHandlers.cpp:110
#5  0x00007f19d820613e in WasmTrapHandler (signum=4, info=0x7ffd78484730, context=0x7ffd78484600)
    at js/src/wasm/WasmSignalHandlers.cpp:788
#6  <signal handler called>
#7  0x00007f19ce28d4a1 in nsStringBundleBase::Cast (aBundle=0x7f19bc8842e0)
    at intl/strres/nsStringBundle.h:37
#8  0x00007f19ce28cd27 in nsStringBundleService::flushBundleCache (this=0x7f19bc8ab700, 
    ignoreShared=false) at intl/strres/nsStringBundle.cpp:797
#9  0x00007f19ce28cc38 in nsStringBundleService::~nsStringBundleService (this=0x7f19bc8ab700)
    at intl/strres/nsStringBundle.cpp:751
#10 0x00007f19ce28cea9 in nsStringBundleService::~nsStringBundleService (this=0x7f19bc8ab700)
    at intl/strres/nsStringBundle.cpp:749
#11 0x00007f19ce28ca42 in nsStringBundleService::Release (this=0x7f19bc8ab700)
    at intl/strres/nsStringBundle.cpp:746
#12 0x00007f19cfd54e47 in nsContentUtils::Shutdown ()
   Utils.cpp:1900
#13 0x00007f19d45f3907 in nsLayoutStatics::Shutdown () at layout/build/nsLayoutStatics.cpp:356
#14 0x00007f19cfde99f6 in nsLayoutStatics::Release ()
    at obj-downcast/dist/include/nsLayoutStatics.h:44
#15 0x00007f19d45f20ef in Shutdown () at /layout/build/nsLayoutModule.cpp:119
#16 0x00007f19d45f3819 in nsLayoutModuleDtor () at /layout/build/nsLayoutModule.cpp:237
#17 0x00007f19ce07963f in mozilla::xpcom::CallUnloadFuncs () at StaticComponents.cpp:9436
#18 0x00007f19ce0795b9 in mozilla::xpcom::StaticComponents::Shutdown () at StaticComponents.cpp:13106
#19 0x00007f19ce09612c in nsComponentManagerImpl::Shutdown (this=0x7f19bc86a430)
    at xpcom/components/nsComponentManager.cpp:553
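The cache walk the reporter describes, reduced to a constructed C++ example that is not Mozilla's code (IStringBundle, StringBundleBase, StringBundleProxy, FlushCache and the sample cache are hypothetical stand-ins): the unconditional downcast the sanitizer flags sits beside a checked one, and the flush loop skips proxy elements instead of narrowing them.

```cpp
#include <memory>
#include <string>
#include <vector>
// Hypothetical stand-in for the nsIStringBundle interface (constructed here):
// both implementations below share it, but only one derives from the base.
struct IStringBundle { virtual ~IStringBundle() = default; };

struct StringBundleBase : IStringBundle {
  std::string mPath;
  explicit StringBundleBase(std::string p) : mPath(std::move(p)) {}
};
// Sibling implementation, NOT derived from StringBundleBase.
struct StringBundleProxy : IStringBundle {};
// The pattern the report describes: every element is narrowed unconditionally.
// With -fsanitize=cfi-derived-cast this aborts the moment a proxy is passed in
// (undefined behaviour without the sanitizer), so it is never called on one here.
StringBundleBase* UncheckedCast(IStringBundle* b) {
  return static_cast<StringBundleBase*>(b);
}

// Hardened form: confirm the dynamic type and refuse the cast otherwise. In an
// RTTI-free code base a type tag or QueryInterface-style query plays this role.
StringBundleBase* CheckedCast(IStringBundle* b) {
  return dynamic_cast<StringBundleBase*>(b);
}

struct FlushResult { int flushed; int skipped; };
// Walks the cache the way a flush routine would, touching only real bundles.
FlushResult FlushCache(const std::vector<std::unique_ptr<IStringBundle>>& cache) {
  FlushResult r{0, 0};
  for (const auto& e : cache) {
    if (StringBundleBase* base = CheckedCast(e.get())) {
      base->mPath.clear();  // stand-in for dropping the bundle's resources
      ++r.flushed;
    } else {
      ++r.skipped;          // proxy: must not be treated as a base bundle
    }
  }
  return r;
}

// Constructed sample cache: two real bundles with one proxy between them.
std::vector<std::unique_ptr<IStringBundle>> MakeSampleCache() {
  std::vector<std::unique_ptr<IStringBundle>> c;
  c.push_back(std::make_unique<StringBundleBase>("chrome://a.properties"));
  c.push_back(std::make_unique<StringBundleProxy>());
  c.push_back(std::make_unique<StringBundleBase>("chrome://b.properties"));
  return c;
}
```

Built with clang and -fsanitize=cfi-derived-cast, routing the loop through UncheckedCast instead reproduces the abort on the proxy element; the checked loop runs clean.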
Component: Untriaged → Internationalization
Product: Firefox → Core
Blocks: cfi

The severity field is not set for this bug.
:m_kato, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(m_kato)