Closed Bug 1830099 Opened 3 years ago Closed 3 years ago

Crash [@ IsAutoArray] with WebTransport

Categories

(Core :: DOM: Networking, defect, P2)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
114 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox112 --- disabled
firefox113 --- disabled
firefox114 --- fixed

People

(Reporter: jkratzer, Assigned: jesup)

References

(Blocks 2 open bugs)

Details

(5 keywords, Whiteboard: [necko-triaged][necko-priority-review])

Crash Data

Attachments

(1 file)

Found while fuzzing mozilla-central rev c1dc21363c17 (built with: --enable-address-sanitizer).

I do not currently have a reproducible testcase for this issue. Marking as security sensitive due to the unknown crash address.

[@ IsAutoArray]

    =================================================================
    ==199901==ERROR: AddressSanitizer: SEGV on unknown address 0x7f8b00000004 (pc 0x7f8bdea46157 bp 0x7ffed32fe6d0 sp 0x7ffed32fe340 T0)
    ==199901==The signal is caused by a READ memory access.
        #0 0x7f8bdea46157 in IsAutoArray /builds/worker/workspace/obj-build/dist/include/nsTArray.h:546:43
        #1 0x7f8bdea46157 in IsAutoArrayRestorer /builds/worker/workspace/obj-build/dist/include/nsTArray-inl.h:442:62
        #2 0x7f8bdea46157 in nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_RelocateUsingMemutils>::SwapArrayElements<nsTArrayInfallibleAllocator, nsTArrayInfallibleAllocator>(nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_RelocateUsingMemutils>&, unsigned long, unsigned long) /builds/worker/workspace/obj-build/dist/include/nsTArray-inl.h:471:7
        #3 0x7f8be791dc7d in SwapElements<nsTArrayInfallibleAllocator> /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1998:20
        #4 0x7f8be791dc7d in mozilla::dom::WebTransport::Cleanup(mozilla::dom::WebTransportError*, mozilla::dom::WebTransportCloseInfo const*, mozilla::ErrorResult&) /dom/webtransport/api/WebTransport.cpp:723:18
        #5 0x7f8be791f113 in mozilla::dom::WebTransport::RemoteClosed(bool, unsigned int const&, nsTSubstring<char> const&) /dom/webtransport/api/WebTransport.cpp:494:3
        #6 0x7f8be7939a2c in mozilla::dom::WebTransportChild::RecvRemoteClosed(bool const&, unsigned int const&, nsTSubstring<char> const&) /dom/webtransport/child/WebTransportChild.cpp:37:17
        #7 0x7f8be7954367 in mozilla::dom::PWebTransportChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebTransportChild.cpp:614:85
        #8 0x7f8bdf5bb68d in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1800:25
        #9 0x7f8bdf5b812b in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1725:9
        #10 0x7f8bdf5b923d in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1525:3
        #11 0x7f8bdf5ba252 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1623:14
        #12 0x7f8bddb6ef8a in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:555:16
        #13 0x7f8bddb61b8a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:879:26
        #14 0x7f8bddb5ea87 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:702:15
        #15 0x7f8bddb5f36f in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:491:36
        #16 0x7f8bddb746b1 in operator() /xpcom/threads/TaskController.cpp:218:37
        #17 0x7f8bddb746b1 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
        #18 0x7f8bddba02cb in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1239:16
        #19 0x7f8bddbadd64 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
        #20 0x7f8bdf5c4068 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #21 0x7f8bdf412ada in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #22 0x7f8bdf412ada in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #23 0x7f8bdf412ada in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #24 0x7f8be8299829 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #25 0x7f8bedea6c48 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:738:20
        #26 0x7f8bdf412ada in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #27 0x7f8bdf412ada in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #28 0x7f8bdf412ada in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #29 0x7f8bedea63c4 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:673:34
        #30 0x55787a5762cd in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #31 0x55787a5762cd in main /browser/app/nsBrowserApp.cpp:375:18
        #32 0x7f8bfc429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #33 0x7f8bfc429e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #34 0x55787a49f938 in _start (/home/jkratzer/builds/m-c-20230425154313-asan-opt/firefox+0xfa938) (BuildId: f31e1396c4affebb88e3664275626659)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/nsTArray.h:546:43 in IsAutoArray
    ==199901==ABORTING
Group: core-security → network-core-security
Summary: Crash [@ IsAutoArray] → Crash [@ IsAutoArray] with WebTransport

Possible duplicate of bug 1830076

Assignee: nobody → rjesup
Severity: -- → S2
Priority: -- → P2
Whiteboard: [necko-triaged][necko-priority-review]

Should be fixed by bug 1830096

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Group: network-core-security → core-security-release
Depends on: 1830096
Target Milestone: --- → 114 Branch
Group: core-security-release