Closed
Bug 1859976
Opened 2 years ago
Closed 2 years ago
Assertion failure: nsIClipboard::IsClipboardTypeSupported(aWhichClipboard), at widget/gtk/nsClipboard.cpp:542
Categories
(Core :: Widget: Gtk, defect)
Tracking
(RESOLVED FIXED, 121 Branch)
| Release | Tracking | Status |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox119 | --- | unaffected |
| firefox120 | --- | wontfix |
| firefox121 | --- | fixed |
People
(Reporter: decoder, Assigned: decoder)
References
(Regression)
Details
(Keywords: assertion, regression, testcase)
Attachments
(3 files)
In experimental IPC fuzzing, we found the following crash on mozilla-central revision 20231018-639c0da2250e (fuzzing-asan-nyx-opt build):
[Replay Mode] Reading data file...
[Replay Mode] Read data packet of size 143
INFO: Replaying IPC packet with payload:
Assertion failure: nsIClipboard::IsClipboardTypeSupported(aWhichClipboard), at /widget/gtk/nsClipboard.cpp:542
==3321564==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fc72d7f40cb bp 0x7ffd2fbfbf90 sp 0x7ffd2fbfbc60 T0)
#0 0x7fc72d7f40cb in nsClipboard::GetNativeClipboardData(nsITransferable*, int) /widget/gtk/nsClipboard.cpp:541:3
#1 0x7fc72be45ac5 in mozilla::dom::ContentParent::RecvGetClipboard(nsTArray<nsTString<char>>&&, int const&, mozilla::dom::IPCTransferableData*) /dom/ipc/ContentParent.cpp:3534:14
#2 0x7fc72c2b7a1e in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:16669:81
[...]
The attached testcase can only be reproduced using a special build to inject IPC messages.
I've looked into this and it looks harmless to me since aWhichClipboard will later be fed into GetSelectionAtom, which returns GDK_SELECTION_PRIMARY for any unknown clipboard type. I suggest we disable this diagnostic assert in IPC fuzzing.
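The following sketch is an added example, not code from this bug or from the patch that landed. It models one way a receiving process can reject an out-of-range clipboard type at runtime instead of relying on a diagnostic assertion or on the fallback described above; every name and value in it is hypothetical.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed model: all names and values here are hypothetical, not Gecko's.
enum class Selection { Primary, Clipboard };
enum class Result { Ok, Unsupported };

constexpr int32_t kModelSelection = 0;  // assumed "primary selection" type
constexpr int32_t kModelGlobal = 1;     // assumed "global clipboard" type

// Types this model backend supports (assumption for the sketch).
bool ModelIsTypeSupported(int32_t aWhich) {
  return aWhich == kModelSelection || aWhich == kModelGlobal;
}

// Mirrors the fallback the report describes: anything that is not the
// global clipboard maps to the primary selection, including garbage values.
Selection ModelSelectionFor(int32_t aWhich) {
  return aWhich == kModelGlobal ? Selection::Clipboard : Selection::Primary;
}

// Handler for a value sent by a less-privileged process. The check runs in
// every build type, so a bad value produces an error result rather than an
// assertion failure (diagnostic builds) or a silent fallback (release builds).
Result ModelGetClipboard(int32_t aWhichFromIpc, Selection* aOut) {
  if (!ModelIsTypeSupported(aWhichFromIpc)) {
    return Result::Unsupported;  // leave *aOut untouched
  }
  *aOut = ModelSelectionFor(aWhichFromIpc);
  return Result::Ok;
}

int main() {
  // Constructed inputs: two valid types and two out-of-range values.
  const int32_t samples[] = {kModelSelection, kModelGlobal, -1, 42};
  for (int32_t which : samples) {
    Selection sel = Selection::Primary;
    Result r = ModelGetClipboard(which, &sel);
    std::printf("type=%d -> %s\n", static_cast<int>(which),
                r == Result::Ok ? "ok" : "unsupported");
  }
  return 0;
}
```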
Updated•2 years ago
Assignee: nobody → choller
Status: NEW → ASSIGNED
Updated•2 years ago
Attachment #9359288 - Attachment description: Bug 1859976 - Disable clipboard assert for IPC fuzzing. r?stransky → Bug 1859976 - Handle unsupported clipboard type in GTK widget code. r?stransky
Pushed by choller@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ba626db6d16e
Handle unsupported clipboard type in GTK widget code. r=stransky
Comment 5•2 years ago (bugherder)
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox121: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 121 Branch