Closed
Bug 1872834
Opened 10 months ago
Closed 10 months ago
Crash [@ mozilla::dom::FilePickerParent::RecvClose]
Categories
(Core :: DOM: Content Processes, defect)
Tracking
Status: RESOLVED FIXED
Target Milestone: 123 Branch
Tracking | Status | |
---|---|---|
firefox-esr115 | --- | unaffected |
firefox121 | --- | unaffected |
firefox122 | --- | wontfix |
firefox123 | --- | fixed |
People
(Reporter: decoder, Assigned: decoder)
References
(Regression)
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(3 files)
In experimental IPC fuzzing, we found the following crash on mozilla-central revision 20231221-8b474eeffbe0 (fuzzing-asan-nyx-opt build):
=================================================================
==2016==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fffe45f709e bp 0x7ffffffeecb0 sp 0x7ffffffeecb0 T0)
==2016==The signal is caused by a READ memory access.
==2016==Hint: address points to the zero page.
#0 0x7fffe45f709e in mozilla::dom::FilePickerParent::RecvClose() dom/ipc/FilePickerParent.cpp:285:16
#1 0x7fffe4b260dc in mozilla::dom::PFilePickerParent::OnMessageReceived(IPC::Message const&) obj-build/ipc/ipdl/PFilePickerParent.cpp:320:84
#2 0x7fffe49938f1 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) obj-build/ipc/ipdl/PContentParent.cpp:6764:32
#3 0x7fffda221a96 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) ipc/glue/MessageChannel.cpp:1813:25
#4 0x7fffda21c336 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) ipc/glue/MessageChannel.cpp:1732:9
#5 0x7fffda21dccd in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) ipc/glue/MessageChannel.cpp:1525:3
#6 0x7fffda21f854 in mozilla::ipc::MessageChannel::MessageTask::Run() ipc/glue/MessageChannel.cpp:1623:14
#7 0x7fffd7de0b97 in mozilla::RunnableTask::Run() xpcom/threads/TaskController.cpp:557:16
#8 0x7fffd7dbfb78 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) xpcom/threads/TaskController.cpp:884:26
#9 0x7fffd7dbb950 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) xpcom/threads/TaskController.cpp:707:15
#10 0x7fffd7dbc1a8 in mozilla::TaskController::ProcessPendingMTTask(bool) xpcom/threads/TaskController.cpp:493:36
#11 0x7fffd7dec9cf in mozilla::TaskController::TaskController()::$_0::operator()() const xpcom/threads/TaskController.cpp:211:37
#12 0x7fffd7dec9cf in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() xpcom/threads/nsThreadUtils.h:548:5
#13 0x7fffd7e23461 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1199:16
#14 0x7fffd7e35706 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:480:10
#15 0x7fffda22bb56 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:85:21
#16 0x7fffd9fd33ff in MessageLoop::RunInternal() ipc/chromium/src/base/message_loop.cc:370:10
#17 0x7fffd9fd33ff in MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:363:3
#18 0x7fffd9fd33ff in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:345:3
#19 0x7fffe5cc2cc5 in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:148:27
#20 0x7fffe5f566c8 in nsAppShell::Run() widget/gtk/nsAppShell.cpp:470:33
#21 0x7fffec229a7f in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:296:30
#22 0x7fffec665a39 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:5709:22
#23 0x7fffec6686fa in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:5918:8
#24 0x7fffec66a010 in XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:5974:21
#25 0x555555702a48 in do_main(int, char**, char**) browser/app/nsBrowserApp.cpp:227:22
#26 0x555555702a48 in main browser/app/nsBrowserApp.cpp:445:16
#27 0x7fffd0f7e0b2 in ?? ??:0
The attached testcase can be reproduced using a special build to inject IPC messages.
This is a simple missing null check, patch coming up.
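The crash above is the classic parent-process IPC bug: a handler assumes the child has already sent the message that allocates the object it dereferences, but a compromised or fuzzed content process can send messages in any order. The following is an added, stand-alone model of that handler pair, not code from the Firefox tree: the class, the `PickerWorker` type and the `ReplaySequence` driver are hypothetical stand-ins, and the exact member that was null in the real `FilePickerParent` is not stated on this page, so the model just assumes one worker object that `Open` creates and `Close` tears down.

```cpp
// Added illustration (not Firefox code): a minimal model of a parent-side IPC
// actor that, like FilePickerParent, only allocates its worker object when the
// child sends Open. A compromised or fuzzed child can send Close first, or
// twice, so the handler must tolerate any message ordering.
#include <cassert>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Stand-in for mozilla::ipc::IPCResult (hypothetical name).
enum class IpcResult { Ok, Fail };

// Stand-in for the runnable/worker the real actor creates on Open.
struct PickerWorker {
  bool destroyed = false;
  void Destroy() { destroyed = true; }
};

class PickerParentModel {
 public:
  // Handler for the child's Open message: allocates the worker.
  IpcResult RecvOpen() {
    if (mWorker) {
      // Protocol violation: Open twice. Reject instead of leaking/overwriting.
      return IpcResult::Fail;
    }
    mWorker = std::make_unique<PickerWorker>();
    return IpcResult::Ok;
  }

  // Pre-fix shape (the crash in this report): unconditional dereference.
  // With mWorker == nullptr this is a null read, which ASan reports as
  // "SEGV on unknown address 0x0". Kept only for comparison; never replayed.
  IpcResult RecvCloseUnchecked() {
    mWorker->Destroy();  // crashes if Open was never received
    return IpcResult::Ok;
  }

  // Hardened Close, the shape of the fix landed for this bug: check the
  // pointer before touching it and treat Close-without-Open as a no-op.
  IpcResult RecvClose() {
    if (!mWorker) {
      return IpcResult::Ok;
    }
    mWorker->Destroy();
    mWorker.reset();  // a second Close now also hits the null check
    return IpcResult::Ok;
  }

  bool IsOpen() const { return mWorker != nullptr; }

 private:
  std::unique_ptr<PickerWorker> mWorker;
};

// Replays a constructed message sequence (the way an IPC fuzzer injects
// messages) against a fresh actor. Returns the number of rejected messages
// and, optionally, whether the actor is still open at the end.
int ReplaySequence(const std::vector<std::string>& msgs, bool* openAtEnd) {
  PickerParentModel actor;
  int rejected = 0;
  for (const auto& m : msgs) {
    IpcResult r = (m == "Open") ? actor.RecvOpen() : actor.RecvClose();
    if (r == IpcResult::Fail) {
      ++rejected;
    }
  }
  if (openAtEnd) {
    *openAtEnd = actor.IsOpen();
  }
  return rejected;
}

int main() {
  // Constructed sequences: the reported ordering (Close before Open) plus
  // a few other orderings a hostile child could produce.
  bool open = false;
  int r1 = ReplaySequence({"Close"}, &open);
  std::printf("Close only: rejected=%d open=%d\n", r1, open);
  int r2 = ReplaySequence({"Close", "Close", "Open", "Close"}, &open);
  std::printf("Close,Close,Open,Close: rejected=%d open=%d\n", r2, open);
  int r3 = ReplaySequence({"Open", "Open"}, &open);
  std::printf("Open,Open: rejected=%d open=%d\n", r3, open);
  return 0;
}
```

The design point is that every handler reachable from the child is a trust boundary: it must validate actor state, not just message contents, because the child controls the order in which messages arrive. Returning a result rather than crashing (or, for hard protocol violations such as a double Open, failing the message so the child can be killed) keeps a misbehaving content process from taking down the parent.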
Comment 1 (Assignee) • 10 months ago
Comment 2 (Assignee) • 10 months ago
Comment 3 (Assignee) • 10 months ago
Updated • 10 months ago
Assignee: nobody → choller
Status: NEW → ASSIGNED
Pushed by choller@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/036489e17b6c
Add missing null check to FilePickerParent::RecvClose. r=canadahonk
Comment 5 (bugherder) • 10 months ago
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → 123 Branch
Updated • 10 months ago
status-firefox121: --- → unaffected
status-firefox122: --- → wontfix
status-firefox-esr115: --- → unaffected
Regressed by: 1866517