Closed
Bug 1873874
Opened 10 months ago
Closed 29 days ago
Crash [@ mozilla::net::Predictor::Action::OnCacheEntryAvailable] via IPC method `NeckoParent::RecvPredPredict`
Categories
(Core :: Networking, defect, P2)
RESOLVED
FIXED
133 Branch
People
(Reporter: decoder, Assigned: omansfeld)
Details
(Keywords: crash, testcase, Whiteboard: [necko-triaged][necko-priority-next])
Attachments
(3 files)
In experimental IPC fuzzing, we found the following crash on mozilla-central revision 20240106-d6318b034527 (fuzzing-asan-nyx-opt build):
=================================================================
==2018==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fffd8632f02 bp 0x7ffffffe8450 sp 0x7ffffffe8260 T0)
==2018==The signal is caused by a READ memory access.
==2018==Hint: address points to the zero page.
#0 0x7fffd8632f02 in mozilla::net::Predictor::Action::OnCacheEntryAvailable(nsICacheEntry*, bool, nsresult) /netwerk/base/Predictor.cpp:183:15
#1 0x7fffd94e8ba5 in mozilla::net::CacheStorage::AsyncOpenURI(nsIURI*, nsTSubstring<char> const&, unsigned int, nsICacheEntryOpenCallback*) /netwerk/cache2/CacheStorage.cpp:0:16
#2 0x7fffd863bd2b in mozilla::net::Predictor::PredictNative(nsIURI*, nsIURI*, unsigned int, mozilla::OriginAttributes const&, nsINetworkPredictorVerifier*) /netwerk/base/Predictor.cpp:589:21
#3 0x7fffd9ee8af5 in mozilla::net::NeckoParent::RecvPredPredict(nsIURI*, nsIURI*, unsigned int const&, mozilla::OriginAttributes const&, bool const&) /netwerk/ipc/NeckoParent.cpp:583:14
#4 0x7fffda05cd6e in mozilla::net::PNeckoParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PNeckoParent.cpp:2193:79
[...]
The attached testcase can be reproduced using a special build to inject IPC messages.
The issue here is simply that an action is created with an empty mTargetURI. This is of course easy to fix, the question is rather where we should fix it. My recommendation would be to check aTargetURI and aSourceURI directly in RecvPredPredict.
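A simplified model of the check recommended above, as an added example that is not part of the bug report or of the Gecko code: `Uri`, `UriPtr`, `MakeUri`, `Action::Create` and `RecvPredict` are hypothetical stand-ins. The handler rejects missing URIs at the IPC boundary, and the action also refuses to be built without a target, so its callback can dereference it safely.

```cpp
#include <memory>
#include <string>
#include <utility>

// Constructed stand-ins for this example; none of these are Gecko types.
struct Uri { std::string spec; };
using UriPtr = std::shared_ptr<const Uri>;  // null when the sender omitted it
enum class IpcResult { Ok, Fail };

UriPtr MakeUri(std::string spec) {
  return std::make_shared<Uri>(Uri{std::move(spec)});
}

// Models an action whose cache callback reads the target URI unconditionally.
class Action {
 public:
  // Second layer: never build an action that cannot run safely.
  static std::unique_ptr<Action> Create(UriPtr target) {
    if (!target) return nullptr;
    return std::unique_ptr<Action>(new Action(std::move(target)));
  }
  // mTarget is non-null here because Create() is the only way to construct.
  std::string OnCacheEntryAvailable() const {
    return "predict:" + mTarget->spec;
  }

 private:
  explicit Action(UriPtr target) : mTarget(std::move(target)) {}
  UriPtr mTarget;
};

// Parent-side handler: both pointers were deserialized from a message sent
// by a less-privileged process, so either may be null.
IpcResult RecvPredict(UriPtr target, UriPtr source, std::string* result) {
  // First layer: reject the message before anything captures the pointers.
  if (!target || !source) return IpcResult::Fail;
  std::unique_ptr<Action> action = Action::Create(std::move(target));
  if (!action) return IpcResult::Fail;
  *result = action->OnCacheEntryAvailable();
  return IpcResult::Ok;
}
```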
Comment 1 • 10 months ago (Reporter)
Comment 2 • 10 months ago (Reporter)
Updated • 10 months ago
Component: DOM: Content Processes → Networking
Severity: -- → S3
Priority: -- → P2
Whiteboard: [necko-triaged][necko-priority-new]
Updated • 10 months ago
Whiteboard: [necko-triaged][necko-priority-new] → [necko-triaged][necko-priority-next]
Updated • 6 months ago
Points: --- → 1
Comment 3 • 1 month ago (Assignee)
Updated • 1 month ago
Assignee: nobody → omansfeld
Status: NEW → ASSIGNED
Updated • 1 month ago
Attachment #9430091 - Attachment description: Bug 1873874 - Added checks for empty URIs to RecvPredPredict and RecvPredLearn, r=#necko → Bug 1873874 - Fixed crash due to empty mTargetURI when calling Predictor::Action::OnCacheEntryAvailable, r=#necko
Pushed by kjang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0c8035cc5a84
Fixed crash due to empty mTargetURI when calling Predictor::Action::OnCacheEntryAvailable, r=necko-reviewers,kershaw
Comment 5 • 29 days ago (bugherder)
Status: ASSIGNED → RESOLVED
Closed: 29 days ago
status-firefox133: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 133 Branch
Updated • 27 days ago
status-firefox131: --- → wontfix
status-firefox132: --- → wontfix
status-firefox-esr128: --- → wontfix