Closed Bug 1875119 Opened 2 years ago Closed 2 years ago

Crash [@ mozilla::net::SubstitutingURL::EnsureFile]

Categories: Core :: Networking, defect, P2
Platform: x86_64 Linux
Status: RESOLVED FIXED
Target Milestone: 124 Branch
Tracking Status: firefox124 --- fixed
People: Reporter: jkratzer, Assigned: smayya
Details: Keywords: testcase, Whiteboard: [necko-triaged][necko-priority-queue]
Attachments: 3 files

Testcase found while fuzzing mozilla-central rev 7392664630b1 built with: --enable-address-sanitizer --enable-fuzzing.

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch
$ python -m fuzzfetch --build 7392664630b1 -a --fuzzing --target firefox gtest -n firefox
$ FUZZER=URIParser ./firefox/firefox testcase.bin
[@ mozilla::net::SubstitutingURL::EnsureFile]

    ==214==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f023e9e6594 bp 0x7fff43322f30 sp 0x7fff43322c40 T0)
    ==214==The signal is caused by a READ memory access.
    ==214==Hint: address points to the zero page.
    SCARINESS: 10 (null-deref)
        #0 0x7f023e9e6594 in mozilla::net::SubstitutingURL::EnsureFile() /netwerk/protocol/res/SubstitutingProtocolHandler.cpp:78:22
        #1 0x7f023da184a6 in mozilla::net::nsStandardURL::EqualsInternal(nsIURI*, mozilla::net::nsStandardURL::RefHandlingEnum, bool*) /netwerk/base/nsStandardURL.cpp:2498:10
        #2 0x7f0239b1716b in FuzzingRunURIParser(unsigned char const*, unsigned long) /netwerk/test/fuzz/TestURIFuzzing.cpp:201:18
        #3 0x565119f19b7b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /tools/fuzzing/libfuzzer/FuzzerLoop.cpp:570:11
        #4 0x565119f19601 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /tools/fuzzing/libfuzzer/FuzzerLoop.cpp:479:7
        #5 0x565119f1aa37 in fuzzer::Fuzzer::MutateAndTestOne() /tools/fuzzing/libfuzzer/FuzzerLoop.cpp:717:19
        #6 0x565119f1b445 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /tools/fuzzing/libfuzzer/FuzzerLoop.cpp:861:9
        #7 0x565119f0bdcb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /tools/fuzzing/libfuzzer/FuzzerDriver.cpp:864:14
        #8 0x7f024dfcf7ce in mozilla::FuzzerRunner::Run(int*, char***) /tools/fuzzing/interface/harness/FuzzerRunner.cpp:75:13
        #9 0x7f024dee5434 in XREMain::XRE_mainStartup(bool*) /toolkit/xre/nsAppRunner.cpp:4663:35
        #10 0x7f024def63f6 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5870:12
        #11 0x7f024def7701 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5938:21
        #12 0x565119d46d82 in do_main /browser/app/nsBrowserApp.cpp:227:22
        #13 0x565119d46d82 in main /browser/app/nsBrowserApp.cpp:445:16
        #14 0x7f0265364082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: e678fe54a5d2c2092f8e47eb0b33105e380f7340)
        #15 0x565119c6b448 in _start (/home/worker/firefox/firefox+0xdc448) (BuildId: 99ef5a5bc0a9c3ced2831ce0601b4b9e97147496)
    
    DEDUP_TOKEN: mozilla::net::SubstitutingURL::EnsureFile()
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /netwerk/protocol/res/SubstitutingProtocolHandler.cpp:78:22 in mozilla::net::SubstitutingURL::EnsureFile()
    
    Command: /home/worker/firefox/firefox -rss_limit_mb=3500 -use_value_profile=1 -timeout=5 -entropic=1 -dict=./tokens.dict ./corpora/ -handle_segv=0 -handle_bus=0 -handle_abrt=0 -handle_ill=0 -handle_fpe=0 -print_pcs=1
    
    ==214==ABORTING
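The stack above shows the null read happening inside EnsureFile() while nsStandardURL::EqualsInternal compares two URIs, and the landed fix is described only as "add null check in SubstitutingURL::EnsureFile()". The following is an added, self-contained C++ model of that failure mode, not Firefox code and not the actual patch: a URL object that lazily resolves its file path through a dependency that can be null, shown once in the unchecked form that crashes and once in the checked form that reports an error to the comparing caller. The names LazyFileURL, Resolver, mResolver, Status and compare() are all assumptions made for the illustration.

```cpp
// Added illustration of the crash path in the report above (not Firefox code).
// Hypothetical names: Resolver, LazyFileURL, mResolver, Status, compare().
#include <cstdio>
#include <optional>
#include <string>
#include <utility>

enum class Status { Ok, Error };

// Stand-in for whatever turns a substituting-scheme spec into a file path.
// A URL object can exist before such a dependency has been wired up.
struct Resolver {
  std::string Resolve(const std::string& spec) const {
    return "/tmp/resolved/" + spec;  // constructed sample mapping
  }
};

class LazyFileURL {
 public:
  LazyFileURL(std::string spec, const Resolver* resolver)
      : mSpec(std::move(spec)), mResolver(resolver) {}

  // Unchecked form: assumes mResolver is always set. With a null resolver
  // this is a read through a null pointer, the "SEGV on unknown address
  // 0x000000000000 ... address points to the zero page" that ASan reports.
  Status EnsureFileUnchecked() {
    if (!mFile) {
      mFile = mResolver->Resolve(mSpec);  // crashes when mResolver == nullptr
    }
    return Status::Ok;
  }

  // Checked form: refuse to resolve when the dependency is missing and
  // hand the failure back to the caller instead of dereferencing.
  Status EnsureFile() {
    if (mFile) return Status::Ok;
    if (!mResolver) return Status::Error;  // the null check
    mFile = mResolver->Resolve(mSpec);
    return Status::Ok;
  }

  // Model of the comparing caller (EqualsInternal in the stack): both sides
  // must resolve first; a side that cannot resolve makes the comparison
  // fail rather than crash, and the result defaults to "not equal".
  static Status Equals(LazyFileURL& a, LazyFileURL& b, bool* result) {
    *result = false;
    if (a.EnsureFile() != Status::Ok || b.EnsureFile() != Status::Ok) {
      return Status::Error;
    }
    *result = (*a.mFile == *b.mFile);
    return Status::Ok;
  }

 private:
  std::string mSpec;
  const Resolver* mResolver;
  std::optional<std::string> mFile;
};

// Runs one comparison of two identical specs, with or without a resolver.
Status compare(bool withResolver, bool* equal) {
  static const Resolver kResolver;
  const Resolver* r = withResolver ? &kResolver : nullptr;
  LazyFileURL a("gre/modules/sample.js", r);  // constructed sample spec
  LazyFileURL b("gre/modules/sample.js", r);
  return LazyFileURL::Equals(a, b, equal);
}

int main() {
  bool eq = false;
  Status s = compare(true, &eq);
  std::printf("with resolver:    status=%d equal=%d\n", (int)s, (int)eq);
  s = compare(false, &eq);
  std::printf("without resolver: status=%d equal=%d\n", (int)s, (int)eq);
  return 0;
}
```

The point of the model is the contract change, not the specific pointer: once EnsureFile() can fail, every caller that compares or inspects the lazily computed state has to treat that failure as a result (here, "not equal" plus an error) rather than as an impossibility, which is also the kind of behaviour change a URI equality unit test will notice.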
Attached file Testcase
Keywords: bugmon
Whiteboard: [bugmon:confirm]
Severity: -- → S3
Priority: -- → P2
Whiteboard: [necko-triaged][necko-priority-new]
Whiteboard: [necko-triaged][necko-priority-new] → [necko-triaged][necko-priority-queue]
Assignee: nobody → smayya
Pushed by smayya@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e332995f3684 add null check in SubstitutingURL::EnsureFile(). r=necko-reviewers,valentin

Backed out for causing failures on test_URIs.js

[task 2024-01-26T12:34:31.755Z] 12:34:31     INFO -  TEST-START | netwerk/test/unit/test_URIs.js
[task 2024-01-26T12:34:33.075Z] 12:34:33  WARNING -  TEST-UNEXPECTED-FAIL | netwerk/test/unit/test_URIs.js | xpcshell return code: 0
[task 2024-01-26T12:34:33.075Z] 12:34:33     INFO -  TEST-INFO took 1320ms
[task 2024-01-26T12:34:33.075Z] 12:34:33     INFO -  >>>>>>>
[task 2024-01-26T12:34:33.076Z] 12:34:33     INFO -  (xpcshell/head.js) | test MAIN run_test pending (1)
[task 2024-01-26T12:34:33.076Z] 12:34:33     INFO -  (xpcshell/head.js) | test run_next_test 0 pending (2)
[task 2024-01-26T12:34:33.076Z] 12:34:33     INFO -  (xpcshell/head.js) | test MAIN run_test finished (2)
[task 2024-01-26T12:34:33.076Z] 12:34:33     INFO -  running event loop
[task 2024-01-26T12:34:33.076Z] 12:34:33     INFO -  netwerk/test/unit/test_URIs.js | Starting check_nested_mutations
[task 2024-01-26T12:34:33.077Z] 12:34:33     INFO -  (xpcshell/head.js) | test check_nested_mutations pending (2)
[task 2024-01-26T12:34:33.077Z] 12:34:33     INFO -  PID 1656 | TEST-INFO | Z:/task_170627010249872/build/tests/xpcshell/tests/netwerk/test/unit/test_URIs.js | [do_check_uri_eq : 356] (uri equals check: 'about:blank' == 'about:blank')
Flags: needinfo?(smayya)
Flags: needinfo?(smayya)
Pushed by smayya@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ba449d0fa40b add null check in SubstitutingURL::EnsureFile(). r=necko-reviewers,valentin
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 124 Branch
No longer blocks: domino
