Bug 1904583 - Hit MOZ_CRASH(nsStandardURL::SanityCheck failed) at /netwerk/base/nsStandardURL.cpp:298
Status: Closed, RESOLVED DUPLICATE of bug 1904582
Opened 4 months ago; closed 4 months ago
Categories: Core :: Networking, defect, P2
People: Reporter: jkratzer, Assigned: sekim
References: Blocks 1 open bug
Details: Keywords: testcase, Whiteboard: [necko-triaged]
Attachments: 2 files

Description
Testcase found while fuzzing mozilla-central rev 653f0dc8442d built with: --enable-address-sanitizer --enable-fuzzing.
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch
$ python -m fuzzfetch --build 653f0dc8442d -a --fuzzing --target firefox gtest -n firefox
$ FUZZER=URIParser ./firefox/firefox testcase.bin
Hit MOZ_CRASH(nsStandardURL::SanityCheck failed) at /netwerk/base/nsStandardURL.cpp:298
==207==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x777d07dbef34 bp 0x7ffe76bdf070 sp 0x7ffe76bdef20 T0)
==207==The signal is caused by a WRITE memory access.
==207==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
#0 0x777d07dbef34 in mozilla::net::nsStandardURL::SanityCheck() /netwerk/base/nsStandardURL.cpp:298:5
#1 0x777d07dcdb73 in mozilla::net::nsStandardURL::SetSpecWithEncoding(nsTSubstring<char> const&, mozilla::Encoding const*) /netwerk/base/nsStandardURL.cpp:1816:3
#2 0x777d07de13df in mozilla::net::nsStandardURL::Init(unsigned int, int, nsTSubstring<char> const&, char const*, nsIURI*) /netwerk/base/nsStandardURL.cpp:3577:12
#3 0x777d07df0f5f in Init /netwerk/base/nsStandardURL.h:446:16
#4 0x777d07df0f5f in non-virtual thunk to mozilla::net::nsStandardURL::TemplatedMutator<mozilla::net::nsStandardURL>::Init(unsigned int, int, nsTSubstring<char> const&, char const*, nsIURI*, nsIURIMutator**) /netwerk/base/nsStandardURL.h
#5 0x777d095f4258 in Apply<nsresult (nsIStandardURLMutator::*)(unsigned int, int, const nsTSubstring<char> &, const char *, nsIURI *, nsIURIMutator **), nsIStandardURL::(unnamed enum at /builds/worker/workspace/obj-build/dist/include/nsIStandardURL.h:35:3), int, nsTAutoStringN<char, 64UL> &, const char *&, std::nullptr_t, std::nullptr_t> /builds/worker/workspace/obj-build/dist/include/nsIURIMutator.h:592:15
#6 0x777d095f4258 in nsJARURI::CreateEntryURL(nsTSubstring<char> const&, char const*, nsIURL**) /modules/libjar/nsJARURI.cpp:85:8
#7 0x777d095f6594 in SetJAREntry /modules/libjar/nsJARURI.cpp:663:10
#8 0x777d095f6594 in nsJARURI::SetSpecWithBase(nsTSubstring<char> const&, nsIURI*) /modules/libjar/nsJARURI.cpp:322:10
#9 0x777d09608f4b in nsJARURI::Mutator::SetSpecBaseCharset(nsTSubstring<char> const&, nsIURI*, char const*) /modules/libjar/nsJARURI.h:134:17
#10 0x777d07d41ebf in NS_MutateURI& NS_MutateURI::Apply<nsresult (nsIJARURIMutator::*)(nsTSubstring<char> const&, nsIURI*, char const*), nsTSubstring<char> const&, nsIURI*&, char const*&>(nsresult (nsIJARURIMutator::*)(nsTSubstring<char> const&, nsIURI*, char const*), nsTSubstring<char> const&, nsIURI*&, char const*&) /builds/worker/workspace/obj-build/dist/include/nsIURIMutator.h:592:15
#11 0x777d07d02fbb in NS_NewURI(nsIURI**, nsTSubstring<char> const&, char const*, nsIURI*) /netwerk/base/nsNetUtil.cpp:1978:10
#12 0x777d03da217e in FuzzingRunURIParser(unsigned char const*, unsigned long) /netwerk/test/fuzz/TestURIFuzzing.cpp:65:17
#13 0x5e37ff1c927b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /tools/fuzzing/libfuzzer/FuzzerLoop.cpp:570:11
#14 0x5e37ff1c8d01 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /tools/fuzzing/libfuzzer/FuzzerLoop.cpp:479:7
#15 0x5e37ff1ca137 in fuzzer::Fuzzer::MutateAndTestOne() /tools/fuzzing/libfuzzer/FuzzerLoop.cpp:717:19
#16 0x5e37ff1cab45 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /tools/fuzzing/libfuzzer/FuzzerLoop.cpp:861:9
#17 0x5e37ff1bc16b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /tools/fuzzing/libfuzzer/FuzzerDriver.cpp:864:14
#18 0x777d1488422b in mozilla::FuzzerRunner::Run(int*, char***) /tools/fuzzing/interface/harness/FuzzerRunner.cpp:75:13
#19 0x777d147c61cc in XREMain::XRE_mainStartup(bool*) /toolkit/xre/nsAppRunner.cpp:4696:35
#20 0x777d147d22ff in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5971:12
#21 0x777d147d31e1 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:6040:21
#22 0x5e37ff0220f7 in do_main /browser/app/nsBrowserApp.cpp:230:22
#23 0x5e37ff0220f7 in main /browser/app/nsBrowserApp.cpp:448:16
#24 0x777d2a2a7082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
#25 0x5e37fef49a98 in _start (/home/worker/firefox/firefox+0xd5a98) (BuildId: f6f4dd227a5426db521c2d5f9f507aeeee4c5daf)
DEDUP_TOKEN: mozilla::net::nsStandardURL::SanityCheck()
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /netwerk/base/nsStandardURL.cpp:298:5 in mozilla::net::nsStandardURL::SanityCheck()
Command: /home/worker/firefox/firefox -rss_limit_mb=3500 -use_value_profile=1 -timeout=5 -entropic=1 -dict=./tokens.dict ./corpora/ -handle_segv=0 -handle_bus=0 -handle_abrt=0 -handle_ill=0 -handle_fpe=0 -print_pcs=1
==207==ABORTING
Updated • 4 months ago
Severity: -- → S3
Priority: -- → P2
Whiteboard: [necko-triaged]
Comment 3 (Sean Kim) • 4 months ago
Could not reproduce this error, but the patch for Bug 1904582 may resolve this issue.
Comment 4 • 4 months ago
(In reply to Sean Kim from comment #3)
> Could not reproduce this error, but the patch for Bug 1904582 may resolve this issue.

I think these two are the same.