Open
Bug 2013879
Opened 5 days ago
Updated 2 days ago
Hit MOZ_CRASH(called `Result::unwrap()` on an `Err` value: RegExp(())) at /third_party/rust/urlpattern/src/matcher.rs:97
Categories: Core :: Networking, defect, P2
Tracking: none
Status: ASSIGNED
People: Reporter: jkratzer, Assigned: edgul
References: Blocks 1 open bug
Details: Keywords: testcase, Whiteboard: [necko-triaged][necko-priority-queue]
Attachments: 3 files
Testcase found while fuzzing mozilla-central rev a9f1ed5516b9 (built with: --enable-address-sanitizer --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pipx install fuzzfetch
$ fuzzfetch --build a9f1ed5516b9 --asan --fuzzing -n firefox --target firefox gtest
$ FUZZER=URLPattern ./firefox/firefox testcase.bin
Hit MOZ_CRASH(called `Result::unwrap()` on an `Err` value: RegExp(())) at /third_party/rust/urlpattern/src/matcher.rs:97
=================================================================
==470==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fffe71c82e3 bp 0x7fffffffa070 sp 0x7fffffffa060 T0)
==470==The signal is caused by a WRITE memory access.
==470==Hint: address points to the zero page.
#0 0x7fffe71c82e3 in MOZ_CrashSequence(void*, long) /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:237:3
#1 0x7fffe71c82e3 in MOZ_Crash(char const*, int, char const*) /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:375:3
#2 0x7fffe71c82e3 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
#3 0x7fffe71c7dc0 in mozglue_static::panic_hook::h568fcecec6100e1d /mozglue/static/rust/lib.rs:99:9
#4 0x7fffe71c6f15 in core::ops::function::Fn::call::h58d5c417aaf1e6ad /builds/worker/fetches/rust/library/core/src/ops/function.rs:80:5
#5 0x7fffeb7151e4 in std::panicking::rust_panic_with_hook::hb6a926246a3acc54 (/home/worker/firefox/gtest/libxul.so+0x27ea31e4) (BuildId: 9124e552a2d3ac22c01dcf8fb1a370b63a0dd421)
#6 0x7fffeb70c4b9 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::haab11a240686a18f std.53ef410fab06a69b-cgu.01
#7 0x7fffeb70c2e8 in std::sys::backtrace::__rust_end_short_backtrace::h53ef5088042ca5e5 (/home/worker/firefox/gtest/libxul.so+0x27e9a2e8) (BuildId: 9124e552a2d3ac22c01dcf8fb1a370b63a0dd421)
#8 0x7fffeb714c7c in __rustc::rust_begin_unwind (/home/worker/firefox/gtest/libxul.so+0x27ea2c7c) (BuildId: 9124e552a2d3ac22c01dcf8fb1a370b63a0dd421)
#9 0x7fffeb79c23f in core::panicking::panic_fmt::h1aef4e0b7c131909 (/home/worker/firefox/gtest/libxul.so+0x27f2a23f) (BuildId: 9124e552a2d3ac22c01dcf8fb1a370b63a0dd421)
#10 0x7fffeb78b335 in core::result::unwrap_failed::h1336ec037c5c972d (/home/worker/firefox/gtest/libxul.so+0x27f19335) (BuildId: 9124e552a2d3ac22c01dcf8fb1a370b63a0dd421)
#11 0x7fffe1f1272a in core::result::Result$LT$T$C$E$GT$::unwrap::h5b6b380a39344338 /builds/worker/fetches/rust/library/core/src/result.rs:1167:23
#12 0x7fffe1f1272a in urlpattern::matcher::Matcher$LT$R$GT$::matches::h013174895dccc885 /third_party/rust/urlpattern/src/matcher.rs:97:25
#13 0x7fffe1f1272a in urlpattern::component::Component$LT$R$GT$::protocol_component_matches_special_scheme::hb6462db9f637a6bf /third_party/rust/urlpattern/src/component.rs:73:23
#14 0x7fffe1f1272a in urlpattern::constructor_parser::ConstructorStringParser::compute_protocol_matches_special_scheme::h0d7cd8e6ff9c98a2 /third_party/rust/urlpattern/src/constructor_parser.rs:271:27
#15 0x7fffe1f1272a in urlpattern::constructor_parser::parse_constructor_string::h84d1894185f3f208 /third_party/rust/urlpattern/src/constructor_parser.rs:376:18
#16 0x7fffe1f1272a in urlpattern::UrlPatternInit::parse_constructor_string::h375fe051b33f0644 /third_party/rust/urlpattern/src/lib.rs:60:20
#17 0x7fffe1f1272a in urlpattern_glue::helpers::init_from_string_and_base_url::h73cbf53f9373e857 /netwerk/base/urlpattern_glue/src/helpers.rs:46:13
#18 0x7fffe1f1272a in urlp_parse_pattern_from_string /netwerk/base/urlpattern_glue/src/lib.rs:35:36
#19 0x7fffdbd8e5cf in mozilla::dom::URLPattern::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::UTF8StringOrURLPatternInit const&, nsTSubstring<char> const&, mozilla::dom::URLPatternOptions const&, mozilla::ErrorResult&) /dom/urlpattern/URLPattern.cpp:135:16
#20 0x7fffcdb12469 in FuzzingRunURLPattern(unsigned char const*, unsigned long) /dom/urlpattern/fuzztest/FuzzURLPattern.cpp:101:15
#21 0x7fffce5eccc2 in afl_interface_raw(int (*)(unsigned char const*, unsigned long)) /tools/fuzzing/interface/FuzzingInterface.cpp:60:11
#22 0x7fffdf30d5f2 in mozilla::FuzzerRunner::Run(int*, char***) /tools/fuzzing/interface/harness/FuzzerRunner.cpp:90:13
#23 0x7fffdf21d4b0 in XREMain::XRE_mainStartup(bool*) /toolkit/xre/nsAppRunner.cpp:4817:35
#24 0x7fffdf22b377 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:6152:12
#25 0x7fffdf22c7e8 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:6250:21
#26 0x5555557503fe in do_main(int, char**, char**) /browser/app/nsBrowserApp.cpp:268:22
#27 0x5555557503fe in main /browser/app/nsBrowserApp.cpp:532:16
#28 0x7fffc3311d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 085164b7e9093b36e3be17226f0d94a35b818c55)
#29 0x7fffc3311e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 085164b7e9093b36e3be17226f0d94a35b818c55)
#30 0x555555669168 in _start (/home/worker/firefox/firefox+0x115168) (BuildId: 6ce5978479c4bc6ba4ff2fa2acea06b5745e95b6)
==470==Register values:
rax = 0x0000000000000061 rbx = 0x0000000000000061 rcx = 0x0000000000000001 rdx = 0x0000000000000000
rdi = 0x00005555558dd590 rsi = 0x00007fffffffa018 rbp = 0x00007fffffffa070 rsp = 0x00007fffffffa060
r8 = 0x0000000000000000 r9 = 0xffffff0000000000 r10 = 0xefffffffffffffff r11 = 0x4000000000000000
r12 = 0x00007bffbce41064 r13 = 0x00007bffbce412f4 r14 = 0x00007bffbce412f4 r15 = 0x0000000000000061
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:237:3 in MOZ_CrashSequence(void*, long)
==470==ABORTING
Comment 1•5 days ago (Reporter)
Comment 2•5 days ago (Reporter)
Updated•5 days ago (Reporter)
Attachment #9541768 -
Attachment filename: testcase.9e10b3134b74eeeb46113a4a405db7607534244f_JFeDHWS → testcase.bin
Comment 3•4 days ago
Ed, could you take a look?
Blocks: urlpattern
Severity: -- → S3
Flags: needinfo?(edgul)
Priority: -- → P2
Whiteboard: [necko-triaged][necko-priority-queue]
Something like this should fix it (in the crate):
if regexp.is_err() {
return None;
}
https://github.com/denoland/rust-urlpattern/blob/main/src/matcher.rs#L97
I'll try to write a test.
Note that this bug will be addressed in the crate, so the next vendor-in should fix it.
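As an added illustration (not the urlpattern crate's or Mozilla's code), the block below models the path in the trace: a matcher that stores its compiled regexp as a Result, the unwrap that panics when compilation failed, and the early-return-None version the comment above proposes, driven from a stand-in for the special-scheme protocol check done during constructor-string parsing. The RegExpT trait, ToyRegExp engine and function names are simplified assumptions for this example.

```rust
use std::panic;

/// Stand-in for the crate's regexp abstraction: compiling may fail, matching yields captures.
pub trait RegExpT: Sized {
    fn parse(pattern: &str) -> Result<Self, ()>;
    fn matches<'a>(&self, input: &'a str) -> Option<Vec<Option<&'a str>>>;
}

/// Toy engine (constructed for this example): matches a literal only, and treats
/// unbalanced parentheses as a syntax error so that parse() can return Err.
pub struct ToyRegExp(String);

impl RegExpT for ToyRegExp {
    fn parse(pattern: &str) -> Result<Self, ()> {
        if pattern.matches('(').count() != pattern.matches(')').count() {
            return Err(()); // models RegExp(()) in the crash message
        }
        Ok(ToyRegExp(pattern.replace(|c| c == '(' || c == ')', "")))
    }
    fn matches<'a>(&self, input: &'a str) -> Option<Vec<Option<&'a str>>> {
        if input == self.0 { Some(vec![Some(input)]) } else { None }
    }
}

/// Mirrors the shape of the crate's RegExp matcher: the compile result is stored,
/// so a bad pattern only surfaces when something tries to match against it.
pub enum Matcher<R: RegExpT> {
    RegExp { regexp: Result<R, ()> },
}

impl<R: RegExpT> Matcher<R> {
    /// Pre-fix shape (matcher.rs:97 in the trace): unwrap() panics on Err.
    pub fn matches_unchecked<'a>(&self, input: &'a str) -> Option<Vec<Option<&'a str>>> {
        match self { Matcher::RegExp { regexp } => regexp.as_ref().unwrap().matches(input) }
    }
    /// Proposed fix: a regexp that failed to compile simply never matches.
    pub fn matches<'a>(&self, input: &'a str) -> Option<Vec<Option<&'a str>>> {
        match self { Matcher::RegExp { regexp } => regexp.as_ref().ok()?.matches(input) }
    }
}

/// Stand-in for the special-scheme check run while parsing the constructor string:
/// with the fix, an invalid protocol pattern is reported as "not special", not a crash.
pub fn protocol_matches_special_scheme(pattern: &str) -> bool {
    let m: Matcher<ToyRegExp> = Matcher::RegExp { regexp: ToyRegExp::parse(pattern) };
    ["http", "https", "ws", "wss", "ftp", "file"].iter().any(|s| m.matches(s).is_some())
}

/// Reproduces the pre-fix failure mode under catch_unwind: true if the unwrap panicked.
pub fn unchecked_panics(pattern: &str) -> bool {
    let m: Matcher<ToyRegExp> = Matcher::RegExp { regexp: ToyRegExp::parse(pattern) };
    panic::catch_unwind(panic::AssertUnwindSafe(|| m.matches_unchecked("http"))).is_err()
}
```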
Updated•2 days ago
|
Assignee: nobody → edgul
Status: NEW → ASSIGNED