740707 - cross_fuzz crash in mozilla::dom::Navigator::GetMozBattery

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[Chris Peterson [:cpeterson]]

This bug was filed from the Socorro interface and is 
report bp-27e7d6fc-c8d9-4ca1-be95-f1be92120330 .
============================================================= 

STR:
1. Load http://lcamtuf.coredump.cx/cross_fuzz/
2. Run cross_fuzz_msie_randomized_seed.html test
3. Wait about 1-2 minutes

AR:
Easily reproducible crash in GetMozBattery(). I've test two different MacBook Pros and two different user profiles. I was able to reproduce this crash many times on Nightly 2012-03-29 and 2012-03-14.

https://crash-stats.mozilla.com/report/index/09a6e576-3824-4f2b-a2d3-e23312120329
https://crash-stats.mozilla.com/report/index/27e7d6fc-c8d9-4ca1-be95-f1be92120330
https://crash-stats.mozilla.com/report/index/dca52249-a269-4cd8-ace4-750012120330
https://crash-stats.mozilla.com/report/index/a2231a87-6696-4cc2-89b4-a34232120330
https://crash-stats.mozilla.com/report/index/09043995-5bee-43e6-b39d-f5cee2120330
https://crash-stats.mozilla.com/report/index/052e8251-354b-4104-9952-49ea72120330
https://crash-stats.mozilla.com/report/index/0e6cf481-9fc0-4a16-b758-194602120329
https://crash-stats.mozilla.com/report/index/66ebf1c3-78b6-4f0b-9a4b-fbe9a2120329
https://crash-stats.mozilla.com/report/index/d38a5d26-b011-4c42-84c0-27b922120330
https://crash-stats.mozilla.com/report/index/5ae59ce6-93ee-4535-aaea-cece92120330

Comment 1

[Mounir Lamouri (:mounir)]

I can't reproduce that on my Linux laptop. Is that Mac only?

Comment 2

[Chris Peterson [:cpeterson]]

I only have Mac test machines. I reproduced it on Mac OS X 10.6 and 10.7.

Comment 3

[Mounir Lamouri (:mounir)]

Attachment: Patch

Stupid mistake... sorry about that :(

Comment 4

[Justin Lebar (not reading bugmail)]

Comment on attachment 611104 [details] [diff] [review]
Patch

r=me

Comment 5

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/839c971b9022

Comment 6

[Jesse Ruderman]

I wonder why my fuzzer missed this bug. Is there a reduced testcase?

Comment 7

[Mounir Lamouri (:mounir)]

I haven't done one but maybe we can ask QA to do one?

Comment 8

[David Maciejak]

seems ff 13.0.2 is affected, please see Bug 767947

Comment 9

[Mounir Lamouri (:mounir)]

This has been fixed in Firefox 14, see the target milestone.

Comment 10

[David Maciejak]

yes i saw, but why not in 13.x ?

Comment 11

[Mounir Lamouri (:mounir)]

We could indeed have pushed that to Firefox 13 but it's now too late.

Comment 14

[Daniel Veditz [:dveditz]]

(In reply to David Maciejak from comment #10)
> yes i saw, but why not in 13.x ?

This is not an exploitable crash and is not a major stability problem since it's a new, little-used feature. There is no practical user benefit to the disruption of an out-of-cycle release.

Comment 15

[Simona Badau, Desktop QA]

Verified on Ubuntu 12.04, Mac OS X 10.6 and Mac OS X 10.7 that Firefox 14 beta 10 does not crash when using the STR from the Description. 

Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:14.0) Gecko/20100101 Firefox/14.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20100101 Firefox/14.0

Also, checked in Socorro and there are no crashes on Firefox 14.

Comment 17

[sachin shinde]

reduced testcase 

https://bugzilla.mozilla.org/attachment.cgi?id=639210