Crash when creating an EventSource in xpcshell
Categories: Core :: DOM: Core & HTML, defect

Flag | Tracking | Status
---|---|---
firefox100 | --- | fixed

People: Reporter: jkratzer, Assigned: jkratzer
References: Blocks 1 open bug
Attachments: 1 file
Testcase found while fuzzing mozilla-central rev b21fa00b5f33 (built with: --enable-address-sanitizer --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch
$ python -m fuzzfetch --build b21fa00b5f33 --asan --fuzzing -n firefox
$ ./firefox/firefox -xpcshell -e "new EventSource('a')"
This is due to a missing null check in the EventSource constructor.
[@ get]
==2532==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000f0 (pc 0x7f30036f546b bp 0x7ffc35cd5dd0 sp 0x7ffc35cd5ba0 T0)
==2532==The signal is caused by a READ memory access.
==2532==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
#0 0x7f30036f546b in get /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:851:48
#1 0x7f30036f546b in operator nsICookieJarSettings * /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:859:33
#2 0x7f30036f546b in CookieJarSettings /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WorkerPrivate.h:842:12
#3 0x7f30036f546b in mozilla::dom::EventSource::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::EventSourceInit const&, mozilla::ErrorResult&) /dom/base/EventSource.cpp:1989:40
#4 0x7f30051d786c in mozilla::dom::EventSource_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/EventSourceBinding.cpp:712:57
#5 0x7f300d18b8f5 in CallJSNative /js/src/vm/Interpreter.cpp:425:13
#6 0x7f300d18b8f5 in CallJSNativeConstructor /js/src/vm/Interpreter.cpp:441:8
#7 0x7f300d18b8f5 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /js/src/vm/Interpreter.cpp:636:10
#8 0x7f300d174f8f in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3299:16
#9 0x7f300d159de1 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:394:13
#10 0x7f300d18cb63 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:767:13
#11 0x7f300d247732 in ExecuteInExtensibleLexicalEnvironment(JSContext*, JS::Handle<JSScript*>, JS::Handle<js::ExtensibleLexicalEnvironmentObject*>) /js/src/builtin/Eval.cpp:403:10
#12 0x7f300d247070 in js::ExecuteInFrameScriptEnvironment(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JSObject*>) /js/src/builtin/Eval.cpp:438:8
#13 0x7f300d66761a in EvalReturningScope(JSContext*, unsigned int, JS::Value*) /js/src/builtin/TestingFunctions.cpp:6040:10
#14 0x25f8133f57f8 (<unknown module>)
DEDUP_TOKEN: get
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:851:48 in get
Command: /home/worker/firefox/firefox -xpcshell -len_control=50 -rss_limit_mb=7000 -use_value_profile=1 -entropic=1 ./corpora/ -handle_segv=0 -handle_bus=0 -handle_abrt=0 -handle_ill=0 -handle_fpe=0 -print_pcs=1
==2532==ABORTING
Comment 1•2 years ago
Comment 2•2 years ago
Hmm, but GetCurrentThreadWorkerPrivate(); should return non-null.
What does ./firefox/firefox -xpcshell -e "new EventSource('a')" do? How does that run anything in a worker?
Oh, I guess the issue is that we don't have a Window object.
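The failure mode described in the report and in comment 2, a global that is neither a window nor a worker (the xpcshell case), as an added C++ illustration that is not Firefox code: the types CookieJarSettings, WorkerPrivate, Window and GlobalObject below are hypothetical stand-ins for the Gecko classes named in the stack, GetCurrentThreadWorkerPrivate() is modelled as a lookup that returns null for a non-worker global, ResolveCookieJarUnchecked mirrors the defective assumption, and ResolveCookieJarChecked shows the shape the commit title points at (null check plus an error result); the real fix's code is not on this page.

```cpp
#include <iostream>

// Added illustration, not Firefox code: hypothetical stand-ins for the Gecko
// types named in the stack (CookieJarSettings, WorkerPrivate) and for a window.
struct CookieJarSettings {
  bool blockThirdParty = false;
};

struct WorkerPrivate {
  CookieJarSettings settings;
  CookieJarSettings* GetCookieJarSettings() { return &settings; }
};

struct Window {
  CookieJarSettings settings;
};

// A global may belong to a window, to a worker, or (xpcshell) to neither.
struct GlobalObject {
  Window* window = nullptr;
  WorkerPrivate* worker = nullptr;
};

// Models GetCurrentThreadWorkerPrivate(): null unless the global is a worker's.
static WorkerPrivate* GetCurrentThreadWorkerPrivate(const GlobalObject& global) {
  return global.worker;
}

enum class Status { Ok, NotSupported };

// Defective shape: "no window" is taken to mean "worker", so for an xpcshell
// global the null WorkerPrivate is dereferenced (the zero-page SEGV above).
static CookieJarSettings* ResolveCookieJarUnchecked(const GlobalObject& global) {
  if (global.window) {
    return &global.window->settings;
  }
  WorkerPrivate* wp = GetCurrentThreadWorkerPrivate(global);
  return wp->GetCookieJarSettings();  // wp may be null: undefined behaviour
}

// Hardened shape: the third kind of global is handled explicitly and reported
// as an error instead of reading through a null pointer.
static Status ResolveCookieJarChecked(const GlobalObject& global,
                                      CookieJarSettings** out) {
  *out = nullptr;
  if (global.window) {
    *out = &global.window->settings;
    return Status::Ok;
  }
  WorkerPrivate* wp = GetCurrentThreadWorkerPrivate(global);
  if (!wp) {
    return Status::NotSupported;
  }
  *out = wp->GetCookieJarSettings();
  return Status::Ok;
}

// Scenario helpers: each returns true when the checked resolver behaves as intended.
static bool WindowGlobalResolves() {
  Window w;
  GlobalObject g{&w, nullptr};
  CookieJarSettings* s = nullptr;
  return ResolveCookieJarChecked(g, &s) == Status::Ok && s == &w.settings;
}

static bool WorkerGlobalResolves() {
  WorkerPrivate wp;
  GlobalObject g{nullptr, &wp};
  CookieJarSettings* s = nullptr;
  return ResolveCookieJarChecked(g, &s) == Status::Ok && s == &wp.settings
      && ResolveCookieJarUnchecked(g) == &wp.settings;  // unchecked is fine here
}

static bool XpcshellGlobalIsRejected() {
  GlobalObject g;  // neither window nor worker, like the xpcshell testcase
  CookieJarSettings* s = nullptr;
  // ResolveCookieJarUnchecked(g) would crash here; only the checked form is called.
  return ResolveCookieJarChecked(g, &s) == Status::NotSupported && s == nullptr;
}

int main() {
  std::cout << "window: " << WindowGlobalResolves() << "\n"
            << "worker: " << WorkerGlobalResolves() << "\n"
            << "xpcshell rejected: " << XpcshellGlobalIsRejected() << "\n";
  return 0;
}
```

The point of the two resolvers side by side is that the unchecked one is correct for every global a content page can produce, which is why ordinary testing never reaches the null branch; only a host with a bare global, such as xpcshell here, exercises the third case, so a fuzzing harness that runs constructors outside a window or worker is what surfaced it.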
Comment 3•2 years ago
The severity field is not set for this bug.
:edgar, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 4•2 years ago
This looks like a weird XPCShell issue, so I'm marking it S3.
Jason, is this patch ready to land? Thanks.
Comment 5•2 years ago
(In reply to Andrew McCreight [:mccr8] from comment #4)
> This looks like a weird XPCShell issue, so I'm marking it S3.
> Jason, is this patch ready to land? Thanks.
It is unless :smaug has any objections.
Pushed by amccreight@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/58965c6ba2bf Ensure workerPrivate is not null, r=smaug
Comment 8•2 years ago
bugherder