Open
Bug 1445443
Opened 7 years ago
Updated 2 years ago
IPC: crash [@DoOnDataAvailable]
Categories
(Core :: Networking: HTTP, defect, P3)
Tracking
NEW

| | Tracking | Status |
|---|---|---|
| firefox61 | --- | affected |
People
(Reporter: posidron, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, Whiteboard: [necko-triaged])
Attachments
(1 file)
session.txt (deleted), text/plain
INFO: This is an IPC crash found by the fuzzer faulty - there is no test-case available which leads to an immediate crash for reproduction.
The attached session.txt contains a trace of IPC messages which were sent and received during a session of visiting https://html5test.com
*** Possible reproduction scenario:
pip install git+https://github.com/mozillasecurity/fuzzfetch
fuzzfetch -a --fuzzing -n firefox -o /tmp
export FAULTY_PROBABILITY=50000
export FAULTY_LARGE_VALUES=1
export FAULTY_PARENT=1
export FAULTY_ENABLE_LOGGING=1
export FAULTY_PICKLE=1
export MOZ_IPC_MESSAGE_LOG=1
==822==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4c4857dbcc bp 0x7f4c3ba43e10 sp 0x7f4c3ba43cc0 T17)
==822==The signal is caused by a READ memory access.
==822==Hint: address points to the zero page.
#0 0x7f4c4857dbcb in DoOnDataAvailable /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:1040:28
#1 0x7f4c4857dbcb in mozilla::net::HttpChannelChild::OnTransportAndData(nsresult const&, nsresult const&, unsigned long const&, unsigned int const&, nsTString<char> const&) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:966
#2 0x7f4c4878c716 in mozilla::net::ChannelEventQueue::FlushQueue() /builds/worker/workspace/build/src/netwerk/ipc/ChannelEventQueue.cpp:93:12
#3 0x7f4c487962ee in MaybeFlushQueue /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:329:5
#4 0x7f4c487962ee in CompleteResume /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:306
#5 0x7f4c487962ee in mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() /builds/worker/workspace/build/src/netwerk/ipc/ChannelEventQueue.cpp:161
#6 0x7f4c47b126a6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
#7 0x7f4c47b2dc40 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
#8 0x7f4c489e616c in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:364:5
#9 0x7f4c489338c9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#10 0x7f4c489338c9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#11 0x7f4c489338c9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#12 0x7f4c47b0d309 in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:423:11
#13 0x7f4c65b4747e in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#14 0x7f4c691a97fb in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x77fb)
#15 0x7f4c681d7b5e in clone /build/glibc-itYbWN/glibc-2.26/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:1040:28 in DoOnDataAvailable
Thread T17 (ImageIO) created by T0 (file:// Content) here:
#0 0x4b065d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
#1 0x7f4c65b441cf in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:433:14
#2 0x7f4c65b43dbe in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:518:12
#3 0x7f4c47b0f103 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:594:8
#4 0x7f4c47b181fa in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:471:22
#5 0x7f4c47b2bcb4 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:143:45
#6 0x7f4c4a5dfb9e in NS_NewNamedThread<8> /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.h:72:10
#7 0x7f4c4a5dfb9e in mozilla::image::DecodePool::DecodePool() /builds/worker/workspace/build/src/image/DecodePool.cpp:400
#8 0x7f4c4a5df050 in Singleton /builds/worker/workspace/build/src/image/DecodePool.cpp:339:22
#9 0x7f4c4a5df050 in mozilla::image::DecodePool::Initialize() /builds/worker/workspace/build/src/image/DecodePool.cpp:331
#10 0x7f4c4a6ec82f in mozilla::image::EnsureModuleInitialized() /builds/worker/workspace/build/src/image/build/nsImageModule.cpp:104:3
#11 0x7f4c47ac2c22 in Load /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:760:21
#12 0x7f4c47ac2c22 in nsFactoryEntry::GetFactory() /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1782
#13 0x7f4c47ac3a4a in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1080:41
#14 0x7f4c47ababbd in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1443:10
#15 0x7f4c47ac9a0c in CallGetService /builds/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:67:43
#16 0x7f4c47ac9a0c in nsGetServiceByContractID::operator()(nsID const&, void**) const /builds/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:280
#17 0x7f4c47982019 in nsCOMPtr_base::assign_from_gs_contractid(nsGetServiceByContractID, nsID const&) /builds/worker/workspace/build/src/xpcom/base/nsCOMPtr.cpp:95:7
#18 0x7f4c4a370007 in nsCOMPtr /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:577:5
#19 0x7f4c4a370007 in gfxPlatform::Init() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:840
#20 0x7f4c4a3715e9 in gfxPlatform::InitChild(mozilla::gfx::ContentDeviceData const&) /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:558:3
#21 0x7f4c4ef022c3 in InitGraphicsDeviceData /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1177:3
#22 0x7f4c4ef022c3 in mozilla::dom::ContentChild::RecvSetXPCOMProcessAttributes(mozilla::dom::XPCOMInitData const&, mozilla::dom::ipc::StructuredCloneData const&, nsTArray<LookAndFeelInt>&&, nsTArray<mozilla::dom::SystemFontListEntry>&&) /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:590
#23 0x7f4c491cdd29 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:6933:20
#24 0x7f4c489dd47e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2133:25
#25 0x7f4c489da401 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2063:17
#26 0x7f4c489dbbfc in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1909:5
#27 0x7f4c489dc258 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1942:15
#28 0x7f4c47b126a6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
#29 0x7f4c47b2dc40 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
#30 0x7f4c489e4ffa in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#31 0x7f4c489338c9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#32 0x7f4c489338c9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#33 0x7f4c489338c9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#34 0x7f4c4f6d406a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
#35 0x7f4c53b95cfb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:892:22
#36 0x7f4c489338c9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#37 0x7f4c489338c9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#38 0x7f4c489338c9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#39 0x7f4c53b956da in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:718:34
#40 0x4f6f2c in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#41 0x4f6f2c in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#42 0x7f4c680e41c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
==822==ABORTING
Reporter
Comment 1•7 years ago
Comment 2•7 years ago
mListener is null in DoOnDataAvailable() but it wasn't in DoOnStartRequest(), and mListener is nulled out only when diverting to parent. Another possibility is that DoOnStartRequest() wasn't called, or that calling Cancel() in DoOnStartRequest() doesn't ensure that DoOnDataAvailable() isn't called.
Honza, any idea here?
Flags: needinfo?(honzab.moz)
Priority: -- → P3
Whiteboard: [necko-triaged]
Comment 3•7 years ago
The session.txt log is mostly useless; there is no way to find out which messages are bound to a single object... that might tell us what's wrong.
What exactly can fuzzing with the settings in comment 0 do? At least roughly, so we can narrow down a bit what could cause this crash.
I think we get OnTransportAndData after someone called ReleaseListeners(). There are plenty of callers to this. Without knowing the sequence (hence the above complaint) it's hard to say what this could be.
Anyway, I think we are obviously missing a null check, since there is no guarantee this doesn't get called after cleanup.
Flags: needinfo?(honzab.moz)
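The ordering comment 3 suspects (a data event deferred through the channel event queue and flushed only after ReleaseListeners() has dropped the listener) can be modelled in a few dozen lines. The block below is an added illustration written for this page, not Gecko code: ChannelEventQueue, HttpChannelChildModel, OnTransportAndData, DoOnDataAvailable and ReleaseListeners are simplified stand-ins named after the frames in the stack trace, nsresult and the two result codes are stand-ins for Gecko's, and the "chunk" payloads are constructed sample data. It shows the normal delivery path and the late-flush path, and it carries the null check comment 3 asks for, which turns the zero-page read into an error return.

```cpp
// Added model (not Gecko code) of a queued OnTransportAndData event running
// after ReleaseListeners() has nulled mListener, with the null check applied.
#include <cstdint>
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Stand-ins for the Gecko result codes the model uses.
using nsresult = uint32_t;
constexpr nsresult NS_OK = 0;
constexpr nsresult NS_ERROR_NOT_AVAILABLE = 0x80040111;

// Stand-in for nsIStreamListener: records what it is handed.
struct StreamListener {
  std::vector<std::string> received;
  nsresult OnDataAvailable(const std::string& data) {
    received.push_back(data);
    return NS_OK;
  }
};

// Minimal model of ChannelEventQueue: while the channel is suspended, events
// are queued and run later from MaybeFlushQueue() on another event-loop turn.
class ChannelEventQueue {
 public:
  void Suspend() { ++mSuspendCount; }
  void Resume() { if (mSuspendCount > 0) --mSuspendCount; }
  void RunOrEnqueue(std::function<void()> ev) {
    if (mSuspendCount == 0 && mQueue.empty()) { ev(); return; }
    mQueue.push_back(std::move(ev));
  }
  // Runs pending events only once no suspension is outstanding; returns how many ran.
  size_t MaybeFlushQueue() {
    size_t ran = 0;
    while (mSuspendCount == 0 && !mQueue.empty()) {
      std::function<void()> ev = std::move(mQueue.front());
      mQueue.erase(mQueue.begin());
      ev();
      ++ran;
    }
    return ran;
  }
 private:
  unsigned mSuspendCount = 0;
  std::vector<std::function<void()>> mQueue;
};

// Model of the child-side channel; names mirror the trace, bodies are simplified.
class HttpChannelChildModel {
 public:
  void SetListener(std::shared_ptr<StreamListener> l) { mListener = std::move(l); }
  // Cleanup path: drops the listener. Anything still queued will run later.
  void ReleaseListeners() { mListener.reset(); }
  ChannelEventQueue& Queue() { return mQueue; }
  // IPC handler: the data event goes through the queue, so it can be
  // deferred past cleanup instead of running immediately.
  void OnTransportAndData(const std::string& data) {
    mQueue.RunOrEnqueue([this, data] { mLastResult = DoOnDataAvailable(data); });
  }
  nsresult LastResult() const { return mLastResult; }
 private:
  nsresult DoOnDataAvailable(const std::string& data) {
    // The check comment 3 asks for: without it, a deferred event after
    // ReleaseListeners() reads through a null mListener (the zero-page SEGV).
    if (!mListener) return NS_ERROR_NOT_AVAILABLE;
    return mListener->OnDataAvailable(data);
  }
  std::shared_ptr<StreamListener> mListener;
  ChannelEventQueue mQueue;
  nsresult mLastResult = NS_OK;
};

// Scenario 1: normal delivery while the listener is alive.
nsresult DeliverWhileListening(size_t* chunks) {
  HttpChannelChildModel ch;
  auto listener = std::make_shared<StreamListener>();
  ch.SetListener(listener);
  ch.OnTransportAndData("chunk-1");  // constructed sample payload
  *chunks = listener->received.size();
  return ch.LastResult();
}

// Scenario 2: the ordering behind the crash. The data message arrives while
// the channel is suspended, cleanup releases the listener, and the queued
// event only runs when the queue is flushed after resume.
nsresult DeliverAfterRelease(size_t* flushed) {
  HttpChannelChildModel ch;
  ch.SetListener(std::make_shared<StreamListener>());
  ch.Queue().Suspend();
  ch.OnTransportAndData("late-chunk");      // queued, not run
  ch.ReleaseListeners();                    // mListener is now null
  ch.Queue().Resume();
  *flushed = ch.Queue().MaybeFlushQueue();  // DoOnDataAvailable runs here
  return ch.LastResult();
}

int main() {
  size_t chunks = 0, flushed = 0;
  std::printf("live: rv=0x%x chunks=%zu\n", DeliverWhileListening(&chunks), chunks);
  std::printf("late: rv=0x%x flushed=%zu\n", DeliverAfterRelease(&flushed), flushed);
  return 0;
}
```

The model deliberately keeps the queue and the listener release as two independent steps, which is the property the comment is pointing at: nothing ties "no more events will run" to "the listener is gone", so the handler itself has to tolerate a null listener.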
Updated•2 years ago
Severity: normal → S3