commit e162f697ef55fe89d13cee6fa5aec49dd96dca9c
parent d42d760c2d8402a4e6b4939e780693707fc7fce7
Author: Andrew McCreight <continuation@gmail.com>
Date: Mon, 20 Oct 2025 13:59:35 +0000
Bug 1993568 - Test that STL hardening works when we expect it to. r=gsvelto
Right now, STL hardening is only enabled on non-Windows debug builds.
Differential Revision: https://phabricator.services.mozilla.com/D268236
Diffstat:
4 files changed, 48 insertions(+), 0 deletions(-)
diff --git a/toolkit/crashreporter/test/CrashTestUtils.sys.mjs b/toolkit/crashreporter/test/CrashTestUtils.sys.mjs
@@ -36,6 +36,7 @@ export var CrashTestUtils = {
CRASH_HEAP_CORRUPTION: 24,
CRASH_EXC_GUARD: 25,
CRASH_STACK_OVERFLOW: 26,
+ CRASH_STL_VECTOR_OOB: 27,
// Constants for dumpHasStream()
// From google_breakpad/common/minidump_format.h
diff --git a/toolkit/crashreporter/test/nsTestCrasher.cpp b/toolkit/crashreporter/test/nsTestCrasher.cpp
@@ -2,6 +2,7 @@
#include <stdio.h>
#include <map>
+#include <vector>
#include "nscore.h"
#include "mozilla/Unused.h"
@@ -113,6 +114,7 @@ const int16_t CRASH_EXC_GUARD = 25;
#ifndef XP_WIN
const int16_t CRASH_STACK_OVERFLOW = 26;
#endif
+const int16_t CRASH_STL_VECTOR_OOB = 27;
#if XP_WIN && HAVE_64BIT_BUILD && defined(_M_X64) && !defined(__MINGW32__)
@@ -318,6 +320,21 @@ extern "C" NS_EXPORT void Crash(int16_t how) {
break; // This should be unreachable
}
#endif // XP_WIN
+ case CRASH_STL_VECTOR_OOB: {
+ // Make a vector with a power-of-2 size, remove the last element, then
+ // access just past the new end of the vector. The idea here is that if
+ // hardening is not enabled then the out-of-bounds access likely won't
+ // crash, because most implementations probably won't shrink the
+ // underlying buffer.
+ std::vector<int32_t> v;
+ const size_t initSize = 8;
+ v.resize(initSize, 9);
+ v.pop_back();
+ // Out-of-bounds access.
+ printf("CRASH_STL_VECTOR_OOB: %d\n", v[initSize - 1]);
+ // This should be unreachable, if hardening is enabled.
+ break;
+ }
default:
break;
}
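Review bot: The out-of-bounds read at `v[initSize - 1]` is compiled into every build, but it only traps where hardening is on; elsewhere it is undefined behaviour that most likely returns the stale element, and Crash() then returns normally. Nothing in this case says that the only gate is the test manifest, so a later caller on an unhardened build would get a silent no-op instead of a crash. I would extend the comment with something like `// Only meaningful where STL hardening is enabled (see the run-if in xpcshell.toml); elsewhere this read is UB and the function returns.` It would also help to note that the value is passed to printf so the load cannot be elided, which appears to be the intent. The body of Crash() starts and ends outside this hunk.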
diff --git a/toolkit/crashreporter/test/unit/test_crash_stl.js b/toolkit/crashreporter/test/unit/test_crash_stl.js
@@ -0,0 +1,26 @@
+add_task(async function run_test() {
+ if (!("@mozilla.org/toolkit/crash-reporter;1" in Cc)) {
+ dump(
+ "INFO | test_crash_stl.js | Can't test crashreporter in a non-libxul build.\n"
+ );
+ return;
+ }
+
+ // Try crashing with an out of bounds std::vector access.
+ await do_crash(
+ function () {
+ crashType = CrashTestUtils.CRASH_STL_VECTOR_OOB;
+ crashReporter.annotateCrashReport("TestKey", "TestValue");
+ },
+ async function (mdump, extra, extraFile) {
+ runMinidumpAnalyzer(mdump);
+
+ // Refresh updated extra data
+ extra = await IOUtils.readJSON(extraFile.path);
+
+ Assert.equal(extra.TestKey, "TestValue");
+ },
+ // process will exit with a zero exit status
+ true
+ );
+});
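Review bot: The callback's only assertion, `Assert.equal(extra.TestKey, "TestValue")`, shows that some crash produced a minidump carrying the annotation, not that the vector bounds check caused it. A build where hardening is silently off but the crasher dies for another reason would still pass, which is the regression this test is meant to catch. After `runMinidumpAnalyzer(mdump)` the refreshed extra data should describe the crash, so consider also asserting on the crash type or top frame expected for the hardening trap on each platform. Separately, the comment `// process will exit with a zero exit status` reads oddly for a crash test, and passing `true` presumably relaxes do_crash's exit-status check (do_crash is defined outside this page); either drop the argument or replace the comment with the actual reason, e.g. `// Allow a zero exit status because <reason>`.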
diff --git a/toolkit/crashreporter/test/unit/xpcshell.toml b/toolkit/crashreporter/test/unit/xpcshell.toml
@@ -61,6 +61,10 @@ reason = "Test covering Linux-specific PSI (Pressure Stall Information) annotati
run-if = ["os == 'linux'"]
reason = "Still broken on macOS and not yet supported on Windows"
+["test_crash_stl.js"]
+run-if = ["os != 'win' && debug"]
+reason = "STL hardening is only enabled on non-Windows debug builds"
+
["test_crash_terminator.js"]
["test_crash_uncaught_exception.js"]