Bug 1874800 Comment 0 Edit History


Found while fuzzing m-c 20240114-39d188918af5 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:
```
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
```

stderr:
```
[Parent 367548, IPC I/O Parent] WARNING: Process 367730 may be hanging at shutdown; will wait for up to 8000ms: file /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/process_watcher_posix_sigchld.cc:184
[Parent 367548, IPC I/O Parent] WARNING: Process 367730 hanging at shutdown; attempting crash report (fatal error).: file /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/process_watcher_posix_sigchld.cc:207
UndefinedBehaviorSanitizer:DEADLYSIGNAL
```

```
==367730==ERROR: UndefinedBehaviorSanitizer: ABRT on unknown address 0x03e800059bbc (pc 0x7fdbb3bfa117 bp 0x563e6e5b0748 sp 0x7fff3aa541d0 T367730)
    #0 0x7fdbb3bfa117 in __futex_abstimed_wait_common64 nptl/futex-internal.c:57:12
    #1 0x7fdbb3bfa117 in __futex_abstimed_wait_common nptl/futex-internal.c:87:9
    #2 0x7fdbb3bfa117 in __GI___futex_abstimed_wait_cancelable64 nptl/futex-internal.c:139:10
    #3 0x7fdbb3bfca40 in __pthread_cond_wait_common nptl/pthread_cond_wait.c:503:10
    #4 0x7fdbb3bfca40 in pthread_cond_wait nptl/pthread_cond_wait.c:627:10
    #5 0x563e6d7189fb in wait /builds/worker/checkouts/gecko/mozglue/misc/ConditionVariable_posix.cpp:106:11
    #6 0x563e6d7189fb in mozilla::detail::ConditionVariableImpl::wait_for(mozilla::detail::MutexImpl&, mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator> const&) /builds/worker/checkouts/gecko/mozglue/misc/ConditionVariable_posix.cpp:113:5
    #7 0x7fdb9ebdb5c7 in mozilla::OffTheBooksCondVar::Wait(mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>) /builds/worker/checkouts/gecko/xpcom/threads/BlockingResourceBase.cpp:534:20
    #8 0x7fdb9ebe5f34 in Wait /builds/worker/checkouts/gecko/xpcom/threads/BlockingResourceBase.cpp:514:21
    #9 0x7fdb9ebe5f34 in mozilla::TaskController::GetRunnableForMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:619:19
    #10 0x7fdb9ec0a545 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1134:38
    #11 0x7fdb9ec0f5d0 in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #12 0x7fdb9ec0f5d0 in SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:378:39)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
    #13 0x7fdb9ec0f5d0 in nsThreadManager::ShutdownNonMainThreads() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:377:3
    #14 0x7fdb9ec5026b in mozilla::ShutdownXPCOM(nsIServiceManager*) /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:629:28
    #15 0x7fdba603598c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:660:16
    #16 0x563e6d6bb3b6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #17 0x563e6d6bb3b6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
    #18 0x7fdbb3b92d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #19 0x7fdbb3b92e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #20 0x563e6d6910e8 in _start (/home/worker/builds/m-c-20240114093125-fuzzing-debug/firefox-bin+0x590e8) (BuildId: 3c44943d507779f38c31adcf9a3c2a1d450f5497)
```
Found while fuzzing m-c 20240114-39d188918af5 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:
```
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid> --relaunch 1
```

stderr:
```
[Parent 367548, IPC I/O Parent] WARNING: Process 367730 may be hanging at shutdown; will wait for up to 8000ms: file /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/process_watcher_posix_sigchld.cc:184
[Parent 367548, IPC I/O Parent] WARNING: Process 367730 hanging at shutdown; attempting crash report (fatal error).: file /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/process_watcher_posix_sigchld.cc:207
UndefinedBehaviorSanitizer:DEADLYSIGNAL
```

```
==367730==ERROR: UndefinedBehaviorSanitizer: ABRT on unknown address 0x03e800059bbc (pc 0x7fdbb3bfa117 bp 0x563e6e5b0748 sp 0x7fff3aa541d0 T367730)
    #0 0x7fdbb3bfa117 in __futex_abstimed_wait_common64 nptl/futex-internal.c:57:12
    #1 0x7fdbb3bfa117 in __futex_abstimed_wait_common nptl/futex-internal.c:87:9
    #2 0x7fdbb3bfa117 in __GI___futex_abstimed_wait_cancelable64 nptl/futex-internal.c:139:10
    #3 0x7fdbb3bfca40 in __pthread_cond_wait_common nptl/pthread_cond_wait.c:503:10
    #4 0x7fdbb3bfca40 in pthread_cond_wait nptl/pthread_cond_wait.c:627:10
    #5 0x563e6d7189fb in wait /builds/worker/checkouts/gecko/mozglue/misc/ConditionVariable_posix.cpp:106:11
    #6 0x563e6d7189fb in mozilla::detail::ConditionVariableImpl::wait_for(mozilla::detail::MutexImpl&, mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator> const&) /builds/worker/checkouts/gecko/mozglue/misc/ConditionVariable_posix.cpp:113:5
    #7 0x7fdb9ebdb5c7 in mozilla::OffTheBooksCondVar::Wait(mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>) /builds/worker/checkouts/gecko/xpcom/threads/BlockingResourceBase.cpp:534:20
    #8 0x7fdb9ebe5f34 in Wait /builds/worker/checkouts/gecko/xpcom/threads/BlockingResourceBase.cpp:514:21
    #9 0x7fdb9ebe5f34 in mozilla::TaskController::GetRunnableForMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:619:19
    #10 0x7fdb9ec0a545 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1134:38
    #11 0x7fdb9ec0f5d0 in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #12 0x7fdb9ec0f5d0 in SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:378:39)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
    #13 0x7fdb9ec0f5d0 in nsThreadManager::ShutdownNonMainThreads() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:377:3
    #14 0x7fdb9ec5026b in mozilla::ShutdownXPCOM(nsIServiceManager*) /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:629:28
    #15 0x7fdba603598c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:660:16
    #16 0x563e6d6bb3b6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #17 0x563e6d6bb3b6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
    #18 0x7fdbb3b92d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #19 0x7fdbb3b92e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #20 0x563e6d6910e8 in _start (/home/worker/builds/m-c-20240114093125-fuzzing-debug/firefox-bin+0x590e8) (BuildId: 3c44943d507779f38c31adcf9a3c2a1d450f5497)
```
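As an added triage example, not part of the bug report or the Grizzly/fuzzfetch tooling: a small Python parser for the sanitizer output above that separates this kind of shutdown-hang ABRT (the parent's IPC process watcher aborting a child that is parked in a condition-variable wait during XPCOM teardown) from a genuine undefined-behaviour finding. It assumes only the stderr format shown on this page; the embedded REPORT is an abridged copy of the trace above with most frames omitted.

```python
import re
# Abridged copy of the stderr and sanitizer output from the report above
# (most frames omitted); the parser accepts the full trace unchanged.
REPORT = """\
[Parent 367548, IPC I/O Parent] WARNING: Process 367730 hanging at shutdown; attempting crash report (fatal error).: file /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/process_watcher_posix_sigchld.cc:207
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==367730==ERROR: UndefinedBehaviorSanitizer: ABRT on unknown address 0x03e800059bbc (pc 0x7fdbb3bfa117 bp 0x563e6e5b0748 sp 0x7fff3aa541d0 T367730)
    #0 0x7fdbb3bfa117 in __futex_abstimed_wait_common64 nptl/futex-internal.c:57:12
    #4 0x7fdbb3bfca40 in pthread_cond_wait nptl/pthread_cond_wait.c:627:10
    #5 0x563e6d7189fb in wait /builds/worker/checkouts/gecko/mozglue/misc/ConditionVariable_posix.cpp:106:11
    #13 0x7fdb9ec0f5d0 in nsThreadManager::ShutdownNonMainThreads() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:377:3
    #14 0x7fdb9ec5026b in mozilla::ShutdownXPCOM(nsIServiceManager*) /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:629:28
"""

HEADER_RE = re.compile(r"^==(?P<pid>\d+)==ERROR: (?P<san>\w+): (?P<signal>\w+) on ")
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+)\s+0x[0-9a-f]+\s+in\s+(?P<func>.+?)\s+(?P<loc>\S+)$")
HANG_RE = re.compile(r"Process (?P<pid>\d+) hanging at shutdown; attempting crash report")
BLOCKING = ("futex", "pthread_cond_wait", "ConditionVariable")   # thread was parked, not faulting
SHUTDOWN = ("ShutdownNonMainThreads", "ShutdownXPCOM")            # XPCOM teardown on the stack

def parse(report):
    """Return (header dict or None, pid the parent killed or None, [(idx, func, loc), ...])."""
    header, hang_pid, frames = None, None, []
    for line in report.splitlines():
        if m := HEADER_RE.match(line):
            header = {"pid": int(m["pid"]), "sanitizer": m["san"], "signal": m["signal"]}
        elif m := HANG_RE.search(line):
            hang_pid = int(m["pid"])
        elif m := FRAME_RE.match(line):
            frames.append((int(m["idx"]), m["func"], m["loc"]))
    return header, hang_pid, frames

def triage(report):
    """Classify a report; 'shutdown-hang' = watcher aborted a child parked during XPCOM shutdown."""
    header, hang_pid, frames = parse(report)
    if header is None:
        return {"category": "no-sanitizer-report"}
    parked = any(k in func for _, func, _ in frames[:6] for k in BLOCKING)
    in_shutdown = any(k in func for _, func, _ in frames for k in SHUTDOWN)
    if header["signal"] == "ABRT" and hang_pid == header["pid"] and parked and in_shutdown:
        category = "shutdown-hang"
    elif header["signal"] == "ABRT":
        category = "abort"
    else:
        category = "crash"
    # First frame inside the Gecko tree (skipping libc/nptl) is the useful bucketing key.
    gecko = next((f for f in frames if "/gecko/" in f[2]), None)
    return {"category": category, "pid": header["pid"], "signal": header["signal"],
            "frame": f"{gecko[1]} {gecko[2]}" if gecko else None}
```

Bucketing on the first in-tree frame rather than the libc frames keeps shutdown hangs from many different call sites from collapsing into one "futex" signature.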
