Closed Bug 1301430 Opened 8 years ago Closed 8 years ago

crash in (only on m-c asan): mozilla::dom::TabChild::RecvSwappedWithOtherRemoteLoader(mozilla::dom::IPCTabContext const&)

Categories

(Core :: DOM: Security, defect)

51 Branch
x86_64
Linux
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1294237

People

(Reporter: kjozwiak, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [userContextId][domsecurity-backlog])

It appears that bug#1294237 is occurring on the latest m-c asan build:

* firefox-51.0a1 (asan) CRASHES <---
* firefox-51.0a1 (regular) NO CRASH
* firefox-50.0a2 (asan) - NO CRASH
* firefox-50.0a2 (regular) - NO CRASH
* firefox-49.0 (asan) - NO CRASH
* firefox-49.0 (regular) - NO CRASH

I'm not sure if this is an actual issue, or an issue with the m-c asan build. I attempted to build asan myself on Ubuntu 16.04.1 LTS and couldn't reproduce the issue. But whenever I download the latest version of m-c asan [1] [2], I run into this crash.

[1] https://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64-asan/1470837316/
[2] https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-central.latest.firefox/gecko.v2.mozilla-central.latest.firefox.linux64-asan

STR:

* launch the latest version of m-c asan (used Ubuntu 16.04.1 LTS VM)
* create a new container via "File -> New Container Tab"
* load a website within the container tab and tear it off into its own separate window

Every tab that's currently opened will crash and asan will produce the following stack:

ASAN:DEADLYSIGNAL
=================================================================
==7497==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fbd5051ea17 bp 0x7ffe9486af40 sp 0x7ffe9486ac80 T0)
    #0 0x7fbd5051ea16 in mozilla::dom::TabChild::RecvSwappedWithOtherRemoteLoader(mozilla::dom::IPCTabContext const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/ipc/TabChild.cpp:2377:5
    #1 0x7fbd5051eaac in non-virtual thunk to mozilla::dom::TabChild::RecvSwappedWithOtherRemoteLoader(mozilla::dom::IPCTabContext const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/ipc/TabChild.cpp:2349:11
    #2 0x7fbd4b8da258 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:4845:20
    #3 0x7fbd4ba5bedc in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:7438:16
    #4 0x7fbd4b1385a7 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1662:14
    #5 0x7fbd4b1353e6 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1600:17
    #6 0x7fbd4b1231b7 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1567:5
    #7 0x7fbd4b152ad2 in applyImpl<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:729:12
    #8 0x7fbd4b152ad2 in apply<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:735
    #9 0x7fbd4b152ad2 in mozilla::detail::RunnableMethodImpl<bool (mozilla::ipc::MessageChannel::*)(), false, true>::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:764
    #10 0x7fbd4b1520bf in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/ipc/MessageChannel.h:546:22
    #11 0x7fbd4b1520bf in mozilla::ipc::MessageChannel::DequeueTask::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/ipc/MessageChannel.h:565
    #12 0x7fbd4a3a32d6 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:1058:7
    #13 0x7fbd4a42126c in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290:10
    #14 0x7fbd4b13f90f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:96:21
    #15 0x7fbd4b0b4818 in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #16 0x7fbd4b0b4818 in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:225
    #17 0x7fbd4b0b4818 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:205
    #18 0x7fbd50bf678f in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:156:3
    #19 0x7fbd52ca4c07 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:846:12
    #20 0x7fbd4b0b4818 in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #21 0x7fbd4b0b4818 in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:225
    #22 0x7fbd4b0b4818 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:205
    #23 0x7fbd52ca42a3 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:676:7
    #24 0x4dfb2b in content_process_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:197:19
    #25 0x4dfb2b in main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:357
    #26 0x7fbd6583c82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #27 0x41ba08 in _start (/home/kjozwiak/Downloads/firefox/firefox-bin+0x41ba08)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/ipc/TabChild.cpp:2377:5 in mozilla::dom::TabChild::RecvSwappedWithOtherRemoteLoader(mozilla::dom::IPCTabContext const&)
==7497==ABORTING
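Added example, not part of the original report and not Mozilla tooling: a small Python parser that reduces an ASan report like the one in comment 0 to a signature (error kind, near-null or wild address, top frame, source file) that can be compared against an already-filed crash when checking for duplicates. The `/build/src/` prefix stripping, the 4096-byte null-page threshold and the function names are assumptions of this sketch; `REPORT` is an excerpt of the report above.

```python
import re

# Excerpt of the ASan report from comment 0: header line plus the first three frames.
REPORT = """\
==7497==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fbd5051ea17 bp 0x7ffe9486af40 sp 0x7ffe9486ac80 T0)
    #0 0x7fbd5051ea16 in mozilla::dom::TabChild::RecvSwappedWithOtherRemoteLoader(mozilla::dom::IPCTabContext const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/ipc/TabChild.cpp:2377:5
    #1 0x7fbd5051eaac in non-virtual thunk to mozilla::dom::TabChild::RecvSwappedWithOtherRemoteLoader(mozilla::dom::IPCTabContext const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/ipc/TabChild.cpp:2349:11
    #2 0x7fbd4b8da258 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:4845:20
"""

HEADER = re.compile(r"==(\d+)==ERROR: AddressSanitizer: (\S+) on unknown address (0x[0-9a-f]+)")
# Function names may contain spaces, so the location is the last token on the line.
FRAME = re.compile(r"^\s*#(\d+) (0x[0-9a-f]+) in (.+) (\S+)$")
LOCATION = re.compile(r"^(.*?):(\d+)(?::(\d+))?$")


def parse_report(text):
    """Return the error kind, faulting address and symbolized frames."""
    header = HEADER.search(text)
    if header is None:
        raise ValueError("no AddressSanitizer error header found")
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line)
        if not m:
            continue
        loc = LOCATION.match(m.group(4))
        path = loc.group(1) if loc else m.group(4)
        frames.append({
            "index": int(m.group(1)),
            "function": m.group(3),
            # Assumption: drop the builder-specific prefix so paths compare across builds.
            "file": path.split("/build/src/", 1)[-1],
            "line": int(loc.group(2)) if loc else None,
        })
    return {"kind": header.group(2), "address": int(header.group(3), 16), "frames": frames}


def signature(report, page_size=4096):
    """Dedup key: error kind, near-null flag, top frame without its argument list."""
    top = report["frames"][0]
    # Naive cut at the first '('; enough for plain method names like the one here.
    name = top["function"].split("(", 1)[0]
    near_null = report["address"] < page_size
    return (report["kind"], "near-null" if near_null else "wild", name, top["file"])
```

Line numbers are left out of the signature on purpose, since they shift between builds while the function and file usually do not.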
Are you able to reproduce it in nightly? This seems to be old code...
Flags: needinfo?(kjozwiak)
(In reply to Kamil Jozwiak [:kjozwiak] from comment #0)
> But whenever I download the latest version of m-c asan
> [1] [2], I run into this crash.
>
> [1] https://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64-asan/1470837316/

That shows last-modified times from August 10th, and 1470837316 is Unix time for Wed Aug 10 13:55:16 2016 (UTC).

> [2] https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-central.latest.firefox/gecko.v2.mozilla-central.latest.firefox.linux64-asan

The artifacts linked there show a build ID of 20160809064620 which would also be a month old.

This could be a duplicate of bug 1294237, but I wonder why that TC “latest” link goes to a month-old build.

> This could be a duplicate of bug 1294237, but I wonder why that TC “latest”
> link goes to a month-old build.

That's what I'm trying to figure out as well. For some reason, I can't find a reliable up-to-date source that has the latest m-c asan builds :/
Flags: needinfo?(kjozwiak)
As Jed mentioned in comment#2, I'm pretty sure this is a duplicate of bug#1294237. It looks like I was using asan builds that are a month old. Using the latest m-c source [1], I created an asan build and couldn't reproduce the crash.

Jed, should I create a new bug regarding the TC “latest” link pointing to an older asan build? Perhaps m-c asan builds are broken?

[1] changeset used: 938ce16be25f tip
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jld)
Resolution: --- → DUPLICATE
Yes, please file a bug against TaskCluster. Even if it turns out to be just confusing UX or a bad link somewhere, they should know about it.
Flags: needinfo?(jld)
(In reply to Jed Davis [:jld] {⏰UTC-6} from comment #5)
> Yes, please file a bug against TaskCluster. Even if it turns out to be just
> confusing UX or a bad link somewhere, they should know about it.

Thanks Jed, created bug#1301747.