Closed Bug 1322307 Opened 8 years ago Closed 6 years ago

Stack overflow in UnbindFromTree

Categories

(Core :: DOM: Core & HTML, defect, P3)

x86_64
Linux
defect

Tracking


RESOLVED DUPLICATE of bug 485941
Tracking Status
firefox-esr45 --- affected
firefox50 --- affected
firefox-esr52 --- affected
firefox53 --- affected
firefox54 --- affected
firefox55 --- affected
firefox56 --- affected
firefox57 --- affected
firefox58 --- affected
firefox59 --- affected
firefox60 --- affected
firefox61 --- affected
firefox62 --- affected
firefox63 --- affected
firefox64 --- affected

People

(Reporter: geeknik, Unassigned)

References

Details

(6 keywords, Whiteboard: [sg:dos])

Crash Data

Attachments

(2 files)

Attached file testcase.html
Triggered while fuzzing ASAN Nightly build 20161205143333. The attached testcase triggers the crash after 20-40 seconds, lots of available memory at the time of crash. Not sure if it is related to Bug 1321540.

###!!! [Child][MessageChannel] Error: (msgtype=0xE40003,name=PTexture::Msg_Destroy) Channel error: cannot send/recv
###!!! [Child][MessageChannel] Error: (msgtype=0xE40003,name=PTexture::Msg_Destroy) Channel error: cannot send/recv
###!!! [Child][MessageChannel] Error: (msgtype=0x3E0003,name=PCompositable::Msg_Destroy) Channel error: cannot send/recv
###!!! [Child][MessageChannel] Error: (msgtype=0xE40003,name=PTexture::Msg_Destroy) Channel error: cannot send/recv
###!!! [Child][MessageChannel] Error: (msgtype=0xE40003,name=PTexture::Msg_Destroy) Channel error: cannot send/recv
###!!! [Child][MessageChannel] Error: (msgtype=0x3E0003,name=PCompositable::Msg_Destroy) Channel error: cannot send/recv
ASAN:DEADLYSIGNAL
=================================================================
###!!! [Child][MessageChannel] Error: (msgtype=0x3E0003,name=PCompositable::Msg_Destroy) Channel error: cannot send/recv
###!!! [Child][MessageChannel] Error: (msgtype=0x3E0003,name=PCompositable::Msg_Destroy) Channel error: cannot send/recv
###!!! [Child][MessageChannel] Error: (msgtype=0xE40003,name=PTexture::Msg_Destroy) Channel error: cannot send/recv
###!!! [Child][MessageChannel] Error: (msgtype=0xE40003,name=PTexture::Msg_Destroy) Channel error: cannot send/recv
###!!! [Child][MessageChannel] Error: (msgtype=0x3E0003,name=PCompositable::Msg_Destroy) Channel error: cannot send/recv
Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: Receive IPC close with reason=AbnormalShutdown (t=8.69231)
==33778==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f33e087f496 bp 0x7f33dccfc610 sp 0x7f33dccfc600 T2)
    #0 0x7f33e087f495 in mozilla::ipc::MessageChannel::OnChannelErrorFromLink() /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2155:13
    #1 0x7f33e08846d3 in OnChannelError /home/worker/workspace/build/src/ipc/glue/MessageLink.cpp:367:5
    #2 0x7f33e08846d3 in non-virtual thunk to mozilla::ipc::ProcessLink::OnChannelError() /home/worker/workspace/build/src/ipc/glue/MessageLink.cpp:359
    #3 0x7f33e083982b in event_process_active_single_queue /home/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c:1350:4
    #4 0x7f33e083982b in event_process_active /home/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c:1420
    #5 0x7f33e083982b in event_base_loop /home/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c:1621
    #6 0x7f33e07f8b91 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/chromium/src/base/message_pump_libevent.cc:372:7
    #7 0x7f33e07f2ff8 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #8 0x7f33e07f2ff8 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
    #9 0x7f33e07f2ff8 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
    #10 0x7f33e08131e1 in base::Thread::ThreadMain() /home/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:180:3
    #11 0x7f33e0813d3c in ThreadFunc(void*) /home/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:3
    #12 0x7f33fa3170a3 in start_thread /build/glibc-daoqzt/glibc-2.19/nptl/pthread_create.c:309
    #13 0x7f33f941e62c in clone /build/glibc-daoqzt/glibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2155:13 in mozilla::ipc::MessageChannel::OnChannelErrorFromLink()
Thread T2 (Chrome_ChildThr) created by T0 (Web Content) here:
    #0 0x49a869 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:238:3
    #1 0x7f33e0812dfb in CreateThread /home/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:137:14
    #2 0x7f33e0812dfb in Create /home/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:148
    #3 0x7f33e0812dfb in base::Thread::StartWithOptions(base::Thread::Options const&) /home/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:98
    #4 0x7f33e0886957 in mozilla::ipc::ProcessChild::ProcessChild(int) /home/worker/workspace/build/src/ipc/glue/ProcessChild.cpp:24:5
    #5 0x7f33e8034309 in ContentProcess /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/ContentProcess.h:31:7
    #6 0x7f33e8034309 in XRE_InitChildProcess /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:660
    #7 0x4dfb5b in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:115:19
    #8 0x4dfb5b in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:438
    #9 0x7f33f9357b44 in __libc_start_main /build/glibc-daoqzt/glibc-2.19/csu/libc-start.c:287
==33778==ABORTING

real 0m23.348s
user 0m16.516s
sys 0m4.372s
Hmm, is there another SUMMARY in there? The signature doesn't really make any sense. It looks like maybe a process is intentionally crashing when the other process closed the pipe or something. When I ran the test, I got this crash: bp-4fbede25-4f9a-4466-a895-7fb3b2161207 which does not have a useful stack. But the top frame is in DOM, which makes a little more sense. It also crashes almost immediately for me.
Component: IPC → DOM
Attached file 1322307-stack.txt
Running the same test case in Firefox 50.0 (Build ID 20161104212021) on a Windows 10 machine triggers an immediate stack overflow in mozilla::dom::Element::UnbindFromTree:

(ff4.1108): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=5e3be520 ebx=00000000 ecx=256fab00 edx=00000001 esi=00000001 edi=256faab0
eip=5c718053 esp=00802ff4 ebp=00000000 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
xul!mozilla::dom::Element::UnbindFromTree+0x3:
5c718053 53              push    ebx

!analyze shows the failure is in nsINode::doRemoveChildAt:

FAULTING_IP:
xul!nsINode::doRemoveChildAt+6a [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\dom\base\nsinode.cpp @ 1910]
5c805677 8d4df8          lea     ecx,[ebp-8]

BUCKET_ID:  STACK_OVERFLOW_xul!nsINode::doRemoveChildAt+6a

PRIMARY_PROBLEM_CLASS:  STACK_OVERFLOW_xul!nsINode::doRemoveChildAt+6a
Group: core-security → dom-core-security
Flags: sec-bounty?
Keywords: testcase
See Also: → 1321540
Summary: ASAN: null pointer dereference and segfault in mozilla::ipc::MessageChannel::OnChannelErrorFromLink (MessageChannel.cpp:2155) → Stack overflow in UnbindFromTree
Group: dom-core-security
Whiteboard: [sg:dos]
Priority: -- → P3
Flags: sec-bounty? → sec-bounty-
See Also: → 1337712
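The Windows stack above shows UnbindFromTree recursing through nsINode::doRemoveChildAt until the thread stack is exhausted: each nesting level of the document costs one more stack frame during teardown, so a sufficiently deep tree is enough to crash the content process. The C program below is an added example, not Gecko code; its Node type, the build/unbind functions and the depth values are all hypothetical. It contrasts a recursive unbind, which consumes thread stack per nesting level, with an explicit-stack iterative walk that handles a million nesting levels without recursion, the usual mitigation for this class of resource-exhaustion crash.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical minimal DOM-like node (not Gecko's nsINode): a tree with
   first-child / next-sibling links and a "bound to the tree" flag. */
typedef struct Node {
    struct Node *first_child;
    struct Node *next_sibling;
    int bound;
} Node;

static Node *node_new(void) {
    Node *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->bound = 1;
    return n;
}

/* Build `depth` nested single-child nodes under a root, the shape deeply
   nested markup produces. Returns the root (depth + 1 nodes in total). */
Node *build_nested_chain(size_t depth) {
    Node *root = node_new(), *cur = root;
    for (size_t i = 0; i < depth; i++) {
        Node *child = node_new();
        child->next_sibling = cur->first_child;
        cur->first_child = child;
        cur = child;
    }
    return root;
}

/* Recursive unbind, the pattern the stack trace shows: each level recurses
   into its children before returning, so thread-stack usage grows linearly
   with nesting depth. Returns the number of nodes unbound. */
size_t unbind_recursive(Node *n) {
    size_t count = 1;
    n->bound = 0;
    for (Node *c = n->first_child; c; c = c->next_sibling)
        count += unbind_recursive(c);
    return count;
}

/* Iterative pre-order walk with an explicit heap-allocated stack. Children
   are pushed before `fn` runs, so `fn` may even free the node it is given. */
static void for_each_node(Node *root, void (*fn)(Node *, void *), void *ctx) {
    size_t cap = 64, len = 0;
    Node **stack = malloc(cap * sizeof *stack);
    if (!stack) abort();
    stack[len++] = root;
    while (len) {
        Node *n = stack[--len];
        for (Node *c = n->first_child; c; c = c->next_sibling) {
            if (len == cap) {
                cap *= 2;
                Node **grown = realloc(stack, cap * sizeof *stack);
                if (!grown) abort();
                stack = grown;
            }
            stack[len++] = c;
        }
        fn(n, ctx);
    }
    free(stack);
}

static void unbind_cb(Node *n, void *ctx) { n->bound = 0; ++*(size_t *)ctx; }
static void count_bound_cb(Node *n, void *ctx) { if (n->bound) ++*(size_t *)ctx; }
static void free_cb(Node *n, void *ctx) { (void)ctx; free(n); }

/* Mitigation: unbind without recursion, so nesting depth never touches the
   thread stack. Returns the number of nodes unbound. */
size_t unbind_iterative(Node *root) {
    size_t count = 0;
    for_each_node(root, unbind_cb, &count);
    return count;
}

/* Number of nodes still marked bound (0 after a complete unbind). */
size_t count_bound(Node *root) {
    size_t count = 0;
    for_each_node(root, count_bound_cb, &count);
    return count;
}

void tree_free(Node *root) { for_each_node(root, free_cb, NULL); }

/* Build a chain of `depth`, unbind it iteratively, verify nothing is left
   bound, free it. Returns depth + 1, or 0 if a node was missed. */
size_t demo_iterative(size_t depth) {
    Node *root = build_nested_chain(depth);
    size_t n = unbind_iterative(root);
    size_t left = count_bound(root);
    tree_free(root);
    return left == 0 ? n : 0;
}

/* Same check with the recursive unbind; only safe at modest depths. */
size_t demo_recursive(size_t depth) {
    Node *root = build_nested_chain(depth);
    size_t n = unbind_recursive(root);
    size_t left = count_bound(root);
    tree_free(root);
    return left == 0 ? n : 0;
}

int main(void) {
    /* One million levels is fine iteratively; the recursive version would
       need tens of MB of stack for the same tree, past a typical 8 MB
       thread stack, which is the failure the bug reports. */
    printf("iterative: %zu nodes unbound\n", demo_iterative(1000000));
    printf("recursive (shallow): %zu nodes unbound\n", demo_recursive(1000));
    return 0;
}
```

Build with `cc -O2 -o unbind unbind.c` and run it; the recursive path is deliberately exercised only at a shallow depth. The iterative walk keeps its work list on the heap, where growth is bounded by available memory and checked at every push, instead of on the fixed-size thread stack where exhaustion is a hard crash.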
Despite my testing 45.9 on Windows 10 and not seeing the crash, it has been brought to my attention (1) that this does indeed crash 45.9 on Debian 8.8.

1. https://twitter.com/z00kov/status/864718718559031296
Just tried the testcase and it still crashes the tab, here is my crash report: https://crash-stats.mozilla.com/report/index/94d0f423-5394-418e-858b-ea7730180914 Andrew, should this bug be reprioritized since it's still crashing and we have STR? Thanks
Crash Signature: [@ mozilla::dom::Element::UnbindFromTree]
Flags: needinfo?(continuation)
(In reply to Pascal Chevrel:pascalc from comment #5)
> Andrew, should this bug be reprioritized since it's still crashing and we
> have STR? Thanks

Resource exhaustion crashes are difficult to fix and this one is rarely seen in the wild. This is probably a dupe of bug 485941.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(continuation)
Resolution: --- → DUPLICATE
Component: DOM → DOM: Core & HTML
