1445467 - IPC: Assertion failure: mValid [@mozilla::ipc::Endpoint]

Status: RESOLVED INCOMPLETE

(Core :: IPC, defect, P3)

Description

[Christoph Diehl [:posidron]]

The following crash occurs consistently on mozilla-central. Last tested revision is 20170805-933a04a91ce3.

INFO: This is an IPC crash found by the fuzzer faulty - there is no test-case available which leads to an immediate crash for reproduction.

The attached session.txt contains a trace of IPC messages which were sent and received during a session of visiting  https://html5test.com

Possible reproduction scenario:

pip install git+https://github.com/mozillasecurity/fuzzfetch
fuzzfetch -a --fuzzing -n firefox -o /tmp

export FAULTY_PROBABILITY=50000
export FAULTY_LARGE_VALUES=1
export FAULTY_PARENT=1
export FAULTY_ENABLE_LOGGING=1
export FAULTY_PICKLE=1
export MOZ_IPC_MESSAGE_LOG=1



Assertion failure: mValid, at /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/ProtocolUtils.h:665


=================================================================
==12207==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fea9a45439e bp 0x7fea786f9e50 sp 0x7fea786f9d80 T42)
==12207==The signal is caused by a WRITE memory access.
==12207==Hint: address points to the zero page.
    #0 0x7fea9a45439d in reset /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:341:11
    #1 0x7fea9a45439d in ~UniquePtr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:288
    #2 0x7fea9a45439d in mozilla::ipc::Endpoint<mozilla::ipc::PBackgroundParent>::Bind(mozilla::ipc::PBackgroundParent*) /builds/worker/workspace/build/src/ipc/glue/ProtocolUtils.h:679
    #3 0x7fea9a45372a in (anonymous namespace)::ParentImpl::ConnectActorRunnable::Run() /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1293:17
    #4 0x7fea995ab9a6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
    #5 0x7fea995c6f40 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #6 0x7fea9a47ee0c in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:364:5
    #7 0x7fea9a3cc539 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #8 0x7fea9a3cc539 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #9 0x7fea9a3cc539 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #10 0x7fea995a6609 in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:423:11
    #11 0x7feab781647e in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #12 0x7feabae787fb in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x77fb)
    #13 0x7feab9ea6b5e in clone /build/glibc-itYbWN/glibc-2.26/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:341:11 in reset
Thread T42 (IPDL Background) created by T0 here:
    #0 0x4b065d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7feab78131cf in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:433:14
    #2 0x7feab7812dbe in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:518:12
    #3 0x7fea995a8403 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:594:8
    #4 0x7fea995b14fa in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:471:22
    #5 0x7fea995c4fb4 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:143:45
    #6 0x7fea9a4503d7 in NS_NewNamedThread<16> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:72:10
    #7 0x7fea9a4503d7 in (anonymous namespace)::ParentImpl::CreateBackgroundThread() /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1015
    #8 0x7fea9a42dbc0 in CreateActorForSameProcess /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:925:32
    #9 0x7fea9a42dbc0 in GetOrCreateForCurrentThread /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1479
    #10 0x7fea9a42dbc0 in mozilla::ipc::BackgroundChild::GetOrCreateForCurrentThread() /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:721
    #11 0x7fea9f577a20 in mozilla::dom::ClientManager::ClientManager() /builds/worker/workspace/build/src/dom/clients/manager/ClientManager.cpp:37:35
    #12 0x7fea9f579dc0 in mozilla::dom::ClientManager::GetOrCreateForCurrentThread() /builds/worker/workspace/build/src/dom/clients/manager/ClientManager.cpp:188:14
    #13 0x7fea9f56e491 in mozilla::dom::ClientManager::CreateSource(mozilla::dom::ClientType, nsISerialEventTarget*, nsIPrincipal*) /builds/worker/workspace/build/src/dom/clients/manager/ClientManager.cpp:237:31
    #14 0x7feaa4d1d6e0 in nsDocShell::MaybeCreateInitialClientSource(nsIPrincipal*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:2845:5
    #15 0x7feaa4d5bbac in nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal*, nsIURI*, bool, bool) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7781:5
    #16 0x7feaa4dde8ac in nsWebShellWindow::Initialize(nsIXULWindow*, nsIXULWindow*, nsIURI*, int, int, bool, nsITabParent*, mozIDOMWindowProxy*, nsWidgetInitData&) /builds/worker/workspace/build/src/xpfe/appshell/nsWebShellWindow.cpp:238:21
    #17 0x7feaa4dd9111 in nsAppShellService::JustCreateTopWindow(nsIXULWindow*, nsIURI*, unsigned int, int, int, bool, nsITabParent*, mozIDOMWindowProxy*, nsWebShellWindow**) /builds/worker/workspace/build/src/xpfe/appshell/nsAppShellService.cpp:736:25
    #18 0x7feaa4dd8490 in nsAppShellService::CreateHiddenWindowHelper(bool) /builds/worker/workspace/build/src/xpfe/appshell/nsAppShellService.cpp:140:8
    #19 0x7feaa55c293b in nsAppStartup::CreateHiddenWindow() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:252:27
    #20 0x7feaa57d677f in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4592:22
    #21 0x7feaa57d940c in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4826:8
    #22 0x7feaa57da854 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4918:21
    #23 0x4f6d45 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
    #24 0x4f6d45 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304
    #25 0x7feab9db31c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308

==12207==ABORTING

Comment 1

[Andrew McCreight [:mccr8]]

Christoph, is there a log for this? I didn't see one attached.

Comment 2

[Christoph Diehl [:posidron]]

Attachment: session.txt

Uh, thought it had one attached. It is now. Thanks!

Comment 3

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

[Faulty] pickle field {bool} of value: 1 changed to: 0
[time: 1520500041606278][2000->1673] [PContentChild] Sending  PContent::Msg_InitBackground

InitBackground contains only an Endpoint, so this boolean is probably the mValid field, which would explain the assertion failure.  This raises the question of whether mValid really needs to be sent.  It also explains this error:

[Parent 1673, Main Thread] WARNING: FileDescriptorSet destroyed with unconsumed descriptors: file /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/file_descriptor_set_posix.cc, line 22

because an invalid Endpoint is just the false boolean, so ParamTraits<Endpoint<_>>::Read never consumes the mTransport fd.


I don't think this is security-sensitive — the mValid check is a release assertion.

Comment 4

[Nika Layzell [:nika] (ni? for response)]

We have new IPC fuzzing now and aren't handling the old one. Let's handle this if we find this issue with the new IPC fuzzing approach, and close the bug for now.