Closed Bug 1445485 Opened 2 years ago Closed 2 years ago

IPC: Assertion failure: parentBuildID == childBuildID [@mozilla::ipc::CheckChildProcessBuildID]

Categories: Core :: IPC, defect, critical

Tracking: RESOLVED WONTFIX
Tracking Status: firefox61 --- affected

People: Reporter: posidron, Unassigned

References: Blocks 1 open bug

Details: Keywords: crash

Attachments: 1 file

Attached file session.txt
Assertion failure: parentBuildID == childBuildID, at /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1046


==726==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4db4df1fa2 bp 0x7f4da618be40 sp 0x7f4da618bd00 T10)
==726==The signal is caused by a WRITE memory access.
==726==Hint: address points to the zero page.
    #0 0x7f4db4df1fa1 in mozilla::ipc::CheckChildProcessBuildID(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1046:5
    #1 0x7f4db4df0fb7 in mozilla::ipc::MessageChannel::MaybeInterceptSpecialIOMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1072:13
    #2 0x7f4db4df24ba in mozilla::ipc::MessageChannel::OnMessageReceivedFromLink(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1139:9
    #3 0x7f4db4e065cc in OnMessageReceived /builds/worker/workspace/build/src/ipc/glue/MessageLink.cpp:285:12
    #4 0x7f4db4e065cc in non-virtual thunk to mozilla::ipc::ProcessLink::OnMessageReceived(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageLink.cpp
    #5 0x7f4db4d83545 in IPC::Channel::ChannelImpl::ProcessIncomingMessages() /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc:559:20
    #6 0x7f4db4d84bb6 in IPC::Channel::ChannelImpl::OnFileCanReadWithoutBlocking(int) /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc:800:10
    #7 0x7f4db4da7a97 in event_persist_closure /builds/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c:1580:9
    #8 0x7f4db4da7a97 in event_process_active_single_queue /builds/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c:1639
    #9 0x7f4db4d9f995 in event_process_active /builds/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c
    #10 0x7f4db4d9f995 in event_base_loop /builds/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c:1961
    #11 0x7f4db4d5e0d3 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_libevent.cc:373:7
    #12 0x7f4db4d58329 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #13 0x7f4db4d58329 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #14 0x7f4db4d58329 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #15 0x7f4db4d7788f in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
    #16 0x7f4db4d692fc in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:13
    #17 0x7f4dd3e386b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #18 0x7f4dd2ec13dc in clone /build/glibc-bfm8X4/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1046:5 in mozilla::ipc::CheckChildProcessBuildID(IPC::Message const&)
Thread T10 (Gecko_IOThread) created by T0 here:
    #0 0x4b065d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7f4db4d66c5f in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135:14
    #2 0x7f4db4d66c5f in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:146
    #3 0x7f4db4d7722f in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8
    #4 0x7f4db3fafb06 in NS_InitXPCOM2 /builds/worker/workspace/build/src/xpcom/build/XPCOMInit.cpp:518:9
    #5 0x7f4dbf74384d in Initialize /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:1569:8
    #6 0x7f4dbf74384d in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4838
    #7 0x7f4dbf744ca4 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4934:21
    #8 0x4f6d45 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
    #9 0x4f6d45 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304
    #10 0x7f4dd2dda82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

==726==ABORTING
That assertion is for detecting when the child process is running a different version of the executable than the parent, which can happen in some edge cases around updates.  It's not security-sensitive as far as I know.  But I'm not sure why it's showing up here, because I don't see anything in the log about the fuzzer changing that value.
Group: core-security → dom-core-security
MessageChannel::SendBuildID() is sent outside of IPDL, so I'm not surprised it didn't show up in the log. We could add some log message for it, I guess. I don't know how mutating a bool would happen when sending an nsCString, though.

It is also surprising that this isn't showing up as a release assert. I guess debug builds just don't indicate that. Maybe in a fuzzing build we want asserts to show up differently than release asserts in order to allow the fuzzer harness to be able to tell the difference.
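A small triage helper for the point raised in the comment above (telling a deliberate assertion abort apart from a genuine memory error in ASan output). It is added here and is not part of this bug or of Mozilla's code; it assumes the convention visible in this report, where a failed assertion stops the process with a null write that ASan reports as a SEGV WRITE on the zero page at the same file:line as the "Assertion failure:" line. Both sample reports are constructed (the first trimmed from the trace above, the second with a hypothetical function and path).

```python
import re

# Constructed sample 1: the assertion abort from this bug (trace trimmed to frame #1).
SAMPLE_ASSERT = """\
Assertion failure: parentBuildID == childBuildID, at /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1046
==726==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4db4df1fa2 bp 0x7f4da618be40 sp 0x7f4da618bd00 T10)
==726==The signal is caused by a WRITE memory access.
==726==Hint: address points to the zero page.
    #0 0x7f4db4df1fa1 in mozilla::ipc::CheckChildProcessBuildID(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1046:5
    #1 0x7f4db4df0fb7 in mozilla::ipc::MessageChannel::MaybeInterceptSpecialIOMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1072:13
"""
# Constructed sample 2: a genuine memory error (hypothetical function and path).
SAMPLE_OVERFLOW = """\
==1234==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000010 at pc 0x401234 bp 0x7ffd0 sp 0x7ffc8
WRITE of size 1 at 0x602000000010 thread T0
    #0 0x401233 in CopyPayload /tmp/example.cc:12:5
"""

ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (?P<what>.+?)\s*$", re.M)
ASSERT_RE = re.compile(r"^Assertion failure: (?P<cond>.+), at (?P<file>[^\s:]+):(?P<line>\d+)\s*$", re.M)
NULL_WRITE_RE = re.compile(r"^==\d+==The signal is caused by a WRITE memory access\.\s*$", re.M)
FRAME0_RE = re.compile(r"^\s*#0 0x[0-9a-f]+ in (?P<func>.+) (?P<file>[^\s:]+):(?P<line>\d+)(?::\d+)?\s*$", re.M)

def classify(report):
    """Return a dict whose 'kind' is 'no-error', 'deliberate-abort' or 'memory-error'.
    A deliberate abort is recognised when the ASan error is a WRITE to address 0 and
    frame #0 sits at the same file:line as a preceding 'Assertion failure:' line, i.e.
    the null write the assertion macro uses to stop the process (an assumption of this
    helper, matching the report in this bug)."""
    error = ERROR_RE.search(report)
    if error is None:
        return {"kind": "no-error"}
    assertion = ASSERT_RE.search(report)
    frame0 = FRAME0_RE.search(report)
    null_write = (error.group("what").startswith("SEGV on unknown address 0x000000000000")
                  and NULL_WRITE_RE.search(report) is not None)
    if (assertion and frame0 and null_write
            and (frame0.group("file"), frame0.group("line"))
            == (assertion.group("file"), assertion.group("line"))):
        return {"kind": "deliberate-abort", "condition": assertion.group("cond"),
                "location": f"{assertion.group('file')}:{assertion.group('line')}",
                "function": frame0.group("func")}
    return {"kind": "memory-error", "error": error.group("what").split(" on address")[0],
            "function": frame0.group("func") if frame0 else None}

if __name__ == "__main__":
    for name, report in (("assert", SAMPLE_ASSERT), ("overflow", SAMPLE_OVERFLOW)):
        print(name, classify(report))
```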
Group: dom-core-security
See Also: → 1446099
This is working as intended.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX