Closed Bug 1447425 Opened 7 years ago Closed 4 years ago

IPC: crash [@set / @mozilla::jsipc::WrapperOwner::fromRemoteObjectVariant]

Categories

(Core :: JavaScript: GC, defect, P3)

RESOLVED WORKSFORME
Tracking Status
firefox61 --- affected

People

(Reporter: posidron, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Attachments

(1 file)

Attached file session.txt
==17224==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f64f6852449 bp 0x7ffc4645eeb0 sp 0x7ffc4645ebe0 T0)
==17224==The signal is caused by a WRITE memory access.
==17224==Hint: address points to the zero page.
    #0 0x7f64f6852448 in set /builds/worker/workspace/build/src/obj-firefox/dist/include/js/RootingAPI.h:988:13
    #1 0x7f64f6852448 in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/js/RootingAPI.h:993
    #2 0x7f64f6852448 in mozilla::jsipc::WrapperOwner::fromRemoteObjectVariant(JSContext*, mozilla::jsipc::RemoteObject const&) /builds/worker/workspace/build/src/js/ipc/WrapperOwner.cpp:1196
    #3 0x7f64f68512c5 in mozilla::jsipc::WrapperOwner::fromObjectVariant(JSContext*, mozilla::jsipc::ObjectVariant const&) /builds/worker/workspace/build/src/js/ipc/WrapperOwner.cpp:1175:16
    #4 0x7f64f6824c35 in mozilla::jsipc::JavaScriptShared::fromVariant(JSContext*, mozilla::jsipc::JSVariant const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/ipc/JavaScriptShared.cpp:319:27
    #5 0x7f64f682878d in mozilla::jsipc::JavaScriptShared::Unwrap(JSContext*, nsTArray<mozilla::jsipc::CpowEntry> const&, JS::MutableHandle<JSObject*>) /builds/worker/workspace/build/src/js/ipc/JavaScriptShared.cpp:730:14
    #6 0x7f64f68280fe in mozilla::jsipc::CrossProcessCpowHolder::~CrossProcessCpowHolder() /builds/worker/workspace/build/src/js/ipc/JavaScriptShared.cpp:697:14
    #7 0x7f64fc5b8695 in mozilla::dom::TabParent::RecvAsyncMessage(nsTString<char16_t> const&, nsTArray<mozilla::jsipc::CpowEntry>&&, IPC::Principal const&, mozilla::dom::ClonedMessageData const&) /builds/worker/workspace/build/src/dom/ipc/TabParent.cpp:1722:1
    #8 0x7f64f6732b50 in mozilla::dom::PBrowserParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBrowserParent.cpp:1794:20
    #9 0x7f64f61380a6 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentParent.cpp:3319:28
    #10 0x7f64f5fa1e0e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2135:25
    #11 0x7f64f5f9ed91 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2065:17
    #12 0x7f64f5fa058c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1911:5
    #13 0x7f64f5fa0be8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1944:15
    #14 0x7f64f50cb9d8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
    #15 0x7f64f50e7d40 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #16 0x7f64f5fa998a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #17 0x7f64f5ef81a9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #18 0x7f64f5ef81a9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #19 0x7f64f5ef81a9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #20 0x7f64fccb120a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #21 0x7f6500fc241b in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:290:30
    #22 0x7f65011ce8cc in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4766:22
    #23 0x7f65011d1a06 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4911:8
    #24 0x7f65011d2ec4 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:5003:21
    #25 0x4f6d45 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
    #26 0x4f6d45 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304
    #27 0x7f651572d1c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
    #28 0x4265bc in _start (/home/worker/firefox/firefox+0x4265bc)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/js/RootingAPI.h:988:13 in set
==17224==ABORTING
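A small triage script for reports of this shape, added here as an example; it is not part of this bug, the fuzzing harness or the Firefox tree. It embeds the head of the attached session.txt as constructed sample input, parses the fault address, access kind and stack frames, and picks out the first frame outside the generic RootingAPI.h helpers, which is where the handle being written came from. The helper-file list, the "crashing frame / first project frame" signature format and the rule that any fault on the zero page is a null-pointer dereference are this script's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the head of the report attached to this bug (session.txt),
# one frame per line, with the middle of the stack elided.
ASAN_REPORT = """\
==17224==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f64f6852449 bp 0x7ffc4645eeb0 sp 0x7ffc4645ebe0 T0)
==17224==The signal is caused by a WRITE memory access.
==17224==Hint: address points to the zero page.
    #0 0x7f64f6852448 in set /builds/worker/workspace/build/src/obj-firefox/dist/include/js/RootingAPI.h:988:13
    #1 0x7f64f6852448 in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/js/RootingAPI.h:993
    #2 0x7f64f6852448 in mozilla::jsipc::WrapperOwner::fromRemoteObjectVariant(JSContext*, mozilla::jsipc::RemoteObject const&) /builds/worker/workspace/build/src/js/ipc/WrapperOwner.cpp:1196
    #3 0x7f64f68512c5 in mozilla::jsipc::WrapperOwner::fromObjectVariant(JSContext*, mozilla::jsipc::ObjectVariant const&) /builds/worker/workspace/build/src/js/ipc/WrapperOwner.cpp:1175:16
    #4 0x7f64f6824c35 in mozilla::jsipc::JavaScriptShared::fromVariant(JSContext*, mozilla::jsipc::JSVariant const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/ipc/JavaScriptShared.cpp:319:27
    #28 0x4265bc in _start (/home/worker/firefox/firefox+0x4265bc)
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/js/RootingAPI.h:988:13 in set
==17224==ABORTING
"""

HEADER_RE = re.compile(r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>\S+) on unknown address 0x(?P<addr>[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
# "#N 0xPC in <function> <location>". The function may contain spaces (C++ parameter
# lists), so the location is the first token starting with "/" (source path) or "(" (module+offset).
FRAME_RE = re.compile(r"#(?P<idx>\d+) 0x(?P<pc>[0-9a-fA-F]+) in (?P<func>.+?) (?P<loc>[/(]\S+)")
LOC_RE = re.compile(r"^(?P<file>.+?):(?P<line>\d+)(?::(?P<col>\d+))?$")


@dataclass
class Frame:
    index: int
    pc: int
    function: str
    file: str
    line: Optional[int]    # None when the frame carries no source location
    column: Optional[int]

    @property
    def name(self) -> str:
        """Function name with the C++ parameter list stripped."""
        return self.function.split("(", 1)[0]


def parse_frames(report: str) -> List[Frame]:
    frames = []
    for m in FRAME_RE.finditer(report):
        loc = LOC_RE.match(m.group("loc"))
        if loc:
            file_, line = loc.group("file"), int(loc.group("line"))
            col = int(loc.group("col")) if loc.group("col") else None
        else:  # e.g. "(/path/to/firefox+0x4265bc)": no debug info for this frame
            file_, line, col = m.group("loc"), None, None
        frames.append(Frame(int(m.group("idx")), int(m.group("pc"), 16), m.group("func"), file_, line, col))
    return frames


def first_frame_outside(frames: List[Frame], helper_files: tuple) -> Optional[Frame]:
    """First frame not in generic helper code. Here frames #0/#1 are Rooted set/operator=
    in RootingAPI.h; the caller that handed them the handle is the one to read first."""
    for f in frames:
        if not any(h in f.file for h in helper_files):
            return f
    return None


def triage(report: str, helper_files: tuple = ("RootingAPI.h",)) -> dict:
    hdr = HEADER_RE.search(report)
    if hdr is None:
        raise ValueError("not an ASan 'unknown address' report")
    frames = parse_frames(report)
    if not frames:
        raise ValueError("report has no stack frames")
    access = ACCESS_RE.search(report)
    addr = int(hdr.group("addr"), 16)
    zero_page = addr < 0x1000  # the condition behind ASan's "points to the zero page" hint
    interesting = first_frame_outside(frames, helper_files)
    # Signature in the style of the bug title: crashing frame, then first non-helper frame.
    sig = [frames[0].name]
    if interesting is not None and interesting is not frames[0]:
        sig.append(interesting.name)
    return {
        "pid": int(hdr.group("pid")),
        "kind": hdr.group("kind"),
        "fault_address": addr,
        "access": access.group(1) if access else None,
        "zero_page": zero_page,
        "frames": frames,
        "interesting_frame": interesting,
        "signature": " / ".join(sig),
        # Label is this script's own: a fault on the zero page is a null-pointer
        # dereference, not an out-of-bounds access on a live allocation.
        "classification": "null-pointer dereference" if zero_page else "SEGV on non-null unknown address",
    }


if __name__ == "__main__":
    t = triage(ASAN_REPORT)
    print(f"pid {t['pid']}: {t['kind']} {t['access']} at {t['fault_address']:#x} -> {t['classification']}")
    f = t["interesting_frame"]
    print(f"signature: {t['signature']}; look first at {f.file}:{f.line}")
```

On this input the interesting frame is #2, WrapperOwner.cpp:1196, the same pc as the two inlined RootingAPI.h frames above it; that is the point at which the handle that set() writes through was supplied, which is what the "obviously impossible" discussion below turns on.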
Paul, would you take a look? This seems Obviously Impossible.
Flags: needinfo?(pbone)
Component: JavaScript Engine → JavaScript: GC
I'm sorry I'm busy at the moment, I should have set my PTO status.
Flags: needinfo?(pbone) → needinfo?(jcoppeard)
Agreed, it should be impossible to write to a nullptr by calling set() on a RootedObject that's on the stack. posidron, how did you find this crash? Is it reproducible? Any more information we can get about this?
Flags: needinfo?(jcoppeard) → needinfo?(cdiehl)
Yes, it's reproducible and actually a soft fuzz-blocker. It was found by fuzzing IPC (see blocker bug). Not at the moment but we are working on providing generated rr images to the devs very soon.
Flags: needinfo?(cdiehl)
Flags: needinfo?(jcoppeard)
Shifting ni back to posidron until there are STR / an rr image to work from.
Flags: needinfo?(jcoppeard) → needinfo?(cdiehl)
Depends on: 1467468
Flags: needinfo?(cdiehl)
Priority: -- → P3

Marking this as Resolved > Incomplete since the reporter's email has been deactivated and there's no way of asking for a repro.
If anyone can still reproduce this issue please re-open this issue or file a new one.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INCOMPLETE

WrapperOwner was removed a few years ago.

Resolution: INCOMPLETE → WORKSFORME