Open Bug 1447425 Opened 2 years ago Updated Last year

IPC: crash [@set / @mozilla::jsipc::WrapperOwner::fromRemoteObjectVariant]

Categories

(Core :: JavaScript: GC, defect, P3, critical)

defect

Tracking

()

Tracking Status
firefox61 --- affected

People

(Reporter: posidron, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Keywords: crash)

Attachments

(1 file)

Attached file session.txt
==17224==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f64f6852449 bp 0x7ffc4645eeb0 sp 0x7ffc4645ebe0 T0)
==17224==The signal is caused by a WRITE memory access.
==17224==Hint: address points to the zero page.
    #0 0x7f64f6852448 in set /builds/worker/workspace/build/src/obj-firefox/dist/include/js/RootingAPI.h:988:13
    #1 0x7f64f6852448 in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/js/RootingAPI.h:993
    #2 0x7f64f6852448 in mozilla::jsipc::WrapperOwner::fromRemoteObjectVariant(JSContext*, mozilla::jsipc::RemoteObject const&) /builds/worker/workspace/build/src/js/ipc/WrapperOwner.cpp:1196
    #3 0x7f64f68512c5 in mozilla::jsipc::WrapperOwner::fromObjectVariant(JSContext*, mozilla::jsipc::ObjectVariant const&) /builds/worker/workspace/build/src/js/ipc/WrapperOwner.cpp:1175:16
    #4 0x7f64f6824c35 in mozilla::jsipc::JavaScriptShared::fromVariant(JSContext*, mozilla::jsipc::JSVariant const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/ipc/JavaScriptShared.cpp:319:27
    #5 0x7f64f682878d in mozilla::jsipc::JavaScriptShared::Unwrap(JSContext*, nsTArray<mozilla::jsipc::CpowEntry> const&, JS::MutableHandle<JSObject*>) /builds/worker/workspace/build/src/js/ipc/JavaScriptShared.cpp:730:14
    #6 0x7f64f68280fe in mozilla::jsipc::CrossProcessCpowHolder::~CrossProcessCpowHolder() /builds/worker/workspace/build/src/js/ipc/JavaScriptShared.cpp:697:14
    #7 0x7f64fc5b8695 in mozilla::dom::TabParent::RecvAsyncMessage(nsTString<char16_t> const&, nsTArray<mozilla::jsipc::CpowEntry>&&, IPC::Principal const&, mozilla::dom::ClonedMessageData const&) /builds/worker/workspace/build/src/dom/ipc/TabParent.cpp:1722:1
    #8 0x7f64f6732b50 in mozilla::dom::PBrowserParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBrowserParent.cpp:1794:20
    #9 0x7f64f61380a6 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentParent.cpp:3319:28
    #10 0x7f64f5fa1e0e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2135:25
    #11 0x7f64f5f9ed91 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2065:17
    #12 0x7f64f5fa058c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1911:5
    #13 0x7f64f5fa0be8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1944:15
    #14 0x7f64f50cb9d8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
    #15 0x7f64f50e7d40 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #16 0x7f64f5fa998a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #17 0x7f64f5ef81a9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #18 0x7f64f5ef81a9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #19 0x7f64f5ef81a9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #20 0x7f64fccb120a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #21 0x7f6500fc241b in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:290:30
    #22 0x7f65011ce8cc in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4766:22
    #23 0x7f65011d1a06 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4911:8
    #24 0x7f65011d2ec4 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:5003:21
    #25 0x4f6d45 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
    #26 0x4f6d45 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304
    #27 0x7f651572d1c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
    #28 0x4265bc in _start (/home/worker/firefox/firefox+0x4265bc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/js/RootingAPI.h:988:13 in set
==17224==ABORTING
Paul, would you take a look? This seems Obviously Impossible.
Flags: needinfo?(pbone)
Component: JavaScript Engine → JavaScript: GC
I'm sorry I'm busy at the moment, I should have set my PTO status.
Flags: needinfo?(pbone) → needinfo?(jcoppeard)
Agreed, it should be impossible to write to a nullptr by calling set() on a RootedObject that's on the stack.

posidron, how did you find this crash?  Is it reproducible?  Any more information we can get about this?
Flags: needinfo?(jcoppeard) → needinfo?(cdiehl)
Yes, it's reproducible and actually a soft fuzz-blocker. It was found by fuzzing IPC (see blocker bug).
Not at the moment but we are working on providing generated rr images to the devs very soon.
Flags: needinfo?(cdiehl)
Flags: needinfo?(jcoppeard)
Shifting ni back to posidron until there are STR / an rr image to work from.
Flags: needinfo?(jcoppeard) → needinfo?(cdiehl)
Depends on: 1467468
Flags: needinfo?(cdiehl)
Priority: -- → P3
You need to log in before you can comment on or make changes to this bug.