Closed Bug 1528167 Opened 5 years ago Closed 5 years ago

Null pointer write in mozilla::ipc::IPDLParamTraits<mozilla::ipc::IPCRemoteStreamType>::Write

Categories

(Core :: IPC, defect)

Product:
Core
Component:
IPC
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1484524

People

(Reporter: hanno, Unassigned)

Details

I got a crash in an ASAN build, related to IPC/IPDL code. Unfortunately it's not reproducible, I only have a stack trace to offer:

=================================================================
==6988==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f2c5b4b70fd bp 0x7f2bc5bf0100 sp 0x7f2bc5beffa0 T140)
==6988==The signal is caused by a WRITE memory access.
==6988==Hint: address points to the zero page.
#0 0x7f2c5b4b70fc in mozilla::ipc::IPDLParamTraits<mozilla::ipc::IPCRemoteStreamType>::Write(IPC::Message*, mozilla::ipc::IProtocol*, mozilla::ipc::IPCRemoteStreamType const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/InputStreamParams.cpp:950:17
#1 0x7f2c5b4bb348 in Write /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/InputStreamParams.cpp:1135:5
#2 0x7f2c5b4bb348 in void mozilla::ipc::WriteIPDLParam<mozilla::ipc::IPCRemoteStreamParams const&>(IPC::Message*, mozilla::ipc::IProtocol*, mozilla::ipc::IPCRemoteStreamParams const&) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/IPDLParamTraits.h:61
#3 0x7f2c5b4baf54 in mozilla::ipc::IPDLParamTraits<mozilla::ipc::InputStreamParams>::Write(IPC::Message*, mozilla::ipc::IProtocol*, mozilla::ipc::InputStreamParams const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/InputStreamParams.cpp:2069:13
#4 0x7f2c5b4ac728 in Write /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/IPCStream.cpp:45:5
#5 0x7f2c5b4ac728 in void mozilla::ipc::WriteIPDLParam<mozilla::ipc::IPCStream const&>(IPC::Message*, mozilla::ipc::IProtocol*, mozilla::ipc::IPCStream const&) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/IPDLParamTraits.h:61
#6 0x7f2c5b4b49f4 in mozilla::ipc::IPDLParamTraits<mozilla::ipc::OptionalIPCStream>::Write(IPC::Message*, mozilla::ipc::IProtocol*, mozilla::ipc::OptionalIPCStream const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/IPCStream.cpp:381:13
#7 0x7f2c5b469111 in mozilla::ipc::IPDLParamTraits<mozilla::dom::cache::CacheReadStream>::Write(IPC::Message*, mozilla::ipc::IProtocol*, mozilla::dom::cache::CacheReadStream const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/CacheTypes.cpp:184:5
#8 0x7f2c5b46a582 in mozilla::ipc::IPDLParamTraits<mozilla::dom::cache::CacheReadStreamOrVoid>::Write(IPC::Message*, mozilla::ipc::IProtocol*, mozilla::dom::cache::CacheReadStreamOrVoid const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/CacheTypes.cpp:548:13
#9 0x7f2c5b4714d5 in mozilla::ipc::IPDLParamTraits<mozilla::dom::cache::CacheResponse>::Write(IPC::Message*, mozilla::ipc::IProtocol*, mozilla::dom::cache::CacheResponse const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/CacheTypes.cpp:1416:5
#10 0x7f2c5b4cb91e in Write /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/CacheTypes.cpp:1960:5
#11 0x7f2c5b4cb91e in void mozilla::ipc::WriteIPDLParam<mozilla::dom::cache::CacheRequestResponse const&>(IPC::Message*, mozilla::ipc::IProtocol*, mozilla::dom::cache::CacheRequestResponse const&) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/IPDLParamTraits.h:61
#12 0x7f2c5b4754c6 in WriteInternal<const nsTArray<mozilla::dom::cache::CacheRequestResponse> &> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/IPDLParamTraits.h:145:9
#13 0x7f2c5b4754c6 in Write /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/IPDLParamTraits.h:78
#14 0x7f2c5b4754c6 in void mozilla::ipc::WriteIPDLParam<nsTArray<mozilla::dom::cache::CacheRequestResponse> const&>(IPC::Message*, mozilla::ipc::IProtocol*, nsTArray<mozilla::dom::cache::CacheRequestResponse> const&) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/IPDLParamTraits.h:61
#15 0x7f2c5b47becd in Write /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/CacheTypes.cpp:2197:5
#16 0x7f2c5b47becd in void mozilla::ipc::WriteIPDLParam<mozilla::dom::cache::CachePutAllArgs const&>(IPC::Message*, mozilla::ipc::IProtocol*, mozilla::dom::cache::CachePutAllArgs const&) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/IPDLParamTraits.h:61
#17 0x7f2c5b47bc1f in mozilla::ipc::IPDLParamTraits<mozilla::dom::cache::CacheOpArgs>::Write(IPC::Message*, mozilla::ipc::IProtocol*, mozilla::dom::cache::CacheOpArgs const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/CacheTypes.cpp:3621:13
#18 0x7f2c5bd36294 in mozilla::dom::cache::PCacheChild::SendPCacheOpConstructor(mozilla::dom::cache::PCacheOpChild*, mozilla::dom::cache::CacheOpArgs const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PCacheChild.cpp:84:5
#19 0x7f2c6004d655 in ExecuteOp /builds/worker/workspace/build/src/dom/cache/CacheChild.cpp:56:3
#20 0x7f2c6004d655 in mozilla::dom::cache::Cache::ExecuteOp(mozilla::dom::cache::AutoChildOpArgs&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/cache/Cache.cpp:534
#21 0x7f2c60051948 in mozilla::dom::cache::Cache::Put(JSContext*, mozilla::dom::RequestOrUSVString const&, mozilla::dom::Response&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/cache/Cache.cpp:425:10
#22 0x7f2c5ed94e81 in put /builds/worker/workspace/build/src/obj-firefox/dom/bindings/CacheBinding.cpp:915:45
#23 0x7f2c5ed94e81 in mozilla::dom::Cache_Binding::put_promiseWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::dom::cache::Cache*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/CacheBinding.cpp:931
#24 0x7f2c6000323a in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3144:13
#25 0x7f2c66b79240 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:442:13
#26 0x7f2c66b79240 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534
#27 0x7f2c66b61209 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:593:10
#28 0x7f2c66b61209 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3066
#29 0x7f2c66b43e68 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:10
#30 0x7f2c66b79be7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:562:13
#31 0x7f2c66b7b872 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:605:8
#32 0x7f2c66cf8eff in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.h:98:10
#33 0x7f2c66cf8eff in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/Promise.cpp:1653
#34 0x7f2c66b79240 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:442:13
#35 0x7f2c66b79240 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534
#36 0x7f2c66b7b872 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:605:8
#37 0x7f2c6771c8e6 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2623:10
#38 0x7f2c5e6617f6 in mozilla::dom::PromiseJobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/PromiseBinding.cpp:26:8
#39 0x7f2c5a2d78c0 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:91:12
#40 0x7f2c5a2d78c0 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:104
#41 0x7f2c5a2d78c0 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:235
#42 0x7f2c5a2b1f11 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:595:17
#43 0x7f2c5a2b2acf in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:437:3
#44 0x7f2c5a49d62f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1222:24
#45 0x7f2c5a4a2dc8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:474:10
#46 0x7f2c61e4ea71 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:2683:7
#47 0x7f2c61e16b52 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:2289:25
#48 0x7f2c5a49cad6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1162:14
#49 0x7f2c5a4a2dc8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:474:10
#50 0x7f2c5b44c290 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:333:5
#51 0x7f2c5b392c8f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#52 0x7f2c5b392c8f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#53 0x7f2c5b392c8f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#54 0x7f2c5a496c8a in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:449:11
#55 0x7f2c7aef5666 in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#56 0x7f2c7ab396da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#57 0x7f2c79b1788e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/InputStreamParams.cpp:950:17 in mozilla::ipc::IPDLParamTraits<mozilla::ipc::IPCRemoteStreamType>::Write(IPC::Message*, mozilla::ipc::IProtocol*, mozilla::ipc::IPCRemoteStreamType const&)
Thread T140 (DOM Worker) created by T0 here:
#0 0x55b5d0ee726d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
#1 0x7f2c7aef2395 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:433:14
#2 0x7f2c7aef1f7e in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:518:12
#3 0x7f2c5a498f89 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:655:8
#4 0x7f2c61e76b78 in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/workspace/build/src/dom/workers/WorkerThread.cpp:93:7
#5 0x7f2c61dede37 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate*) /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:1426:14
#6 0x7f2c61dec445 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate*) /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:1291:19
#7 0x7f2c61e4943a in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:2225:24
#8 0x7f2c623cd12e in mozilla::dom::ServiceWorkerPrivate::SpawnWorkerIfNeeded(mozilla::dom::ServiceWorkerPrivate::WakeUpReason, bool*, nsILoadGroup*) /builds/worker/workspace/build/src/dom/serviceworkers/ServiceWorkerPrivate.cpp:1755:20
#9 0x7f2c623cc094 in mozilla::dom::ServiceWorkerPrivate::CheckScriptEvaluation(mozilla::dom::LifeCycleEventCallback*) /builds/worker/workspace/build/src/dom/serviceworkers/ServiceWorkerPrivate.cpp:188:17
#10 0x7f2c62439405 in mozilla::dom::ServiceWorkerUpdateJob::ComparisonResult(nsresult, bool, mozilla::dom::serviceWorkerScriptCache::OnFailure, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, unsigned int) /builds/worker/workspace/build/src/dom/serviceworkers/ServiceWorkerUpdateJob.cpp:431:23
#11 0x7f2c6243f20e in mozilla::dom::serviceWorkerScriptCache::(anonymous namespace)::CompareManager::ResolvedCallback(JSContext*, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/dom/serviceworkers/ServiceWorkerScriptCache.cpp:1224:20
#12 0x7f2c61ed0aba in mozilla::dom::(anonymous namespace)::PromiseNativeHandlerShim::ResolvedCallback(JSContext*, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/dom/promise/Promise.cpp:377:13
#13 0x7f2c61ed12d5 in mozilla::dom::NativeHandlerCallback(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/promise/Promise.cpp
#14 0x7f2c66b79240 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:442:13
#15 0x7f2c66b79240 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534
#16 0x7f2c66b7b872 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:605:8
#17 0x7f2c66cf8eff in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.h:98:10
#18 0x7f2c66cf8eff in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/Promise.cpp:1653
#19 0x7f2c66b79240 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:442:13
#20 0x7f2c66b79240 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534
#21 0x7f2c66b7b872 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:605:8
#22 0x7f2c6771c8e6 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2623:10
#23 0x7f2c5e6617f6 in mozilla::dom::PromiseJobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/PromiseBinding.cpp:26:8
#24 0x7f2c5a2d78c0 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:91:12
#25 0x7f2c5a2d78c0 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:104
#26 0x7f2c5a2d78c0 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:235
#27 0x7f2c5a2b1f11 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:595:17
#28 0x7f2c5a2b2acf in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:437:3
#29 0x7f2c5beec94d in XPCJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSContext.cpp:1256:28
#30 0x7f2c5a49d62f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1222:24
#31 0x7f2c5a4a2dc8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:474:10
#32 0x7f2c5b44b08a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#33 0x7f2c5b392c8f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#34 0x7f2c5b392c8f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#35 0x7f2c5b392c8f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#36 0x7f2c625fab39 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#37 0x7f2c6668c460 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:271:30
#38 0x7f2c668eb117 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4700:22
#39 0x7f2c668ed184 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4838:8
#40 0x7f2c668eecb0 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4922:21
#41 0x55b5d0f311ec in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:214:22
#42 0x55b5d0f311ec in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:293
#43 0x7f2c79a17b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

==6988==ABORTING

Looks to be a known crash-stats bug.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.