Closed Bug 1540378 Opened 5 years ago Closed 5 years ago

Perma (tier2) PID 21718 | SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h in get

Categories: Core :: DOM: Web Authentication, defect, P1

Tracking: RESOLVED FIXED, mozilla68

Tracking Status:
firefox-esr60 --- unaffected
firefox66 --- unaffected
firefox67 --- unaffected
firefox68 --- fixed

People: Reporter: intermittent-bug-filer, Assigned: jcj

References: Blocks 1 open bug, Regression

Details: Keywords: intermittent-failure, regression

Attachments: 1 file

Filed by: aciure [at] mozilla.com

https://treeherder.mozilla.org/logviewer.html#?job_id=237083071&repo=autoland

https://queue.taskcluster.net/v1/task/WvUH-ZlrT8ef4RBSh2GQow/runs/0/artifacts/public/logs/live_backing.log

[task 2019-03-30T04:59:38.108Z] 04:59:38 INFO - TEST-START | /webauthn/createcredential-badargs-challenge.https.html
[task 2019-03-30T04:59:38.115Z] 04:59:38 INFO - Closing window 8589934593
[task 2019-03-30T04:59:38.233Z] 04:59:38 INFO - PID 21718 | JavaScript warning: resource://gre/modules/PopupNotifications.jsm, line 1439: Array.forEach is deprecated; use Array.prototype.forEach instead
[task 2019-03-30T04:59:38.276Z] 04:59:38 INFO - PID 21718 | ###!!! [Parent][MessageChannel] Error: (msgtype=0xA10009,name=PWebAuthnTransaction::Msg_Abort) Closed channel: cannot send/recv
[task 2019-03-30T04:59:38.354Z] 04:59:38 INFO - PID 21718 | AddressSanitizer:DEADLYSIGNAL
[task 2019-03-30T04:59:38.354Z] 04:59:38 INFO - PID 21718 | =================================================================
[task 2019-03-30T04:59:38.354Z] 04:59:38 ERROR - PID 21718 | ==21887==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7efce0b009ec bp 0x7ffe593d66f0 sp 0x7ffe593d6500 T0)
[task 2019-03-30T04:59:38.355Z] 04:59:38 INFO - PID 21718 | ==21887==The signal is caused by a READ memory access.
[task 2019-03-30T04:59:38.355Z] 04:59:38 INFO - PID 21718 | ==21887==Hint: address points to the zero page.
[task 2019-03-30T04:59:39.256Z] 04:59:39 INFO - PID 21718 | #0 0x7efce0b009eb in get /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h
[task 2019-03-30T04:59:39.256Z] 04:59:39 INFO - PID 21718 | #1 0x7efce0b009eb in operator nsIGlobalObject * /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:280
[task 2019-03-30T04:59:39.257Z] 04:59:39 INFO - PID 21718 | #2 0x7efce0b009eb in MaybeSomething<nsresult &> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Promise.h:245
[task 2019-03-30T04:59:39.258Z] 04:59:39 INFO - PID 21718 | #3 0x7efce0b009eb in MaybeReject /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Promise.h:94
[task 2019-03-30T04:59:39.259Z] 04:59:39 INFO - PID 21718 | #4 0x7efce0b009eb in mozilla::dom::WebAuthnManager::RejectTransaction(nsresult const&) /builds/worker/workspace/build/src/dom/webauthn/WebAuthnManager.cpp:169
[task 2019-03-30T04:59:39.260Z] 04:59:39 INFO - PID 21718 | #5 0x7efce0b00d3d in mozilla::dom::WebAuthnManager::~WebAuthnManager() /builds/worker/workspace/build/src/dom/webauthn/WebAuthnManager.cpp:193:5
[task 2019-03-30T04:59:39.261Z] 04:59:39 INFO - PID 21718 | #6 0x7efce0b0138d in mozilla::dom::WebAuthnManager::~WebAuthnManager() /builds/worker/workspace/build/src/dom/webauthn/WebAuthnManager.cpp:189:37
[task 2019-03-30T04:59:39.269Z] 04:59:39 INFO - PID 21718 | #7 0x7efcd8d6dcf6 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2416:7
[task 2019-03-30T04:59:39.269Z] 04:59:39 INFO - PID 21718 | #8 0x7efcd8d6c9fe in nsCycleCollector::FreeSnowWhite(bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2607:3
[task 2019-03-30T04:59:39.270Z] 04:59:39 INFO - PID 21718 | #9 0x7efcd8d760d0 in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3578:3
[task 2019-03-30T04:59:39.270Z] 04:59:39 INFO - PID 21718 | #10 0x7efcd8d75690 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3407:9
[task 2019-03-30T04:59:39.270Z] 04:59:39 INFO - PID 21718 | #11 0x7efcd8d75294 in nsCycleCollector::ShutdownCollect() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3351:10
[task 2019-03-30T04:59:39.271Z] 04:59:39 INFO - PID 21718 | #12 0x7efcd8d79c65 in Shutdown /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3639:5
[task 2019-03-30T04:59:39.271Z] 04:59:39 INFO - PID 21718 | #13 0x7efcd8d79c65 in nsCycleCollector_shutdown(bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3993
[task 2019-03-30T04:59:39.274Z] 04:59:39 INFO - PID 21718 | #14 0x7efcd8f86ed8 in mozilla::ShutdownXPCOM(nsIServiceManager*) /builds/worker/workspace/build/src/xpcom/build/XPCOMInit.cpp:728:3
[task 2019-03-30T04:59:39.275Z] 04:59:39 INFO - PID 21718 | #15 0x7efce4e8be1c in XRE_TermEmbedding() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:222:3
[task 2019-03-30T04:59:39.292Z] 04:59:39 INFO - PID 21718 | #16 0x7efcd9f0fee2 in mozilla::ipc::ScopedXREEmbed::Stop() /builds/worker/workspace/build/src/ipc/glue/ScopedXREEmbed.cpp:90:5
[task 2019-03-30T04:59:39.293Z] 04:59:39 INFO - PID 21718 | #17 0x7efce4e8c8bd in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:766:16
[task 2019-03-30T04:59:39.293Z] 04:59:39 INFO - PID 21718 | #18 0x556a6839e404 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
[task 2019-03-30T04:59:39.294Z] 04:59:39 INFO - PID 21718 | #19 0x556a6839e404 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263
[task 2019-03-30T04:59:39.331Z] 04:59:39 INFO - PID 21718 | JavaScript warning: resource:///actors/PageStyleChild.jsm, line 30: Array.slice is deprecated; use Array.prototype.slice instead
[task 2019-03-30T04:59:39.331Z] 04:59:39 INFO - PID 21718 | JavaScript warning: resource:///actors/PageStyleChild.jsm, line 31: Array.map is deprecated; use Array.prototype.map instead
[task 2019-03-30T04:59:39.361Z] 04:59:39 INFO - PID 21718 | #20 0x7efcf926d82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
[task 2019-03-30T04:59:39.361Z] 04:59:39 INFO - PID 21718 | #21 0x556a682c3ad8 in _start (/builds/worker/workspace/build/application/firefox/firefox+0x2aad8)
[task 2019-03-30T04:59:39.361Z] 04:59:39 INFO - PID 21718 | AddressSanitizer can not provide additional info.
[task 2019-03-30T04:59:39.361Z] 04:59:39 INFO - PID 21718 | SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h in get
[task 2019-03-30T04:59:39.361Z] 04:59:39 INFO - PID 21718 | ==21887==ABORTING
[task 2019-03-30T04:59:39.383Z] 04:59:39 INFO - .....
[task 2019-03-30T04:59:39.383Z] 04:59:39 INFO - TEST-OK | /webauthn/createcredential-badargs-challenge.https.html | took 1276ms

Summary: Intermittent PID 21718 | SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h in get → Perma (tier2) PID 21718 | SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h in get
Component: Layout → DOM: Security
Flags: needinfo?(jjones)

On it.

Assignee: nobody → jjones
Status: NEW → ASSIGNED
Component: DOM: Security → DOM: Web Authentication
Flags: needinfo?(jjones)
Priority: P5 → P1

Pretty sure this is the same as Bug 1540346, but I won't dupe that one until I know for sure.

See Also: → 1540346

Pretty sure this is a cycle collection bug that has been disguised for a long time due to how we handled visibility events and their interactions with tab closures.

Bug 1448408 ("Don't listen to visibility events") changed that, which I believe has brought these to the surface. I have a potential patch being tested on ASAN try builds right now: https://treeherder.mozilla.org/#/jobs?repo=try&revision=2cccd36b67d1ddbac53a2faa62795371799bc357

See Also: → 1540658
Depends on: 1448408

I think all of these are the same issue. Try run with a potential fix is running and looks promising on Linux: https://treeherder.mozilla.org/#/jobs?repo=try&revision=2cccd36b67d1ddbac53a2faa62795371799bc357

See Also: → 1540359, 1540376, 1540377

In Bug 1448408 ("Don't listen to visibility events"), it became possible to
close a tab without a visibility event to cause transactions to cancel. This
is a longstanding bug that was covered up by the visibility events. This patch
updates the cycle collection code to ensure that transactions get cleared out
safely, and we don't proceed to RejectTransaction (and subsequent code) on
already-cycle-collected objects.

See Also: 1540377
See Also: 1540658
Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d28545793e92
Web Authentication: Fix teardown during cycle collection r=keeler,mccr8
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
See Also: 1540938
Flags: needinfo?(btara)
Has Regression Range: --- → yes
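
The teardown ordering that the patch description above refers to, as an added example that is not the Firefox patch or any code from this bug: a simplified C++ model in which an unlink step runs before the destructor path. The names `Manager`, `Transaction`, `Unlink`, `Destroy` and `RunLifecycle` are hypothetical, and the model assumes the crash comes from rejecting a transaction whose promise pointer was already cleared.

```cpp
// Added example: a simplified model, not Firefox source. All names are hypothetical.
#include <cstdio>
#include <memory>
#include <utility>

struct Promise {
  bool rejected = false;
  void MaybeReject() { rejected = true; }
};
struct Transaction { std::shared_ptr<Promise> promise; };  // edge the collector may unlink
enum class Teardown { NothingPending, Rejected, NullPromiseDeref };

class Manager {
 public:
  explicit Manager(bool fixed) : fixed_(fixed) {}
  void Begin(std::shared_ptr<Promise> p) { txn_.reset(new Transaction{std::move(p)}); }

  // Models cycle-collector unlink, which runs before the destructor.
  void Unlink() {
    if (fixed_) {
      txn_.reset();           // fixed: the whole transaction is cleared
    } else if (txn_) {
      txn_->promise.reset();  // buggy: edge dropped, transaction still looks pending
    }
  }

  // Models the destructor path that rejects a still-pending transaction.
  Teardown Destroy() {
    if (!txn_) return Teardown::NothingPending;
    // Unchecked code would call through this null pointer; the model reports it instead.
    if (!txn_->promise) return Teardown::NullPromiseDeref;
    txn_->promise->MaybeReject();
    txn_.reset();
    return Teardown::Rejected;
  }

 private:
  bool fixed_;
  std::unique_ptr<Transaction> txn_;
};

// One lifecycle: start a request, optionally unlink, then tear down.
Teardown RunLifecycle(bool fixed, bool unlink_first) {
  Manager m(fixed);
  m.Begin(std::make_shared<Promise>());
  if (unlink_first) m.Unlink();
  return m.Destroy();
}
int main() {
  std::printf("buggy=%d fixed=%d\n", static_cast<int>(RunLifecycle(false, true)),
              static_cast<int>(RunLifecycle(true, true)));
}
```

When no unlink happens before teardown, both variants reject the pending promise normally, which is why the defect could stay hidden while another event always cancelled the transaction first.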