Null pointer / crash in operator() / std::_Function_handler<void (mozilla::ipc::Endpoint<mozilla::ipc::PBackgroundParent>&&), [...]
Categories: Core :: IPC, defect
People: Reporter: hanno, Unassigned
I observed a null pointer crash in ASAN builds.
Unfortunately it's not reproducible. I saw the same crash a couple of times.
Stack trace:
==28606==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fe55a9b4c4c bp 0x7ffc2b645850 sp 0x7ffc2b645850 T0)
==28606==The signal is caused by a WRITE memory access.
==28606==Hint: address points to the zero page.
#0 0x7fe55a9b4c4b in operator() /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1494:13
#1 0x7fe55a9b4c4b in std::_Function_handler<void (mozilla::ipc::Endpoint<mozilla::ipc::PBackgroundParent>&&), (anonymous namespace)::ChildImpl::GetOrCreateForCurrentThread(nsIEventTarget*)::$_6>::_M_invoke(std::_Any_data const&, mozilla::ipc::Endpoint<mozilla::ipc::PBackgroundParent>&&) /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/6.4.0/../../../../include/c++/6.4.0/functional:1731
#2 0x7fe55a9b4534 in operator() /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/6.4.0/../../../../include/c++/6.4.0/functional:2127:14
#3 0x7fe55a9b4534 in (anonymous namespace)::ChildImpl::SendInitBackgroundRunnable::Run() /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1774
#4 0x7fe559a16929 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
#5 0x7fe559a1ca18 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:482:10
#6 0x7fe55a9ee54a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#7 0x7fe55a92118f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#8 0x7fe55a92118f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#9 0x7fe55a92118f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#10 0x7fe561ca13a9 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#11 0x7fe56589316f in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:924:20
#12 0x7fe55a92118f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#13 0x7fe55a92118f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#14 0x7fe55a92118f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#15 0x7fe565892b0e in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:762:34
#16 0x564405ec9404 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#17 0x564405ec9404 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263
#18 0x7fe57426d09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
#19 0x564405deead8 in _start (/root/firefox/firefox+0x2aad8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1494:13 in operator()
==28606==ABORTING
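The report above carries everything needed for a first triage pass: the signal, the faulting address, the access kind, the zero-page hint and the top frame. The following parser is an added example written for this page (it is not part of the bug, of Firefox, or of AddressSanitizer); it runs over a constructed sample built from the header, three of the frames (#0, #3, #4) and the summary line of the report above, and classifies a SEGV whose address lies in the first page as a null-pointer dereference. The `ZERO_PAGE_BYTES` threshold of 4096 is an assumption about the platform page size.

```python
import re

# Constructed sample: the header, frames #0, #3 and #4, and the summary line of
# the AddressSanitizer report quoted in the bug description above.
SAMPLE_REPORT = """\
==28606==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fe55a9b4c4c bp 0x7ffc2b645850 sp 0x7ffc2b645850 T0)
==28606==The signal is caused by a WRITE memory access.
==28606==Hint: address points to the zero page.
    #0 0x7fe55a9b4c4b in operator() /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1494:13
    #3 0x7fe55a9b4534 in (anonymous namespace)::ChildImpl::SendInitBackgroundRunnable::Run() /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1774
    #4 0x7fe559a16929 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1494:13 in operator()
==28606==ABORTING
"""

# Assumed page size: addresses below this are treated as the zero page even
# when ASan does not print its "zero page" hint.
ZERO_PAGE_BYTES = 4096

HEADER_RE = re.compile(
    r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on (?:unknown )?address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE|UNKNOWN) memory access")
ZERO_PAGE_RE = re.compile(r"Hint: address points to the zero page")
# Function names may contain spaces (template arguments, anonymous namespaces),
# so the location is taken as the last whitespace-free token on the line.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (.+?) (\S+)\s*$")
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: (\S+) (\S+) in (.+)$")


def parse_asan_report(text: str) -> dict:
    """Extract the triage-relevant fields from one ASan report."""
    report = {"pid": None, "signal": None, "address": None, "access": None,
              "zero_page": False, "frames": [], "summary_location": None}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            report["pid"] = int(m.group(1))
            report["signal"] = m.group(2)
            report["address"] = int(m.group(3), 16)
            continue
        m = ACCESS_RE.search(line)
        if m:
            report["access"] = m.group(1)
            continue
        if ZERO_PAGE_RE.search(line):
            report["zero_page"] = True
            continue
        m = FRAME_RE.match(line)
        if m:
            report["frames"].append({"index": int(m.group(1)),
                                     "function": m.group(2),
                                     "location": m.group(3)})
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report["summary_location"] = m.group(2)
    return report


def classify(report: dict) -> str:
    """Coarse bucket for a report: null deref vs. other SEGV vs. non-SEGV."""
    if report["signal"] != "SEGV":
        return report["signal"] or "unknown"
    addr = report["address"]
    if report["zero_page"] or (addr is not None and addr < ZERO_PAGE_BYTES):
        return "null-pointer-dereference"
    return "wild-pointer-access"


def triage_line(report: dict) -> str:
    """One-line summary suitable for a crash-bucketing log."""
    top = report["frames"][0] if report["frames"] else None
    where = f"{top['function']} at {top['location']}" if top else "unknown frame"
    addr = f"{report['address']:#x}" if report["address"] is not None else "?"
    return (f"pid {report['pid']}: {classify(report)} "
            f"({report['access'] or '?'} of {addr}) in {where}")


if __name__ == "__main__":
    print(triage_line(parse_asan_report(SAMPLE_REPORT)))
```

The parser keys off the zero-page hint and the low address rather than the frame names, so it buckets the same way for any null write regardless of which IPC actor is on the stack. What it cannot tell you is whether the content process was merely collateral damage from a parent process that had already gone away; that question needs the parent's own crash data or the process lifecycle logs, not the sanitizer output.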
Comment 1 • 6 years ago
if (!content->SendInitBackground(std::move(aParent))) {
MOZ_CRASH("Failed to create top level actor!");
}
Did the parent process also crash, and/or was this during shutdown?
Comment 2 (reporter) • 6 years ago
(In reply to Jed Davis [:jld] ⟨⏰|UTC-6⟩ ⟦he/him⟧ from comment #1)
> Did the parent process also crash, and/or was this during shutdown?
I can't say for sure, but it's very well possible that this was during shutdown.
(It's part of an automated experiment where I just collect the stack traces afterwards.)
Comment 3 • 6 years ago
The priority flag is not set for this bug.
:jld, could you have a look please?
Comment 4 • 6 years ago
This was probably fallout from a parent process crash, in which case it doesn't matter (and normally isn't reported, because the parent process is dead).