Open Bug 1585774 Opened 1 year ago Updated 1 year ago

MOZ_Crash [@ mozilla::dom::PWebAuthnTransactionChild::OnMessageReceived]

Categories

(Core :: DOM: Web Authentication, defect, P3)

defect

Tracking


Tracking Status
firefox-esr68 --- ?
firefox69 --- wontfix
firefox70 --- wontfix
firefox71 --- wontfix
firefox72 --- fix-optional

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, testcase)

Attachments

(3 files)

Attached file harness.html

Testcase found while fuzzing mozilla-central rev cb9bbf38fa45. Testcase must be served via a local webserver in order to reproduce. Furthermore, use harness.html as the starting point which loads part1.html and part2.html.

==107019==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fcb73737b12 bp 0x7ffdb290d6b0 sp 0x7ffdb290d5a0 T0)
==107019==The signal is caused by a WRITE memory access.
==107019==Hint: address points to the zero page.
    #0 0x7fcb73737b11 in MOZ_Crash /src/obj-firefox/dist/include/mozilla/Assertions.h:313:3
    #1 0x7fcb73737b11 in mozilla::ipc::BackgroundChildImpl::ProcessingError(mozilla::ipc::HasResultCodes::Result, char const*) /src/ipc/glue/BackgroundChildImpl.cpp:157
    #2 0x7fcb737e9374 in mozilla::ipc::IPCResult::Fail(mozilla::NotNull<mozilla::ipc::IProtocol*>, char const*, char const*) /src/ipc/glue/ProtocolUtils.cpp:64:39
    #3 0x7fcb74497078 in mozilla::dom::PWebAuthnTransactionChild::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PWebAuthnTransactionChild.cpp:337:68
    #4 0x7fcb73f57a6f in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:5759:32
    #5 0x7fcb737d9246 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /src/ipc/glue/MessageChannel.cpp:2185:25
    #6 0x7fcb737d3e9d in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /src/ipc/glue/MessageChannel.cpp:2109:9
    #7 0x7fcb737d64c7 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /src/ipc/glue/MessageChannel.cpp:1954:3
    #8 0x7fcb737d7357 in mozilla::ipc::MessageChannel::MessageTask::Run() /src/ipc/glue/MessageChannel.cpp:1985:13
    #9 0x7fcb725c03f6 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1225:14
    #10 0x7fcb725c62f8 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #11 0x7fcb737e262f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:88:21
    #12 0x7fcb736df2f2 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #13 0x7fcb736df2f2 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
    #14 0x7fcb736df2f2 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
    #15 0x7fcb7baebbd9 in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:137:27
    #16 0x7fcb7f9dd7af in XRE_RunAppShell() /src/toolkit/xre/nsEmbedFunctions.cpp:934:20
    #17 0x7fcb736df2f2 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #18 0x7fcb736df2f2 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
    #19 0x7fcb736df2f2 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
    #20 0x7fcb7f9dd056 in XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:769:34
    #21 0x5621442c6dda in content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #22 0x5621442c6dda in main /src/browser/app/nsBrowserApp.cpp:272
    #23 0x7fcb940b5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #24 0x5621441e83fc in _start (/home/worker/builds/m-c-20190911215306-fuzzing-asan-opt/firefox+0x453fc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/obj-firefox/dist/include/mozilla/Assertions.h:313:3 in MOZ_Crash
==107019==ABORTING
Flags: in-testsuite?
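The trace above ends in MOZ_Crash reached through IPCResult::Fail and BackgroundChildImpl::ProcessingError, i.e. a deliberate abort of the content process because PWebAuthnTransactionChild received a message that was not valid in its current actor state, not a memory-safety fault. The following is an added illustration of that generic IPDL pattern; it is not Firefox or Mozilla code, and the names TransactionChild, handle_message, replay and process_abort are hypothetical stand-ins for the actor, its OnMessageReceived, and the ProcessingError/MOZ_Crash path.

```cpp
// Added example (not Mozilla code): a minimal model of a child-side IPDL actor
// whose message handler rejects messages that are not valid in its current
// state. In a content process such a protocol error is fatal, which is what
// the MOZ_Crash at the top of the ASan report corresponds to.
#include <cstdio>
#include <initializer_list>
#include <string>

enum class State { Idle, Pending, Done };
enum class Msg { Start, Confirm, Abort };

// Stand-in for mozilla::ipc::IPCResult: ok, or a failure with a reason.
struct Result {
  bool ok;
  std::string reason;
};

class TransactionChild {
 public:
  // Set instead of actually aborting, so the model can be exercised in a test.
  bool aborted = false;
  State state = State::Idle;

  // Stand-in for PWebAuthnTransactionChild::OnMessageReceived: every message
  // is checked against the actor state; an unexpected one is a protocol error.
  Result handle_message(Msg m) {
    switch (m) {
      case Msg::Start:
        if (state != State::Idle) return fail("Start while a transaction is pending");
        state = State::Pending;
        return {true, ""};
      case Msg::Confirm:
        if (state != State::Pending) return fail("Confirm with no pending transaction");
        state = State::Done;
        return {true, ""};
      case Msg::Abort:
        if (state != State::Pending) return fail("Abort with no pending transaction");
        state = State::Idle;
        return {true, ""};
    }
    return fail("unknown message");
  }

 private:
  // Stand-in for IPCResult::Fail: reports the error to the channel owner,
  // which in a child process ends in MOZ_Crash (process_abort here).
  Result fail(const char* why) {
    process_abort(why);
    return {false, why};
  }

  // Stand-in for BackgroundChildImpl::ProcessingError -> MOZ_Crash.
  void process_abort(const char* why) {
    std::fprintf(stderr, "IPC protocol error in child, aborting: %s\n", why);
    aborted = true;
  }
};

// Feeds a constructed message sequence to the actor.
// Returns true only if every message was accepted (the child "survived").
bool replay(TransactionChild& child, std::initializer_list<Msg> msgs) {
  for (Msg m : msgs) {
    Result r = child.handle_message(m);
    if (!r.ok) return false;
  }
  return true;
}

int main() {
  TransactionChild ok_child;
  std::printf("Start,Confirm survives: %d\n", replay(ok_child, {Msg::Start, Msg::Confirm}));

  // A reply arriving after the transaction already left the Pending state is
  // exactly the out-of-state message the handler treats as fatal.
  TransactionChild stale_child;
  std::printf("Start,Abort,Confirm survives: %d\n",
              replay(stale_child, {Msg::Start, Msg::Abort, Msg::Confirm}));
  return 0;
}
```

The point of the model is that the parent can legitimately send a reply that the child no longer expects (for example after the child aborted the transaction on a visibility change), and because the child answers with a failure rather than dropping the stale message, the whole content process goes down. Handling that race by tolerating or explicitly cancelling late messages is the kind of state-machine change the later comments on this bug refer to.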
Attached file part_1.html
Attached file part_2.html
Component: DOM: Web Crypto → DOM: Web Authentication
Priority: -- → P2

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression

Testcase bisects to the following range:

Start: 1e7c6202d94f27e9b14450dc8710f32e7df31572 (20190329224421)
End: d42c60ccf0d05a8b1e6098c1ab62d26e6edd2267 (20190330093204)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1e7c6202d94f27e9b14450dc8710f32e7df31572&tochange=d42c60ccf0d05a8b1e6098c1ab62d26e6edd2267

While regressed by Bug 1448408, this state machine error was always a problem. Now it just isn't solved by aborting on context switch.

Regressed by: 1448408

JC, we were looking at this in the regression triage meeting today and wondering what next steps are. Can you update flags or comment here to update things?

Flags: needinfo?(jjones)

Next steps are: rewrite WebAuthn's UI. Re-listening to visibility events won't fix this everywhere (we have to ignore them on Windows w/ Hello enabled), and eventual CTAP2 support requires a new UX anyway.

This would be the first thing I'd work on when I work on WebAuthn again, but I realize P2 makes it appear like that might happen in the next cycle, which it won't. Moving to P3.

Flags: needinfo?(jjones)
Priority: P2 → P3