Closed Bug 1601473 Opened 5 years ago Closed 4 years ago

crash in [@ mozilla::SharedPrefMap::SharedPrefMap]

Categories

(Core :: Preferences: Backend, defect, P3)

RESOLVED WORKSFORME
Tracking Status
firefox72 --- affected
firefox73 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Attachments

(3 files)

We only seem to be seeing this on our coverage builds (linux64-ccov-fuzzing-opt built with GCC). It seems to be happening randomly and does not appear to be reproducible, but it does happen fairly frequently.

This is the latest instance we have seen from m-c 20191201-251480204d10[1]. The first record I have of the fuzzers hitting it is from m-c 20191006-3fa65bda1e50.

[1] https://firefox-ci-tc.services.mozilla.com/tasks/index/gecko.v2.mozilla-central.revision.251480204d10c4bf3731fa625e07624c3cd52b0d.firefox/linux64-ccov-fuzzing-opt

rax = 0x000055f839c151c0   rdx = 0x00007fdd2ea02ab0
rcx = 0x00007fdd1a7e3bf0   rbx = 0x00007fdd2d222e80
rsi = 0x00000000ffffffff   rdi = 0x0000000000000020
rbp = 0x00007fff52b87a00   rsp = 0x00007fff52b879e0
r8 = 0x000000000000000f    r9 = 0x0000000000000000
r10 = 0x0000000000000002   r11 = 0x0000000000000246
r12 = 0x00007fff52b87abc   r13 = 0x0000000000032417
r14 = 0x00007fff52b89fd8   r15 = 0x00007fff52b89feb
rip = 0x00007fdd134f91ba
OS|Linux|0.0.0 Linux 4.19.34-coreos #1 SMP Mon Apr 22 20:32:34 -00 2019 x86_64
CPU|amd64|family 6 model 85 stepping 7|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::SharedPrefMap::SharedPrefMap(mozilla::ipc::FileDescriptor const&, unsigned long)|hg:hg.mozilla.org/mozilla-central:modules/libpref/SharedPrefMap.cpp:251480204d10c4bf3731fa625e07624c3cd52b0d|28|0x11
0|1|libxul.so|mozilla::Preferences::InitSnapshot(mozilla::ipc::FileDescriptor const&, unsigned long)|hg:hg.mozilla.org/mozilla-central:modules/libpref/Preferences.cpp:251480204d10c4bf3731fa625e07624c3cd52b0d|3649|0x24
0|2|libxul.so|mozilla::ipc::SharedPreferenceDeserializer::DeserializeFromSharedMemory(char*, char*, char*, char*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/ProcessUtils_common.cpp:251480204d10c4bf3731fa625e07624c3cd52b0d|179|0x5
0|3|libxul.so|mozilla::gfx::GPUProcessImpl::Init(int, char**)|hg:hg.mozilla.org/mozilla-central:gfx/ipc/GPUProcessImpl.cpp:251480204d10c4bf3731fa625e07624c3cd52b0d|71|0x12
0|4|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:251480204d10c4bf3731fa625e07624c3cd52b0d|739|0x16
0|5|libxul.so|mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/Bootstrap.cpp:251480204d10c4bf3731fa625e07624c3cd52b0d|67|0x5
0|6|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:251480204d10c4bf3731fa625e07624c3cd52b0d|56|0x13
0|7|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:251480204d10c4bf3731fa625e07624c3cd52b0d|272|0x11
0|8|libc-2.27.so||||0x21b97
0|9|firefox-bin|_GLOBAL__sub_D_00100_1_stdc__compat.cpp|||0x10
0|10|firefox-bin|_GLOBAL__sub_I_00100_0_stdc__compat.cpp|||0x14
0|11|ld-2.27.so||||0x10733
0|12|libdl-2.27.so||||0x202d80
0|13|libpthread-2.27.so||||0x219bb0
0|14|firefox-bin|_GLOBAL__sub_I_00100_0_stdc__compat.cpp|||0x14
0|15|firefox-bin|_start|||0x29

Any chance you have a log from the build in bug 1600735 comment 5? I can't seem to get symbols for this one.

The priority flag is not set for this bug.
:njn, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(n.nethercote)
Flags: needinfo?(n.nethercote)
Priority: -- → P3

(In reply to :dmajor from comment #1)
> Any chance you have a log from the build in bug 1600735 comment 5? I can't seem to get symbols for this one.

Unfortunately no, I don't see any. Here are logs from the latest coverage runs.

These failures are somewhat different; they look like a crash in the strcmp within SharedPrefMap::Find. njn might be the best person to look if you're ok with waiting until he gets back.

The fuzzers have not reported this since summer 2020 and a lot has changed since then. Closing for now.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME