Assertion failure: ok (Failed to serialize nsIInputStream), at /builds/worker/workspace/build/src/ipc/glue/IPCStreamUtils.cpp:535
Categories: Core :: DOM: Navigation, defect, P2
Tracking:
| Tracking | Status | |
|---|---|---|
| firefox74 | --- | affected |
People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug, Regression
Details: Keywords: crash, regression, testcase
Crash Data
Attachments (1 file): 497 bytes, text/html
Testcase found while fuzzing mozilla-central rev 7295ca89e880.
Assertion failure: ok (Failed to serialize nsIInputStream), at /builds/worker/workspace/build/src/ipc/glue/IPCStreamUtils.cpp:535
==17396==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f58241da837 bp 0x7ffd4fd137d0 sp 0x7ffd4fd136e0 T0)
==17396==The signal is caused by a WRITE memory access.
==17396==Hint: address points to the zero page.
#0 0x7f58241da836 in mozilla::ipc::IPDLParamTraits<nsIInputStream*>::Write(IPC::Message*, mozilla::ipc::IProtocol*, nsIInputStream*) /builds/worker/workspace/build/src/ipc/glue/IPCStreamUtils.cpp:535:3
#1 0x7f58242a0580 in mozilla::ipc::IPDLParamTraits<mozilla::dom::DocShellLoadStateInit>::Write(IPC::Message*, mozilla::ipc::IProtocol*, mozilla::dom::DocShellLoadStateInit const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/DOMTypes.cpp:2171:5
#2 0x7f582a990e1d in mozilla::ipc::IPDLParamTraits<nsDocShellLoadState*>::Write(IPC::Message*, mozilla::ipc::IProtocol*, nsDocShellLoadState*) /builds/worker/workspace/build/src/dom/ipc/DocShellMessageUtils.cpp:17:3
#3 0x7f5824fe1b42 in mozilla::dom::PWindowGlobalChild::SendLoadURI(mozilla::dom::BrowsingContext*, nsDocShellLoadState*, bool const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PWindowGlobalChild.cpp:89:5
#4 0x7f582e1d18d3 in mozilla::dom::BrowsingContext::LoadURI(mozilla::dom::BrowsingContext*, nsDocShellLoadState*, bool) /builds/worker/workspace/build/src/docshell/base/BrowsingContext.cpp:925:12
#5 0x7f5826fdda66 in mozilla::dom::LocationBase::SetURI(nsIURI*, nsIPrincipal&, mozilla::ErrorResult&, bool) /builds/worker/workspace/build/src/dom/base/LocationBase.cpp:153:23
#6 0x7f5826fe59d8 in mozilla::dom::LocationBase::SetHrefWithBase(nsTSubstring<char16_t> const&, nsIURI*, nsIPrincipal&, bool, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/LocationBase.cpp:215:5
#7 0x7f5826fe3874 in mozilla::dom::LocationBase::DoSetHref(nsTSubstring<char16_t> const&, nsIPrincipal&, bool, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/LocationBase.cpp:170:3
#8 0x7f58275f1c01 in mozilla::dom::Location_Binding::replace(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/LocationBinding.cpp:1053:28
#9 0x7f5828aaf809 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::CrossOriginThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3151:13
#10 0x7f582eecd35d in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:452:13
#11 0x7f582eecd35d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:544:12
#12 0x7f582eecf19a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:608:10
#13 0x7f582eeb5469 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:612:10
#14 0x7f582eeb5469 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3042:16
#15 0x7f582ee97534 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:10
#16 0x7f582eecd455 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:580:13
#17 0x7f582eecf19a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:608:10
#18 0x7f582eecf476 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:625:8
#19 0x7f582f066812 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2786:10
#20 0x7f58286c7000 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
#21 0x7f582915b2ab in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#22 0x7f582915ace4 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1065:43
#23 0x7f582915c346 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1263:17
#24 0x7f582914a01f in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:356:17
#25 0x7f5829148571 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:558:16
#26 0x7f582914d02b in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1056:11
#27 0x7f5829152019 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
#28 0x7f58271b275e in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1119:17
#29 0x7f5826c22c47 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4094:28
#30 0x7f5826c22983 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4064:10
#31 0x7f5826ee7175 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:7182:3
#32 0x7f5826fb2704 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1164:12
#33 0x7f5826fb2704 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1170:12
#34 0x7f5826fb2704 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1216:13
#35 0x7f5822fd45d7 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1248:14
#36 0x7f5822fdeddc in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#37 0x7f582420d81f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:87:21
#38 0x7f58241072a7 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#39 0x7f58241072a7 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
#40 0x7f58241072a7 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
#41 0x7f582b158988 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#42 0x7f582ea4ee6f in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:272:30
#43 0x7f582ec6174b in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4594:22
#44 0x7f582ec636a2 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4731:8
#45 0x7f582ec64be3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4812:21
#46 0x55c725e1181f in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:217:22
#47 0x55c725e1181f in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:339:16
#48 0x7f5845864b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/ipc/glue/IPCStreamUtils.cpp:535:3 in mozilla::ipc::IPDLParamTraits<nsIInputStream*>::Write(IPC::Message*, mozilla::ipc::IProtocol*, nsIInputStream*)
==17396==ABORTING
Comment 1•6 years ago
This is what a crash looks like on release (I accidentally opened the page): bp-3fcb8c3e-ed0b-4035-8eac-66ada0200113
Comment 2•6 years ago
I don't know what is going wrong here, but I'll note that in my crash in comment one, we're in a nested event loop in a sync XHR.
Comment 3•6 years ago
Spotted another signature in nightly that has the same moz crash reason as this one: https://bit.ly/2FLq6lB. Not sure if it is the same issue as this one.
Comment 4•6 years ago
Using the attached testcase Bughunter found:
- opt
Thread 0 (crashed)
0 libxul.so!mozilla::dom::BrowsingContext::LoadURI(mozilla::dom::BrowsingContext*, nsDocShellLoadState*, bool) [BrowsingContext.cpp:2ee6c4c250523ed74cc95c155abc0fd802113d2e : 914 + 0x11]
1 libxul.so!mozilla::dom::ContentChild::RecvLoadURI(mozilla::dom::BrowsingContext*, nsDocShellLoadState*, bool) [ContentChild.cpp:2ee6c4c250523ed74cc95c155abc0fd802113d2e : 4179 + 0xa]
2 libxul.so!mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) [PContentChild.cpp: : 12680 + 0x1d]
- debug
Assertion failure: aAccessor, at /builds/worker/workspace/build/src/docshell/base/BrowsingContext.cpp:914
#01: mozilla::dom::ContentChild::RecvLoadURI(mozilla::dom::BrowsingContext*, nsDocShellLoadState*, bool) [dom/ipc/ContentChild.cpp:0]
#02: mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) [s3:gecko-generated-sources:15ef15b5be6870c7e288748f5fd8048a852db3fc5baacca8effcb02db2e79774cd7815bf68250a5b84613442bcfc688f36c5e6ca2270d31141633c81bf77b3e5/ipc/ipdl/PContentChild.cpp::12714]
#03: mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) [ipc/glue/MessageChannel.cpp:2213]
Comment 5•6 years ago
Bug 1589123 added the call to LoadURI with a null aAccessor (https://searchfox.org/mozilla-central/rev/68b2e0fd4323261a229233ec2ab8606228979141/dom/ipc/ContentChild.cpp#4180). Matt, that seems like the wrong thing to do?
Comment 6•6 years ago
The crash that was initially reported seems to be happening within location.replace; all the other comments (and what I can reproduce locally) are for an earlier crash in RecvLoadURI within the xhr send.
I'm not sure what changed, and maybe the initial issue still exists too.
The reason we don't pass an accessor in this case is because we're coming from RecvLoadURI, which means that we think we've sent the request to the process that owns the docshell. Given that the check for mDocShell is earlier within BrowsingContext::LoadURI, I guess that is not true.
This seems like it could maybe be racy in general, and we should figure out if we want to discard the load, or bounce it back up to the parent to try again.
This particular case is a bit confusing though. It seems like we're triggering a link click on the current document, and then the xhr send spins a nested event loop which receives a load request (the link click?) and crashes because we didn't have a docshell.
I'd expect the link click load to not send the load up to the parent, because the docshell must be in process. Given the crash, it seems like BrowsingContext::mDocShell is nullptr, despite it actually existing. That causes us to send the link load to the parent, get it sent back again (since the parent thinks we own the docshell), and then crash.
kmag, any ideas on how this could happen?
Comment 7•6 years ago
Oh, the crashing load is the location.replace (which is navigating the newly created iframe).
I think this is calling BrowsingContext::LoadURI on the iframe too early, before we set mDocShell.
Thanks to the link click, we also refresh the outer document, and then spin the event loop for the xhr, and we don't ever get to set the docshell before the load request comes back.
Comment 8•6 years ago
Looks like nsGenericHTMLFrameElement can create a frameloader and browsing context without a docshell (like if someone queries contentWindow).
If that happens, and then we unbind/destroy the frame element, what marks the BrowsingContext as discarded?
Comment 9•6 years ago
Making nsFrameLoader::DestroyDocShell explicitly call Detach() on mBrowsingContext if there isn't a docshell makes this intermittently work. The test keeps reloading itself until it fails though, which takes around 5 times for me.
It seems like other times we don't tear down the frame element in time, and don't call nsFrameLoader::Destroy.
I think there's a second issue where BrowsingContext::LoadURI assumes that all in-process BrowsingContexts have mDocShell, and if we don't have one, then we must need to send the load up to the parent.
This bug is a case where we don't have an mDocShell just because the frameloader hasn't created it yet, but we are in-process, and want to handle the load locally.
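A small C++ model of the routing mistake described in comments 6 and 9, added here as an illustration; it is not Gecko code, the names (`BrowsingContext`, `DocShell`, `routeLoad*`, `simulate`) are hypothetical and echo Gecko's only for readability, and the "fixed" rule shows just one of the two options comment 6 raises (discarding the load), not the actual fix landed for this bug.

```cpp
#include <string>

// Hypothetical model of the load-routing decision, not Gecko's implementation.
struct DocShell { std::string url; };

struct BrowsingContext {
  bool inProcess;       // this content process owns the context
  DocShell* docShell;   // null until the frameloader has created it
};

enum class Route { HandledLocally, SentToParent, Discarded };

// Buggy rule: "no docshell" is read as "not ours, send the load to the parent".
Route routeLoadBuggy(const BrowsingContext& bc) {
  return bc.docShell ? Route::HandledLocally : Route::SentToParent;
}

// Hardened rule: ownership decides the route. An in-process context that has
// no docshell yet keeps the load here (modelled as a discard) instead of
// bouncing it through the parent.
Route routeLoadFixed(const BrowsingContext& bc) {
  if (!bc.inProcess) return Route::SentToParent;
  return bc.docShell ? Route::HandledLocally : Route::Discarded;
}

struct Outcome {
  int hops;        // parent round trips taken by the load
  bool asserted;   // child reached LoadURI with a null accessor and no docshell
  Route route;     // where the load ended up
};

// Drive one load through a routing rule plus the parent's reply. The parent
// believes the owning process has the docshell, so it sends the load straight
// back (the RecvLoadURI -> LoadURI path with aAccessor == nullptr).
Outcome simulate(const BrowsingContext& bc, Route (*rule)(const BrowsingContext&)) {
  Outcome o{0, false, rule(bc)};
  if (o.route == Route::SentToParent && bc.inProcess) {
    o.hops = 1;
    if (!bc.docShell) {
      o.asserted = true;   // the case in this bug: "Assertion failure: aAccessor"
    } else {
      o.route = Route::HandledLocally;
    }
  }
  return o;
}

// Constructed sample docshell for a context whose frameloader has finished.
static DocShell kSampleShell{"about:blank"};
```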
Comment 10•6 years ago
Bug 1582832 should fix the attach and detach issues you're seeing, I think.
Comment 11•3 years ago
Since the crash volume is low (less than 5 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.
For more information, please visit auto_nag documentation.
Comment 12•2 months ago
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 AArch64 and ARM crashes on beta
:edgar, could you consider increasing the severity of this top-crash bug?
For more information, please visit BugBot documentation.
Comment 13•2 months ago
The recent Android crashes look like they could be related to the Navigation API.
Comment 14•2 months ago
Also the crash is different so I guess I should file a new bug.
Comment 15•2 months ago
Oh, great, we already have bug 1992580 on file for the Android crash.
Comment 16•1 month ago
Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.
For more information, please visit BugBot documentation.