Closed Bug 1624009 Opened 4 years ago Closed 4 years ago

AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h in mozilla::MozPromise<bool, mozilla::ipc::ResponseRejectReason, true>::ThenValue<mozilla::dom::Navigator::GetVRDisplays(mozilla::ErrorResult&)::$_2, mozilla::dom:

Categories

(Core :: WebVR, defect)

Product:
Core
Component:
WebVR
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla76
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox74 --- wontfix
firefox75 --- wontfix
firefox76 --- verified

People

(Reporter: jkratzer, Assigned: thomasmo)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files, 1 obsolete file)

testcase.html
721 bytes, text/html
Details
Bug 1624009 - AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h in mozilla::MozPromise<bool, mozilla::ipc::ResponseRejectReason, true>::ThenValue<mozilla::dom::Navigator::GetVRDisplays(mozilla...
47 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html (obsolete) —

Testcase found while fuzzing mozilla-central rev 32d6a3f1f83c (built with --enable-address-sanitizer).

Testcase produces the following assertion on debug builds:
Hit MOZ_CRASH(Failed to make IPC call to IsWindowSupportingWebVR) at /builds/worker/checkouts/gecko/dom/base/Navigator.cpp:1508

=================================================================
==12191==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f397b73275d bp 0x7fff10597fe0 sp 0x7fff10597fd0 T0)
==12191==The signal is caused by a WRITE memory access.
==12191==Hint: address points to the zero page.
    #0 0x7f397b73275c in mozilla::MozPromise<bool, mozilla::ipc::ResponseRejectReason, true>::ThenValue<mozilla::dom::Navigator::GetVRDisplays(mozilla::ErrorResult&)::$_2, mozilla::dom::Navigator::GetVRDisplays(mozilla::ErrorResult&)::$_3>::DoResolveOrRejectInternal(mozilla::MozPromise<bool, mozilla::ipc::ResponseRejectReason, true>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h
    #1 0x7f3978f61551 in mozilla::MozPromise<bool, mozilla::ipc::ResponseRejectReason, true>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:403:21
    #2 0x7f39785438ce in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1220:14
    #3 0x7f397854e35c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:481:10
    #4 0x7f39795bde6a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #5 0x7f39794eafe7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #6 0x7f39794eafe7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #7 0x7f39794eafe7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #8 0x7f397f5e0ff8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #9 0x7f3982d87cb6 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:911:20
    #10 0x7f39794eafe7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #11 0x7f39794eafe7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #12 0x7f39794eafe7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #13 0x7f3982d8736a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:34
    #14 0x56478ebe020f in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #15 0x56478ebe020f in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
    #16 0x7f3998bf2b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #17 0x56478eb35bbc in _start (/home/user/builds/mc-asan/firefox+0x9ebbc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h in mozilla::MozPromise<bool, mozilla::ipc::ResponseRejectReason, true>::ThenValue<mozilla::dom::Navigator::GetVRDisplays(mozilla::ErrorResult&)::$_2, mozilla::dom::Navigator::GetVRDisplays(mozilla::ErrorResult&)::$_3>::DoResolveOrRejectInternal(mozilla::MozPromise<bool, mozilla::ipc::ResponseRejectReason, true>::ResolveOrRejectValue&)
==12191==ABORTING
Flags: in-testsuite?
Attached file testcase.html

The previously attached testcase may require a few attempts in order to reproduce. This testcase should be more reliable.

Attachment #9134806 - Attachment is obsolete: true
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200323162134-b3fb938012ba.
The bug appears to have been introduced in the following build range:
> Start: 6e19f038ae4d339067830ba7b30ffe1fdffb77e4 (20191106212054)
> End: 96b58f95ed7333672e6dba134d091015328d299b (20191106215426)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6e19f038ae4d339067830ba7b30ffe1fdffb77e4&tochange=96b58f95ed7333672e6dba134d091015328d299b

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression
Regressed by: 1589913
Has Regression Range: --- → yes

:thomasmo, it looks like this is a regression caused by Bug 1589913. Any thought?

Flags: needinfo?(thomasmo)

It seems like it could be caused by it, but it's not obvious to me.
Assigning to myself for now and will start investigating

Assignee: nobody → thomasmo

...::ErrorResult&)::$_2, mozilla::dom:

This change fixes a failfast where an outstanding permissions dialog can cause an IPC call to fail while determining whether to enumerate VR displays. This change now rejects the promise in that case.

Flags: needinfo?(thomasmo)
Bugmon Analysis:
Pushed by tmoore@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/96eedd640ac4
AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h in mozilla::MozPromise<bool, mozilla::ipc::ResponseRejectReason, true>::ThenValue<mozilla::dom::Navigator::GetVRDisplays(mozilla... r=daoshengmu,kip,smaug

https://hg.mozilla.org/mozilla-central/rev/96eedd640ac4

Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox76: fix-optionalfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
Flags: qe-verify+
Status: RESOLVED → VERIFIED
status-firefox76: fixedverified
Keywords: bugmon
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200423145559-03626342f6e6.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: