Closed Bug 1648572 Opened 5 years ago Closed 1 year ago

Hit MOZ_CRASH(OOM) at /builds/worker/checkouts/gecko/xpcom/base/nsDebugImpl.cpp:611

Categories

(Core :: DOM: Device Interfaces, defect, P2)

defect

Tracking

()

RESOLVED FIXED
110 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox-esr115 --- wontfix
firefox79 --- wontfix
firefox108 --- wontfix
firefox109 --- wontfix
firefox110 --- wontfix
firefox116 --- wontfix
firefox117 --- wontfix
firefox118 --- fixed

People

(Reporter: jkratzer, Assigned: cmartin)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(3 files, 1 obsolete file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central db74cdf9afe7 (built with --enable-debug).

rax = 0x00007fbcecf91b53   rdx = 0x0000000000000000
rcx = 0x000055cc99901a58   rbx = 0x000055cc9be7d2a8
rsi = 0x00007fbcff37b8b0   rdi = 0x00007fbcff37a680
rbp = 0x00007ffcaf2234c0   rsp = 0x00007ffcaf2234c0
r8 = 0x00007fbcff37b8b0    r9 = 0x00007fbd004e1780
r10 = 0x0000000000000002   r11 = 0x0000000000000000
r12 = 0x00000000fffffffd   r13 = 0x000055cc9be7d240
r14 = 0x000055cc9be7d2a8   r15 = 0x0000000000000008
rip = 0x00007fbce54428b5
OS|Linux|0.0.0 Linux 5.3.0-51-generic #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|NS_ABORT_OOM(unsigned long)|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsDebugImpl.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|611|0x16
0|1|libxul.so|nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_RelocateUsingMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long)|hg:hg.mozilla.org/mozilla-central:xpcom/ds/nsTArray-inl.h:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|154|0x8
0|2|libxul.so|mozilla::dom::Gamepad::Gamepad(nsISupports*, nsTSubstring<char16_t> const&, int, unsigned int, mozilla::dom::GamepadMappingType, mozilla::dom::GamepadHand, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int)|hg:hg.mozilla.org/mozilla-central:dom/gamepad/Gamepad.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|54|0x37
0|3|libxul.so|mozilla::dom::GamepadManager::AddGamepad(unsigned int, nsTSubstring<char16_t> const&, mozilla::dom::GamepadMappingType, mozilla::dom::GamepadHand, mozilla::dom::GamepadServiceType, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int)|hg:hg.mozilla.org/mozilla-central:dom/gamepad/GamepadManager.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|230|0x41
0|4|libxul.so|mozilla::dom::GamepadManager::Update(mozilla::dom::GamepadChangeEvent const&)|hg:hg.mozilla.org/mozilla-central:dom/gamepad/GamepadManager.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|465|0x25
0|5|libxul.so|mozilla::dom::(anonymous namespace)::GamepadUpdateRunnable::Run()|hg:hg.mozilla.org/mozilla-central:dom/gamepad/ipc/GamepadEventChannelChild.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|21|0x17
0|6|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|1234|0xe
0|7|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|501|0xc
0|8|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|87|0x7
0|9|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|315|0x17
0|10|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|290|0x8
0|11|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|137|0xd
0|12|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|913|0xe
0|13|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|237|0x5
0|14|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|315|0x17
0|15|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|290|0x8
0|16|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|744|0x5
0|17|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|56|0x11
0|18|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|303|0x20
0|19|libc.so.6||||0x21b97
0|20|firefox-bin|<name omitted>|hg:hg.mozilla.org/mozilla-central:mfbt/UniquePtr.h:db74cdf9afe797ced554aaf7e79b9bdc3e86f719|253|0x17
Flags: in-testsuite?
Attached file prefs.js
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200625161839-324d5257f6f7. Failed to bisect testcase (Start build crashes!):
> Start: 70e7c3ef6cae2266147c38ad250692ffe84aec26 (20190627093448)
> End: 52994209c733bb661741233c0d7fb7f91bfa4880 (20200625032232)
> BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

I can work on that in 2020 Q3.

Priority: -- → P2
Assignee: nobody → dmu
Blocks: 1643833

It indeed will cause OOM because 103029415, 4294967293, 206161005, 4294967293, 1082616057 are not numbers that make sense to set when creating a gamepad. We will not set these kinds of amounts for our buttons, axes, and so on. I would prefer to do some checks in our GamepadServiceTest.

Attachment #9167413 - Attachment description: Bug 1648572 - Giving limited numbers for its parameter when adding a gamepad in tests. → Bug 1648572 - Giving constraints on GamepadTestService parameters to avoid OOM.
Assignee: dmu → cmartin

There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:cmartin, could you have a look please?
For more information, please visit auto_nag documentation.

Flags: needinfo?(cmartin)

This patch needs to be slightly revised. Will likely have time to get to it in the next couple of weeks.

Flags: needinfo?(cmartin)
Severity: normal → S3

Testcase crashes using the initial build (mozilla-central 20211225092802-95ced5795758) but not with tip (mozilla-central 20221223212957-abd20d4e1d24).

The bug appears to have been fixed in the following build range:

Start: 516d1e04fe91d8c56d50fb41ffb92f27e4965f9a (20221213184420)
End: 5d94fded02d5748f214bc2f2494f6dc39d17af4e (20221213184459)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=516d1e04fe91d8c56d50fb41ffb92f27e4965f9a&tochange=5d94fded02d5748f214bc2f2494f6dc39d17af4e

cmartin, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(cmartin)
Keywords: bugmon

Confirmed -- The issue was very likely fixed by that changeset

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(cmartin)
Resolution: --- → FIXED
Assignee: cmartin → continuation
Depends on: 1805269
Target Milestone: --- → 110 Branch
Attachment #9159436 - Attachment mime type: application/x-javascript → text/plain

My patch isn't really a fix, I just broke fuzzing involving the fake gamepad test service. Is it still important that it be tested? I can put together a patch that will disable this bypass in fuzzing builds. If it isn't important, maybe it would be good to talk to the fuzzing people about not bothering to flip dom.gamepad.test.enable to true.

Flags: needinfo?(cmartin)

Hmm -- Perhaps it would be best to continue fuzzing it then... This may subtly remind me that someday I should probably use a ranged type for those arrays. Upon reflection, I guess even for these testing APIs it's probably still wise to not have memory safety issues.

Flags: needinfo?(cmartin)
Flags: needinfo?(continuation)
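The two comments above describe the failure mode (the fuzzer handed the test service counts like 4294967293, and the Gamepad constructor sized its nsTArrays from them, hitting the infallible allocator's MOZ_CRASH(OOM)) and the preferred shape of a fix (validate at the test-service boundary, ideally with a ranged type so out-of-range counts cannot reach the allocation site). The following is an added, stand-alone C++ illustration of that pattern; it is not Gecko code and not the patch that landed. The cap values, the `BoundedCount` template, `GamepadDims`, `FakeGamepad` and `MakeGamepadChecked` are all assumptions made for the example, and the five counts are taken from the comment above only as sample input.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Assumed caps for a fake/test gamepad. Real controllers have at most a few
// dozen buttons and axes, so anything above these is a test bug or hostile
// input. Illustrative values, not the ones the Gecko patch uses.
constexpr uint32_t kMaxButtons = 128;
constexpr uint32_t kMaxAxes = 64;
constexpr uint32_t kMaxHaptics = 16;
constexpr uint32_t kMaxLights = 16;
constexpr uint32_t kMaxTouches = 32;

// A "ranged type": a count that can only exist if it was checked against Max.
// Anything that takes a BoundedCount<N> cannot be handed an out-of-range
// value, so the allocation site needs no second check of its own.
template <uint32_t Max>
class BoundedCount {
 public:
  static std::optional<BoundedCount> From(uint32_t v) {
    if (v > Max) {
      return std::nullopt;
    }
    return BoundedCount(v);
  }
  uint32_t value() const { return mValue; }

 private:
  explicit BoundedCount(uint32_t v) : mValue(v) {}
  uint32_t mValue;
};

using ButtonCount = BoundedCount<kMaxButtons>;
using AxisCount = BoundedCount<kMaxAxes>;
using HapticCount = BoundedCount<kMaxHaptics>;
using LightCount = BoundedCount<kMaxLights>;
using TouchCount = BoundedCount<kMaxTouches>;

struct GamepadDims {
  ButtonCount buttons;
  AxisCount axes;
  HapticCount haptics;
  LightCount lights;
  TouchCount touches;
};

// Validation happens once, at the trust boundary (the test/IPC entry point).
std::optional<GamepadDims> ValidateGamepadDims(uint32_t nButtons, uint32_t nAxes,
                                               uint32_t nHaptics, uint32_t nLights,
                                               uint32_t nTouches) {
  auto b = ButtonCount::From(nButtons);
  auto a = AxisCount::From(nAxes);
  auto h = HapticCount::From(nHaptics);
  auto l = LightCount::From(nLights);
  auto t = TouchCount::From(nTouches);
  if (!b || !a || !h || !l || !t) {
    return std::nullopt;
  }
  return GamepadDims{*b, *a, *h, *l, *t};
}

// Stand-in for the object whose constructor sizes per-control arrays
// (the Gamepad constructor in the stack trace above).
struct FakeGamepad {
  std::vector<double> buttons;
  std::vector<double> axes;
  std::vector<uint32_t> haptics;
  std::vector<uint32_t> lights;
  std::vector<uint32_t> touches;

  // Only a validated GamepadDims can reach this point, so every size here is
  // bounded by construction rather than by a check that someone might forget.
  explicit FakeGamepad(const GamepadDims& d)
      : buttons(d.buttons.value()),
        axes(d.axes.value()),
        haptics(d.haptics.value()),
        lights(d.lights.value()),
        touches(d.touches.value()) {}
};

// Entry point taking raw, caller-controlled counts. Returns nullopt instead of
// attempting the allocation when any count is out of range.
std::optional<FakeGamepad> MakeGamepadChecked(uint32_t nButtons, uint32_t nAxes,
                                              uint32_t nHaptics, uint32_t nLights,
                                              uint32_t nTouches) {
  auto dims = ValidateGamepadDims(nButtons, nAxes, nHaptics, nLights, nTouches);
  if (!dims) {
    return std::nullopt;
  }
  return FakeGamepad(*dims);
}

int main() {
  auto ok = MakeGamepadChecked(16, 4, 2, 0, 0);
  std::printf("sane dims accepted: %s\n", ok ? "yes" : "no");
  // The five counts quoted in the comment above, used as sample input.
  auto bad = MakeGamepadChecked(103029415u, 4294967293u, 206161005u,
                                4294967293u, 1082616057u);
  std::printf("fuzzer dims accepted: %s\n", bad ? "yes" : "no");
  return 0;
}
```

The point of the `BoundedCount` indirection over a plain `if (n > kMax) return;` in the factory is that the constructor's signature documents and enforces the invariant: a future caller (another test hook, an IPC handler) cannot bypass the check by constructing the object directly with raw integers, which is exactly the kind of regression the reopening of this bug describes.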

I put a patch in bug 1809697 to make fuzz testing of the gamepad test service work again, thereby breaking this test case again. I'll reopen this bug when it lands.

Flags: needinfo?(continuation)
See Also: → 1809697
Assignee: continuation → nobody
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attachment #9167413 - Attachment is obsolete: true
Assignee: nobody → cmartin
Pushed by cmartin@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/812c0a897eae Restrain test gamepad dimensions to avoid OOM errors r=handyman
Status: REOPENED → RESOLVED
Closed: 2 years ago → 1 year ago
Resolution: --- → FIXED
