Closed Bug 1683124 Opened 4 years ago Closed 2 years ago

Crash [@ mozilla::ipc::ProcessLink::SendMessage | @ nsAlertsService::ShowPersistentNotification]

Categories

(Core :: DOM: Push Subscriptions, defect, P3)

Tracking

RESOLVED FIXED
107 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox86 --- wontfix
firefox105 --- wontfix
firefox106 --- wontfix
firefox107 --- fixed

People

(Reporter: bugmon, Assigned: nika)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.zip

Testcase found while fuzzing mozilla-central rev 2ab4142f19bc (built with --enable-debug). Testcase must be served via HTTP.

Hit MOZ_CRASH(IPC message size is too large) at /builds/worker/checkouts/gecko/ipc/glue/MessageLink.cpp:143

    #0 0x7f34f6734959 in mozilla::ipc::ProcessLink::SendMessage(mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /builds/worker/checkouts/gecko/ipc/glue/MessageLink.cpp:143:5
    #1 0x7f34f6722f25 in mozilla::ipc::MessageChannel::SendMessageToLink(mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:982:10
    #2 0x7f34f6721b9b in mozilla::ipc::MessageChannel::Send(mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:973:3
    #3 0x7f34f673d513 in mozilla::ipc::IProtocol::ChannelSend(IPC::Message*) /builds/worker/checkouts/gecko/ipc/glue/ProtocolUtils.cpp:508:22
    #4 0x7f34f689db67 in mozilla::dom::PContentChild::SendShowAlert(nsIAlertNotification*) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:3495:21
    #5 0x7f34fb9bef3a in nsAlertsService::ShowPersistentNotification(nsTSubstring<char16_t> const&, nsIAlertNotification*, nsIObserver*) /builds/worker/checkouts/gecko/toolkit/components/alerts/nsAlertsService.cpp:215:10
    #6 0x7f34f9b1648a in mozilla::dom::Notification::ShowInternal() /builds/worker/checkouts/gecko/dom/notification/Notification.cpp:1417:19
    #7 0x7f34f9b15766 in mozilla::dom::NotificationTask::Run() /builds/worker/checkouts/gecko/dom/notification/Notification.cpp:658:12
    #8 0x7f34f5e3eb4c in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /builds/worker/checkouts/gecko/xpcom/threads/ThrottledEventQueue.cpp:254:22
    #9 0x7f34f5e3a071 in mozilla::ThrottledEventQueue::Inner::Executor::Run() /builds/worker/checkouts/gecko/xpcom/threads/ThrottledEventQueue.cpp:81:15
    #10 0x7f34f5e13a3f in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:459:16
    #11 0x7f34f5e1203a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:739:26
    #12 0x7f34f5e110e4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:598:15
    #13 0x7f34f5e11297 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:382:36
    #14 0x7f34f5e17359 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:126:37
    #15 0x7f34f5e17359 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #16 0x7f34f5e288d5 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1200:14
    #17 0x7f34f5e2e98a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #18 0x7f34f6735e44 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:109:5
    #19 0x7f34f66a2363 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #20 0x7f34f66a227d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #21 0x7f34f66a227d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #22 0x7f34fa41a108 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #23 0x7f34fbc20783 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
    #24 0x7f34f6736d79 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #25 0x7f34f66a2363 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #26 0x7f34f66a227d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #27 0x7f34f66a227d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #28 0x7f34fbc20368 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #29 0x55e813bade07 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #30 0x55e813bade07 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:305:18
    #31 0x7f350b1370b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201217092748-2ab4142f19bc.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 5e8b48c8cd93ae318b2963de1b3c1db0710c0242 (20191219095006)
End: 2ab4142f19bc58009e0c0306fc336df5f636457d (20201217092748)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Severity: -- → S3
Priority: -- → P3
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirm]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220120100401-3ddab45ce6bd.
Unable to bisect testcase (failed to find build near 2ab4142f19bc)

Whiteboard: [bugmon:bisected,confirm] → [bugmon:bisected,confirmed]

So the testcase tries to send >100MB of image data through a notification. The IPC limit is set to 256MB but there might be some bloating here due to serializing?

We might want to add some check before getting to the IPC send, maybe.
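A pre-send size check of the kind the comment above suggests, as an added example that is not Gecko code: the 256MB limit comes from the comment, while the UTF-16 serialization of string fields, the per-field framing overhead and the helper names are assumptions made here.

```cpp
#include <cstddef>
#include <string>

// Limit quoted in the comment above (256 MB); the exact Gecko constant is not on this page.
constexpr size_t kMaxIpcMessageBytes = 256 * 1024 * 1024;

// Assumed framing cost per serialized field (length prefix etc.); a constructed value.
constexpr size_t kPerFieldOverhead = 8;

// Lengths are counted in UTF-16 code units, as the notification strings are char16_t.
struct NotificationFields {
  size_t titleChars;
  size_t bodyChars;
  size_t imageUrlChars;  // a data: URL counts in full here
};

// Bytes on the wire if every string field is shipped as raw UTF-16 (assumption).
size_t EstimateSerializedBytes(const NotificationFields& f) {
  const size_t codeUnits = f.titleChars + f.bodyChars + f.imageUrlChars;
  return codeUnits * sizeof(char16_t) + 3 * kPerFieldOverhead;
}

// true: safe to hand to IPC; false: reject the notification up front instead of
// letting the IPC layer hit MOZ_CRASH(IPC message size is too large).
bool FitsInIpcMessage(const NotificationFields& f) {
  return EstimateSerializedBytes(f) <= kMaxIpcMessageBytes;
}

// Characters in a base64 data: URL wrapping `rawBytes` of image data: base64
// expands every 3 bytes to 4 chars, so the URL is already larger than the image,
// and UTF-16 then doubles it again. This is the "bloating" the comment suspects.
size_t DataUrlCharsForImage(size_t rawBytes, const std::string& mime = "image/png") {
  const size_t header = std::string("data:").size() + mime.size() +
                        std::string(";base64,").size();
  return header + ((rawBytes + 2) / 3) * 4;
}
```

With these assumptions a 100 MiB image encoded as a data: URL needs roughly 280 MB of message, so it is rejected by the check even though the raw image is well under the limit.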

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20211009082533-4b74bccdf4dc) but not with tip (mozilla-central 20221007213810-30bdee9799a0).

The bug appears to have been fixed in the following build range:

Start: 51d328a38b9bc72b8ed3dd83573b1d9535cb941c (20220928191316)
End: 880ab66f959e23b4b48f4b5187023444a38ca8fb (20220928192922)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=51d328a38b9bc72b8ed3dd83573b1d9535cb941c&tochange=880ab66f959e23b4b48f4b5187023444a38ca8fb

bugmon, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(bugmon)
Keywords: bugmon

This appears to have been fixed by bug 1783242.

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(bugmon)
Resolution: --- → FIXED
Assignee: nobody → nika
Depends on: 1783242
Target Milestone: --- → 107 Branch
QA Whiteboard: [qa-107b-p2]