1699721 - Assertion failure: bc->IsInProcess(), at /builds/worker/checkouts/gecko/dom/ipc/WindowGlobalChild.cpp:128

Status: RESOLVED FIXED

(Core :: DOM: Content Processes, defect, P2)

Description

[Jason Kratzer [:jkratzer]]

Found while fuzzing mozilla-central rev 9ad67cd4d216 (built with --enable-address-sanitizer --enable-fuzzing).

A pernosco session for this issue can be found at:
https://pernos.co/debug/7XVI2Ju150wRVcCePD9hnQ/index.html

Assertion failure: bc->IsInProcess(), at /builds/worker/checkouts/gecko/dom/ipc/WindowGlobalChild.cpp:128

==16436==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7febecafec1a bp 0x7ffda13a8430 sp 0x7ffda13a8180 T0)
==16436==The signal is caused by a WRITE memory access.
==16436==Hint: address points to the zero page.
    #0 0x7febecafec1a in mozilla::dom::WindowGlobalChild::Create(nsGlobalWindowInner*) /gecko/dom/ipc/WindowGlobalChild.cpp:128:5
    #1 0x7febe8b41771 in nsGlobalWindowInner::InitDocumentDependentState(JSContext*) /gecko/dom/base/nsGlobalWindowInner.cpp:1747:26
    #2 0x7febe8b89c66 in nsGlobalWindowOuter::SetNewDocument(mozilla::dom::Document*, nsISupports*, bool, mozilla::dom::WindowGlobalChild*) /gecko/dom/base/nsGlobalWindowOuter.cpp:2410:23
    #3 0x7febed8ded1a in nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::dom::WindowGlobalChild*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) /gecko/layout/base/nsDocumentViewer.cpp:916:22
    #4 0x7febed8de2ca in nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::dom::WindowGlobalChild*) /gecko/layout/base/nsDocumentViewer.cpp:700:10
    #5 0x7febf0337b26 in nsDocShell::SetupNewViewer(nsIContentViewer*, mozilla::dom::WindowGlobalChild*) /gecko/docshell/base/nsDocShell.cpp:8283:7
    #6 0x7febf0336bbc in nsDocShell::Embed(nsIContentViewer*, mozilla::dom::WindowGlobalChild*, bool, bool) /gecko/docshell/base/nsDocShell.cpp:5794:17
    #7 0x7febf02fd9ab in nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**) /gecko/docshell/base/nsDocShell.cpp:8095:3
    #8 0x7febf02fb784 in nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*) /gecko/docshell/base/nsDSURIContentListener.cpp:178:20
    #9 0x7febe7a8d6df in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /gecko/uriloader/base/nsURILoader.cpp:597:18
    #10 0x7febe7a8ae70 in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /gecko/uriloader/base/nsURILoader.cpp:276:9
    #11 0x7febe7a89d93 in nsDocumentOpenInfo::OnStartRequest(nsIRequest*) /gecko/uriloader/base/nsURILoader.cpp:154:8
    #12 0x7febe64e78b6 in mozilla::net::HttpChannelChild::DoOnStartRequest(nsIRequest*, nsISupports*) /gecko/netwerk/protocol/http/HttpChannelChild.cpp:593:20
    #13 0x7febe64e66e2 in mozilla::net::HttpChannelChild::OnStartRequest(mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::HttpChannelOnStartRequestArgs const&) /gecko/netwerk/protocol/http/HttpChannelChild.cpp:524:3
    #14 0x7febe67dc72b in mozilla::net::ChannelEventQueue::FlushQueue() /gecko/netwerk/ipc/ChannelEventQueue.cpp:90:12
    #15 0x7febe682b3a7 in mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() /gecko/netwerk/ipc/ChannelEventQueue.cpp:148:17
    #16 0x7febe58bc2f6 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:472:16
    #17 0x7febe58b8eb3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:760:26
    #18 0x7febe58b6d87 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:611:15
    #19 0x7febe58b71dd in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:395:36
    #20 0x7febe58c3931 in operator() /gecko/xpcom/threads/TaskController.cpp:133:37
    #21 0x7febe58c3931 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /gecko/xpcom/threads/nsThreadUtils.h:534:5
    #22 0x7febe58dec84 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1158:16
    #23 0x7febe58e97fc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #24 0x7febe6b100df in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:87:21
    #25 0x7febe6a198f1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #26 0x7febe6a198f1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #27 0x7febe6a198f1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #28 0x7febed2f5397 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #29 0x7febf0dd32cf in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:901:20
    #30 0x7febe6a198f1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #31 0x7febe6a198f1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #32 0x7febe6a198f1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #33 0x7febf0dd2a5f in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #34 0x55b89f541b2d in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #35 0x55b89f541f51 in main /gecko/browser/app/nsBrowserApp.cpp:309:18
    #36 0x7fec05b900b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #37 0x55b89f4954c9 in _start (/home/worker/builds/m-c-20210314094531-fuzzing-asan-opt/firefox+0x5a4c9)

Comment 1

[Chris Peterson [:cpeterson]]

needinfo'ing Nika because this might be a regression from a recent change she made in bug 1675820.

Comment 2

[Nika Layzell [:nika] (ni? for response)]

I've done some investigation based on the pernosco trace and determined this is caused by multiple chained process switches while spinning a nested event loop in the unload event of the previous document. Not quite sure how we're going to fix this yet, but will self-assign to look into it.

Comment 3

[Nika Layzell [:nika] (ni? for response)]

Attachment: Bug 1699721 - Part 1: Fully remove LegacyCheckOnlyOwningProcess,

This is necessary as in part 2 the InFlightProcessId value will no longer be
tracked, so any remaining code which depends on it needs to be removed.

Comment 4

[Nika Layzell [:nika] (ni? for response)]

Attachment: Bug 1699721 - Part 2: Track BrowserParent lifecycles during process switches,

This patch contains a large number of changes around the process switching
mechanism in order to avoid issues which are caused by a mismatched
understanding of the state of the process switch between processes in the
presence of nested event loops.

This includes:

1. The "InFlightProcessId" value is no longer recorded. All remaining uses
   were removed in part 1, and the new mechanism tracks this information in
   a better way.
2. The current BrowserParent instance is now tracked on
   CanonicalBrowsingContext, meaning that logic which needs to work with this
   information can now access it without depending on the current
   WindowGlobalParent instance.
3. When doing a process switch, the previous host process for the
   BrowsingContext is tracked until the process switch is completed, allowing
   for future attempts to switch into that process to be delayed until the
   previous unload event has finished running.
4. The process switch logic was refactored to simplify some of the
   error-handling logic, and share more code between different cases.

Comment 5

[Nika Layzell [:nika] (ni? for response)]

Attachment: Bug 1699721 - Part 3: Add test for switching back into unloading process,

This was somewhat convoluted to get to both reliably reproduce and not timeout
after the fixes were applied. The test can't run without Fission, as it
requires a process switch to occur on the navigation to/from
http://example.com.

Without part 2 of this patch stack, this test will crash after the process
switch.

Comment 6

[Pulsebot]

Pushed by nlayzell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ef06d9764cf1
Part 1: Fully remove LegacyCheckOnlyOwningProcess, r=kmag
https://hg.mozilla.org/integration/autoland/rev/d6f212c67002
Part 2: Track BrowserParent lifecycles during process switches, r=kmag
https://hg.mozilla.org/integration/autoland/rev/ed3feb801017
Part 3: Add test for switching back into unloading process, r=kmag

Comment 7

[Andreea Pavel [:apavel]]

Backed out for failing test_bug1699721.html

Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&selectedTaskRun=TMQmvzbER5WTA3yGxUO75w.0&resultStatus=testfailed%2Cbusted%2Cexception%2Cretry%2Cusercancel&revision=ed3feb80101797a1813d09387e17c6b3f3a266bf

Failure log: https://treeherder.mozilla.org/logviewer?job_id=335050080&repo=autoland&lineNumber=1928

Backout: https://hg.mozilla.org/integration/autoland/rev/5716af4f41fe648551b36f4db84304e66890fed9

Comment 8

[Pulsebot]

Pushed by nlayzell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2b3a6042d48e
Part 1: Fully remove LegacyCheckOnlyOwningProcess, r=kmag
https://hg.mozilla.org/integration/autoland/rev/e1fd1fa67a65
Part 2: Track BrowserParent lifecycles during process switches, r=kmag
https://hg.mozilla.org/integration/autoland/rev/5969838fee53
Part 3: Add test for switching back into unloading process, r=kmag

Comment 9

[Natalia Csoregi [:nataliaCs]]

https://hg.mozilla.org/mozilla-central/rev/2b3a6042d48e
https://hg.mozilla.org/mozilla-central/rev/e1fd1fa67a65
https://hg.mozilla.org/mozilla-central/rev/5969838fee53