Assertion failure: false (Should not receive non-decodable data), at /builds/worker/checkouts/gecko/dom/ipc/jsactor/JSActorManager.cpp:180
Categories
(Core :: DOM: Content Processes, defect, P3)
People
(Reporter: geeknik, Unassigned)
Details
(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Whilst testing Firefox Nightly ASAN Build ID 20210607094749, we encountered this assertion failure and tab crash. We were running the tests at https://v8.github.io/test262/website/default.html# when this happened. Everything on this profile is default other than editing the ASAN email address and enabling Avif, JpegXL, WebGL and WebGPU.
Assertion failure: false (Should not receive non-decodable data), at /builds/worker/checkouts/gecko/dom/ipc/jsactor/JSActorManager.cpp:180
AddressSanitizer:DEADLYSIGNAL
The ASAN log file shows this stack trace:
==1038463==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4899de134c bp 0x7ffc4f8a0130 sp 0x7ffc4f89fca0 T0)
==1038463==The signal is caused by a WRITE memory access.
==1038463==Hint: address points to the zero page.
#0 0x7f4899de134c in mozilla::dom::JSActorManager::ReceiveRawMessage(mozilla::dom::JSActorMessageMeta const&, mozilla::Maybe<mozilla::dom::ipc::StructuredCloneData>&&, mozilla::Maybe<mozilla::dom::ipc::StructuredCloneData>&&) /builds/worker/checkouts/gecko/dom/ipc/jsactor/JSActorManager.cpp:180:7
#1 0x7f4899db3633 in mozilla::dom::WindowGlobalChild::RecvRawMessage(mozilla::dom::JSActorMessageMeta const&, mozilla::Maybe<mozilla::dom::ClonedMessageData> const&, mozilla::Maybe<mozilla::dom::ClonedMessageData> const&) /builds/worker/checkouts/gecko/dom/ipc/WindowGlobalChild.cpp:592:3
#2 0x7f48934c8469 in mozilla::dom::PWindowGlobalChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWindowGlobalChild.cpp:1413:61
#3 0x7f4892e2b065 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8292:32
#4 0x7f4892bf8c4c in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2155:25
#5 0x7f4892bf51c9 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2079:9
#6 0x7f4892bf6e5a in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1924:3
#7 0x7f4892bf7521 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1955:13
#8 0x7f489191f030 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:483:16
#9 0x7f48918df7a2 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:786:26
#10 0x7f48918dc328 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:622:15
#11 0x7f48918dca17 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:406:36
#12 0x7f4891926941 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:139:37
#13 0x7f4891926941 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:534:5
#14 0x7f48918fefb1 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
#15 0x7f489190cd71 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#16 0x7f4892c00507 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#17 0x7f4892b05e22 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
#18 0x7f4892b05e22 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
#19 0x7f4892b05e22 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
#20 0x7f489a71a36a in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#21 0x7f489ef8e84f in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:911:20
#22 0x7f4892b05e22 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
#23 0x7f4892b05e22 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
#24 0x7f4892b05e22 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
#25 0x7f489ef8e0b6 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
#26 0x5647147e0ac1 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#27 0x5647147e0ac1 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:313:18
#28 0x7f48a9346b74 in __libc_start_main (/lib64/libc.so.6+0x27b74)
#29 0x564714731318 in _start (/home/geeknik/firefox/firefox-bin+0xab318)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/dom/ipc/jsactor/JSActorManager.cpp:180:7 in mozilla::dom::JSActorManager::ReceiveRawMessage(mozilla::dom::JSActorMessageMeta const&, mozilla::Maybe<mozilla::dom::ipc::StructuredCloneData>&&, mozilla::Maybe<mozilla::dom::ipc::StructuredCloneData>&&)
==1038463==ABORTING
Comment 1•3 years ago
We assert after we've caught the unexpected error, and after we return and drop the message. Does not seem to be abusable, especially since we don't trust the child anyway.
Comment 2•3 years ago
Nika says this assertion failure happens in the wild, usually after a JS heap OOM.
Brian, is there a specific test262 test case that triggers this assertion failure for you?
Comment 3•3 years ago (Reporter)
This is rather intermittent, we haven't been able to pin it down to a particular test.