Closed Bug 1728129 Opened 3 years ago Closed 3 years ago

Crash [@ mozilla::ipc::PBackgroundChild::SendPEndpointForReportConstructor]

Categories: Core :: DOM: Core & HTML, defect, P3
Platform: x86_64 Linux
Status: RESOLVED FIXED
People: Reporter: jkratzer, Assigned: edgar
References: Blocks 1 open bug
Details: Keywords: assertion, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments: 1 file

Testcase found while fuzzing mozilla-central rev 2374a282fbbb (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 2374a282fbbb --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --no-harness --repeat 10
[@ mozilla::ipc::PBackgroundChild::SendPEndpointForReportConstructor]

    =================================================================
    ==960417==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fdf577ded01 bp 0x7ffc2dfcd050 sp 0x7ffc2dfcd030 T0)
    ==960417==The signal is caused by a READ memory access.
    ==960417==Hint: address points to the zero page.
        #0 0x7fdf577ded01 in mozilla::ipc::PBackgroundChild::SendPEndpointForReportConstructor(nsTString<char16_t> const&, mozilla::ipc::PrincipalInfo const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:4995:46
        #1 0x7fdf5db27a55 in mozilla::dom::ReportDeliver::Record(nsPIDOMWindowInner*, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::dom::ReportBody*) /dom/reporting/ReportDeliver.cpp:273:19
        #2 0x7fdf5db36541 in mozilla::dom::ReportingUtils::Report(nsIGlobalObject*, nsAtom*, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::dom::ReportBody*) /dom/reporting/ReportingUtils.cpp:43:3
        #3 0x7fdf5b29ebdd in ReportDeprecation /dom/bindings/BindingUtils.cpp:4147:3
        #4 0x7fdf5b29ebdd in MaybeReportDeprecation /dom/bindings/BindingUtils.cpp:4243:3
        #5 0x7fdf5b29ebdd in mozilla::dom::DeprecationWarning(mozilla::dom::GlobalObject const&, mozilla::dom::DeprecatedOperations) /dom/bindings/BindingUtils.cpp:4263:3
        #6 0x7fdf5b29dceb in mozilla::dom::DeprecationWarning(JSContext*, JSObject*, mozilla::dom::DeprecatedOperations) /dom/bindings/BindingUtils.cpp:4257:3
        #7 0x7fdf5ae637ff in mozRequestFullScreen /builds/worker/workspace/obj-build/dom/bindings/ElementBinding.cpp:4520:3
        #8 0x7fdf5ae637ff in mozilla::dom::Element_Binding::mozRequestFullScreen_promiseWrapper(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/ElementBinding.cpp:4536:13
        #9 0x7fdf5b2810aa in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3300:13
        #10 0x7fdf627aa642 in CallJSNative /js/src/vm/Interpreter.cpp:401:13
        #11 0x7fdf627aa642 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:488:12
        #12 0x7fdf62791d7b in CallFromStack /js/src/vm/Interpreter.cpp:552:10
        #13 0x7fdf62791d7b in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3253:16
        #14 0x7fdf6277bbac in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:370:13
        #15 0x7fdf627aa77b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:520:13
        #16 0x7fdf627ac37b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:565:8
        #17 0x7fdf62a5f5a5 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #18 0x7fdf5affda29 in mozilla::dom::BlobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Blob*, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/HTMLCanvasElementBinding.cpp:102:8
        #19 0x7fdf5b48c3a3 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/HTMLCanvasElementBinding.h:178:12
        #20 0x7fdf5b48c3a3 in mozilla::dom::CanvasRenderingContextHelper::ToBlob(JSContext*, nsIGlobalObject*, mozilla::dom::BlobCallback&, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, bool, mozilla::ErrorResult&)::EncodeCallback::ReceiveBlobImpl(already_AddRefed<mozilla::dom::BlobImpl>) /dom/canvas/CanvasRenderingContextHelper.cpp:52:17
        #21 0x7fdf5960c95d in mozilla::dom::EncodingCompleteEvent::Run() /dom/base/ImageEncoder.cpp
        #22 0x7fdf55ddea72 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:502:16
        #23 0x7fdf55da9e53 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:805:26
        #24 0x7fdf55da7358 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:641:15
        #25 0x7fdf55da7a6d in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:425:36
        #26 0x7fdf55de8af4 in operator() /xpcom/threads/TaskController.cpp:138:37
        #27 0x7fdf55de8af4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /xpcom/threads/nsThreadUtils.h:532:5
        #28 0x7fdf55dc52e7 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1148:16
        #29 0x7fdf55dc34c4 in NS_ProcessNextEvent /xpcom/threads/nsThreadUtils.cpp:466:10
        #30 0x7fdf55dc34c4 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /xpcom/threads/nsThread.cpp:840:22)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:93:25
        #31 0x7fdf55dc34c4 in nsThread::Shutdown() /xpcom/threads/nsThread.cpp:840:3
        #32 0x7fdf55dd4f12 in nsThreadPool::Shutdown() /xpcom/threads/nsThreadPool.cpp:402:17
        #33 0x7fdf55dd508c in non-virtual thunk to nsThreadPool::Shutdown() /xpcom/threads/nsThreadPool.cpp
        #34 0x7fdf55dca048 in BackgroundEventTarget::FinishShutdown() /xpcom/threads/nsThreadManager.cpp:191:10
        #35 0x7fdf55dfeffd in operator() /xpcom/threads/nsThreadManager.cpp:380:29
        #36 0x7fdf55dfeffd in InvokeMethod<(lambda at /xpcom/threads/nsThreadManager.cpp:379:76), void ((lambda at /xpcom/threads/nsThreadManager.cpp:379:76)::*)() const, const mozilla::MozPromise<CopyableTArray<bool>, bool, false>::ResolveOrRejectValue &> /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:637:12
        #37 0x7fdf55dfeffd in InvokeCallbackMethod<false, (lambda at /xpcom/threads/nsThreadManager.cpp:379:76), void ((lambda at /xpcom/threads/nsThreadManager.cpp:379:76)::*)() const, const mozilla::MozPromise<CopyableTArray<bool>, bool, false>::ResolveOrRejectValue &, RefPtr<mozilla::MozPromise<CopyableTArray<bool>, bool, false>::Private> > /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:661:5
        #38 0x7fdf55dfeffd in mozilla::MozPromise<CopyableTArray<bool>, bool, false>::ThenValue<nsThreadManager::Shutdown()::$_6>::DoResolveOrRejectInternal(mozilla::MozPromise<CopyableTArray<bool>, bool, false>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:914:7
        #39 0x7fdf55df9fd2 in mozilla::MozPromise<CopyableTArray<bool>, bool, false>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:487:21
        #40 0x7fdf55ddea72 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:502:16
        #41 0x7fdf55da9e53 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:805:26
        #42 0x7fdf55da7358 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:641:15
        #43 0x7fdf55da7a6d in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:425:36
        #44 0x7fdf55de8af4 in operator() /xpcom/threads/TaskController.cpp:138:37
        #45 0x7fdf55de8af4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /xpcom/threads/nsThreadUtils.h:532:5
        #46 0x7fdf55dc52e7 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1148:16
        #47 0x7fdf55dcc205 in NS_ProcessNextEvent /xpcom/threads/nsThreadUtils.cpp:466:10
        #48 0x7fdf55dcc205 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /xpcom/threads/nsThreadManager.cpp:389:24)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:93:25
        #49 0x7fdf55dcc205 in nsThreadManager::Shutdown() /xpcom/threads/nsThreadManager.cpp:389:3
        #50 0x7fdf55e39669 in mozilla::ShutdownXPCOM(nsIServiceManager*) /xpcom/build/XPCOMInit.cpp:655:28
        #51 0x7fdf624c807c in XRE_TermEmbedding() /toolkit/xre/nsEmbedFunctions.cpp:218:3
        #52 0x7fdf57286c84 in mozilla::ipc::ScopedXREEmbed::Stop() /ipc/glue/ScopedXREEmbed.cpp:90:5
        #53 0x7fdf624c88b6 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:753:16
        #54 0x55be503db18d in content_process_main(mozilla::Bootstrap*, int, char**) /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #55 0x55be503db5bd in main /browser/app/nsBrowserApp.cpp:327:18
        #56 0x7fdf77c3f0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #57 0x55be5032c829 in _start (/home/jkratzer/builds/mc-asan/firefox+0x5b829)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:4995:46 in mozilla::ipc::PBackgroundChild::SendPEndpointForReportConstructor(nsTString<char16_t> const&, mozilla::ipc::PrincipalInfo const&)
    ==960417==ABORTING
Attached file Testcase
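
An added triage helper, not part of the bug report or of Mozilla's own tooling, that parses an AddressSanitizer SEGV report in the format shown above. It extracts the faulting address and access type, builds a crash signature from the top frame, classifies the fault as a zero-page (null pointer) read versus a wild access, and flags whether the stack is inside process shutdown, which is what the `nsThreadManager::Shutdown()` frames in the trace indicate. The sample report is a constructed, abbreviated copy of the trace in this comment; two argument lists are shortened.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the ASAN output above: a subset of the frames,
# with the argument lists of frames #1 and the SUMMARY line shortened.
SAMPLE_REPORT = """\
=================================================================
==960417==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fdf577ded01 bp 0x7ffc2dfcd050 sp 0x7ffc2dfcd030 T0)
==960417==The signal is caused by a READ memory access.
==960417==Hint: address points to the zero page.
    #0 0x7fdf577ded01 in mozilla::ipc::PBackgroundChild::SendPEndpointForReportConstructor(nsTString<char16_t> const&, mozilla::ipc::PrincipalInfo const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:4995:46
    #1 0x7fdf5db27a55 in mozilla::dom::ReportDeliver::Record(nsPIDOMWindowInner*, ...) /dom/reporting/ReportDeliver.cpp:273:19
    #21 0x7fdf5960c95d in mozilla::dom::EncodingCompleteEvent::Run() /dom/base/ImageEncoder.cpp
    #49 0x7fdf55dcc205 in nsThreadManager::Shutdown() /xpcom/threads/nsThreadManager.cpp:389:3
    #57 0x55be5032c829 in _start (/home/jkratzer/builds/mc-asan/firefox+0x5b829)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:4995:46 in mozilla::ipc::PBackgroundChild::SendPEndpointForReportConstructor(...)
==960417==ABORTING
"""

HEADER_RE = re.compile(r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[A-Za-z-]+)"
                       r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?")
ACCESS_RE = re.compile(r"^==\d+==The signal is caused by a (?P<access>READ|WRITE) memory access")
FRAME_RE = re.compile(r"^#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<rest>.+?)\s*$")
# Trailing token of a frame: "/path/file.cpp:line:col", "/path/file.cpp" or "(module+0xoff)".
LOCATION_RE = re.compile(r"^(?P<path>[^\s:]+)(?::(?P<line>\d+))?(?::(?P<col>\d+))?$")
ZERO_PAGE_LIMIT = 0x1000


@dataclass
class Frame:
    index: int
    function: str
    path: Optional[str]
    line: Optional[int]


@dataclass
class AsanCrash:
    pid: int
    kind: str                    # SEGV, heap-use-after-free, ...
    address: Optional[int]       # faulting address for SEGV / bad-access reports
    access: Optional[str]        # READ or WRITE when ASAN says so
    frames: List[Frame] = field(default_factory=list)
    summary: str = ""


def _parse_frame(index: int, rest: str) -> Frame:
    # The function name may contain spaces ("const&", "non-virtual thunk to"),
    # so split off only the last whitespace-separated token as the location.
    function, _, location = rest.rpartition(" ")
    if not function:
        return Frame(index, location, None, None)
    m = LOCATION_RE.match(location)
    if not m:
        return Frame(index, rest, None, None)
    line = int(m.group("line")) if m.group("line") else None
    return Frame(index, function, m.group("path").strip("()"), line)


def parse_asan_report(text: str) -> AsanCrash:
    crash: Optional[AsanCrash] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m and crash is None:
            addr = int(m.group("addr"), 16) if m.group("addr") else None
            crash = AsanCrash(int(m.group("pid")), m.group("kind"), addr, None)
            continue
        if crash is None:
            continue
        m = ACCESS_RE.match(line)
        if m:
            crash.access = m.group("access")
            continue
        m = FRAME_RE.match(line)
        if m:
            crash.frames.append(_parse_frame(int(m.group("idx")), m.group("rest")))
            continue
        if line.startswith("SUMMARY:"):
            crash.summary = line
    if crash is None:
        raise ValueError("no AddressSanitizer error header found")
    return crash


def crash_signature(crash: AsanCrash) -> str:
    """Bugzilla-style '[@ ...]' signature: the top frame with its argument list dropped."""
    if not crash.frames:
        return f"[@ {crash.kind}]"
    name = crash.frames[0].function
    if "(" in name and not name.startswith("operator("):
        name = name[: name.index("(")]
    return f"[@ {name}]"


def classify(crash: AsanCrash) -> str:
    """Separate zero-page faults (a missing null check) from wild accesses worth a closer look."""
    if crash.kind != "SEGV":
        return crash.kind
    access = (crash.access or "access").lower()
    if crash.address is not None and crash.address < ZERO_PAGE_LIMIT:
        return f"null-deref-{access}"
    return f"wild-{access}"


def in_shutdown(crash: AsanCrash) -> bool:
    """True when any frame shows the process was tearing down when it crashed."""
    return any("Shutdown" in f.function for f in crash.frames)


if __name__ == "__main__":
    c = parse_asan_report(SAMPLE_REPORT)
    print(crash_signature(c), classify(c), "during shutdown" if in_shutdown(c) else "")
```

Running the block on the sample prints the same `[@ ...]` signature Bugzilla shows in the bug title, classifies the fault as a null-pointer read, and marks it as a shutdown-time crash, which is the triage information that drove the severity decision further down this bug.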

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210829215733-e7459f43c367.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 37b3648fa3157dd18909434197358397bafb4cdc (20200831034000)
End: 2374a282fbbb201d2bc1fd39c7dcbf0dab568bb5 (20210821212131)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Depends on: domino
Blocks: domino
No longer depends on: domino
Component: DOM: Security → DOM: Core & HTML
Flags: needinfo?(echen)

Yeah, perhaps, but I still would like to try to reproduce this to understand whether it is expected not to be able to create a BackgroundChild.

Assignee: nobody → echen
Flags: needinfo?(echen)

Changing severity to S3 because the crash rate is low.

Severity: -- → S3
Priority: -- → P3

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210821212131-2374a282fbbb) but not with tip (mozilla-central 20211217212339-2c242fa34cb6).
The bug appears to have been fixed in the following build range:

Start: b78709bc0d0cd7bb20145f7cc18226c0e4189036 (20211214034638)
End: 4243f988e94aa79dbdaa230ce86681b0a70eeebb (20211214094205)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=b78709bc0d0cd7bb20145f7cc18226c0e4189036&tochange=4243f988e94aa79dbdaa230ce86681b0a70eeebb
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Closing per comment #6. Not sure if there are other cases that would try to access a null actorChild, but we could always file a new bug or reopen this one if any.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED

:edgar, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(echen)

Sorry, have no idea.

Flags: needinfo?(echen)