Assertion failure: false (MOZ_ASSERT_UNREACHABLE: nsIBrowser::GetProcessSwitchBehavior shouldn't fail), at /netwerk/ipc/DocumentLoadListener.cpp:1521
Categories
(Core :: Networking, defect, P2)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox-esr91 | --- | unaffected |
| firefox93 | --- | unaffected |
| firefox94 | --- | wontfix |
| firefox95 | --- | fixed |
People
(Reporter: jkratzer, Assigned: annyG)
References
(Blocks 1 open bug)
Details
(Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed][necko-triaged])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 29d6504debf5 (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 29d6504debf5 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
Assertion failure: false (MOZ_ASSERT_UNREACHABLE: nsIBrowser::GetProcessSwitchBehavior shouldn't fail), at /netwerk/ipc/DocumentLoadListener.cpp:1521
==2022180==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f3fa506acfb bp 0x7ffe18da92c0 sp 0x7ffe18da9130 T2022180)
==2022180==The signal is caused by a WRITE memory access.
==2022180==Hint: address points to the zero page.
#0 0x7f3fa506acfb in ContextCanProcessSwitch /netwerk/ipc/DocumentLoadListener.cpp:1520:5
#1 0x7f3fa506acfb in mozilla::net::DocumentLoadListener::MaybeTriggerProcessSwitch(bool*) /netwerk/ipc/DocumentLoadListener.cpp:1587:8
#2 0x7f3fa507090e in mozilla::net::DocumentLoadListener::OnStartRequest(nsIRequest*) /netwerk/ipc/DocumentLoadListener.cpp:2178:8
#3 0x7f3fa4ed8a72 in mozilla::net::ParentChannelListener::OnStartRequest(nsIRequest*) /netwerk/protocol/http/ParentChannelListener.cpp:88:25
#4 0x7f3fa5b95fc8 in nsDocumentOpenInfo::OnStartRequest(nsIRequest*) /uriloader/base/nsURILoader.cpp:166:34
#5 0x7f3fa508c342 in mozilla::net::ParentProcessDocumentOpenInfo::OnDocumentStartRequest(nsIRequest*) /netwerk/ipc/DocumentLoadListener.cpp:288:39
#6 0x7f3fa4f37dcb in mozilla::net::nsHttpChannel::CallOnStartRequest() /netwerk/protocol/http/nsHttpChannel.cpp:1602:27
#7 0x7f3fa4f419e1 in mozilla::net::nsHttpChannel::ContinueProcessNormal(nsresult) /netwerk/protocol/http/nsHttpChannel.cpp:2580:8
#8 0x7f3fa4f3d05b in mozilla::net::nsHttpChannel::ContinueProcessResponse3(nsresult) /netwerk/protocol/http/nsHttpChannel.cpp
#9 0x7f3fa4f3caae in mozilla::net::nsHttpChannel::ContinueProcessResponse2(nsresult) /netwerk/protocol/http/nsHttpChannel.cpp:2181:10
#10 0x7f3fa4f3c59a in mozilla::net::nsHttpChannel::ContinueProcessResponse1() /netwerk/protocol/http/nsHttpChannel.cpp:2154:10
#11 0x7f3fa4f3bc45 in mozilla::net::nsHttpChannel::ProcessResponse() /netwerk/protocol/http/nsHttpChannel.cpp:2062:10
#12 0x7f3fa4f5fc82 in mozilla::net::nsHttpChannel::OnStartRequest(nsIRequest*) /netwerk/protocol/http/nsHttpChannel.cpp:6843:31
#13 0x7f3fa497d479 in nsInputStreamPump::OnStateStart() /netwerk/base/nsInputStreamPump.cpp:465:21
#14 0x7f3fa497d0f7 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /netwerk/base/nsInputStreamPump.cpp:374:21
#15 0x7f3fa497df4c in non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /netwerk/base/nsInputStreamPump.cpp
#16 0x7f3fa4772a48 in nsInputStreamReadyEvent::Run() /xpcom/io/nsStreamUtils.cpp:94:20
#17 0x7f3fa47d9dfe in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:478:16
#18 0x7f3fa47b50af in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:781:26
#19 0x7f3fa47b3d18 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:617:15
#20 0x7f3fa47b3f93 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:401:36
#21 0x7f3fa47dd3b9 in operator() /xpcom/threads/TaskController.cpp:129:37
#22 0x7f3fa47dd3b9 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#23 0x7f3fa47c88af in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1148:16
#24 0x7f3fa47cefd2 in NS_ProcessNextEvent /xpcom/threads/nsThreadUtils.cpp:466:10
#25 0x7f3fa47cefd2 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /xpcom/threads/nsThreadManager.cpp:714:36)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:93:25
#26 0x7f3fa47cefd2 in nsThreadManager::SpinEventLoopUntilInternal(nsTSubstring<char> const&, nsINestedEventLoopCondition*, mozilla::ShutdownPhase) /xpcom/threads/nsThreadManager.cpp:714:8
#27 0x7f3fa47fd335 in NS_InvokeByIndex /xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
#28 0x7f3fa5a8a522 in Invoke /js/xpconnect/src/XPCWrappedNative.cpp:1631:10
#29 0x7f3fa5a8a522 in CallMethodHelper::Call() /js/xpconnect/src/XPCWrappedNative.cpp:1184:19
#30 0x7f3fa5a8a0f7 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /js/xpconnect/src/XPCWrappedNative.cpp:1130:23
#31 0x7f3fa5a8bdae in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /js/xpconnect/src/XPCWrappedNativeJSOps.cpp:921:10
#32 0x2b5d9fb1092e (<unknown module>)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /netwerk/ipc/DocumentLoadListener.cpp:1520:5 in ContextCanProcessSwitch
==2022180==ABORTING
Comment 1•3 years ago
Comment 2•3 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210920102201-29d6504debf5.
The bug appears to have been introduced in the following build range:
Start: 098fba7bbdb315116d016087dbfaa6d14505d5f8 (20210913213314)
End: 07cc0233e34734d618bb9eb4b26fb2e0ca68bdd9 (20210913235219)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=098fba7bbdb315116d016087dbfaa6d14505d5f8&tochange=07cc0233e34734d618bb9eb4b26fb2e0ca68bdd9
Comment 3•3 years ago
May I ask you to take a look? You're the most familiar with the process switch code.
Comment 4•3 years ago
Assertion failure because GetProcessSwitchBehavior() failed, which calls into JS and should only fail on OOM or other fatal errors:
Nika recommends we try to move the processSwitchBehavior() logic from JS to C++ to make it more reliable:
Comment 5•3 years ago
Changing severity to S2 while waiting to see more analysis of how important this is.
Comment 6•3 years ago
:annyG, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Comment 7•3 years ago
Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210920102201-29d6504debf5) but not with tip (mozilla-central 20211008214224-798c43651cb1).
The bug appears to have been fixed in the following build range:
Start: cc37b1400a58429d7d98556f6f64cd9fd2d73724 (20211004215121)
End: 92641110e5c9cc095140f25cb4c79e5a15a72a64 (20211006040904)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=cc37b1400a58429d7d98556f6f64cd9fd2d73724&tochange=92641110e5c9cc095140f25cb4c79e5a15a72a64
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 8•3 years ago
Comment 10•3 years ago
Comment 11•3 years ago
It was hard to determine what caused this regression and what subsequently fixed it. I have now moved the function altogether from JavaScript into C++ so that we can't have the call to that function fail anymore.
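The pattern behind comment 4 and the shape of the fix in comment 11, as an added simplified illustration that is not Firefox code: a C++ caller queries a script-implemented method that can fail, and the two safer designs are to fail closed on error or, as the fix did, to compute the answer natively so there is no fallible call at all. The `nsresult` values, `SwitchBehavior` enum, `BrowserState` fields and the switching rules are all hypothetical stand-ins, not the real nsIBrowser constants or DocumentLoadListener logic.

```cpp
#include <cstdint>

using nsresult = uint32_t;                  // hypothetical stand-in for Gecko's nsresult
constexpr nsresult NS_OK = 0;
constexpr nsresult NS_ERROR_FAILURE = 0x80004005;

// Hypothetical simplified behavior values, not the real nsIBrowser constants.
enum class SwitchBehavior : uint8_t { Disabled, Standard, SubframeOnly };

struct BrowserState {
  bool remote;        // content lives in a content process
  bool subframe;      // the navigation is for a subframe
  bool scriptThrows;  // constructed: the JS implementation throws on this call
};

// Models the JS-implemented nsIBrowser::GetProcessSwitchBehavior: it may fail
// (for example the script throws), and then the out-param is left untouched.
nsresult GetProcessSwitchBehaviorFromScript(const BrowserState& s, SwitchBehavior* out) {
  if (s.scriptThrows) return NS_ERROR_FAILURE;
  *out = s.remote ? SwitchBehavior::Standard : SwitchBehavior::Disabled;
  return NS_OK;
}

// Fail-closed caller: an error from the script query means "do not switch"
// instead of asserting the error is unreachable (a no-op in release builds)
// and continuing with whatever the out-param happened to hold.
bool ContextCanProcessSwitchChecked(const BrowserState& s) {
  SwitchBehavior behavior = SwitchBehavior::Disabled;  // safe default if the call fails
  if (GetProcessSwitchBehaviorFromScript(s, &behavior) != NS_OK) return false;
  if (behavior == SwitchBehavior::Disabled) return false;
  if (behavior == SwitchBehavior::SubframeOnly && !s.subframe) return false;
  return true;
}

// The shape of the eventual fix: compute the behavior in C++ from state the
// caller already holds, so no fallible script call exists on this path.
SwitchBehavior ProcessSwitchBehaviorNative(const BrowserState& s) {
  return s.remote ? SwitchBehavior::Standard : SwitchBehavior::Disabled;
}

bool ContextCanProcessSwitchNative(const BrowserState& s) {
  SwitchBehavior behavior = ProcessSwitchBehaviorNative(s);
  if (behavior == SwitchBehavior::Disabled) return false;
  if (behavior == SwitchBehavior::SubframeOnly && !s.subframe) return false;
  return true;
}
```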