Closed Bug 1731613 Opened 2 months ago Closed 1 month ago

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: nsIBrowser::GetProcessSwitchBehavior shouldn't fail), at /netwerk/ipc/DocumentLoadListener.cpp:1521

Categories

(Core :: Networking, defect, P2)

x86_64 Linux

Tracking

Status: RESOLVED FIXED
Target Milestone: 95 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- unaffected
firefox93 --- unaffected
firefox94 --- wontfix
firefox95 --- fixed

People

(Reporter: jkratzer, Assigned: annyG)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed][necko-triaged])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev 29d6504debf5 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 29d6504debf5 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
Assertion failure: false (MOZ_ASSERT_UNREACHABLE: nsIBrowser::GetProcessSwitchBehavior shouldn't fail), at /netwerk/ipc/DocumentLoadListener.cpp:1521

    ==2022180==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f3fa506acfb bp 0x7ffe18da92c0 sp 0x7ffe18da9130 T2022180)
    ==2022180==The signal is caused by a WRITE memory access.
    ==2022180==Hint: address points to the zero page.
        #0 0x7f3fa506acfb in ContextCanProcessSwitch /netwerk/ipc/DocumentLoadListener.cpp:1520:5
        #1 0x7f3fa506acfb in mozilla::net::DocumentLoadListener::MaybeTriggerProcessSwitch(bool*) /netwerk/ipc/DocumentLoadListener.cpp:1587:8
        #2 0x7f3fa507090e in mozilla::net::DocumentLoadListener::OnStartRequest(nsIRequest*) /netwerk/ipc/DocumentLoadListener.cpp:2178:8
        #3 0x7f3fa4ed8a72 in mozilla::net::ParentChannelListener::OnStartRequest(nsIRequest*) /netwerk/protocol/http/ParentChannelListener.cpp:88:25
        #4 0x7f3fa5b95fc8 in nsDocumentOpenInfo::OnStartRequest(nsIRequest*) /uriloader/base/nsURILoader.cpp:166:34
        #5 0x7f3fa508c342 in mozilla::net::ParentProcessDocumentOpenInfo::OnDocumentStartRequest(nsIRequest*) /netwerk/ipc/DocumentLoadListener.cpp:288:39
        #6 0x7f3fa4f37dcb in mozilla::net::nsHttpChannel::CallOnStartRequest() /netwerk/protocol/http/nsHttpChannel.cpp:1602:27
        #7 0x7f3fa4f419e1 in mozilla::net::nsHttpChannel::ContinueProcessNormal(nsresult) /netwerk/protocol/http/nsHttpChannel.cpp:2580:8
        #8 0x7f3fa4f3d05b in mozilla::net::nsHttpChannel::ContinueProcessResponse3(nsresult) /netwerk/protocol/http/nsHttpChannel.cpp
        #9 0x7f3fa4f3caae in mozilla::net::nsHttpChannel::ContinueProcessResponse2(nsresult) /netwerk/protocol/http/nsHttpChannel.cpp:2181:10
        #10 0x7f3fa4f3c59a in mozilla::net::nsHttpChannel::ContinueProcessResponse1() /netwerk/protocol/http/nsHttpChannel.cpp:2154:10
        #11 0x7f3fa4f3bc45 in mozilla::net::nsHttpChannel::ProcessResponse() /netwerk/protocol/http/nsHttpChannel.cpp:2062:10
        #12 0x7f3fa4f5fc82 in mozilla::net::nsHttpChannel::OnStartRequest(nsIRequest*) /netwerk/protocol/http/nsHttpChannel.cpp:6843:31
        #13 0x7f3fa497d479 in nsInputStreamPump::OnStateStart() /netwerk/base/nsInputStreamPump.cpp:465:21
        #14 0x7f3fa497d0f7 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /netwerk/base/nsInputStreamPump.cpp:374:21
        #15 0x7f3fa497df4c in non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /netwerk/base/nsInputStreamPump.cpp
        #16 0x7f3fa4772a48 in nsInputStreamReadyEvent::Run() /xpcom/io/nsStreamUtils.cpp:94:20
        #17 0x7f3fa47d9dfe in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:478:16
        #18 0x7f3fa47b50af in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:781:26
        #19 0x7f3fa47b3d18 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:617:15
        #20 0x7f3fa47b3f93 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:401:36
        #21 0x7f3fa47dd3b9 in operator() /xpcom/threads/TaskController.cpp:129:37
        #22 0x7f3fa47dd3b9 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #23 0x7f3fa47c88af in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1148:16
        #24 0x7f3fa47cefd2 in NS_ProcessNextEvent /xpcom/threads/nsThreadUtils.cpp:466:10
        #25 0x7f3fa47cefd2 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /xpcom/threads/nsThreadManager.cpp:714:36)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:93:25
        #26 0x7f3fa47cefd2 in nsThreadManager::SpinEventLoopUntilInternal(nsTSubstring<char> const&, nsINestedEventLoopCondition*, mozilla::ShutdownPhase) /xpcom/threads/nsThreadManager.cpp:714:8
        #27 0x7f3fa47fd335 in NS_InvokeByIndex /xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
        #28 0x7f3fa5a8a522 in Invoke /js/xpconnect/src/XPCWrappedNative.cpp:1631:10
        #29 0x7f3fa5a8a522 in CallMethodHelper::Call() /js/xpconnect/src/XPCWrappedNative.cpp:1184:19
        #30 0x7f3fa5a8a0f7 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /js/xpconnect/src/XPCWrappedNative.cpp:1130:23
        #31 0x7f3fa5a8bdae in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /js/xpconnect/src/XPCWrappedNativeJSOps.cpp:921:10
        #32 0x2b5d9fb1092e  (<unknown module>)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /netwerk/ipc/DocumentLoadListener.cpp:1520:5 in ContextCanProcessSwitch
    ==2022180==ABORTING
Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210920102201-29d6504debf5.
The bug appears to have been introduced in the following build range:

Start: 098fba7bbdb315116d016087dbfaa6d14505d5f8 (20210913213314)
End: 07cc0233e34734d618bb9eb4b26fb2e0ca68bdd9 (20210913235219)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=098fba7bbdb315116d016087dbfaa6d14505d5f8&tochange=07cc0233e34734d618bb9eb4b26fb2e0ca68bdd9

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

May I ask you to take a look? You're the most familiar with the process switch code.

Flags: needinfo?(agakhokidze)
Assignee: nobody → agakhokidze
Flags: needinfo?(agakhokidze)
Status: NEW → ASSIGNED

Assertion failure because GetProcessSwitchBehavior() failed, which calls into JS and should only fail on OOM or other fatal errors:

https://searchfox.org/mozilla-central/rev/25002b534963ad95ff0c1a3dd0f906ba023ddc8e/netwerk/ipc/DocumentLoadListener.cpp#1518-1525

Nika recommends we try to move the processSwitchBehavior() logic from JS to C++ to make it more reliable:

https://searchfox.org/mozilla-central/rev/25002b534963ad95ff0c1a3dd0f906ba023ddc8e/toolkit/content/widgets/browser-custom-element.js#1806-1823

Changing severity to S2 while waiting to see more analysis of how important this is.

Severity: -- → S2
Priority: -- → P2
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][necko-triaged]
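As an added triage aid for the sanitizer report quoted above (example code written for this page, not part of the bug, of Firefox or of the grizzly tooling), the script below parses such a report and separates the deliberate null write MOZ_CRASH performs on an assertion failure from a genuine null dereference or wild access; the classification rule it applies is a heuristic of this example, not something the bug states.

```python
"""Parse a UBSan/ASan SEGV report and classify the crash (added example for this
page; not part of the bug, Firefox or grizzly). Heuristic used below: a WRITE to
the zero page right after an "Assertion failure:" line is MOZ_CRASH's deliberate
null write, so the report is triaged as the assertion, not as a memory bug."""
import re

ASSERT_RE = re.compile(r"^Assertion failure: (.+), at (\S+):(\d+)$")
SEGV_RE = re.compile(r"Sanitizer: SEGV on unknown address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"signal is caused by a (READ|WRITE) memory access")
# "#N 0xADDR in <function> </path/file>[:line[:col]]"; the function may contain spaces.
FRAME_RE = re.compile(r"^#(\d+) 0x[0-9a-f]+ in (.+?) (/\S+?)(?::(\d+)(?::\d+)?)?$")
ZERO_PAGE_END = 0x1000  # the zero page is never mapped by default


def parse_report(text):
    """Collect the assertion, fault address, access kind and symbolised frames."""
    info = {"assertion": None, "address": None, "access": None, "frames": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ASSERT_RE.match(line):
            info["assertion"] = {"msg": m[1], "file": m[2], "line": int(m[3])}
        elif m := SEGV_RE.search(line):
            info["address"] = int(m[1], 16)
        elif m := ACCESS_RE.search(line):
            info["access"] = m[1]
        elif m := FRAME_RE.match(line):
            line_no = int(m[4]) if m[4] else None  # some frames carry no line
            info["frames"].append({"func": m[2], "file": m[3], "line": line_no})
    return info


def classify(info):
    """Bucket: deliberate-crash, null-deref, wild-access or no-segv."""
    if info["address"] is None:
        return "no-segv"
    near_null = info["address"] < ZERO_PAGE_END
    if near_null and info["access"] == "WRITE" and info["assertion"]:
        return "deliberate-crash"
    return "null-deref" if near_null else "wild-access"


# Constructed sample: an excerpt of the report attached to this bug.
SAMPLE = """\
Assertion failure: false (MOZ_ASSERT_UNREACHABLE: nsIBrowser::GetProcessSwitchBehavior shouldn't fail), at /netwerk/ipc/DocumentLoadListener.cpp:1521
==2022180==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f3fa506acfb bp 0x7ffe18da92c0 sp 0x7ffe18da9130 T2022180)
==2022180==The signal is caused by a WRITE memory access.
    #0 0x7f3fa506acfb in ContextCanProcessSwitch /netwerk/ipc/DocumentLoadListener.cpp:1520:5
    #8 0x7f3fa4f3d05b in mozilla::net::nsHttpChannel::ContinueProcessResponse3(nsresult) /netwerk/protocol/http/nsHttpChannel.cpp
"""
```

Run `classify(parse_report(SAMPLE))` to get the bucket; `parse_report` also hands back the top frame so the file:line to read first is available without grepping the report.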

:annyG, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(agakhokidze)

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210920102201-29d6504debf5) but not with tip (mozilla-central 20211008214224-798c43651cb1).
The bug appears to have been fixed in the following build range:

Start: cc37b1400a58429d7d98556f6f64cd9fd2d73724 (20211004215121)
End: 92641110e5c9cc095140f25cb4c79e5a15a72a64 (20211006040904)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=cc37b1400a58429d7d98556f6f64cd9fd2d73724&tochange=92641110e5c9cc095140f25cb4c79e5a15a72a64
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Attachment #9246666 - Attachment description: WIP: Bug 1731613 - Move GetProcessSwitchBehavior method to C++, r=nika! → Bug 1731613 - Move GetProcessSwitchBehavior method to C++, r=nika!
Pushed by agakhokidze@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f45c40a6b0ad
Move GetProcessSwitchBehavior method to C++, r=nika
Status: ASSIGNED → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → 95 Branch

It was hard to determine what caused this regression and what subsequently fixed it. I have now moved the function altogether from JavaScript into C++ so that we can't have the call to that function fail anymore.

Flags: needinfo?(agakhokidze)