Crash [@ get]
Category: Core :: DOM: Web Payments (defect)
Tracking: firefox94 fixed
People: Reporter: jkratzer, Assigned: jstutte
References: Blocks 1 open bug
Keywords: testcase; Whiteboard: [bugmon:confirm]
Attachments: 2 files
Testcase found while fuzzing mozilla-central rev c8c5ee96321f (built with: --enable-address-sanitizer --enable-fuzzing).
The attached testcase is not fully reduced. It can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build c8c5ee96321f --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
[@ get]
=================================================================
==18220==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f2c859cab42 bp 0x7ffc5a835850 sp 0x7ffc5a835600 T0)
==18220==The signal is caused by a READ memory access.
==18220==Hint: address points to the zero page.
#0 0x7f2c859cab42 in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
#1 0x7f2c859cab42 in operator nsIGlobalObject * /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:299:12
#2 0x7f2c859cab42 in void mozilla::dom::Promise::MaybeSomething<nsresult&>(nsresult&, void (mozilla::dom::Promise::*)(JSContext*, JS::Handle<JS::Value>)) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise.h:323:25
#3 0x7f2c8d1f7892 in MaybeReject /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise.h:102:5
#4 0x7f2c8d1f7892 in mozilla::dom::PaymentRequest::RespondAbortPayment(bool) /gecko/dom/payments/PaymentRequest.cpp:886:20
#5 0x7f2c8d20642e in mozilla::dom::PaymentRequestManager::RespondPayment(mozilla::dom::PaymentRequest*, mozilla::dom::IPCPaymentActionResponse const&) /gecko/dom/payments/PaymentRequestManager.cpp:691:17
#6 0x7f2c8d21b3ff in mozilla::dom::PaymentRequestChild::RecvRespondPayment(mozilla::dom::IPCPaymentActionResponse const&) /gecko/dom/payments/ipc/PaymentRequestChild.cpp:40:26
#7 0x7f2c87431dba in mozilla::dom::PPaymentRequestChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PPaymentRequestChild.cpp:157:63
#8 0x7f2c87000ea4 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8366:32
#9 0x7f2c86d641ca in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2051:25
#10 0x7f2c86d61198 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:1978:9
#11 0x7f2c86d629b2 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1826:3
#12 0x7f2c86d6337b in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1857:13
#13 0x7f2c85b4c902 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:502:16
#14 0x7f2c85b193f4 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:805:26
#15 0x7f2c85b16c48 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:641:15
#16 0x7f2c85b1735d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:425:36
#17 0x7f2c85b56941 in operator() /gecko/xpcom/threads/TaskController.cpp:135:37
#18 0x7f2c85b56941 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:532:5
#19 0x7f2c85b33d87 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1148:16
#20 0x7f2c85b3ea5c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:466:10
#21 0x7f2c86d6cb9f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
#22 0x7f2c86c578c1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
#23 0x7f2c86c578c1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
#24 0x7f2c86c578c1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
#25 0x7f2c8d50ef17 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
#26 0x7f2c916f5f4f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:917:20
#27 0x7f2c86c578c1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
#28 0x7f2c86c578c1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
#29 0x7f2c86c578c1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
#30 0x7f2c916f5928 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:749:34
#31 0x55fe9357605d in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#32 0x55fe9357648d in main /gecko/browser/app/nsBrowserApp.cpp:327:18
#33 0x7f2ca68de0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#34 0x55fe934c76f9 in _start (/home/worker/builds/m-c-20210806033613-fuzzing-asan-opt/firefox+0x5b6f9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27 in get
==18220==ABORTING
Comment 1 (Reporter, 3 years ago)
Comment 2 (Reporter, 3 years ago)
A pernosco session for this issue has been uploaded to the following URL:
https://pernos.co/debug/x4DRFD_Zu0eXDgeg6Dfi2A/index.html
Comment 3 (Assignee, 3 years ago)
Thanks for the pernosco session! I put some notes there.
Basically we:
- create a new promise in PaymentRequest::Abort
- receive 4 times a PaymentRequest::NotifyOwnerDocumentActivityChanged and the fourth time we find ourselves in !InFullyActiveDocument() state, which makes us reject and null out mAbortPromise
- receive then the (probably now obsolete) PaymentRequest::RespondAbortPayment, where we MOZ_ASSERT(mAbortPromise); but then access it unguarded in opt builds.
I assume, like in PaymentRequest::NotifyOwnerDocumentActivityChanged, we should check mAbortPromise before rejecting it rather than asserting.
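As an added illustration of the guard proposed in comment 3 (example code, not Gecko's), a reduced C++ model of the abort path: MOZ_ASSERT compiles to nothing in an opt build, so the hardened handler checks mAbortPromise and mState explicitly and ignores the late response. The Promise stand-in, the state names and the "AbortError" reason are assumptions.

```cpp
#include <cassert>
#include <memory>
#include <string>

// Mirrors Gecko's behaviour: the assertion is a no-op outside DEBUG builds.
#ifdef DEBUG
#define MOZ_ASSERT(cond) assert(cond)
#else
#define MOZ_ASSERT(cond) ((void)0)
#endif

// Stand-in for mozilla::dom::Promise (assumption: only settle state is tracked).
struct Promise {
  std::string state = "pending";
  void MaybeReject(const std::string& why) { if (state == "pending") state = "rejected:" + why; }
  void MaybeResolve() { if (state == "pending") state = "resolved"; }
};

class PaymentRequest {
 public:
  enum class State { Interactive, Closed };
  std::shared_ptr<Promise> Abort() {
    mAbortPromise = std::make_shared<Promise>();
    return mAbortPromise;  // caller keeps a handle so the outcome is observable
  }
  // Owner document no longer fully active: reject and drop pending promises.
  void NotifyOwnerDocumentActivityChanged(bool fullyActive) {
    if (fullyActive) return;
    if (mAbortPromise) { mAbortPromise->MaybeReject("AbortError"); mAbortPromise = nullptr; }
    mState = State::Closed;
  }
  // Hardened handler: false means the (now obsolete) IPC response was ignored.
  bool RespondAbortPayment(bool aSuccess) {
    MOZ_ASSERT(mAbortPromise);  // alone, this would not stop a null deref in opt builds
    if (!mAbortPromise || mState == State::Closed) return false;
    if (aSuccess) mAbortPromise->MaybeResolve(); else mAbortPromise->MaybeReject("AbortError");
    mAbortPromise = nullptr;
    return true;
  }
 private:
  State mState = State::Interactive;
  std::shared_ptr<Promise> mAbortPromise;
};

// Replays the sequence from the pernosco notes: abort, four activity notifications
// (the fourth with the document no longer fully active), then the late response.
bool ReplayCrashSequence() {
  PaymentRequest req;
  auto promise = req.Abort();
  for (int i = 0; i < 3; ++i) req.NotifyOwnerDocumentActivityChanged(true);
  req.NotifyOwnerDocumentActivityChanged(false);
  bool handled = req.RespondAbortPayment(true);
  return !handled && promise->state == "rejected:AbortError";
}
```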
Comment 4 (Assignee, 3 years ago)
Updated (3 years ago)
Comment 5 (3 years ago)
Bugmon Analysis
Unable to reproduce bug 1731706 using build mozilla-central 20210806033613-c8c5ee96321f. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Pushed by jstutte@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8c51e486379d Explicitely check mAbortPromise and mState during PaymentRequest::RespondAbortPayment r=edenchuang
Comment 7 (bugherder, 3 years ago)
Comment 8 (2 years ago)
:jstutte, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Comment 9 (2 years ago)
Sorry, wrong needinfo because of a bug in the bot.