src/objdir-ff-ubsan/dist/include/mozilla/dom/quota/CheckedUnsafePtr.h:350:43: runtime error: reference binding to null pointer of type 'mozilla::dom::WorkerPrivate'
Categories: Core :: DOM: Workers, defect, P3
People: Reporter: tsmith, Assigned: edenchuang
References: Blocks 1 open bug
Details: Keywords: csectype-undefined
This was found by enabling the null check in UBSan. This issue is triggered at launch. This type of issue can create inconsistencies across platforms, architectures and optimization levels.
Found with m-c 20220127-4dfa6c06a936.
To enable this check add the following to your mozconfig:
ac_add_options --enable-undefined-sanitizer="null"
src/objdir-ff-ubsan/dist/include/mozilla/dom/quota/CheckedUnsafePtr.h:350:43: runtime error: reference binding to null pointer of type 'mozilla::dom::WorkerPrivate'
#0 0x7f10502203e0 in mozilla::CheckedUnsafePtr<mozilla::dom::WorkerPrivate>::operator*() const src/objdir-ff-ubsan/dist/include/mozilla/dom/quota/CheckedUnsafePtr.h:350:36
#1 0x7f10502203e0 in void mozilla::detail::CheckedUnsafePtrBase<mozilla::dom::WorkerPrivate, (mozilla::CheckingSupport)1>::Set<mozilla::CheckedUnsafePtr<mozilla::dom::WorkerPrivate> >(mozilla::CheckedUnsafePtr<mozilla::dom::WorkerPrivate> const&) src/objdir-ff-ubsan/dist/include/mozilla/dom/quota/CheckedUnsafePtr.h:163:16
#2 0x7f1050220750 in void mozilla::detail::CheckedUnsafePtrBase<mozilla::dom::WorkerPrivate, (mozilla::CheckingSupport)1>::Replace<mozilla::CheckedUnsafePtr<mozilla::dom::WorkerPrivate> >(mozilla::CheckedUnsafePtr<mozilla::dom::WorkerPrivate> const&) src/objdir-ff-ubsan/dist/include/mozilla/dom/quota/CheckedUnsafePtr.h:147:5
#3 0x7f1050220675 in mozilla::detail::CheckedUnsafePtrBase<mozilla::dom::WorkerPrivate, (mozilla::CheckingSupport)1>::operator=(mozilla::detail::CheckedUnsafePtrBase<mozilla::dom::WorkerPrivate, (mozilla::CheckingSupport)1> const&) src/objdir-ff-ubsan/dist/include/mozilla/dom/quota/CheckedUnsafePtr.h:124:7
#4 0x7f105021cb7a in mozilla::CheckedUnsafePtr<mozilla::dom::WorkerPrivate>::operator=(mozilla::CheckedUnsafePtr<mozilla::dom::WorkerPrivate>&&) src/objdir-ff-ubsan/dist/include/mozilla/dom/quota/CheckedUnsafePtr.h:339:7
#5 0x7f105021cb7a in mozilla::dom::AutoSyncLoopHolder::Run() src/objdir-ff-ubsan/dist/include/mozilla/dom/WorkerPrivate.h:1473:20
#6 0x7f1051e83cbb in mozilla::dom::(anonymous namespace)::LoadAllScripts(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder> >, nsTArray<mozilla::dom::(anonymous namespace)::ScriptLoadInfo>, bool, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&) src/dom/workers/ScriptLoader.cpp:2367:12
#7 0x7f1051e83197 in mozilla::dom::workerinternals::LoadMainScript(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder> >, nsTSubstring<char16_t> const&, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&) src/dom/workers/ScriptLoader.cpp:2481:3
#8 0x7f1051f03e39 in mozilla::dom::(anonymous namespace)::CompileScriptRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) src/dom/workers/WorkerPrivate.cpp:376:5
#9 0x7f1051ef3211 in mozilla::dom::WorkerRunnable::Run() src/dom/workers/WorkerRunnable.cpp:377:12
#10 0x7f1049b7c967 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1189:16
#11 0x7f1049b863fe in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:467:10
#12 0x7f1051edb18d in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) src/dom/workers/WorkerPrivate.cpp:3114:7
#13 0x7f1051e97606 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() src/dom/workers/RuntimeService.cpp:2167:42
#14 0x7f1049b7c967 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1189:16
#15 0x7f1049b863fe in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:467:10
#16 0x7f104b170789 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:300:20
#17 0x7f104afca7d5 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:331:10
#18 0x7f104afca7d5 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:324:3
#19 0x7f104afca7d5 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
#20 0x7f1049b75431 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:391:10
#21 0x7f1075f1d499 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#22 0x7f1075b536da in start_thread /build/glibc-S9d2JN/glibc-2.27/nptl/pthread_create.c:463
#23 0x7f1074b3171e in __clone /build/glibc-S9d2JN/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Comment 1 • 3 years ago
It seems like our implementation of CheckedUnsafePtr is operating in reference-space for type U
in various spots like Replace/Set where we probably should be operating in terms of pointers to avoid binding a reference to a nullptr.
(Edit: note/disclaimer: It's possible that maybe U already integrates a pointer somehow and I've missed that in my cursory scan. This is particularly a spot where I will likely apply the effort to seeing if I can make searchfox more directly tell me the template instantiations rather than spending the effort getting in the template headspace!)
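An added example, not Gecko's CheckedUnsafePtr code, showing the pointer-space pattern the comment above argues for: copy-assignment from an empty wrapper never forms a `U&`, while a reference-taking setter is only sound when the source is already known to be non-null. The names `MiniCheckedPtr`, `Target`, `Set` and `Replace` are assumed for illustration.

```cpp
#include <cstdlib>
// Added illustration, not Gecko's CheckedUnsafePtr: a minimal checked
// pointer wrapper whose Replace/operator= work in pointer space.
struct Target { int id; };

template <typename T>
class MiniCheckedPtr {
 public:
  MiniCheckedPtr() = default;
  explicit MiniCheckedPtr(T* aPtr) : mRaw(aPtr) {}
  // Reference-space setter: a T& can never be null, so Set(*aOther) on an
  // empty wrapper binds a reference to nullptr, the UB UBSan reports here.
  void Set(T& aRef) { mRaw = &aRef; }
  // Pointer-space setter: nullptr is an ordinary value and nothing is
  // dereferenced, so copying from an empty wrapper is well defined.
  void Replace(T* aPtr) { mRaw = aPtr; }
  // Copy-assignment deliberately takes the pointer-space path.
  MiniCheckedPtr& operator=(const MiniCheckedPtr& aOther) {
    Replace(aOther.mRaw);
    return *this;
  }
  // Loud on empty: abort instead of silently binding a null reference.
  T& operator*() const {
    if (!mRaw) std::abort();
    return *mRaw;
  }
  explicit operator bool() const { return mRaw != nullptr; }
 private:
  T* mRaw = nullptr;
};

// Copies src into a populated dst; returns the id now reachable, or -1 when
// the copy correctly left dst empty because src was empty.
int IdAfterAssign(bool aSourceEmpty) {
  Target holder{7};
  Target other{42};
  MiniCheckedPtr<Target> dst(&holder);
  MiniCheckedPtr<Target> src(aSourceEmpty ? nullptr : &other);
  dst = src;  // no dereference of src, so fine in both cases
  return dst ? (*dst).id : -1;
}

// The reference path is sound only because src is known non-empty here;
// the same call on an empty src is exactly the pattern this bug describes.
int IdViaRefSetter() {
  Target other{42};
  MiniCheckedPtr<Target> src(&other);
  MiniCheckedPtr<Target> dst;
  dst.Set(*src);
  return (*dst).id;
}
```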
Comment 2 • 3 years ago
asuth, feel free to correct my triage rating here.
Comment 3 • 2 years ago (Reporter)
Please let me know if a Pernosco session would be helpful here.
Comment 4 • 2 years ago (Reporter)
A Pernosco session is available here: https://pernos.co/debug/hb9Ng0vKPUi6alT9LekBDw/index.html
Comment 5 • 2 years ago
(In reply to Tyson Smith [:tsmith] from comment #4)
> A Pernosco session is available here: https://pernos.co/debug/hb9Ng0vKPUi6alT9LekBDw/index.html
Hi Eden, that might be of interest for you?