Open Bug 1752377 Opened 2 years ago Updated 2 years ago

src/objdir-ff-ubsan/dist/include/mozilla/dom/quota/CheckedUnsafePtr.h:350:43: runtime error: reference binding to null pointer of type 'mozilla::dom::WorkerPrivate'

Categories

(Core :: DOM: Workers, defect, P3)

defect

Tracking

Tracking Status
firefox-esr102 --- affected
firefox98 --- wontfix
firefox101 --- wontfix
firefox102 --- wontfix
firefox103 --- wontfix
firefox104 --- wontfix
firefox105 --- affected
firefox106 --- affected

People

(Reporter: tsmith, Assigned: edenchuang)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined)

This was found by enabling the null check in UBSan. This issue is triggered at launch. This type of issue can create inconsistencies across platforms, architectures and optimization levels.

Found with m-c 20220127-4dfa6c06a936.

To enable this check add the following to your mozconfig:

ac_add_options --enable-undefined-sanitizer="null"

src/objdir-ff-ubsan/dist/include/mozilla/dom/quota/CheckedUnsafePtr.h:350:43: runtime error: reference binding to null pointer of type 'mozilla::dom::WorkerPrivate'
    #0 0x7f10502203e0 in mozilla::CheckedUnsafePtr<mozilla::dom::WorkerPrivate>::operator*() const src/objdir-ff-ubsan/dist/include/mozilla/dom/quota/CheckedUnsafePtr.h:350:36
    #1 0x7f10502203e0 in void mozilla::detail::CheckedUnsafePtrBase<mozilla::dom::WorkerPrivate, (mozilla::CheckingSupport)1>::Set<mozilla::CheckedUnsafePtr<mozilla::dom::WorkerPrivate> >(mozilla::CheckedUnsafePtr<mozilla::dom::WorkerPrivate> const&) src/objdir-ff-ubsan/dist/include/mozilla/dom/quota/CheckedUnsafePtr.h:163:16
    #2 0x7f1050220750 in void mozilla::detail::CheckedUnsafePtrBase<mozilla::dom::WorkerPrivate, (mozilla::CheckingSupport)1>::Replace<mozilla::CheckedUnsafePtr<mozilla::dom::WorkerPrivate> >(mozilla::CheckedUnsafePtr<mozilla::dom::WorkerPrivate> const&) src/objdir-ff-ubsan/dist/include/mozilla/dom/quota/CheckedUnsafePtr.h:147:5
    #3 0x7f1050220675 in mozilla::detail::CheckedUnsafePtrBase<mozilla::dom::WorkerPrivate, (mozilla::CheckingSupport)1>::operator=(mozilla::detail::CheckedUnsafePtrBase<mozilla::dom::WorkerPrivate, (mozilla::CheckingSupport)1> const&) src/objdir-ff-ubsan/dist/include/mozilla/dom/quota/CheckedUnsafePtr.h:124:7
    #4 0x7f105021cb7a in mozilla::CheckedUnsafePtr<mozilla::dom::WorkerPrivate>::operator=(mozilla::CheckedUnsafePtr<mozilla::dom::WorkerPrivate>&&) src/objdir-ff-ubsan/dist/include/mozilla/dom/quota/CheckedUnsafePtr.h:339:7
    #5 0x7f105021cb7a in mozilla::dom::AutoSyncLoopHolder::Run() src/objdir-ff-ubsan/dist/include/mozilla/dom/WorkerPrivate.h:1473:20
    #6 0x7f1051e83cbb in mozilla::dom::(anonymous namespace)::LoadAllScripts(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder> >, nsTArray<mozilla::dom::(anonymous namespace)::ScriptLoadInfo>, bool, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&) src/dom/workers/ScriptLoader.cpp:2367:12
    #7 0x7f1051e83197 in mozilla::dom::workerinternals::LoadMainScript(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder> >, nsTSubstring<char16_t> const&, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&) src/dom/workers/ScriptLoader.cpp:2481:3
    #8 0x7f1051f03e39 in mozilla::dom::(anonymous namespace)::CompileScriptRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) src/dom/workers/WorkerPrivate.cpp:376:5
    #9 0x7f1051ef3211 in mozilla::dom::WorkerRunnable::Run() src/dom/workers/WorkerRunnable.cpp:377:12
    #10 0x7f1049b7c967 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1189:16
    #11 0x7f1049b863fe in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:467:10
    #12 0x7f1051edb18d in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) src/dom/workers/WorkerPrivate.cpp:3114:7
    #13 0x7f1051e97606 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() src/dom/workers/RuntimeService.cpp:2167:42
    #14 0x7f1049b7c967 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1189:16
    #15 0x7f1049b863fe in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:467:10
    #16 0x7f104b170789 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:300:20
    #17 0x7f104afca7d5 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:331:10
    #18 0x7f104afca7d5 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:324:3
    #19 0x7f104afca7d5 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
    #20 0x7f1049b75431 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:391:10
    #21 0x7f1075f1d499 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #22 0x7f1075b536da in start_thread /build/glibc-S9d2JN/glibc-2.27/nptl/pthread_create.c:463
    #23 0x7f1074b3171e in __clone /build/glibc-S9d2JN/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

It seems like our implementation of CheckedUnsafePtr is operating in reference-space for type U in various spots like Replace/Set where we probably should be operating in terms of pointers to avoid binding a reference to a nullptr.

(Edit: note/disclaimer: It's possible that maybe U already integrates a pointer somehow and I've missed that in my cursory scan. This is particularly a spot where I will likely apply the effort to seeing if I can make searchfox more directly tell me the template instantiations rather than spending the effort getting in the template headspace!)

asuth, feel free to correct my triage rating here.

Severity: -- → S3
Flags: needinfo?(bugmail)
Priority: -- → P3
Flags: needinfo?(bugmail)
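As an added illustration of the point raised above (this is not Mozilla's CheckedUnsafePtr and not code from this bug), here is a minimal checked-pointer wrapper whose Set/Replace take a raw pointer rather than a reference; PtrSpaceCheckedPtr, WorkerLike and the two helper functions are hypothetical names. Move-assigning an empty instance into a member that already holds a live pointer, the shape of the AutoSyncLoopHolder::Run frame in the trace, then passes a null pointer value through Set instead of binding a T& to it, so UBSan's null check has nothing to report:

```cpp
#include <cassert>
#include <utility>

// Hypothetical stand-in for the pointee type (constructed for this example).
struct WorkerLike {
  int id;
};

// Minimal checked-pointer wrapper (example only, not Mozilla's class): every
// internal assignment goes through Set(T*)/Replace(T*), so a null value is
// carried as a pointer and never turned into a reference.
template <typename T>
class PtrSpaceCheckedPtr {
 public:
  PtrSpaceCheckedPtr() = default;
  explicit PtrSpaceCheckedPtr(T* aPtr) { Set(aPtr); }
  PtrSpaceCheckedPtr(const PtrSpaceCheckedPtr& aOther) { Set(aOther.mRawPtr); }

  // Copy/move assignment hand the pointer value through, null included.
  // The reference-space shape that trips UBSan's null check would look like
  //   Set(*aOther);   // forms a T& from a possibly-null pointer: undefined
  // and is deliberately not written here.
  PtrSpaceCheckedPtr& operator=(const PtrSpaceCheckedPtr& aOther) {
    Replace(aOther.mRawPtr);
    return *this;
  }
  PtrSpaceCheckedPtr& operator=(PtrSpaceCheckedPtr&& aOther) noexcept {
    T* incoming = aOther.mRawPtr;  // read before clearing: safe for self-move
    aOther.mRawPtr = nullptr;
    Replace(incoming);
    return *this;
  }

  T* get() const { return mRawPtr; }
  explicit operator bool() const { return mRawPtr != nullptr; }

  // Dereferencing is only defined for a non-null instance; the assert turns
  // silent undefined behaviour into a loud failure in debug/sanitizer builds.
  T& operator*() const {
    assert(mRawPtr != nullptr && "PtrSpaceCheckedPtr: dereferencing null");
    return *mRawPtr;
  }

  // Number of times the stored pointer was (re)assigned; lets a test observe
  // that null assignments flow through Set like any other value.
  unsigned SetCount() const { return mSetCount; }

 private:
  void Set(T* aPtr) {
    mRawPtr = aPtr;
    ++mSetCount;
  }
  void Replace(T* aPtr) { Set(aPtr); }

  T* mRawPtr = nullptr;
  unsigned mSetCount = 0;
};

// Mirrors the crash shape: a member that already points at a live object is
// move-assigned a fresh, empty wrapper. With pointer-space Set/Replace the
// member simply becomes null. Returns true when that holds.
bool NullMoveAssignIsSafe() {
  WorkerLike worker{7};
  PtrSpaceCheckedPtr<WorkerLike> member(&worker);
  PtrSpaceCheckedPtr<WorkerLike> empty;
  member = std::move(empty);
  return !member && member.get() == nullptr && member.SetCount() == 2;
}

// Normal use: a copied non-null instance dereferences to the pointee.
int IdThroughCheckedPtr() {
  WorkerLike worker{42};
  PtrSpaceCheckedPtr<WorkerLike> p(&worker);
  PtrSpaceCheckedPtr<WorkerLike> copy(p);
  return (*copy).id;
}

int main() {
  assert(NullMoveAssignIsSafe());
  assert(IdThroughCheckedPtr() == 42);
  return 0;
}
```

Building this with -fsanitize=undefined -fsanitize=null and running it produces no report, whereas a wrapper whose Set takes `T&` and is called as `Set(*aOther)` on the empty instance reports the same "reference binding to null pointer" diagnostic seen in the trace above.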

Please let me know if a Pernosco session would be helpful here.

A Pernosco session is available here: https://pernos.co/debug/hb9Ng0vKPUi6alT9LekBDw/index.html

(In reply to Tyson Smith [:tsmith] from comment #4)

A Pernosco session is available here: https://pernos.co/debug/hb9Ng0vKPUi6alT9LekBDw/index.html

Hi Eden, that might be of interest for you?

Flags: needinfo?(bugmail) → needinfo?(echuang)
Assignee: nobody → echuang
Depends on: 1789399
Flags: needinfo?(echuang)