Closed Bug 1766469 Opened 2 years ago Closed 2 years ago

Assertion failure: isSome(), at /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:825

Categories

(Core :: DOM: Device Interfaces, defect)

x86_64
Linux
defect

VERIFIED FIXED
102 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox99 --- disabled
firefox100 --- disabled
firefox101 --- disabled
firefox102 --- verified

People

(Reporter: jkratzer, Assigned: gsvelto)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev 31346aa577d3 (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

    $ pip install fuzzfetch grizzly-framework
    $ python -m fuzzfetch --build 31346aa577d3 --asan --fuzzing -n firefox
    $ python -m grizzly.replay ./firefox/firefox testcase.html
    Assertion failure: isSome(), at /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:825

    =================================================================
    ==392414==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f45acb2b991 bp 0x7fffaa9e8110 sp 0x7fffaa9e8020 T0)
    ==392414==The signal is caused by a WRITE memory access.
    ==392414==Hint: address points to the zero page.
        #0 0x7f45acb2b991 in operator* /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:825:3
        #1 0x7f45acb2b991 in Value /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BindingDeclarations.h:185:35
        #2 0x7f45acb2b991 in mozilla::dom::MIDIMessageEvent::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::MIDIMessageEventInit const&, mozilla::ErrorResult&) /dom/midi/MIDIMessageEvent.cpp:75:40
        #3 0x7f45a9628ed2 in mozilla::dom::MIDIMessageEvent_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/MIDIMessageEventBinding.cpp:383:62
        #4 0x7f45b4c02f95 in CallJSNative /js/src/vm/Interpreter.cpp:420:13
        #5 0x7f45b4c02f95 in CallJSNativeConstructor /js/src/vm/Interpreter.cpp:436:8
        #6 0x7f45b4c02f95 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /js/src/vm/Interpreter.cpp:652:10
        #7 0x7f45b4bed75c in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3304:16
        #8 0x7f45b4bd20a1 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:389:13
        #9 0x7f45b4c007af in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:539:13
        #10 0x7f45b4c0233a in InternalCall /js/src/vm/Interpreter.cpp:574:10
        #11 0x7f45b4c0233a in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:605:8
        #12 0x7f45b334c92d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #13 0x7f45aa873289 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
        #14 0x7f45ab5fbed4 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
        #15 0x7f45ab5fb990 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1310:43
        #16 0x7f45ab5fcfbf in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1507:17
        #17 0x7f45ab5eafee in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:348:17
        #18 0x7f45ab5e9861 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:550:16
        #19 0x7f45ab5eda53 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1119:11
        #20 0x7f45ae709582 in nsDocumentViewer::LoadComplete(nsresult) /layout/base/nsDocumentViewer.cpp:1084:7
        #21 0x7f45b20eda73 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /docshell/base/nsDocShell.cpp:6462:20
        #22 0x7f45b20ecd37 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:5851:7
        #23 0x7f45b20eec2f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp
        #24 0x7f45a79103e0 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /uriloader/base/nsDocLoader.cpp:1377:3
        #25 0x7f45a790ede4 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:975:14
        #26 0x7f45a790b732 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:794:9
        #27 0x7f45a790d7a1 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:677:5
        #28 0x7f45b212860b in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13859:23
        #29 0x7f45a604771e in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:614:22
        #30 0x7f45a604a154 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:518:10
        #31 0x7f45a8d31fd4 in mozilla::dom::Document::DoUnblockOnload() /dom/base/Document.cpp:11664:18
        #32 0x7f45a8cdee30 in mozilla::dom::Document::UnblockOnload(bool) /dom/base/Document.cpp:11602:9
        #33 0x7f45a8d09e29 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8137:3
        #34 0x7f45a8dfd57d in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
        #35 0x7f45a8dfd57d in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
        #36 0x7f45a8dfd57d in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
        #37 0x7f45a5cac4cf in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:140:20
        #38 0x7f45a5cf87a2 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:467:16
        #39 0x7f45a5cbf4c5 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:780:26
        #40 0x7f45a5cbc678 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:612:15
        #41 0x7f45a5cbcda0 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:390:36
        #42 0x7f45a5d04d31 in operator() /xpcom/threads/TaskController.cpp:124:37
        #43 0x7f45a5d04d31 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #44 0x7f45a5cdf5b7 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1180:16
        #45 0x7f45a5ce92cc in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #46 0x7f45a73d25df in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #47 0x7f45a724d611 in RunInternal /ipc/chromium/src/base/message_loop.cc:380:10
        #48 0x7f45a724d611 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #49 0x7f45a724d611 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #50 0x7f45ae064557 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #51 0x7f45b2ef7aaf in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:870:20
        #52 0x7f45a724d611 in RunInternal /ipc/chromium/src/base/message_loop.cc:380:10
        #53 0x7f45a724d611 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #54 0x7f45a724d611 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #55 0x7f45b2ef6c5b in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:729:34
        #56 0x55a0972b1bad in content_process_main(mozilla::Bootstrap*, int, char**) /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #57 0x55a0972b1fe0 in main /browser/app/nsBrowserApp.cpp:327:18
        #58 0x7f45cb7f10b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
        #59 0x55a0971f1ff9 in _start (/home/jkratzer/builds/mc-asan/firefox+0x5eff9) (BuildId: d3078da1ffa6f7917d102c581d2bd387bb560edc)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:825:3 in operator*
    ==392414==ABORTING
Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220426094609-31346aa577d3.
The bug appears to have been introduced in the following build range:

Start: ca774a5b6b7b6874f91abb76a422582d37169a57 (20220221213946)
End: b4acd0ef33a25d9e46eb367b67f4eceba9836f3b (20220221215008)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ca774a5b6b7b6874f91abb76a422582d37169a57&tochange=b4acd0ef33a25d9e46eb367b67f4eceba9836f3b

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Crash Signature: [@ mozilla::dom::MIDIMessageEvent::Constructor ]
Keywords: crash
Component: DOM: Core & HTML → DOM: Device Interfaces

Gabriele, can you take a look? Thanks.

Flags: needinfo?(gsvelto)

Set release status flags based on info from the regressing bug 1765894

I had noticed the inconsistency in the spec and in Chrome's implementation so I didn't really know what to do with it :(

Has Regression Range: --- → yes

Set release status flags based on info from the regressing bug 1765894

Blocks: 1748641

I'm trying to fix bug 1769009 before I get to this one, hopefully both should be fixed by next week.

Assignee: nobody → gsvelto
Status: NEW → ASSIGNED
Flags: needinfo?(gsvelto)

I'm going to match Chrome's behavior here and generate an empty message. I first thought about throwing but it's likely that the existing codebase relies on Chrome's behavior of silently accepting these empty messages.

There's something that I was wondering though. Chrome's tests check that if you don't populate data it is null; that would require changing the WebIDL, but I'm reluctant to do it. I'd rather have an empty array instead. Paul, WDYT?

Flags: needinfo?(padenot)

This change matches Chrome's behavior of not throwing in cases when the
data field is null. However contrary to Chrome we populate the object
with an empty array instead of a null reference.
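The crash class behind this bug and the shape of the fix described above, as an added example that is not Gecko code: a simplified stand-in for the generated MIDIMessageEventInit dictionary is modelled with std::optional, the "before" constructor dereferences the optional data field unconditionally, and the "after" constructor does what the commit message describes, accepting a missing or null data field and populating the event with an empty array. The struct and function names are hypothetical. Gecko's Optional<T>::Value() asserts isSome() on an unset member (the assertion in the report) and in a release build dereferences an invalid pointer (the ASan SEGV on address 0x1); std::optional::value() throws std::bad_optional_access instead, which makes the failure observable here without undefined behaviour.

```cpp
// Added example, not Gecko's code. Models the unchecked-optional dereference
// behind this bug and the fix's "empty array instead of null" handling.
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>
#include <vector>

// Hypothetical, simplified stand-in for the WebIDL-generated
// MIDIMessageEventInit. Both an omitted `data` member and `data: null` are
// modelled as an empty optional (assumption of this example).
struct MidiMessageEventInit {
  std::optional<std::vector<uint8_t>> data;
};

struct MidiMessageEvent {
  std::string type;
  std::vector<uint8_t> data;
};

// "Before": assumes the dictionary always carries data. Gecko's equivalent
// asserts isSome() in debug builds and writes through an invalid pointer in
// release builds; std::optional::value() throws bad_optional_access.
MidiMessageEvent ConstructAssumingData(const std::string& type,
                                       const MidiMessageEventInit& init) {
  return MidiMessageEvent{type, init.data.value()};
}

// "After": mirrors the fix. A missing/null data field does not throw; the
// event is populated with an empty array rather than a null reference.
MidiMessageEvent ConstructWithDefault(const std::string& type,
                                      const MidiMessageEventInit& init) {
  return MidiMessageEvent{type, init.data.value_or(std::vector<uint8_t>{})};
}

// Check used by the stand-alone run and the tests: does the unchecked
// constructor fail when script omits the data field?
bool MissingDataIsRejected() {
  try {
    (void)ConstructAssumingData("midimessage", MidiMessageEventInit{});
  } catch (const std::bad_optional_access&) {
    return true;
  }
  return false;
}

bool HasEmptyData(const MidiMessageEvent& ev) { return ev.data.empty(); }

int main() {
  // Constructed sample: a MIDI note-on message (status 0x90, note 60, velocity 127).
  MidiMessageEventInit withData{std::vector<uint8_t>{0x90, 0x3c, 0x7f}};
  MidiMessageEventInit withoutData{};

  std::printf("unchecked ctor fails on missing data: %s\n",
              MissingDataIsRejected() ? "yes" : "no");
  std::printf("fixed ctor, missing data -> %zu bytes\n",
              ConstructWithDefault("midimessage", withoutData).data.size());
  std::printf("fixed ctor, note-on -> %zu bytes\n",
              ConstructWithDefault("midimessage", withData).data.size());
  return 0;
}
```

The design choice worth noting is the one the commit message makes: the fixed constructor normalises the absent field at the boundary (empty array) so every downstream consumer of `data` can rely on a valid, possibly empty, buffer instead of each one re-checking for null.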

Pushed by gsvelto@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/52649d6014b8
Handle empty data fields when creating MIDIMessageEvent objects r=padenot
Blocks: 1770131
Pushed by nfay@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4d2390d6d742
Fix lint failure in test_midi_message_event.html r=fix CLOSED TREE

Backed out for causing mochitest failures on test_midi_message_event.html

Backout link

Push with failures

Failure log

Flags: needinfo?(gsvelto)

Silly mistake, I forgot to remove the old async test function and replace it with add_task().

Flags: needinfo?(gsvelto)
Pushed by gsvelto@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/aaaed875acb3
Handle empty data fields when creating MIDIMessageEvent objects r=padenot
Flags: needinfo?(padenot)
Pushed by gsvelto@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b602dc09f1de
Handle empty data fields when creating MIDIMessageEvent objects r=padenot
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 102 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220520153703-1d31a0098979.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Flags: needinfo?(gsvelto)