Closed
Bug 1775499
Opened 3 years ago
Closed 2 years ago
Crash [@ nsContentUtils::StructuredClone]
Categories
(Core :: Performance, defect, P3)
Tracking
()
VERIFIED
FIXED
105 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox-esr102 | --- | fixed |
| firefox101 | --- | unaffected |
| firefox102 | --- | unaffected |
| firefox103 | --- | wontfix |
| firefox104 | --- | wontfix |
| firefox105 | --- | verified |
People
(Reporter: jkratzer, Assigned: mcomella)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Crash Data
Attachments
(3 files)
|
3.84 KB,
application/octet-stream
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-esr102+
|
Details | Review |
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-esr102+
|
Details | Review |
Testcase found while fuzzing mozilla-central rev 0242545b34ca (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 0242545b34ca --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
[@ nsContentUtils::StructuredClone]
==1084857==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f3240ecddbb bp 0x7f32363d18d0 sp 0x7f32363d17e0 T1085011)
==1084857==The signal is caused by a READ memory access.
==1084857==Hint: address points to the zero page.
#0 0x7f3240ecddbb in nsContentUtils::StructuredClone(JSContext*, nsIGlobalObject*, JS::Handle<JS::Value>, mozilla::dom::StructuredSerializeOptions const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /dom/base/nsContentUtils.cpp:9994:16
#1 0x7f324419c727 in mozilla::dom::Performance::Measure(JSContext*, nsTSubstring<char16_t> const&, mozilla::dom::StringOrPerformanceMeasureOptions const&, mozilla::dom::Optional<nsTSubstring<char16_t> > const&, mozilla::ErrorResult&) /dom/performance/Performance.cpp:598:5
#2 0x7f324192d912 in mozilla::dom::Performance_Binding::measure(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/PerformanceBinding.cpp:1353:85
#3 0x7f32426f3b3c in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3272:13
#4 0x7f3247b9cb70 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:421:13
#5 0x7f3247b9c37a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:508:12
#6 0x7f3247b93796 in CallFromStack /js/src/vm/Interpreter.cpp:579:10
#7 0x7f3247b93796 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3325:16
#8 0x7f3247b8a952 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:390:13
#9 0x7f3247b9c276 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:540:13
#10 0x7f3247b9d8a8 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:606:8
#11 0x7f32468544a1 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
#12 0x7f3242411633 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:266:37
#13 0x7f3242c7eab9 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
#14 0x7f3242c7dc93 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /dom/events/JSEventHandler.cpp:201:12
#15 0x7f3242c5ee0e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1316:22
#16 0x7f3242c5fa9d in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1507:17
#17 0x7f3242c54984 in HandleEvent /dom/events/EventListenerManager.h:395:5
#18 0x7f3242c54984 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:348:17
#19 0x7f3242c53ed2 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:550:16
#20 0x7f3242c56771 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1119:11
#21 0x7f3242c59216 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp
#22 0x7f3242c30d9b in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/events/DOMEventTargetHelper.cpp:180:17
#23 0x7f3242c66502 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /dom/events/EventTarget.cpp:180:13
#24 0x7f3243f6e065 in mozilla::dom::MessageEventRunnable::DispatchDOMEvent(JSContext*, mozilla::dom::WorkerPrivate*, mozilla::DOMEventTargetHelper*, bool) /dom/workers/MessageEventRunnable.cpp:105:12
#25 0x7f3243fafd53 in mozilla::dom::WorkerRunnable::Run() /dom/workers/WorkerRunnable.cpp:377:12
#26 0x7f323f74d037 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16
#27 0x7f323f75357d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
#28 0x7f3243f9ea74 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /dom/workers/WorkerPrivate.cpp:3167:7
#29 0x7f3243f8805b in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /dom/workers/RuntimeService.cpp:2043:42
#30 0x7f323f74d037 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16
#31 0x7f323f75357d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
#32 0x7f324031fb0b in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
#33 0x7f3240246087 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
#34 0x7f3240245f92 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
#35 0x7f3240245f92 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
#36 0x7f323f748366 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:384:10
#37 0x7f3255556557 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
#38 0x7f32562c8608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
#39 0x7f3255e8f132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/base/nsContentUtils.cpp:9994:16 in nsContentUtils::StructuredClone(JSContext*, nsIGlobalObject*, JS::Handle<JS::Value>, mozilla::dom::StructuredSerializeOptions const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&)
==1084857==ABORTING
|
Reporter | |
Comment 1•3 years ago
|
||
|
||
Comment 2•3 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220622161022-952fc558850b.
The bug appears to have been introduced in the following build range:
Start: 61fa00a3857433da6e086d12c64a8a940f7307eb (20220531160745)
End: cc8cef05c105c65d4aebd17ffa0e5b027c30bf9a (20220531192652)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=61fa00a3857433da6e086d12c64a8a940f7307eb&tochange=cc8cef05c105c65d4aebd17ffa0e5b027c30bf9a
Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
||
Comment 3•3 years ago
|
||
I think the caller was added in bug 1762482. Are we missing some null check?
|
||
Comment 4•3 years ago
|
||
Set release status flags based on info from the regressing bug 1762482
status-firefox101:
--- → unaffected
status-firefox102:
--- → unaffected
status-firefox103:
--- → affected
status-firefox-esr91:
--- → unaffected
|
|
||
Comment 5•3 years ago
|
||
Set release status flags based on info from the regressing bug 1762482
status-firefox104:
--- → affected
status-firefox-esr102:
--- → unaffected
|
||
Updated•3 years ago
|
|
Assignee | |
Comment 6•3 years ago
|
||
I was able to produce the test case with a local build (the fuzzfetch builds crashed on start up for me). I wasn't able to find the minidump grizzly should have produced so with the reporter's help I was able to get the trace in a debugger by modifying the testcase to do a JS alert, running grizzly with --timeout=1200, I attached a debugger, and hit the enter key to dismiss the alert.
The code crashes on the following line:
if (aGlobal->IsSharedMemoryAllowed()) {
It looks like GetParentObject() returns null. I noticed I did guard against this in Performance::Mark so I leveraged that solution even though I don't remember exactly when the global object is unavailable
Assignee: nobody → michael.l.comella
Flags: needinfo?(michael.l.comella)
|
|
Assignee | |
Comment 7•3 years ago
|
||
Root cause: the global object can be null but I wasn't checking for it so it
caused a crash. I don't remember under what conditions it can be null but I saw
I had checked for null when I wrote Performance::Mark and remember debugging it
so it makes sense to do so here as well.
Pushed by mcomella@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1644072b7eac
check for null GetParentObject in Performance::Measure. r=sefeng
|
||
Comment 9•2 years ago
|
||
Backed out for causing failures on/test_performance_user_timing_dying_global.html
- backout: https://hg.mozilla.org/integration/autoland/rev/3942bd959e875ee3a08f8f6ebf5ff4003d6baaca
- push: https://treeherder.mozilla.org/jobs?repo=autoland&revision=1644072b7eacae32d7c84a379380aebc6e6f7d95&group_state=expanded
- failure log: https://treeherder.mozilla.org/logviewer?job_id=385325635&repo=autoland&lineNumber=7225
[task 2022-07-25T16:32:03.442Z] 16:32:03 INFO - TEST-PASS | dom/performance/tests/test_performance_user_timing_dying_global.html | performance.mark on dying global did not crash
[task 2022-07-25T16:32:03.443Z] 16:32:03 INFO - Buffered messages finished
[task 2022-07-25T16:32:03.444Z] 16:32:03 INFO - TEST-UNEXPECTED-FAIL | dom/performance/tests/test_performance_user_timing_dying_global.html | uncaught exception - InvalidStateError: Performance.measure: Global object is unavailable at testDoesNotCrash@http://mochi.test:8888/tests/dom/performance/tests/test_performance_user_timing_dying_global.html:49:41
[task 2022-07-25T16:32:03.445Z] 16:32:03 INFO - @http://mochi.test:8888/tests/dom/performance/tests/test_performance_user_timing_dying_global.html:13:33
[task 2022-07-25T16:32:03.446Z] 16:32:03 INFO -
[task 2022-07-25T16:32:03.446Z] 16:32:03 INFO - simpletestOnerror@SimpleTest/SimpleTest.js:1968:18
[task 2022-07-25T16:32:03.447Z] 16:32:03 INFO - GECKO(3777) | JavaScript error: http://mochi.test:8888/tests/dom/performance/tests/test_performance_user_timing_dying_global.html, line 49: InvalidStateError: Performance.measure: Global object is unavailable
[task 2022-07-25T16:32:03.448Z] 16:32:03 INFO - GECKO(3777) | MEMORY STAT | vsize 2534MB | residentFast 140MB | heapAllocated 10MB
[task 2022-07-25T16:32:03.449Z] 16:32:03 INFO - TEST-OK | dom/performance/tests/test_performance_user_timing_dying_global.html | took 206ms
Flags: needinfo?(michael.l.comella)
|
|
Assignee | |
Comment 10•2 years ago
|
||
Root cause of test failure: the updates in this bug caused performance.measure
to throw an exception if there is a dying global. However, the test didn't try
to catch the exception so it failed with an uncaught exception. I updated the
test to handle this case which it was already doing for performance.mark.
Additionally, I corrected some indentation.
Depends on D151960
|
|
Assignee | |
Updated•2 years ago
|
Flags: needinfo?(michael.l.comella)
|
||
Comment 11•2 years ago
|
||
Pushed by mcomella@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9d20e5362eab
check for null GetParentObject in Performance::Measure. r=sefeng
https://hg.mozilla.org/integration/autoland/rev/e9b58b34cb70
update user_timing_dying_global test for performance.measure. r=sefeng
|
||
Comment 12•2 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/9d20e5362eab
https://hg.mozilla.org/mozilla-central/rev/e9b58b34cb70
Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox105:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch
|
||
Updated•2 years ago
|
|
|
||
Comment 13•2 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220727214405-4e99353cf333.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
||
Comment 14•2 years ago
|
||
Do we need this on ESR as well now that we're backporting bug 1762482 there?
|
|
||
Updated•2 years ago
|
Flags: needinfo?(sefeng)
|
|
||
Comment 15•2 years ago
|
||
| bugherder uplift | ||
|
|
||
Comment 16•2 years ago
|
||
Comment on attachment 9285704 [details]
Bug 1775499 - check for null GetParentObject in Performance::Measure. r=sefeng
I went ahead and did the uplift for completeness' sake.
Flags: needinfo?(sefeng)
Flags: needinfo?(michael.l.comella)
Attachment #9285704 -
Flags: approval-mozilla-esr102+
|
|
||
Updated•2 years ago
|
Attachment #9287141 -
Flags: approval-mozilla-esr102+
You need to log in
before you can comment on or make changes to this bug.
Description
•