Closed Bug 1796687 Opened 1 year ago Closed 1 year ago

Assertion failure: aActor, at /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:139

Categories

(Core :: DOM: File, defect, P2)

Tracking

VERIFIED FIXED
108 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox106 --- wontfix
firefox107 --- wontfix
firefox108 --- verified
firefox109 --- verified

People

(Reporter: tsmith, Assigned: jstutte)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase)

Attachments

(2 files)

Attached file testcase.zip

Found while fuzzing m-c 20221018-826073b561e0 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip

Assertion failure: aActor, at /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:139

#0 0x7f541313c90b in mozilla::RemoteLazyInputStream::RemoteLazyInputStream(mozilla::RemoteLazyInputStreamChild*, unsigned long, unsigned long) /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:139:3
#1 0x7f541314728b in mozilla::RemoteLazyInputStream::IPCRead(IPC::MessageReader*) /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:1392:24
#2 0x7f5413147773 in IPC::ParamTraits<mozilla::RemoteLazyInputStream*>::Read(IPC::MessageReader*, RefPtr<mozilla::RemoteLazyInputStream>*) /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:1417:14
#3 0x7f541314dd45 in Read /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:820:12
#4 0x7f541314dd45 in ReadParam<RefPtr<mozilla::RemoteLazyInputStream> > /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:296:10
#5 0x7f541314dd45 in IPC::ParamTraits<mozilla::RemoteLazyStream>::Read(IPC::MessageReader*, mozilla::RemoteLazyStream*) /builds/worker/workspace/obj-build/ipc/ipdl/IPCBlob.cpp:290:20
#6 0x7f541314e4e4 in ReadParam<mozilla::RemoteLazyStream> /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:296:10
#7 0x7f541314e4e4 in IPC::ParamTraits<mozilla::dom::IPCBlob>::Read(IPC::MessageReader*, mozilla::dom::IPCBlob*) /builds/worker/workspace/obj-build/ipc/ipdl/IPCBlob.cpp:469:12
#8 0x7f5414256371 in ReadParam<mozilla::dom::IPCBlob> /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:296:10
#9 0x7f5414256371 in ReadSequenceParam<(lambda at /builds/worker/workspace/obj-build/dist/include/ipc/IPCMessageUtilsSpecializations.h:171:39), mozilla::dom::IPCBlob> /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:454:12
#10 0x7f5414256371 in Read /builds/worker/workspace/obj-build/dist/include/ipc/IPCMessageUtilsSpecializations.h:171:12
#11 0x7f5414256371 in ReadParam<nsTArray<mozilla::dom::IPCBlob> > /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:296:10
#12 0x7f5414256371 in IPC::ParamTraits<mozilla::dom::ClonedMessageData>::Read(IPC::MessageReader*, mozilla::dom::ClonedMessageData*) /builds/worker/workspace/obj-build/ipc/ipdl/DOMTypes.cpp:141:12
#13 0x7f5414257d5a in ReadParam<mozilla::dom::ClonedMessageData> /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:296:10
#14 0x7f5414257d5a in IPC::ParamTraits<mozilla::dom::MessageDataType>::Read(IPC::MessageReader*, mozilla::dom::MessageDataType*) /builds/worker/workspace/obj-build/ipc/ipdl/DOMTypes.cpp:669:20
#15 0x7f5414258024 in ReadParam<mozilla::dom::MessageDataType> /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:296:10
#16 0x7f5414258024 in IPC::ParamTraits<mozilla::dom::MessageData>::Read(IPC::MessageReader*, mozilla::dom::MessageData*) /builds/worker/workspace/obj-build/ipc/ipdl/DOMTypes.cpp:739:12
#17 0x7f54144e6eb4 in ReadParam<mozilla::dom::MessageData> /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:296:10
#18 0x7f54144e6eb4 in mozilla::dom::PBroadcastChannelChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBroadcastChannelChild.cpp:195:20
#19 0x7f541056dcc4 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6267:32
#20 0x7f54104fee71 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1756:25
#21 0x7f54104fb9c5 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1681:9
#22 0x7f54104fc566 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1481:3
#23 0x7f54104fd8f1 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1579:14
#24 0x7f540f916a54 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16
#25 0x7f540f912ce9 in NS_ProcessPendingEvents(nsIThread*, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:430:19
#26 0x7f54144757a3 in mozilla::dom::WorkerPrivate::ClearMainEventQueue(mozilla::dom::WorkerPrivate::WorkerRanOrNot) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3831:5
#27 0x7f5414472f50 in mozilla::dom::WorkerPrivate::NotifyInternal(mozilla::dom::WorkerStatus) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:4659:7
#28 0x7f54144830ae in mozilla::dom::WorkerRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:377:12
#29 0x7f5414472b41 in mozilla::dom::WorkerPrivate::ProcessAllControlRunnablesLocked() /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3783:9
#30 0x7f541447521f in ProcessAllControlRunnables /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.h:1104:12
#31 0x7f541447521f in mozilla::dom::WorkerPrivate::InterruptCallback(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3571:19
#32 0x7f541703ce96 in HandleInterrupt /builds/worker/checkouts/gecko/js/src/vm/Runtime.cpp:398:10
#33 0x7f541703ce96 in JSContext::handleInterrupt() /builds/worker/checkouts/gecko/js/src/vm/Runtime.cpp:466:12
#34 0x25e89eb124ed  (<unknown module>)
Flags: in-testsuite?

(In reply to Olli Pettay [:smaug][bugs@pettay.fi] from comment #1)

This might be a regression from bug 1776209.
Because of that actor can be more likely null here
https://searchfox.org/mozilla-central/rev/88f285c5163f73abd209d4f73cfa476660351982/dom/file/ipc/RemoteLazyInputStream.cpp#1389
That is because of
https://searchfox.org/mozilla-central/rev/88f285c5163f73abd209d4f73cfa476660351982/dom/file/ipc/RemoteLazyInputStream.cpp#161 and that
changed here https://searchfox.org/mozilla-central/rev/88f285c5163f73abd209d4f73cfa476660351982/dom/file/ipc/RemoteLazyInputStreamThread.cpp#71-72

Thanks, yeah, that sounds very likely (it might as well prevent us from worse consequences, though). I am just wondering if the right reaction in RemoteLazyInputStream::IPCRead would be then to return nullptr or to do_AddRef(new RemoteLazyInputStream()); - I see both as possible failure handling.

IIUC returning nullptr would result in aReader->FatalError("Error deserializing 'inputStream' (RemoteLazyStream) member of 'IPCBlob'"); inside ParamTraits<mozilla::dom::IPCBlob>::Read which translates potentially to a crash. So I am inclined to just return a new, empty RemoteLazyInputStream here.

Flags: needinfo?(jstutte)
Regressed by: 1776209
Assignee: nobody → jstutte
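
The two failure-handling options weighed in the comment above, as an added example that is not Gecko code and not part of the original bug: a deserializer that checks whether it could bind to an actor and then either returns null, which the caller treats as a fatal deserialization error, or returns an empty stream. All type and function names are hypothetical stand-ins, and the empty stream behaving as closed is an assumption of this model.

```cpp
// Simplified model of the trade-off discussed above; not Gecko code.
// Every name here is a hypothetical stand-in.
#include <memory>
#include <string>
#include <utility>

struct Actor { std::string data; };  // stands in for the IPC actor

// Binding fails (null) once the owning thread is shutting down (assumed model).
std::shared_ptr<Actor> BindActor(bool threadAlive, std::string payload) {
  if (!threadAlive) return nullptr;
  return std::make_shared<Actor>(Actor{std::move(payload)});
}

class LazyStream {
 public:
  LazyStream() = default;  // empty stream, behaves as closed
  explicit LazyStream(std::shared_ptr<Actor> a) : mActor(std::move(a)) {}
  bool IsClosed() const { return !mActor; }
  // A closed stream reports an error instead of dereferencing a null actor.
  bool ReadAll(std::string& out) const {
    if (!mActor) return false;
    out = mActor->data;
    return true;
  }
 private:
  std::shared_ptr<Actor> mActor;
};

enum class OnBindFailure { ReturnNull, ReturnEmptyStream };
enum class Result { Delivered, DeliveredClosedStream, FatalError };

// Deserializer: check the bind result before constructing the stream.
std::unique_ptr<LazyStream> ReadStream(bool alive, OnBindFailure policy) {
  auto actor = BindActor(alive, "blob-bytes");  // constructed sample payload
  if (actor) return std::make_unique<LazyStream>(std::move(actor));
  if (policy == OnBindFailure::ReturnNull) return nullptr;
  return std::make_unique<LazyStream>();
}

// Caller: a null stream fails the whole message (the FatalError path).
Result ReadMessage(bool alive, OnBindFailure policy) {
  auto s = ReadStream(alive, policy);
  if (!s) return Result::FatalError;
  return s->IsClosed() ? Result::DeliveredClosedStream : Result::Delivered;
}

int main() {
  return ReadMessage(false, OnBindFailure::ReturnEmptyStream) ==
                 Result::DeliveredClosedStream ? 0 : 1;
}
```

With the empty-stream policy the message is still delivered and the failure surfaces later, when the consumer tries to read from the closed stream.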

Set release status flags based on info from the regressing bug 1776209

Pushed by jstutte@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ef693184441a
Check if we can bind to actor during deserialize and wrap. r=smaug
Severity: -- → S3
Priority: -- → P2
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 108 Branch

Bugmon Analysis
Unable to reproduce bug 1796687 using build mozilla-central 20221018094831-826073b561e0. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
QA Whiteboard: [qa-108b-p2]

I was able to reproduce the issue with Firefox build 2022-10-18 on Ubuntu 22.04 by following the information provided in Comment 0.

The issue is fixed on Firefox 108.0a1 (2022-10-26) and 109.0a1 (2022-11-20) on the same system.

When trying with newer builds (2022-11-21 and up), "Failure during launch (retries 2)" will appear twice and then "Launch failed, please verify browser build works as expected".

Status: RESOLVED → VERIFIED
QA Whiteboard: [qa-108b-p2]