1798596 - crash near null [@ mozilla::dom::PFileSystemAccessHandleChild::SendClose]

Status: VERIFIED FIXED

(Core :: DOM: File, defect, P1)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20221101-f8dff2edfe1b (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

==26950==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f0a13bf4247 bp 0x7f09ca86b890 sp 0x7f09ca86b740 T70)
==26950==The signal is caused by a READ memory access.
==26950==Hint: address points to the zero page.
    #0 0x7f0a13bf4247 in Id /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/ProtocolUtils.h:219:31
    #1 0x7f0a13bf4247 in mozilla::dom::PFileSystemAccessHandleChild::SendClose() /builds/worker/workspace/obj-build/ipc/ipdl/PFileSystemAccessHandleChild.cpp:51:72
    #2 0x7f0a0d984b75 in nsCycleCollector::CollectWhite() /gecko/xpcom/base/nsCycleCollector.cpp:3102:26
    #3 0x7f0a0d987cc5 in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) /gecko/xpcom/base/nsCycleCollector.cpp:3468:26
    #4 0x7f0a0d9874ab in nsCycleCollector::ShutdownCollect() /gecko/xpcom/base/nsCycleCollector.cpp:3379:20
    #5 0x7f0a0d989996 in nsCycleCollector::Shutdown(bool) /gecko/xpcom/base/nsCycleCollector.cpp:3675:5
    #6 0x7f0a0d98b8f2 in nsCycleCollector_shutdown(bool) /gecko/xpcom/base/nsCycleCollector.cpp:3999:18
    #7 0x7f0a15dbe253 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /gecko/dom/workers/RuntimeService.cpp:2089:7
    #8 0x7f0a0db6e13e in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1198:16
    #9 0x7f0a0db783c4 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #10 0x7f0a0f347415 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:300:20
    #11 0x7f0a0f1c1f71 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #12 0x7f0a0f1c1f71 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #13 0x7f0a0f1c1f71 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #14 0x7f0a0db65298 in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:383:10
    #15 0x7f0a309e93ee in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #16 0x7f0a3167b608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
    #17 0x7f0a31242132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/ProtocolUtils.h:219:31 in Id
Thread T70 (DOM Worker) created by T0 (Isolated Web Co) here:
    #0 0x55a4248201dc in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
    #1 0x7f0a309d949c in _PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f0a309ca83e in PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f0a0db68205 in nsThread::Init(nsTSubstring<char> const&) /gecko/xpcom/threads/nsThread.cpp:617:18
    #4 0x7f0a15e0e09a in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /gecko/dom/workers/WorkerThread.cpp:102:7
    #5 0x7f0a15d983e5 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /gecko/dom/workers/RuntimeService.cpp:1323:37
    #6 0x7f0a15d9746b in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /gecko/dom/workers/RuntimeService.cpp:1205:19
    #7 0x7f0a15de1d97 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /gecko/dom/workers/WorkerPrivate.cpp:2588:24
    #8 0x7f0a15da83e5 in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /gecko/dom/workers/Worker.cpp:43:41
    #9 0x7f0a1270d1e4 in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1107:52
    #10 0x7f0a1bd5b987 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:459:13
    #11 0x7f0a1bd5b987 in CallJSNativeConstructor /gecko/js/src/vm/Interpreter.cpp:475:8
    #12 0x7f0a1bd5b987 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:694:10
    #13 0x7f0a1cc61ee5 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /gecko/js/src/jit/BaselineIC.cpp:1563:10
    #14 0x39ff1cda9da8  (<unknown module>)
    #15 0x39ff1cdb16a8  (<unknown module>)
    #16 0x39ff1cda74ed  (<unknown module>)
    #17 0x7f0a1cc71248 in EnterBaseline(JSContext*, EnterJitData&) /gecko/js/src/jit/BaselineJIT.cpp:142:5
    #18 0x7f0a1cc7098b in js::jit::EnterBaselineInterpreterAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) /gecko/js/src/jit/BaselineJIT.cpp:198:26
    #19 0x7f0a1bd4ecb5 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:2232:17
    #20 0x7f0a1bd2ce5e in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:431:13
    #21 0x7f0a1bd590d5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:579:13
    #22 0x7f0a1bd5ac5e in InternalCall /gecko/js/src/vm/Interpreter.cpp:614:10
    #23 0x7f0a1bd5ac5e in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:646:8
    #24 0x7f0a1c1f3114 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/SelfHosting.cpp:1488:10
    #25 0x7f0a1be278b1 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /gecko/js/src/vm/AsyncFunction.cpp:154:8
    #26 0x7f0a1c0ff1fe in AsyncFunctionPromiseReactionJob(JSContext*, JS::Handle<PromiseReactionRecord*>) /gecko/js/src/builtin/Promise.cpp:2111:12
    #27 0x7f0a1c0fcff4 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /gecko/js/src/builtin/Promise.cpp:2174:12
    #28 0x7f0a1bd58fb3 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:459:13
    #29 0x7f0a1bd58fb3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:547:12
    #30 0x7f0a1bd5ac5e in InternalCall /gecko/js/src/vm/Interpreter.cpp:614:10
    #31 0x7f0a1bd5ac5e in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:646:8
    #32 0x7f0a1be62c85 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:117:10
    #33 0x7f0a11c266fc in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:83:8
    #34 0x7f0a0d94b6e7 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
    #35 0x7f0a0d94b6e7 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
    #36 0x7f0a0d94b6e7 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /gecko/xpcom/base/CycleCollectedJSContext.cpp:213:18
    #37 0x7f0a0d92bd57 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /gecko/xpcom/base/CycleCollectedJSContext.cpp:676:17
    #38 0x7f0a0d92cdaf in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /gecko/xpcom/base/CycleCollectedJSContext.cpp:463:3
    #39 0x7f0a0f633580 in XPCJSContext::AfterProcessTask(unsigned int) /gecko/js/xpconnect/src/XPCJSContext.cpp:1480:28
    #40 0x7f0a0db6de68 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1241:24
    #41 0x7f0a0db783c4 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #42 0x7f0a0f345d6f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
    #43 0x7f0a0f1c1f71 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #44 0x7f0a0f1c1f71 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #45 0x7f0a0f1c1f71 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #46 0x7f0a166eda97 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:150:27
    #47 0x7f0a1b939037 in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:884:20
    #48 0x7f0a0f1c1f71 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #49 0x7f0a0f1c1f71 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #50 0x7f0a0f1c1f71 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #51 0x7f0a1b938003 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
    #52 0x55a424874465 in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #53 0x55a4248748b7 in main /gecko/browser/app/nsBrowserApp.cpp:357:18
    #54 0x7f0a31147082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/4stSE0bjRGir6HFh4u-idA/index.html

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20221102044132-99e2e426103b.
The bug appears to have been introduced in the following build range:

Start: ee014b202046f874453bfad6ce071ffff33af799 (20221028004810)
End: 543dc6f40be1ce8f8357394dc0c13c5d0eb2422f (20221028035551)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=ee014b202046f874453bfad6ce071ffff33af799&tochange=543dc6f40be1ce8f8357394dc0c13c5d0eb2422f

Comment 3

[Jens Stutte [:jstutte]]

(In reply to Tyson Smith [:tsmith] from comment #1)

A Pernosco session is available here: https://pernos.co/debug/4stSE0bjRGir6HFh4u-idA/index.html

At the end of the worker lifecycle, we do WorkerGlobalScope::NoteTerminating() which will PFileSystemManagerChild::OnChannelClose() which in the end calls explicitly FileSystemSyncAccessHandle::ClearActor(). Then, in the final worker GC/CC, we want to unlink the FileSystemSyncAccessHandle and find mActor to be nullptr. That deserves probably just a check?

Comment 4

[Jan Varga [:janv]]

A check would fix the crash, but I think we should do more here and close the handles when we get the shutdown notification.

Comment 5

[Release mgmt bot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1791745

Comment 6

[Jan Varga [:janv]]

Attachment: Bug 1798596 - Close all open files in the content before shutting down; r=#dom-storage

Comment 7

[Pulsebot]

Pushed by jvarga@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4fde608071f9
Close all open files in the content before shutting down; r=dom-storage-reviewers,jesup

Comment 8

[Marian-Vasile Laza]

https://hg.mozilla.org/mozilla-central/rev/4fde608071f9

Comment 9

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20221108161116-b24c96f2af9c.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.