crash at null in [@ Gecko_AddRefURLExtraDataArbitraryThread] from a worker
Categories: Core :: CSS Parsing and Computation, defect
Tracking
Tracking | Status
---|---
firefox-esr102 | unaffected
firefox106 | wontfix
firefox107 | wontfix
firefox108 | fixed
People: Reporter: tsmith, Assigned: aosmond
References: Blocks 1 open bug
Details: Keywords: crash, csectype-nullptr
Attachments: 1 file
Found while fuzzing m-c 20221104-510fd2811bcd (--enable-address-sanitizer --enable-fuzzing)
This was first reported by fuzzers targeting m-c 20221006-83c0895d0f34. We have been unable to get a reliable test case to reduce, but I do have a Pernosco session.
==5316==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff74f0a662c bp 0x7ff7213f4c30 sp 0x7ff7213f4c30 T45)
==5316==The signal is caused by a WRITE memory access.
==5316==Hint: address points to the zero page.
#0 0x7ff74f0a662c in fetch_add /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/atomic_base.h:514:16
#1 0x7ff74f0a662c in operator++ /builds/worker/workspace/obj-build/dist/include/nsISupportsImpl.h:354:19
#2 0x7ff74f0a662c in AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/URLExtraData.h:46:3
#3 0x7ff74f0a662c in Gecko_AddRefURLExtraDataArbitraryThread /gecko/layout/style/GeckoBindings.cpp:1308:1
#4 0x7ff75c42c65b in _$LT$style..gecko_bindings..structs..root..mozilla..URLExtraData$u20$as$u20$style..gecko_bindings..sugar..refptr..RefCounted$GT$::addref::h9c6126d0e4b88924 /gecko/servo/components/style/gecko_bindings/sugar/refptr.rs:280:26
#5 0x7ff75c42c65b in style::stylesheets::UrlExtraData::new::h0acaad62c188fa05 /gecko/servo/components/style/stylesheets/mod.rs:158:13
#6 0x7ff75c42c65b in _$LT$style..stylesheets..UrlExtraData$u20$as$u20$core..clone..Clone$GT$::clone::h8d59efbc2c9b52ce /gecko/servo/components/style/stylesheets/mod.rs:111:9
#7 0x7ff75c42c65b in style::gecko::url::CssUrl::parse_from_string::h438090ebc71b1eb7 /gecko/servo/components/style/gecko/url.rs:80:25
#8 0x7ff75c429a6c in style::gecko::url::CssUrl::parse_with_cors_mode::hf472c6fcb3484475 /gecko/servo/components/style/gecko/url.rs:69:12
#9 0x7ff75be42d77 in _$LT$style..gecko..url..CssUrl$u20$as$u20$style..parser..Parse$GT$::parse::hc2dacd0dabac2183 /gecko/servo/components/style/gecko/url.rs:131:9
#10 0x7ff75be42d77 in _$LT$style..font_face..Source$u20$as$u20$style..parser..Parse$GT$::parse::h18c7de3f74279de7 /gecko/servo/components/style/font_face.rs:531:19
#11 0x7ff75b8f370f in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$style..parser..Parse$GT$::parse::_$u7b$$u7b$closure$u7d$$u7d$::h274bdda6581155ae /gecko/servo/components/style/parser.rs:185:56
#12 0x7ff75b8f370f in core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnOnce$LT$A$GT$$u20$for$u20$$RF$mut$u20$F$GT$::call_once::h108603eab2b91b36 /builds/worker/fetches/rust/library/core/src/ops/function.rs:306:13
#13 0x7ff75b8f370f in cssparser::parser::Parser::parse_entirely::h5610fb31ed9126bc /gecko/third_party/rust/cssparser/src/parser.rs:634:22
#14 0x7ff75b8f370f in cssparser::parser::parse_until_before::hd628238110a12d6f /gecko/third_party/rust/cssparser/src/parser.rs:970:18
#15 0x7ff75b8f370f in cssparser::parser::Parser::parse_until_before::h7b2f8635df54b304 /gecko/third_party/rust/cssparser/src/parser.rs:709:9
#16 0x7ff75b8f370f in cssparser::parser::Parser::parse_comma_separated::ha3519f0c53449697 /gecko/third_party/rust/cssparser/src/parser.rs:664:25
#17 0x7ff75b8f370f in _$LT$style_traits..values..Comma$u20$as$u20$style_traits..values..Separator$GT$::parse::hf31addbdc9432390 /gecko/servo/components/style_traits/values.rs:361:9
#18 0x7ff75b8f370f in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$style..parser..Parse$GT$::parse::hf19e3483d1b5befe /gecko/servo/components/style/parser.rs:185:9
#19 0x7ff75b8f370f in geckoservo::glue::Servo_FontFaceRule_SetDescriptor::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h5be7aeb4c0c1101c /gecko/servo/ports/geckolib/glue.rs:3481:74
#20 0x7ff75b8f370f in cssparser::parser::Parser::parse_entirely::h8f75598e36aa122e /gecko/third_party/rust/cssparser/src/parser.rs:634:22
#21 0x7ff75b8f370f in geckoservo::glue::Servo_FontFaceRule_SetDescriptor::_$u7b$$u7b$closure$u7d$$u7d$::h7c693aa8a346561d /gecko/servo/ports/geckolib/glue.rs:3500:9
#22 0x7ff75b8f0516 in geckoservo::glue::write_locked_arc_worker::_$u7b$$u7b$closure$u7d$$u7d$::h4b3e15c2fd10aa55 /gecko/servo/ports/geckolib/glue.rs:2147:9
#23 0x7ff75b8f0516 in std::thread::local::LocalKey$LT$T$GT$::try_with::h147d5e437bfc1143 /builds/worker/fetches/rust/library/std/src/thread/local.rs:445:16
#24 0x7ff75b8f0516 in std::thread::local::LocalKey$LT$T$GT$::with::h9cb1f13d5095d814 /builds/worker/fetches/rust/library/std/src/thread/local.rs:421:9
#25 0x7ff75b8f0516 in geckoservo::glue::with_maybe_worker_shared_lock::hf8e9a98c0b47e15d /gecko/servo/ports/geckolib/glue.rs:2081:9
#26 0x7ff75b8f0516 in geckoservo::glue::write_locked_arc_worker::h7a40f1f9f573c382 /gecko/servo/ports/geckolib/glue.rs:2145:5
#27 0x7ff75b8f0516 in Servo_FontFaceRule_SetDescriptor /gecko/servo/ports/geckolib/glue.rs:3472:5
#28 0x7ff74f073d34 in mozilla::dom::FontFaceImpl::SetDescriptor(nsCSSFontDesc, nsTSubstring<char> const&, mozilla::ErrorResult&) /gecko/layout/style/FontFaceImpl.cpp:423:8
#29 0x7ff74f071a05 in mozilla::dom::FontFaceImpl::InitializeSourceURL(nsTSubstring<char> const&) /gecko/layout/style/FontFaceImpl.cpp:121:3
#30 0x7ff74f070e63 in mozilla::dom::FontFace::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char> const&, mozilla::dom::UTF8StringOrArrayBufferOrArrayBufferView const&, mozilla::dom::FontFaceDescriptors const&, mozilla::ErrorResult&) /gecko/layout/style/FontFace.cpp:128:17
#31 0x7ff74b2d1ab5 in mozilla::dom::FontFace_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/FontFaceBinding.cpp:2268:54
#32 0x7ff753fab42b in CallJSNative /gecko/js/src/vm/Interpreter.cpp:459:13
#33 0x7ff753fab42b in CallJSNativeConstructor /gecko/js/src/vm/Interpreter.cpp:475:8
#34 0x7ff753fab42b in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:694:10
#35 0x7ff753f97676 in ConstructFromStack /gecko/js/src/vm/Interpreter.cpp:722:10
#36 0x7ff753f97676 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3360:16
#37 0x7ff753f7ad7c in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:431:13
#38 0x7ff753fa8b2a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:579:13
#39 0x7ff753faa85f in InternalCall /gecko/js/src/vm/Interpreter.cpp:614:10
#40 0x7ff753faa85f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:646:8
#41 0x7ff7540add75 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:117:10
#42 0x7ff74b18692f in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:65:37
#43 0x7ff74c027b94 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#44 0x7ff74c026164 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /gecko/dom/events/JSEventHandler.cpp:201:12
#45 0x7ff74bfeb7cc in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /gecko/dom/events/EventListenerManager.cpp:1316:22
#46 0x7ff74bfed071 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1506:17
#47 0x7ff74bfdaf62 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:348:17
#48 0x7ff74bfd9814 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:550:16
#49 0x7ff74bfdd98d in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /gecko/dom/events/EventDispatcher.cpp:1119:11
#50 0x7ff74bfe3645 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /gecko/dom/events/EventDispatcher.cpp
#51 0x7ff74bf91dfe in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /gecko/dom/events/DOMEventTargetHelper.cpp:176:17
#52 0x7ff74bffa213 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /gecko/dom/events/EventTarget.cpp:180:13
#53 0x7ff74e2bcd18 in mozilla::dom::MessageEventRunnable::DispatchDOMEvent(JSContext*, mozilla::dom::WorkerPrivate*, mozilla::DOMEventTargetHelper*, bool) /gecko/dom/workers/MessageEventRunnable.cpp:104:12
#54 0x7ff74e325160 in mozilla::dom::WorkerRunnable::Run() /gecko/dom/workers/WorkerRunnable.cpp:377:12
#55 0x7ff7463e8a82 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1198:16
#56 0x7ff7463f29e4 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#57 0x7ff74e30d7cc in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /gecko/dom/workers/WorkerPrivate.cpp:3205:7
#58 0x7ff74e2e6421 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /gecko/dom/workers/RuntimeService.cpp:2042:42
#59 0x7ff7463e8a82 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1198:16
#60 0x7ff7463f29e4 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#61 0x7ff747b39064 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:300:20
#62 0x7ff7479bbec7 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
#63 0x7ff7479bbec7 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
#64 0x7ff7479bbec7 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
#65 0x7ff7463e0365 in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:383:10
#66 0x7ff767eeb628 in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#67 0x7ff768b9d608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
#68 0x7ff768748132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Comment 1 (Reporter) • 2 years ago
A Pernosco session is available here: https://pernos.co/debug/eJXD-Ll-AD3vt55UCH2mzw/index.html
Comment 2 • 2 years ago
It seems FontFaceSetWorkerImpl::mUrlExtraData is null because the initialization runnable hasn't run yet. Andrew, can you look? It seems the worker base URI etc. should be available off the main thread? Maybe we can initialize the extra data sooner...
Comment 3 (Assignee) • 2 years ago
I was under the impression that the initialization was synchronous but maybe I misinterpreted the classes/methods:
https://searchfox.org/mozilla-central/rev/3c194fa1d6f339036d2ec9516bd310c6ad612859/dom/workers/WorkerRunnable.h#357
https://searchfox.org/mozilla-central/rev/3c194fa1d6f339036d2ec9516bd310c6ad612859/dom/workers/WorkerRunnable.cpp#570
https://searchfox.org/mozilla-central/rev/3c194fa1d6f339036d2ec9516bd310c6ad612859/toolkit/components/telemetry/Histograms.json#14883
Comment 4 (Assignee) • 2 years ago
It looks like FontFaceSetWorkerImpl::mWorkerRef is also null from the Pernosco trace. My guess is that it probably initialized as expected, but then the worker started shutting down before we processed this event:
https://searchfox.org/mozilla-central/rev/3c194fa1d6f339036d2ec9516bd310c6ad612859/layout/style/FontFaceSetWorkerImpl.cpp#41
Comment 5 (Assignee) • 2 years ago
Err, it could not have initialized as expected, rather it must have been interrupted by the shutdown and cancelled. I think we just need to check for null and assume the worker is shutdown if so.
Comment 6 (Assignee) • 2 years ago
FontFaceSetWorkerImpl::GetURLExtraData should generally not return a null pointer, but if it failed to initialize because the worker was shut down during FontFaceSetWorkerImpl initialization, then it may never be created. This patch ensures we check for this race and handle it appropriately.
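As an added illustration of the race worked out in comments 4 to 6, and not code from this bug or from Gecko: a toy C++ model in which the worker's initialization runnable is dropped by shutdown, the getter consequently returns null, and the caller applies the null check the fix describes instead of handing the pointer to an AddRef. Every class here (Worker, the stand-in FontFaceSetWorkerImpl, URLExtraData, SetDescriptor) is a hypothetical simplification that borrows the bug's names for readability; the real WorkerPrivate, runnable cancellation and Servo parser are far more involved.

```cpp
#include <atomic>
#include <cstdio>
#include <deque>
#include <functional>
#include <memory>

// Hypothetical stand-in for a Gecko-style refcounted object. AddRef() is an
// atomic increment through `this`, so calling it on a null pointer is a
// write to the zero page: the SEGV in the report above.
struct URLExtraData {
  std::atomic<int> mRefCnt{0};
  void AddRef() { ++mRefCnt; }
  int RefCount() const { return mRefCnt.load(); }
};

// Minimal worker event loop (assumed model, not Gecko's WorkerPrivate):
// runnables execute in dispatch order; Shutdown() drops anything still
// queued, which models the initialization runnable being cancelled.
class Worker {
 public:
  void Dispatch(std::function<void()> runnable) {
    if (!mShutdown) mQueue.push_back(std::move(runnable));
  }
  void RunAll() {
    while (!mQueue.empty()) {
      auto r = std::move(mQueue.front());
      mQueue.pop_front();
      r();
    }
  }
  void Shutdown() {
    mShutdown = true;
    mQueue.clear();  // pending runnables, including init, never run
  }

 private:
  std::deque<std::function<void()>> mQueue;
  bool mShutdown = false;
};

// Stand-in for FontFaceSetWorkerImpl: the URL extra data is created by a
// runnable, so until that runnable has run the getter returns null.
class FontFaceSetWorkerImpl {
 public:
  explicit FontFaceSetWorkerImpl(Worker& worker) {
    worker.Dispatch([this] { mUrlExtraData = std::make_unique<URLExtraData>(); });
  }
  URLExtraData* GetURLExtraData() const { return mUrlExtraData.get(); }

 private:
  std::unique_ptr<URLExtraData> mUrlExtraData;
};

enum class Result { Ok, WorkerShutdown };

// The pattern of the landed fix: a null result from GetURLExtraData() means
// the worker shut down before initialization finished, so bail out instead
// of passing the pointer to code that will AddRef() it.
Result SetDescriptor(FontFaceSetWorkerImpl& set) {
  URLExtraData* data = set.GetURLExtraData();
  if (!data) {
    return Result::WorkerShutdown;  // previously: AddRef() through nullptr
  }
  data->AddRef();  // models the parser cloning the extra data
  return Result::Ok;
}

// Normal ordering: the init runnable executes, then the descriptor is set.
Result NormalScenario() {
  Worker worker;
  FontFaceSetWorkerImpl set(worker);
  worker.RunAll();
  return SetDescriptor(set);
}

// The race from the report: the worker shuts down before the init runnable
// runs, so the getter is null when a later event sets the descriptor.
Result ShutdownRaceScenario() {
  Worker worker;
  FontFaceSetWorkerImpl set(worker);
  worker.Shutdown();
  return SetDescriptor(set);
}

int main() {
  std::printf("normal: %s\n", NormalScenario() == Result::Ok ? "Ok" : "WorkerShutdown");
  std::printf("race:   %s\n", ShutdownRaceScenario() == Result::Ok ? "Ok" : "WorkerShutdown");
  return 0;
}
```

The point of the model is the ordering, not the classes: any getter whose backing object is created by a runnable can legitimately observe "not yet created" if shutdown cancels that runnable, and a caller that treats the getter as infallible turns that benign state into a null dereference.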
Pushed by aosmond@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/73aa51da8199 Check FontFaceSetImpl::GetURLExtraData for nullptr. r=emilio
Comment 8 • 2 years ago
bugherder
Comment 9 • 2 years ago
The patch landed in nightly and beta is affected.
:aosmond, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox107 to wontfix.
For more information, please visit auto_nag documentation.
Comment 10 (Assignee) • 2 years ago
We could uplift but I searched crash reports for a similar signature and couldn't find any. It seems unlikely to be much of a problem in the wild.