Open Bug 1818532 Opened 2 years ago Updated 3 months ago

Assertion failure: !mService, at /dom/messagechannel/MessagePortParent.cpp:24

Categories

(Core :: DOM: postMessage, defect, P3)

x86_64
Linux
defect

People

(Reporter: jkratzer, Assigned: aiunusov)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [bugmon:confirm] dom-lws-bugdash-triage)

Attachments

(1 file)

3.83 KB, application/octet-stream

Testcase found while fuzzing mozilla-central rev 16f49fd3a5dc (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 16f49fd3a5dc --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip --no-harness
Assertion failure: !mService, at /dom/messagechannel/MessagePortParent.cpp:24

    ==829390==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f302fc8bf24 bp 0x7f3017dfe7b0 sp 0x7f3017dfe7a0 T829423)
    ==829390==The signal is caused by a WRITE memory access.
    ==829390==Hint: address points to the zero page.
        #0 0x7f302fc8bf24 in mozilla::dom::MessagePortParent::~MessagePortParent() /dom/messagechannel/MessagePortParent.cpp:24:3
        #1 0x7f302ba05cfa in mozilla::ipc::BackgroundParentImpl::DeallocPMessagePortParent(mozilla::dom::PMessagePortParent*) /ipc/glue/BackgroundParentImpl.cpp:1032:3
        #2 0x7f302ba82f92 in mozilla::ipc::ActorLifecycleProxy::~ActorLifecycleProxy() /ipc/glue/ProtocolUtils.cpp:260:11
        #3 0x7f302aaa740f in mozilla::ipc::ActorLifecycleProxy::Release() /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/ProtocolUtils.h:612:3
        #4 0x7f302bb10af7 in mozilla::ipc::PBackgroundParent::ClearSubtree() /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundParent.cpp:7518:9
        #5 0x7f302bb0e977 in mozilla::ipc::PBackgroundParent::OnChannelClose() /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundParent.cpp:7163:5
        #6 0x7f302ba6e6d6 in mozilla::ipc::MessageChannel::Close() /ipc/glue/MessageChannel.cpp:2178:7
        #7 0x7f302ba3dfb5 in operator() /ipc/glue/BackgroundImpl.cpp:991:20
        #8 0x7f302ba3dfb5 in mozilla::detail::ProxyFunctionRunnable<(anonymous namespace)::ParentImpl::ShutdownTimerCallback(nsITimer*, void*)::$_24, mozilla::MozPromise<bool, nsresult, true>>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1674:29
        #9 0x7f302ae1eaf2 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1219:16
        #10 0x7f302ae24e7d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:477:10
        #11 0x7f302ba73893 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:330:5
        #12 0x7f302b9944d8 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #13 0x7f302b9943e1 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #14 0x7f302b9943e1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #15 0x7f302ae19ee7 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:384:10
        #16 0x7f303eb11c86 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #17 0x7f303e894b42 in start_thread nptl/pthread_create.c:442:8
        #18 0x7f303e9269ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/messagechannel/MessagePortParent.cpp:24:3 in mozilla::dom::MessagePortParent::~MessagePortParent()
    ==829390==ABORTING
Attached file Testcase

Verified bug as reproducible on mozilla-central 20230223172038-8abe8c3a6233.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: c875dbd49223e460b596f01cc6564c6fb97d59c4 (20220225104705)
End: 16f49fd3a5dc65e1275c9d38e51e5fa62d0c3af7 (20230223151926)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

This is a debug only assertion. The relevant code is old.
I wonder if the assertion is too strict. Actually, I think it is. Or do we need a Close() call at the end of MessagePortParent::ActorDestroy?

Artur, in case you're interested in debugging this. But I don't think this is particularly high priority

Severity: -- → S4
Flags: needinfo?(aiunusov)
Priority: -- → P3

Yeah, a minor logical error.
The Close() method should be called somewhere before destruction (and that sounds reasonable).
I'll take a look; there are not many places where Close() is missing.

Assignee: nobody → aiunusov
Flags: needinfo?(aiunusov)
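As an added illustration, not code from Firefox or from this bug's fix, here is a reduced model of the invariant the two comments above discuss: a parent actor must call Close() to detach from its service before the IPC layer deallocates it, the destructor asserts that this happened, and a simulated channel-close path is run with and without a Close() call in ActorDestroy. Class names mirror the bug; their bodies and the helper ChannelCloseKeepsInvariant are assumptions.

```cpp
// Simplified model of the lifecycle invariant behind this bug. Names mirror
// MessagePortParent / MessagePortService; bodies are hypothetical, not Firefox code.
#include <cassert>
#include <set>

class MessagePortParent;

// Stand-in for MessagePortService: records which parent actors are attached.
class MessagePortService {
 public:
  void Register(const MessagePortParent* aParent) { mParents.insert(aParent); }
  void Unregister(const MessagePortParent* aParent) { mParents.erase(aParent); }
  bool Has(const MessagePortParent* aParent) const { return mParents.count(aParent) != 0; }
 private:
  std::set<const MessagePortParent*> mParents;
};

class MessagePortParent {
 public:
  explicit MessagePortParent(MessagePortService* aService) : mService(aService) {
    mService->Register(this);
  }
  // The debug-only invariant from the bug title: by the time the IPC layer
  // deallocates the actor, Close() must already have detached it from the service.
  ~MessagePortParent() { assert(!mService && "Close() not called before destruction"); }
  // Detach from the service; idempotent so ActorDestroy can always call it.
  void Close() { if (mService) { mService->Unregister(this); mService = nullptr; } }
  // Runs when the channel goes away (OnChannelClose in the trace). The flag
  // selects the suspected buggy variant that returns without calling Close().
  void ActorDestroy(bool aCallClose) { if (aCallClose) Close(); }
  bool IsClosed() const { return mService == nullptr; }
 private:
  MessagePortService* mService;
};

// Replay the shutdown path from the trace (OnChannelClose -> ActorDestroy ->
// Dealloc) and report whether the destructor's invariant would hold, i.e. the
// actor is detached and the service holds no stale pointer to it.
bool ChannelCloseKeepsInvariant(bool aActorDestroyCallsClose) {
  MessagePortService service;
  auto* actor = new MessagePortParent(&service);
  actor->ActorDestroy(aActorDestroyCallsClose);
  const bool ok = actor->IsClosed() && !service.Has(actor);
  // A real debug build would abort in the destructor on the buggy path; detach
  // explicitly here so the model can report the violation instead of crashing.
  if (!ok) actor->Close();
  delete actor;
  return ok;
}
```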

Unable to reproduce bug 1818532 using build mozilla-central 20230223151926-16f49fd3a5dc. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:confirm] dom-lws-bugdash-triage