Closed Bug 1826992 Opened 2 years ago Closed 1 year ago

Assertion failure: false (We had an exception; we should not have), at /dom/script/ScriptSettings.cpp:384

Categories

(Core :: DOM: Streams, defect, P3)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
116 Branch
Tracking Status
firefox-esr102 --- disabled
firefox-esr115 --- wontfix
firefox114 --- wontfix
firefox115 --- wontfix
firefox116 --- verified

People

(Reporter: jkratzer, Assigned: saschanaz)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev f29ff53e9e3b (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build f29ff53e9e3b --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: false (We had an exception; we should not have), at /dom/script/ScriptSettings.cpp:384

    ==130682==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff5ce8e4bdd bp 0x7ffde6fe3fd0 sp 0x7ffde6fe3b40 T130682)
    ==130682==The signal is caused by a WRITE memory access.
    ==130682==Hint: address points to the zero page.
        #0 0x7ff5ce8e4bdd in mozilla::dom::AutoJSAPI::InitInternal(nsIGlobalObject*, JSObject*, JSContext*, bool) /dom/script/ScriptSettings.cpp:384:5
        #1 0x7ff5ce8c5ef6 in mozilla::dom::AutoEntryScript::AutoEntryScript(nsIGlobalObject*, char const*, bool) /dom/script/AutoEntryScript.cpp:66:7
        #2 0x7ff5ca670d57 in void mozilla::dom::Promise::MaybeSomething<JS::Handle<JS::Value>&>(JS::Handle<JS::Value>&, void (mozilla::dom::Promise::*)(JSContext*, JS::Handle<JS::Value>)) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise.h:419:21
        #3 0x7ff5ce6b4c90 in MaybeReject /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise.h:100:5
        #4 0x7ff5ce6b4c90 in mozilla::dom::streams_abstract::ReadableStreamError(JSContext*, mozilla::dom::ReadableStream*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/streams/ReadableStream.cpp:576:28
        #5 0x7ff5ce6c1723 in mozilla::dom::streams_abstract::ReadableStreamDefaultControllerEnqueue(JSContext*, mozilla::dom::ReadableStreamDefaultController*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/streams/ReadableStreamDefaultController.cpp
        #6 0x7ff5ce6d38f6 in mozilla::dom::TransformStreamDefaultController::Enqueue(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/streams/TransformStreamDefaultController.cpp:111:3
        #7 0x7ff5ce6e5a74 in mozilla::dom::TransformerAlgorithms::TransformCallback(JSContext*, JS::Handle<JS::Value>, mozilla::dom::TransformStreamDefaultController&, mozilla::ErrorResult&) /dom/streams/TransformerCallbackHelpers.cpp:37:17
        #8 0x7ff5ce6dff85 in mozilla::dom::TransformStreamDefaultControllerPerformTransform(JSContext*, mozilla::dom::TransformStreamDefaultController*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/streams/TransformStream.cpp:176:19
        #9 0x7ff5ce6db261 in mozilla::dom::TransformStreamUnderlyingSinkAlgorithms::WriteCallback(JSContext*, JS::Handle<JS::Value>, mozilla::dom::WritableStreamDefaultController&, mozilla::ErrorResult&) /dom/streams/TransformStream.cpp:303:12
        #10 0x7ff5ce6f2825 in WritableStreamDefaultControllerProcessWrite /dom/streams/WritableStreamDefaultController.cpp:311:19
        #11 0x7ff5ce6f2825 in mozilla::dom::streams_abstract::WritableStreamDefaultControllerAdvanceQueueIfNeeded(JSContext*, mozilla::dom::WritableStreamDefaultController*, mozilla::ErrorResult&) /dom/streams/WritableStreamDefaultController.cpp:429:3
        #12 0x7ff5ce6f2b9f in mozilla::dom::streams_abstract::WritableStreamDefaultControllerWrite(JSContext*, mozilla::dom::WritableStreamDefaultController*, JS::Handle<JS::Value>, double, mozilla::ErrorResult&) /dom/streams/WritableStreamDefaultController.cpp:489:3
        #13 0x7ff5ce6f4610 in mozilla::dom::streams_abstract::WritableStreamDefaultWriterWrite(JSContext*, mozilla::dom::WritableStreamDefaultWriter*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/streams/WritableStreamDefaultWriter.cpp:333:3
        #14 0x7ff5ce6e3cbb in operator() /dom/streams/ReadableStreamPipeTo.cpp:619:17
        #15 0x7ff5ce6e3cbb in CallCallback<(lambda at /dom/streams/ReadableStreamPipeTo.cpp:613:7), 0UL, 1UL, 0UL> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise-inl.h:206:12
        #16 0x7ff5ce6e3cbb in already_AddRefed<mozilla::dom::Promise> mozilla::dom::(anonymous namespace)::NativeThenHandler<mozilla::dom::PipeToPump::OnReadFulfilled(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&)::$_8, mozilla::dom::PipeToPump::OnReadFulfilled(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&)::$_8, std::tuple<RefPtr<mozilla::dom::PipeToPump>, RefPtr<mozilla::dom::WritableStreamDefaultWriter>>, std::tuple<JS::Handle<JS::Value>>>::CallCallback<mozilla::dom::PipeToPump::OnReadFulfilled(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&)::$_8>(JSContext*, mozilla::dom::PipeToPump::OnReadFulfilled(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&)::$_8 const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise-inl.h:214:12
        #17 0x7ff5ce6e3a39 in mozilla::dom::(anonymous namespace)::NativeThenHandler<mozilla::dom::PipeToPump::OnReadFulfilled(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&)::$_8, mozilla::dom::PipeToPump::OnReadFulfilled(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&)::$_8, std::tuple<RefPtr<mozilla::dom::PipeToPump>, RefPtr<mozilla::dom::WritableStreamDefaultWriter>>, std::tuple<JS::Handle<JS::Value>>>::CallResolveCallback(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise-inl.h:185:12
        #18 0x7ff5ce68c66b in mozilla::dom::PromiseNativeThenHandlerBase::ResolvedCallback(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/promise/Promise.cpp:294:29
        #19 0x7ff5ce693ff1 in mozilla::dom::(anonymous namespace)::PromiseNativeHandlerShim::ResolvedCallback(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/promise/Promise.cpp:469:12
        #20 0x7ff5ce69469a in mozilla::dom::NativeHandlerCallback(JSContext*, unsigned int, JS::Value*) /dom/promise/Promise.cpp
        #21 0x7ff5d0fdf9d6 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:459:13
        #22 0x7ff5d0fdf2ff in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:553:12
        #23 0x7ff5d0fe072c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:652:8
        #24 0x7ff5d1002f35 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.h:116:10
        #25 0x7ff5d125cbd9 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2240:10
        #26 0x7ff5d0fdf9d6 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:459:13
        #27 0x7ff5d0fdf2ff in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:553:12
        #28 0x7ff5d0fe072c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:652:8
        #29 0x7ff5d10a097c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #30 0x7ff5cbceefbe in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:83:8
        #31 0x7ff5c9797ce5 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
        #32 0x7ff5c97975b3 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
        #33 0x7ff5c97975b3 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:213:18
        #34 0x7ff5c9784d78 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:676:17
        #35 0x7ff5cd0fd4a7 in LeaveMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:246:7
        #36 0x7ff5cd0fd4a7 in ~nsAutoMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:394:13
        #37 0x7ff5cd0fd4a7 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1320:3
        #38 0x7ff5cd0fe039 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1508:17
        #39 0x7ff5cd0f2f26 in HandleEvent /dom/events/EventListenerManager.h:395:5
        #40 0x7ff5cd0f2f26 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:347:17
        #41 0x7ff5cd0f245b in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:549:16
        #42 0x7ff5cd0f4c15 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1122:11
        #43 0x7ff5cd0f77f6 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp
        #44 0x7ff5cd0cbc5b in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/events/DOMEventTargetHelper.cpp:176:17
        #45 0x7ff5cd104aa2 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /dom/events/EventTarget.cpp:180:13
        #46 0x7ff5ce6893c2 in mozilla::dom::PostMessageRunnable::DispatchMessage() const /dom/messagechannel/MessagePort.cpp:160:12
        #47 0x7ff5ce688ba9 in mozilla::dom::PostMessageRunnable::Run() /dom/messagechannel/MessagePort.cpp:75:5
        #48 0x7ff5c98872c2 in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:114:20
        #49 0x7ff5c9891df5 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:553:16
        #50 0x7ff5c988cf48 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:869:26
        #51 0x7ff5c988baba in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:700:15
        #52 0x7ff5c988be45 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:464:36
        #53 0x7ff5c9895436 in operator() /xpcom/threads/TaskController.cpp:191:37
        #54 0x7ff5c9895436 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:548:5
        #55 0x7ff5c98aae77 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1239:16
        #56 0x7ff5c98b13dd in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
        #57 0x7ff5ca4f0283 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #58 0x7ff5ca412358 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:369:10
        #59 0x7ff5ca412261 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #60 0x7ff5ca412261 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #61 0x7ff5ceb45208 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #62 0x7ff5d0d9a05b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:738:20
        #63 0x7ff5ca4f1149 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #64 0x7ff5ca412358 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:369:10
        #65 0x7ff5ca412261 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #66 0x7ff5ca412261 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #67 0x7ff5d0d99ba8 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:673:34
        #68 0x5557e8222f20 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #69 0x5557e8222f20 in main /browser/app/nsBrowserApp.cpp:353:18
        #70 0x7ff5dce29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #71 0x7ff5dce29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #72 0x5557e81f9588 in _start (/home/jkratzer/builds/m-c-20230405093623-fuzzing-debug/firefox-bin+0x5b588) (BuildId: 66f0bbf8e15e90c4e7e7b1ce424089abfb3c351e)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/script/ScriptSettings.cpp:384:5 in mozilla::dom::AutoJSAPI::InitInternal(nsIGlobalObject*, JSObject*, JSContext*, bool)
    ==130682==ABORTING

Attached file Testcase

Verified bug as reproducible on mozilla-central 20230407213355-c3356b6d41ca.
The bug appears to have been introduced in the following build range:

Start: aaaed875acb35024eb955fca92ba50ae244be85c (20220519114425)
End: cc776278c4ea98788c42b90a53d1c6c37fdf47e7 (20220519125856)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=aaaed875acb35024eb955fca92ba50ae244be85c&tochange=cc776278c4ea98788c42b90a53d1c6c37fdf47e7

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Severity: -- → S3

This bug has been marked as a regression. Setting status flag for Nightly to affected.

:saschanaz, since you are the author of the regressor, bug 1659025, could you take a look?

For more information, please visit auto_nag documentation.

Flags: needinfo?(krosylight)

Oops, slipped from my radar. I'll take a look, thanks bot.

Assignee: nobody → krosylight
Flags: needinfo?(krosylight)
Priority: -- → P3

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

I guess we should restore the keyword in a lot of bugs 👀

Flags: needinfo?(jkratzer)

(In reply to Kagami [:saschanaz] from comment #7)
> I guess we should restore the keyword in a lot of bugs 👀

I'm working on this now. A change to taskcluster on Friday broke bugmon.

Flags: needinfo?(jkratzer)
Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Pushed by krosylight@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d133fdc53dab
Clear pending exception before rethrowing r=smaug
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/40795 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch

Since nightly and release are affected, beta will likely be affected too.
For more information, please visit BugBot documentation.

Upstream PR merged by moz-wptsync-bot

Verified bug as fixed on rev mozilla-central 20230629034514-d18ee9401610.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

The patch landed in nightly and beta is affected.
:saschanaz, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox115 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(krosylight)

I don't think this bug causes any severe problem. size() may return an invalid value, and we are incorrectly triggering the window.onerror event handler. That's an incorrect behavior, but returning an incorrect size anyway breaks the stream and the author should fix their code anyway. So IMO the impact should be minimal, especially given that this issue has been there forever since the migration to DOM streams and we got no relevant bug report.

That said, the fix is quite straightforward, so maybe worth trying as we are going to get more and more streams use in the wild.

Flags: needinfo?(krosylight)
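The situation described in the comment above, written out as an added example (it is not the attached testcase and not Gecko or Mozilla code): a TransformStream whose readable-side queuing strategy has a size() that throws, driven through the same pipeTo -> sink write -> transform callback -> controller.enqueue -> size() path the stack trace walks. It shows the behaviour the Streams spec requires and that the fix restores: the thrown value errors the stream and is delivered to the author through the pipeTo rejection and the reader, and nowhere else; the contract-respecting size() beside it shows the same pipeline completing. The function names pipeThroughSize, throwingSize, byteSize and demo are this example's own; it assumes Node 18 or newer (the WHATWG stream classes are globals there) or a browser, and constructs its own three-chunk input.

```javascript
// Added example, not code from the bug report or from Gecko. Exercises the
// WHATWG Streams path pipeTo -> TransformStream sink write -> transform
// callback -> controller.enqueue -> readable-side size() -> stream error.
// Assumes Node 18+ (ReadableStream/WritableStream/TransformStream are
// globals) or a browser.

// Pipes three constructed chunks into a TransformStream whose readable side
// uses `sizeFn` as its queuing-strategy size() function. The readable side is
// deliberately left unlocked while piping so that every enqueue has to go
// through size(); with a pending read() the chunk would bypass the queue and
// size() would never be called. Returns what reached the readable side and
// which error, if any, ended the pipe and the subsequent reads.
async function pipeThroughSize(sizeFn) {
  const source = new ReadableStream({
    start(controller) {
      for (const chunk of ['a', 'b', 'c']) controller.enqueue(chunk); // constructed input
      controller.close();
    },
  });
  const transform = new TransformStream(
    { transform(chunk, controller) { controller.enqueue(chunk.toUpperCase()); } },
    undefined,                           // writableStrategy: defaults
    { highWaterMark: 16, size: sizeFn }, // readableStrategy: size() under test
  );

  let pipeError = null;
  try {
    await source.pipeTo(transform.writable);
  } catch (e) {
    pipeError = e; // spec: pipeTo rejects with the writable side's stored error
  }

  // Drain whatever reached the readable side. On an errored stream read()
  // rejects with the stored error; report it instead of rethrowing.
  const output = [];
  let readError = null;
  const reader = transform.readable.getReader();
  try {
    for (;;) {
      const { value, done } = await reader.read();
      if (done) break;
      output.push(value);
    }
  } catch (e) {
    readError = e;
  }
  return { output, pipeError, readError };
}

// Case 1: the author's size() throws. Required behaviour: the readable side
// is errored with that exception, the in-flight write rejects, and pipeTo
// rejects with the same error. The exception stays inside the stream; it must
// not surface elsewhere (the bug above let it leak into window.onerror).
function throwingSize() {
  throw new Error('size() threw');
}

// Case 2: a size() that honours the contract (finite, non-negative number).
function byteSize(chunk) {
  return chunk.length;
}

async function demo() {
  const broken = await pipeThroughSize(throwingSize);
  const healthy = await pipeThroughSize(byteSize);
  return {
    brokenPipeMessage: broken.pipeError && broken.pipeError.message,
    brokenReadMessage: broken.readError && broken.readError.message,
    brokenSameErrorObject: broken.readError === broken.pipeError,
    brokenOutput: broken.output,        // nothing was queued before size() threw
    healthyOutput: healthy.output,      // ['A', 'B', 'C']
    healthyPipeError: healthy.pipeError, // null
  };
}

demo().then((result) => console.log(result));
```

The readable high-water mark is kept positive on purpose: a TransformStream starts with backpressure set and only releases it after the readable side's first pull, which never happens with a high-water mark of 0 and an unread readable side, so the pipe would stall before size() was ever reached.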

Meh, I still don't think this can practically affect any user, so wontfix for beta.
