Closed Bug 1831131 Opened 1 year ago Closed 1 year ago

Crash [@ void mozilla::ipc::data_pipe_detail::DataPipeWrite<mozilla::ipc::DataPipeSender>]

Categories

(Core :: DOM: Networking, defect, P2)

x86_64
Linux
defect

Tracking

Status: RESOLVED FIXED
Target Milestone: 114 Branch
Tracking Status: firefox114 --- fixed

People

(Reporter: jkratzer, Assigned: jesup)

References

(Blocks 2 open bugs)

Details

(Keywords: testcase, Whiteboard: [bugmon:confirm][necko-triaged], [wptsync upstream])

Crash Data

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev f802f88c1fc7 (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch git+https://github.com/MozillaSecurity/grizzly@webtransport
$ python -m fuzzfetch --build f802f88c1fc7 --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --use-https
[@ void mozilla::ipc::data_pipe_detail::DataPipeWrite<mozilla::ipc::DataPipeSender>]

    =================================================================
    ==104795==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7fb3b55afee3 bp 0x7fb310bfc610 sp 0x7fb310bfc460 T5)
    ==104795==The signal is caused by a READ memory access.
    ==104795==Hint: address points to the zero page.
        #0 0x7fb3b55afee3 in void mozilla::ipc::data_pipe_detail::DataPipeWrite<mozilla::ipc::DataPipeSender>(IPC::MessageWriter*, mozilla::ipc::DataPipeSender*) /ipc/glue/DataPipe.cpp:433
        #1 0x7fb3be430884 in WriteParam<mozilla::ipc::DataPipeSender *&> /ipc/chromium/src/chrome/common/ipc_message_utils.h:442:3
        #2 0x7fb3be430884 in operator() /builds/worker/workspace/obj-build/ipc/ipdl/PWebTransportParent.cpp:334:21
        #3 0x7fb3be430884 in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/FunctionRef.h:187:35
        #4 0x7fb3be430884 in mozilla::FunctionRef<void (IPC::Message*, mozilla::ipc::IProtocol*)>::FunctionRef<mozilla::dom::PWebTransportParent::OnMessageReceived(IPC::Message const&)::$_0::operator()(mozilla::ipc::DataPipeSender*) const::'lambda'(IPC::Message*, mozilla::ipc::IProtocol*), int, (void*)0>(mozilla::dom::PWebTransportParent::OnMessageReceived(IPC::Message const&)::$_0::operator()(mozilla::ipc::DataPipeSender*) const::'lambda'(IPC::Message*, mozilla::ipc::IProtocol*)&)::'lambda'(mozilla::FunctionRef<void (IPC::Message*, mozilla::ipc::IProtocol*)>::Payload const&, IPC::Message*, mozilla::ipc::IProtocol*)::__invoke(mozilla::FunctionRef<void (IPC::Message*, mozilla::ipc::IProtocol*)>::Payload const&, IPC::Message*, mozilla::ipc::IProtocol*) /builds/worker/workspace/obj-build/dist/include/mozilla/FunctionRef.h:180:18
        #5 0x7fb3b566e8f0 in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/FunctionRef.h:217:12
        #6 0x7fb3b566e8f0 in mozilla::ipc::IPDLResolverInner::ResolveOrReject(bool, mozilla::FunctionRef<void (IPC::Message*, mozilla::ipc::IProtocol*)>) /ipc/glue/ProtocolUtils.cpp:798:3
        #7 0x7fb3be430534 in Resolve<(lambda at /builds/worker/workspace/obj-build/ipc/ipdl/PWebTransportParent.cpp:332:37)> /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/ProtocolUtils.h:679:5
        #8 0x7fb3be430534 in operator() /builds/worker/workspace/obj-build/ipc/ipdl/PWebTransportParent.cpp:332:29
        #9 0x7fb3be430534 in std::_Function_handler<void (mozilla::ipc::DataPipeSender*), mozilla::dom::PWebTransportParent::OnMessageReceived(IPC::Message const&)::$_0>::_M_invoke(std::_Any_data const&, mozilla::ipc::DataPipeSender*&&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/bits/std_function.h:316:2
        #10 0x7fb3be4061bc in operator() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/bits/std_function.h:706:14
        #11 0x7fb3be4061bc in mozilla::dom::ReceiveStream::OnError(unsigned char) /dom/webtransport/parent/WebTransportParent.cpp:282:5
        #12 0x7fb3b4ffbe48 in operator() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/bits/std_function.h:706:14
        #13 0x7fb3b4ffbe48 in operator() /netwerk/protocol/webtransport/WebTransportSessionProxy.cpp:633:13
        #14 0x7fb3b4ffbe48 in mozilla::detail::RunnableFunction<mozilla::net::WebTransportSessionProxy::OnStopRequest(nsIRequest*, nsresult)::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:548:5
        #15 0x7fb3b3a34feb in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1233:16
        #16 0x7fb3b3a421f4 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
        #17 0x7fb3b3ee02dd in mozilla::net::nsSocketTransportService::Run() /netwerk/base/nsSocketTransportService2.cpp:1201:11
        #18 0x7fb3b3ee2bac in non-virtual thunk to mozilla::net::nsSocketTransportService::Run() /netwerk/base/nsSocketTransportService2.cpp
        #19 0x7fb3b3a34feb in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1233:16
        #20 0x7fb3b3a421f4 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
        #21 0x7fb3b5632401 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
        #22 0x7fb3b545b0ba in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #23 0x7fb3b545b0ba in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #24 0x7fb3b545b0ba in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #25 0x7fb3b3a2b282 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:391:10
        #26 0x7fb3da703b5f in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #27 0x7fb3da494b42 in start_thread nptl/pthread_create.c:442:8
        #28 0x7fb3da5269ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /ipc/glue/DataPipe.cpp:433 in void mozilla::ipc::data_pipe_detail::DataPipeWrite<mozilla::ipc::DataPipeSender>(IPC::MessageWriter*, mozilla::ipc::DataPipeSender*)
    Thread T5 created by T0 here:
        #0 0x5655132ef1da in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
        #1 0x7fb3da6f22c4 in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:458:14
        #2 0x7fb3da6dfebe in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:533:12
        #3 0x7fb3b3a2f04c in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:633:18
        #4 0x7fb3b3a3fa9e in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /xpcom/threads/nsThreadManager.cpp:548:12
        #5 0x7fb3b3a4d9ac in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /xpcom/threads/nsThreadUtils.cpp:175:57
        #6 0x7fb3b3edd6fb in NS_NewNamedThread<14UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:87:10
        #7 0x7fb3b3edd6fb in mozilla::net::nsSocketTransportService::Init() /netwerk/base/nsSocketTransportService2.cpp:753:19
        #8 0x7fb3b3996249 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:11405:7
        #9 0x7fb3b39cc32c in CreateInstance /xpcom/components/nsComponentManager.cpp:184:46
        #10 0x7fb3b39cc32c in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::detail::BaseMonitorAutoLock<mozilla::Monitor>>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:971:17
        #11 0x7fb3b39ce8c1 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:1160:10
        #12 0x7fb3b39d41b2 in CallGetService /xpcom/components/nsComponentManagerUtils.cpp:61:43
        #13 0x7fb3b39d41b2 in nsGetServiceByContractIDWithError::operator()(nsID const&, void**) const /xpcom/components/nsComponentManagerUtils.cpp:250:21
        #14 0x7fb3b37f7b9d in nsCOMPtr_base::assign_from_gs_contractid_with_error(nsGetServiceByContractIDWithError const&, nsID const&) /xpcom/base/nsCOMPtr.cpp:91:7
        #15 0x7fb3b3e18722 in operator= /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:790:5
        #16 0x7fb3b3e18722 in InitializeSocketTransportService /netwerk/base/nsIOService.cpp:431:29
        #17 0x7fb3b3e18722 in mozilla::net::nsIOService::SetOfflineInternal(bool, bool) /netwerk/base/nsIOService.cpp:1299:7
        #18 0x7fb3b3e087ea in SetOffline /netwerk/base/nsIOService.cpp:1238:48
        #19 0x7fb3b3e087ea in mozilla::net::nsIOService::Init() /netwerk/base/nsIOService.cpp:310:3
        #20 0x7fb3b3e0bd93 in mozilla::net::nsIOService::GetInstance() /netwerk/base/nsIOService.cpp:488:9
        #21 0x7fb3b3999645 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:10897:48
        #22 0x7fb3b39cc32c in CreateInstance /xpcom/components/nsComponentManager.cpp:184:46
        #23 0x7fb3b39cc32c in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::detail::BaseMonitorAutoLock<mozilla::Monitor>>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:971:17
        #24 0x7fb3b39ce8c1 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:1160:10
        #25 0x7fb3b5d67763 in CallGetService<nsIIOService> /builds/worker/workspace/obj-build/dist/include/nsServiceManagerUtils.h:52:10
        #26 0x7fb3b5d67763 in nsScriptSecurityManager::Init() /caps/nsScriptSecurityManager.cpp:1551:17
        #27 0x7fb3b5d67f66 in nsScriptSecurityManager::InitStatics() /caps/nsScriptSecurityManager.cpp:1611:28
        #28 0x7fb3b5a30b17 in nsXPConnect::InitStatics() /js/xpconnect/src/nsXPConnect.cpp:165:3
        #29 0x7fb3b59bd120 in xpcModuleCtor() /js/xpconnect/src/XPCModule.cpp:11:3
        #30 0x7fb3c0207640 in nsLayoutModuleInitialize() /layout/build/nsLayoutModule.cpp:100:7
        #31 0x7fb3b39c6d0a in nsComponentManagerImpl::Init() /xpcom/components/nsComponentManager.cpp:371:5
        #32 0x7fb3b3ab9cab in NS_InitXPCOM /xpcom/build/XPCOMInit.cpp:421:51
        #33 0x7fb3c4cffb75 in ScopedXPCOMStartup::Initialize(bool) /toolkit/xre/nsAppRunner.cpp:1989:8
        #34 0x7fb3c4d1742d in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5844:22
        #35 0x7fb3c4d18541 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5904:21
        #36 0x565513344d33 in do_main /browser/app/nsBrowserApp.cpp:227:22
        #37 0x565513344d33 in main /browser/app/nsBrowserApp.cpp:445:16
        #38 0x7fb3da429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    
    ==104795==ABORTING
Attached file Testcase

Unable to reproduce bug 1831131 using build mozilla-central 20230503090148-f802f88c1fc7. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Creating streams is allowed before a transport is ready, and should fail
with InvalidStateError if the stream goes to closed or failed.

Assignee: nobody → rjesup
Status: NEW → ASSIGNED
Severity: -- → S3
Priority: -- → P2
Whiteboard: [bugmon:confirm] → [bugmon:confirm][necko-triaged]
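The ASan report above is a READ of address 0x10 (zero page) on the socket thread, reached from mozilla::dom::ReceiveStream::OnError resolving the IPDL stream request and PWebTransportParent serializing a DataPipeSender: a null sender being written into the reply, i.e. a content-triggerable parent-process crash, not a write primitive. The client-side ordering that gets there is the one the comment above describes: streams requested before `ready` settles, on a session that then fails. The following is an added example, not code from this bug or from Firefox. It issues createUnidirectionalStream/createBidirectionalStream before awaiting `ready` and checks that every request settles with an InvalidStateError instead of hanging. `FakeWebTransport` is a constructed stand-in (an assumption, so the block runs offline under Node); in a browser you would pass `new WebTransport("https://host:4433/path")` to `createStreamsBeforeReady` instead.

```javascript
// Added example, not code from the bug report or from Firefox. It exercises
// the ordering the fuzz testcase relies on: request streams on a WebTransport
// session before `ready` has resolved, then let the session fail, and check
// that every request settles with an InvalidStateError rather than hanging.
// `FakeWebTransport` is a constructed stand-in so this runs offline (Node);
// in a browser, pass `new WebTransport("https://host:4433/path")` instead.

const INVALID_STATE = "InvalidStateError";

class FakeWebTransport {
  // failHandshake=true models a server that rejects the session (the path
  // that reached ReceiveStream::OnError in the trace); false models success.
  constructor({ failHandshake = false } = {}) {
    this.state = "connecting";
    this.pendingRequests = []; // stream requests made before ready/closed settled
    let readyResolve, readyReject, closedResolve, closedReject;
    this.ready = new Promise((res, rej) => { readyResolve = res; readyReject = rej; });
    this.closed = new Promise((res, rej) => { closedResolve = res; closedReject = rej; });
    // Unobserved rejections would otherwise terminate a Node process.
    this.ready.catch(() => {});
    this.closed.catch(() => {});

    // The handshake completes on a later turn of the event loop, as it would
    // when the network thread reports OnStopRequest.
    setTimeout(() => {
      if (failHandshake) {
        this.state = "failed";
        const err = new Error("session handshake failed");
        readyReject(err);
        closedReject(err);
        for (const req of this.pendingRequests) {
          req.reject(new DOMException("transport is not ready", INVALID_STATE));
        }
      } else {
        this.state = "connected";
        readyResolve(undefined);
        closedResolve; // session stays open in the healthy case
        for (const req of this.pendingRequests) {
          req.resolve({ kind: req.kind, id: req.id });
        }
      }
      this.pendingRequests = [];
    }, 0);
  }

  createUnidirectionalStream() { return this._createStream("unidirectional"); }
  createBidirectionalStream()  { return this._createStream("bidirectional"); }

  _createStream(kind) {
    if (this.state === "connecting") {
      // Allowed before ready: queue the request and settle it with the session.
      return new Promise((resolve, reject) => {
        this.pendingRequests.push({ kind, id: this.pendingRequests.length, resolve, reject });
      });
    }
    if (this.state !== "connected") {
      return Promise.reject(new DOMException("transport is closed", INVALID_STATE));
    }
    return Promise.resolve({ kind, id: -1 });
  }
}

// Issue `uni` unidirectional and `bidi` bidirectional stream requests without
// awaiting `transport.ready` first, then classify how each one settled.
async function createStreamsBeforeReady(transport, { uni = 2, bidi = 1 } = {}) {
  const requests = [];
  for (let i = 0; i < uni; i++) requests.push(transport.createUnidirectionalStream());
  for (let i = 0; i < bidi; i++) requests.push(transport.createBidirectionalStream());

  const settled = await Promise.allSettled(requests);
  const summary = { requested: requests.length, fulfilled: 0, invalidState: 0, otherErrors: 0 };
  for (const r of settled) {
    if (r.status === "fulfilled") summary.fulfilled++;
    else if (r.reason instanceof DOMException && r.reason.name === INVALID_STATE) summary.invalidState++;
    else summary.otherErrors++;
  }
  summary.sessionReady = await transport.ready.then(() => true, () => false);
  return summary;
}

// Stand-alone run: a failing session must reject all three requests with
// InvalidStateError; a healthy session must fulfil all three.
if (typeof require !== "undefined" && require.main === module) {
  createStreamsBeforeReady(new FakeWebTransport({ failHandshake: true }))
    .then((s) => console.log("failed session:", s));
  createStreamsBeforeReady(new FakeWebTransport({ failHandshake: false }))
    .then((s) => console.log("healthy session:", s));
}
```

Against a real browser build the interesting part is the first call: before the fix, the parent process crashed when the session failed with stream requests still outstanding; after it, the page simply sees three InvalidStateError rejections and `ready` rejecting. A request made after the session has already closed or failed rejects immediately with the same error name.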
Pushed by rjesup@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b66f8a4815b6 Handle WebTransport createUni/BidirectionalStream before ready r=necko-reviewers,kershaw
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/39866 for changes under testing/web-platform/tests
Whiteboard: [bugmon:confirm][necko-triaged] → [bugmon:confirm][necko-triaged], [wptsync upstream]
Regressions: 1831614
Regressions: 1831635
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 114 Branch
Upstream PR merged by moz-wptsync-bot