Bug 1831131 (Closed)
Opened 1 year ago, closed 1 year ago
Crash [@ void mozilla::ipc::data_pipe_detail::DataPipeWrite<mozilla::ipc::DataPipeSender>]
Categories: Core :: DOM: Networking, defect, P2
Status: RESOLVED FIXED, Target Milestone: 114 Branch

Tracking | Status
---|---
firefox114 | fixed

People: Reporter: jkratzer, Assigned: jesup
References: Blocks 2 open bugs
Keywords: testcase; Whiteboard: [bugmon:confirm][necko-triaged], [wptsync upstream]
Attachments: 2 files
Description•1 year ago (Reporter)
Testcase found while fuzzing mozilla-central rev f802f88c1fc7 (built with: --enable-address-sanitizer --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch git+https://github.com/MozillaSecurity/grizzly@webtransport
$ python -m fuzzfetch --build f802f88c1fc7 --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --use-https
[@ void mozilla::ipc::data_pipe_detail::DataPipeWrite<mozilla::ipc::DataPipeSender>]
=================================================================
==104795==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7fb3b55afee3 bp 0x7fb310bfc610 sp 0x7fb310bfc460 T5)
==104795==The signal is caused by a READ memory access.
==104795==Hint: address points to the zero page.
#0 0x7fb3b55afee3 in void mozilla::ipc::data_pipe_detail::DataPipeWrite<mozilla::ipc::DataPipeSender>(IPC::MessageWriter*, mozilla::ipc::DataPipeSender*) /ipc/glue/DataPipe.cpp:433
#1 0x7fb3be430884 in WriteParam<mozilla::ipc::DataPipeSender *&> /ipc/chromium/src/chrome/common/ipc_message_utils.h:442:3
#2 0x7fb3be430884 in operator() /builds/worker/workspace/obj-build/ipc/ipdl/PWebTransportParent.cpp:334:21
#3 0x7fb3be430884 in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/FunctionRef.h:187:35
#4 0x7fb3be430884 in mozilla::FunctionRef<void (IPC::Message*, mozilla::ipc::IProtocol*)>::FunctionRef<mozilla::dom::PWebTransportParent::OnMessageReceived(IPC::Message const&)::$_0::operator()(mozilla::ipc::DataPipeSender*) const::'lambda'(IPC::Message*, mozilla::ipc::IProtocol*), int, (void*)0>(mozilla::dom::PWebTransportParent::OnMessageReceived(IPC::Message const&)::$_0::operator()(mozilla::ipc::DataPipeSender*) const::'lambda'(IPC::Message*, mozilla::ipc::IProtocol*)&)::'lambda'(mozilla::FunctionRef<void (IPC::Message*, mozilla::ipc::IProtocol*)>::Payload const&, IPC::Message*, mozilla::ipc::IProtocol*)::__invoke(mozilla::FunctionRef<void (IPC::Message*, mozilla::ipc::IProtocol*)>::Payload const&, IPC::Message*, mozilla::ipc::IProtocol*) /builds/worker/workspace/obj-build/dist/include/mozilla/FunctionRef.h:180:18
#5 0x7fb3b566e8f0 in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/FunctionRef.h:217:12
#6 0x7fb3b566e8f0 in mozilla::ipc::IPDLResolverInner::ResolveOrReject(bool, mozilla::FunctionRef<void (IPC::Message*, mozilla::ipc::IProtocol*)>) /ipc/glue/ProtocolUtils.cpp:798:3
#7 0x7fb3be430534 in Resolve<(lambda at /builds/worker/workspace/obj-build/ipc/ipdl/PWebTransportParent.cpp:332:37)> /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/ProtocolUtils.h:679:5
#8 0x7fb3be430534 in operator() /builds/worker/workspace/obj-build/ipc/ipdl/PWebTransportParent.cpp:332:29
#9 0x7fb3be430534 in std::_Function_handler<void (mozilla::ipc::DataPipeSender*), mozilla::dom::PWebTransportParent::OnMessageReceived(IPC::Message const&)::$_0>::_M_invoke(std::_Any_data const&, mozilla::ipc::DataPipeSender*&&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/bits/std_function.h:316:2
#10 0x7fb3be4061bc in operator() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/bits/std_function.h:706:14
#11 0x7fb3be4061bc in mozilla::dom::ReceiveStream::OnError(unsigned char) /dom/webtransport/parent/WebTransportParent.cpp:282:5
#12 0x7fb3b4ffbe48 in operator() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/bits/std_function.h:706:14
#13 0x7fb3b4ffbe48 in operator() /netwerk/protocol/webtransport/WebTransportSessionProxy.cpp:633:13
#14 0x7fb3b4ffbe48 in mozilla::detail::RunnableFunction<mozilla::net::WebTransportSessionProxy::OnStopRequest(nsIRequest*, nsresult)::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:548:5
#15 0x7fb3b3a34feb in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1233:16
#16 0x7fb3b3a421f4 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
#17 0x7fb3b3ee02dd in mozilla::net::nsSocketTransportService::Run() /netwerk/base/nsSocketTransportService2.cpp:1201:11
#18 0x7fb3b3ee2bac in non-virtual thunk to mozilla::net::nsSocketTransportService::Run() /netwerk/base/nsSocketTransportService2.cpp
#19 0x7fb3b3a34feb in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1233:16
#20 0x7fb3b3a421f4 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
#21 0x7fb3b5632401 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
#22 0x7fb3b545b0ba in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
#23 0x7fb3b545b0ba in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
#24 0x7fb3b545b0ba in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
#25 0x7fb3b3a2b282 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:391:10
#26 0x7fb3da703b5f in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
#27 0x7fb3da494b42 in start_thread nptl/pthread_create.c:442:8
#28 0x7fb3da5269ff misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /ipc/glue/DataPipe.cpp:433 in void mozilla::ipc::data_pipe_detail::DataPipeWrite<mozilla::ipc::DataPipeSender>(IPC::MessageWriter*, mozilla::ipc::DataPipeSender*)
Thread T5 created by T0 here:
#0 0x5655132ef1da in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
#1 0x7fb3da6f22c4 in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:458:14
#2 0x7fb3da6dfebe in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:533:12
#3 0x7fb3b3a2f04c in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:633:18
#4 0x7fb3b3a3fa9e in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /xpcom/threads/nsThreadManager.cpp:548:12
#5 0x7fb3b3a4d9ac in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /xpcom/threads/nsThreadUtils.cpp:175:57
#6 0x7fb3b3edd6fb in NS_NewNamedThread<14UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:87:10
#7 0x7fb3b3edd6fb in mozilla::net::nsSocketTransportService::Init() /netwerk/base/nsSocketTransportService2.cpp:753:19
#8 0x7fb3b3996249 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:11405:7
#9 0x7fb3b39cc32c in CreateInstance /xpcom/components/nsComponentManager.cpp:184:46
#10 0x7fb3b39cc32c in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::detail::BaseMonitorAutoLock<mozilla::Monitor>>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:971:17
#11 0x7fb3b39ce8c1 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:1160:10
#12 0x7fb3b39d41b2 in CallGetService /xpcom/components/nsComponentManagerUtils.cpp:61:43
#13 0x7fb3b39d41b2 in nsGetServiceByContractIDWithError::operator()(nsID const&, void**) const /xpcom/components/nsComponentManagerUtils.cpp:250:21
#14 0x7fb3b37f7b9d in nsCOMPtr_base::assign_from_gs_contractid_with_error(nsGetServiceByContractIDWithError const&, nsID const&) /xpcom/base/nsCOMPtr.cpp:91:7
#15 0x7fb3b3e18722 in operator= /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:790:5
#16 0x7fb3b3e18722 in InitializeSocketTransportService /netwerk/base/nsIOService.cpp:431:29
#17 0x7fb3b3e18722 in mozilla::net::nsIOService::SetOfflineInternal(bool, bool) /netwerk/base/nsIOService.cpp:1299:7
#18 0x7fb3b3e087ea in SetOffline /netwerk/base/nsIOService.cpp:1238:48
#19 0x7fb3b3e087ea in mozilla::net::nsIOService::Init() /netwerk/base/nsIOService.cpp:310:3
#20 0x7fb3b3e0bd93 in mozilla::net::nsIOService::GetInstance() /netwerk/base/nsIOService.cpp:488:9
#21 0x7fb3b3999645 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:10897:48
#22 0x7fb3b39cc32c in CreateInstance /xpcom/components/nsComponentManager.cpp:184:46
#23 0x7fb3b39cc32c in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::detail::BaseMonitorAutoLock<mozilla::Monitor>>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:971:17
#24 0x7fb3b39ce8c1 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:1160:10
#25 0x7fb3b5d67763 in CallGetService<nsIIOService> /builds/worker/workspace/obj-build/dist/include/nsServiceManagerUtils.h:52:10
#26 0x7fb3b5d67763 in nsScriptSecurityManager::Init() /caps/nsScriptSecurityManager.cpp:1551:17
#27 0x7fb3b5d67f66 in nsScriptSecurityManager::InitStatics() /caps/nsScriptSecurityManager.cpp:1611:28
#28 0x7fb3b5a30b17 in nsXPConnect::InitStatics() /js/xpconnect/src/nsXPConnect.cpp:165:3
#29 0x7fb3b59bd120 in xpcModuleCtor() /js/xpconnect/src/XPCModule.cpp:11:3
#30 0x7fb3c0207640 in nsLayoutModuleInitialize() /layout/build/nsLayoutModule.cpp:100:7
#31 0x7fb3b39c6d0a in nsComponentManagerImpl::Init() /xpcom/components/nsComponentManager.cpp:371:5
#32 0x7fb3b3ab9cab in NS_InitXPCOM /xpcom/build/XPCOMInit.cpp:421:51
#33 0x7fb3c4cffb75 in ScopedXPCOMStartup::Initialize(bool) /toolkit/xre/nsAppRunner.cpp:1989:8
#34 0x7fb3c4d1742d in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5844:22
#35 0x7fb3c4d18541 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5904:21
#36 0x565513344d33 in do_main /browser/app/nsBrowserApp.cpp:227:22
#37 0x565513344d33 in main /browser/app/nsBrowserApp.cpp:445:16
#38 0x7fb3da429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
==104795==ABORTING
Comment 1•1 year ago (Reporter)
Comment 2•1 year ago
Unable to reproduce bug 1831131 using build mozilla-central 20230503090148-f802f88c1fc7. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
Comment 3•1 year ago (Assignee)
Creating streams is allowed before a transport is ready, and should fail
with InvalidStateError if the stream goes to closed or failed.
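The behaviour described in comment 3, exercised the way a WPT-style regression check would, as an added example that is not part of this bug, the attached testcase, or mozilla-central. It requests both stream kinds before `transport.ready` settles and then records which way each promise went. Read against the trace above, this is the race that crashed before the fix: `ReceiveStream::OnError` resolves the stream-creation IPC reply and `DataPipeWrite` then reads at address 0x10 on the zero page, consistent with a null `DataPipeSender` being serialized, on the parent process's socket thread (T5 is created under `XRE_main`). So web content could crash the browser process; a read through null is a denial of service, not a corruption primitive. Assumed, not from the page: the endpoint URL, which only needs to be one the session never completes to, and the `WebTransport` guard, since Node has no WebTransport and run there the file only defines its functions.

```javascript
// Added example (not from bug 1831131 or mozilla-central): exercise the
// "create stream before ready" race from comment 3 and check the outcome.
// Assumption: the URL below points at an endpoint the session will never
// complete to, so `transport.ready` rejects and the pending stream promises
// must reject with a DOMException named "InvalidStateError".

async function settle(promise) {
  // Collapse a promise into a plain record so both outcomes can be inspected.
  try {
    return { status: 'fulfilled', value: await promise };
  } catch (err) {
    return { status: 'rejected', name: err && err.name, message: err && err.message };
  }
}

async function raceStreamCreationAgainstReady(transport) {
  // Deliberately do NOT await transport.ready first: the window of interest is
  // one where createUni/BidirectionalStream() has already been requested while
  // the session is still being established (or has already failed).
  const bidi = transport.createBidirectionalStream();
  const uni = transport.createUnidirectionalStream();

  const [ready, bidiResult, uniResult] = await Promise.all([
    settle(transport.ready),
    settle(bidi),
    settle(uni),
  ]);
  return { ready, bidi: bidiResult, uni: uniResult };
}

function outcomeMatchesExpectedBehaviour(result) {
  // Post-fix contract from comment 3: if the transport became ready, both
  // streams are created; if it did not, both pending promises are rejected
  // with InvalidStateError. Anything else (a hang, another error name) fails.
  const streams = [result.bidi, result.uni];
  if (result.ready.status === 'fulfilled') {
    return streams.every((r) => r.status === 'fulfilled');
  }
  return streams.every((r) => r.status === 'rejected' && r.name === 'InvalidStateError');
}

// Browser usage. Skipped where WebTransport is not implemented (e.g. Node),
// in which case this file only defines the functions above.
if (typeof WebTransport === 'function') {
  // Assumed unreachable endpoint: nothing listens on port 1, so the session fails.
  const transport = new WebTransport('https://127.0.0.1:1/');
  transport.closed.catch(() => {}); // the failure also rejects `closed`; keep it handled
  raceStreamCreationAgainstReady(transport).then((result) => {
    console.log(JSON.stringify(result));
    console.log(outcomeMatchesExpectedBehaviour(result) ? 'PASS' : 'FAIL');
  });
}
```

Run in a browser, a build with the fix prints two `InvalidStateError` rejections and PASS; the point of not awaiting `ready` is that a check which waits for the session first never reaches the code path this bug is about.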
Updated•1 year ago
|
Assignee: nobody → rjesup
Status: NEW → ASSIGNED
Updated•1 year ago
|
Severity: -- → S3
Priority: -- → P2
Whiteboard: [bugmon:confirm] → [bugmon:confirm][necko-triaged]
Pushed by rjesup@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b66f8a4815b6
Handle WebTransport createUni/BidirectionalStream before ready r=necko-reviewers,kershaw
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/39866 for changes under testing/web-platform/tests
Whiteboard: [bugmon:confirm][necko-triaged] → [bugmon:confirm][necko-triaged], [wptsync upstream]
Comment 6•1 year ago (bugherder)
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox114:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 114 Branch
Upstream PR merged by moz-wptsync-bot