Closed
Bug 1831173
Opened 1 year ago
Closed 1 year ago
Crash [@ mozilla::dom::WebTransportChild::Shutdown]
Categories
(Core :: DOM: Networking, defect, P2)
Tracking
()
RESOLVED
FIXED
116 Branch
| Tracking | Status | |
|---|---|---|
| firefox116 | --- | fixed |
People
(Reporter: jkratzer, Assigned: jesup)
References
(Blocks 2 open bugs)
Details
(Keywords: testcase, Whiteboard: [bugmon:confirm][necko-triaged], [wptsync upstream])
Crash Data
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev f802f88c1fc7 (built with: --enable-address-sanitizer --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch git+https://github.com/MozillaSecurity/grizzly@webtransport
$ python -m fuzzfetch --build f802f88c1fc7 --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --use-https
[@ mozilla::dom::WebTransportChild::Shutdown]
=================================================================
==266359==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000180 (pc 0x7f097fe015be bp 0x7ffc800f2050 sp 0x7ffc800f2030 T0)
==266359==The signal is caused by a WRITE memory access.
==266359==Hint: address points to the zero page.
#0 0x7f097fe015be in mozilla::dom::WebTransportChild::Shutdown(bool) /dom/webtransport/child/WebTransportChild.cpp:15:14
#1 0x7f097fde50b7 in mozilla::dom::WebTransport::RejectWaitingConnection(nsresult) /dom/webtransport/api/WebTransport.cpp:411:13
#2 0x7f097fdfa1cb in operator() /dom/webtransport/api/WebTransport.cpp:357:24
#3 0x7f097fdfa1cb in InvokeMethod<(lambda at /dom/webtransport/api/WebTransport.cpp:344:14), void ((lambda at /dom/webtransport/api/WebTransport.cpp:344:14)::*)(mozilla::MozPromise<std::tuple<nsresult, unsigned char>, mozilla::ipc::ResponseRejectReason, true>::ResolveOrRejectValue &&) const, mozilla::MozPromise<std::tuple<nsresult, unsigned char>, mozilla::ipc::ResponseRejectReason, true>::ResolveOrRejectValue> /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:654:12
#4 0x7f097fdfa1cb in InvokeCallbackMethod<false, (lambda at /dom/webtransport/api/WebTransport.cpp:344:14), void ((lambda at /dom/webtransport/api/WebTransport.cpp:344:14)::*)(mozilla::MozPromise<std::tuple<nsresult, unsigned char>, mozilla::ipc::ResponseRejectReason, true>::ResolveOrRejectValue &&) const, mozilla::MozPromise<std::tuple<nsresult, unsigned char>, mozilla::ipc::ResponseRejectReason, true>::ResolveOrRejectValue, RefPtr<mozilla::MozPromise<std::tuple<nsresult, unsigned char>, mozilla::ipc::ResponseRejectReason, true>::Private> > /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:685:5
#5 0x7f097fdfa1cb in mozilla::MozPromise<std::tuple<nsresult, unsigned char>, mozilla::ipc::ResponseRejectReason, true>::ThenValue<mozilla::dom::WebTransport::Init(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WebTransportOptions const&, mozilla::ErrorResult&)::$_0>::DoResolveOrRejectInternal(mozilla::MozPromise<std::tuple<nsresult, unsigned char>, mozilla::ipc::ResponseRejectReason, true>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:938:7
#6 0x7f097719b5f8 in mozilla::MozPromise<std::tuple<nsresult, unsigned char>, mozilla::ipc::ResponseRejectReason, true>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:490:21
#7 0x7f0975410be5 in mozilla::SimpleTaskQueue::DrainTasks() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:44:10
#8 0x7f0975437832 in nsThread::DrainDirectTasks() /xpcom/threads/nsThread.cpp:1437:16
#9 0x7f0975434967 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1262:3
#10 0x7f09754421f4 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
#11 0x7f0977030bd3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
#12 0x7f0976e5b0ba in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
#13 0x7f0976e5b0ba in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
#14 0x7f0976e5b0ba in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
#15 0x7f0980762179 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
#16 0x7f098671e9c8 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:738:20
#17 0x7f0976e5b0ba in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
#18 0x7f0976e5b0ba in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
#19 0x7f0976e5b0ba in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
#20 0x7f098671e08e in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:673:34
#21 0x55a721a350ee in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#22 0x55a721a350ee in main /browser/app/nsBrowserApp.cpp:375:18
#23 0x7f099be29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#24 0x7f099be29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#25 0x55a72195e708 in _start (/home/jkratzer/builds/m-c-20230503090148-fuzzing-asan-opt/firefox+0x106708) (BuildId: d7405ccf65d1215396e706c95bb0ed09a4a3915f)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /dom/webtransport/child/WebTransportChild.cpp:15:14 in mozilla::dom::WebTransportChild::Shutdown(bool)
==266359==ABORTING
|
Reporter | |
Comment 1•1 year ago
|
||
|
||
Comment 2•1 year ago
|
||
Unable to reproduce bug 1831173 using build mozilla-central 20230503090148-f802f88c1fc7. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
I think this was fixed by bug 1830096.
Should we also convert this test case to a WPT or do you think we can just close this as a dupe?
Flags: needinfo?(rjesup)
|
Assignee | |
Comment 4•1 year ago
|
||
We should add a web-platform test for this.
Flags: needinfo?(rjesup)
|
|
Assignee | |
Comment 5•1 year ago
|
||
|
||
Updated•1 year ago
|
Assignee: nobody → rjesup
Status: NEW → ASSIGNED
|
||
Updated•1 year ago
|
Severity: -- → S4
Priority: -- → P2
Whiteboard: [bugmon:confirm] → [bugmon:confirm][necko-triaged]
|
||
Comment 6•1 year ago
|
||
There is an r+ patch which didn't land and no activity in this bug for 2 weeks.
:jesup, could you have a look please?
If you still have some work to do, you can add an action "Plan Changes" in Phabricator.
For more information, please visit BugBot documentation.
Flags: needinfo?(valentin.gosu)
Flags: needinfo?(rjesup)
Flags: needinfo?(valentin.gosu)
Pushed by rjesup@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d2675b33dd71 Add web-platform test for WebTransport close() without awaiting ready r=valentin
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/40841 for changes under testing/web-platform/tests
Whiteboard: [bugmon:confirm][necko-triaged] → [bugmon:confirm][necko-triaged], [wptsync upstream]
|
||
Comment 9•1 year ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox116:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch
Upstream PR merged by moz-wptsync-bot
|
|
Assignee | |
Updated•1 year ago
|
Flags: needinfo?(rjesup)
You need to log in
before you can comment on or make changes to this bug.
Description
•