1840626 - Crash [@ mozilla::dom::ReadableStream::CloseNative]

Status: RESOLVED FIXED

(Core :: Networking, defect, P2)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev b34d04613ffa (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch git+https://github.com/MozillaSecurity/grizzly.git@webtransport
$ python -m fuzzfetch --build b34d04613ffa --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip

[@ mozilla::dom::ReadableStream::CloseNative]

    ==3118820==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f91d73b5ae5 bp 0x7ffe56ab8550 sp 0x7ffe56ab8530 T3118820)
    ==3118820==The signal is caused by a READ memory access.
    ==3118820==Hint: address points to the zero page.
        #0 0x7f91d73b5ae5 in mozilla::dom::ReadableStream::CloseNative(JSContext*, mozilla::ErrorResult&) /dom/streams/ReadableStream.cpp:1129:3
        #1 0x7f91d742cd8f in mozilla::dom::WebTransport::Cleanup(mozilla::dom::WebTransportError*, mozilla::dom::WebTransportCloseInfo const*, mozilla::ErrorResult&) /dom/webtransport/api/WebTransport.cpp:852:13
        #2 0x7f91d742e386 in mozilla::dom::WebTransport::Close(mozilla::dom::WebTransportCloseInfo const&, mozilla::ErrorResult&) /dom/webtransport/api/WebTransport.cpp:625:3
        #3 0x7f91d4ff85ef in mozilla::dom::WebTransport_Binding::close(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WebTransportBinding.cpp:1266:24
        #4 0x7f91d5662aa8 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3327:13
        #5 0x7f91d9dd1f45 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:486:13
        #6 0x7f91d9dd179d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:580:12
        #7 0x7f91d9de6012 in CallFromStack /js/src/vm/Interpreter.cpp:652:10
        #8 0x7f91d9de6012 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3395:16
        #9 0x7f91d9dd0ced in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:458:13
        #10 0x7f91d9dd17b9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:612:13
        #11 0x7f91d9dd2dcd in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:679:8
        #12 0x7f91da140997 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/SelfHosting.cpp:1499:10
        #13 0x7f91d9e8db34 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /js/src/vm/AsyncFunction.cpp:149:8
        #14 0x7f91da0b5cae in AsyncFunctionPromiseReactionJob /js/src/builtin/Promise.cpp:2111:12
        #15 0x7f91da0b5cae in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2174:12
        #16 0x7f91d9dd1f45 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:486:13
        #17 0x7f91d9dd179d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:580:12
        #18 0x7f91d9dd2dcd in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:679:8
        #19 0x7f91d9ebe822 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #20 0x7f91d48066bc in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:83:8
        #21 0x7f91d22528f5 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
        #22 0x7f91d22521c5 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
        #23 0x7f91d22521c5 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:213:18
        #24 0x7f91d223e2c8 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:676:17
        #25 0x7f91d223f2b9 in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /xpcom/base/CycleCollectedJSContext.cpp:463:3
        #26 0x7f91d31f49e6 in XPCJSContext::AfterProcessTask(unsigned int) /js/xpconnect/src/XPCJSContext.cpp:1496:28
        #27 0x7f91d2372903 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1237:24
        #28 0x7f91d237927d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #29 0x7f91d302b233 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #30 0x7f91d2f446b1 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #31 0x7f91d2f446b1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #32 0x7f91d78681d8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #33 0x7f91d9b9093b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:717:20
        #34 0x7f91d302c166 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #35 0x7f91d2f446b1 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #36 0x7f91d2f446b1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #37 0x7f91d9b9020a in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:652:34
        #38 0x55828df66526 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #39 0x55828df66526 in main /browser/app/nsBrowserApp.cpp:375:18
        #40 0x7f91e6097d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #41 0x7f91e6097e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #42 0x55828df3d7c8 in _start (/home/jkratzer/builds/m-c-20230627094831-fuzzing-debug/firefox-bin+0x587c8) (BuildId: 1c7aa18211b8cc304440f81a56d478f9971e0515)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/streams/ReadableStream.cpp:1129:3 in mozilla::dom::ReadableStream::CloseNative(JSContext*, mozilla::ErrorResult&)
    ==3118820==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 2

[Bugmon [:jkratzer for issues]]

Unable to reproduce bug 1840626 using build mozilla-central 20230627035723-b34d04613ffa. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 3

[Andrew Creskey [:acreskey]]

Locally I'm also unable to reproduce the bug using the testcase and mozilla-central 20230627035723-b34d04613ffa. (MacOs)

Similarly, on today's build I'm also unable to reproduce.

I set the whiteboard status to [bugmon:analyze], which I think will retrigger analysis?

Comment 4

[Jason Kratzer [:jkratzer]]

I can still reproduce this issue on mozilla-central rev 00ae001484c9 with --enable-debug --enable-fuzzing. I realized that I included the wrong build information in comment 0. I have since updated that comment. In order to retrigger bugmon analysis, you will also need to add the bugmon keyword though, that will not currently work as we do not use the webtransport branch of grizzly in bugmon. I've bisected this issue and it goes back to bug 1818754 where WebTransport was enabled by default. This is due to the prefs used by grizzly.

Comment 5

[Jason Kratzer [:jkratzer]]

A pernosco session for this bug can be found here.

Comment 6

[Andrew Creskey [:acreskey]]

Thank you Jason, that's perfect. I can see the error now.

Comment 7

[Andrew Creskey [:acreskey]]

Attachment: Bug 1840626 - Fix debug Crash [@ mozilla::dom::ReadableStream::CloseNative] r=saschanaz!

The assertion dereferences Algorithms(), which could have been freed.

Comment 8

[Andrew Creskey [:acreskey]]

For simplicity, this can be reproduced in a regular debug build by loading an html with these contents:

<!DOCTYPE html>
<script>
  window.addEventListener('load', async () => {
    const wt = new WebTransport('https://echo.webtransport.day')
    await wt.createBidirectionalStream({})
    await wt.incomingBidirectionalStreams.cancel(undefined)
    wt.close({})
  })
</script>

Comment 9

[BugBot [:suhaib / :marco/ :calixte]]

The following patch is waiting for review from an inactive reviewer:

ID	Title	Author	Reviewer Status
D187149	Fix debug Crash [@ mozilla::dom::ReadableStream::CloseNative] r=saschanaz!	acreskey	saschanaz: Back Sep 10, 2023

:acreskey, could you please find another reviewer?

For more information, please visit BugBot documentation.

Comment 10

[Pulsebot]

Pushed by acreskey@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/104877549ddc
Fix debug Crash [@ mozilla::dom::ReadableStream::CloseNative] r=saschanaz

Comment 11

[Cosmin Sabou [:CosminS]]

https://hg.mozilla.org/mozilla-central/rev/104877549ddc