Crash [@ CanSend]
Categories
(Core :: DOM: Device Interfaces, defect, P2)
Tracking
()
People
(Reporter: jkratzer, Assigned: gsvelto)
References
(Blocks 1 open bug)
Details
(Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed])
Crash Data
Attachments
(1 file, 1 obsolete file)
|
3.86 KB,
application/octet-stream
|
Details |
Testcase found while fuzzing mozilla-central rev 5c56b92baa65 (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 5c56b92baa65 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
[@ CanSend]
==457476==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000011 (pc 0x7fa3718c1c57 bp 0x7ffdcc3f18f0 sp 0x7ffdcc3f18c0 T457476)
==457476==The signal is caused by a READ memory access.
==457476==Hint: address points to the zero page.
#0 0x7fa3718c1c57 in CanSend /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/ProtocolUtils.h:223:33
#1 0x7fa3718c1c57 in mozilla::ipc::IProtocol::ChannelSend(mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /ipc/glue/ProtocolUtils.cpp:519:7
#2 0x7fa3754c50c4 in mozilla::dom::PMIDIPortChild::SendClose() /builds/worker/workspace/obj-build/ipc/ipdl/PMIDIPortChild.cpp:153:21
#3 0x7fa3754b1f22 in DisconnectFromOwner /dom/midi/MIDIPort.cpp:249:11
#4 0x7fa3754b1f22 in mozilla::dom::MIDIInput::DisconnectFromOwner() /dom/midi/MIDIInput.cpp:85:13
#5 0x7fa372ac5efe in operator() /dom/base/nsIGlobalObject.cpp:202:14
#6 0x7fa372ac5efe in std::_Function_handler<void (mozilla::DOMEventTargetHelper*, bool*), nsIGlobalObject::DisconnectEventTargetObjects()::$_0>::_M_invoke(std::_Any_data const&, mozilla::DOMEventTargetHelper*&&, bool*&&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:297:2
#7 0x7fa372a8144e in operator() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:687:14
#8 0x7fa372a8144e in nsIGlobalObject::ForEachEventTargetObject(std::function<void (mozilla::DOMEventTargetHelper*, bool*)> const&) const /dom/base/nsIGlobalObject.cpp:193:5
#9 0x7fa372a7fd7a in DisconnectEventTargetObjects /dom/base/nsIGlobalObject.cpp:201:3
#10 0x7fa372a7fd7a in nsIGlobalObject::~nsIGlobalObject() /dom/base/nsIGlobalObject.cpp:70:3
#11 0x7fa37261266a in nsGlobalWindowInner::~nsGlobalWindowInner() /dom/base/nsGlobalWindowInner.cpp:1095:1
#12 0x7fa3726455af in DeleteCycleCollectable /dom/base/nsGlobalWindowInner.cpp:1330:1
#13 0x7fa3726455af in nsGlobalWindowInner::cycleCollection::DeleteCycleCollectable(void*) /dom/base/nsGlobalWindowInner.h:445:3
#14 0x7fa370afc8da in SnowWhiteKiller::MaybeKillObject(SnowWhiteKiller::SnowWhiteObject&) /xpcom/base/nsCycleCollector.cpp:2486:29
#15 0x7fa370aef843 in SnowWhiteKiller::~SnowWhiteKiller() /xpcom/base/nsCycleCollector.cpp:2473:7
#16 0x7fa370aee6e4 in nsCycleCollector::FreeSnowWhite(bool) /xpcom/base/nsCycleCollector.cpp:2663:3
#17 0x7fa370af4331 in nsCycleCollector::BeginCollection(mozilla::CCReason, ccIsManual, nsICycleCollectorListener*) /xpcom/base/nsCycleCollector.cpp:3660:3
#18 0x7fa370af3cda in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) /xpcom/base/nsCycleCollector.cpp:3484:9
#19 0x7fa370af39dd in nsCycleCollector::ShutdownCollect() /xpcom/base/nsCycleCollector.cpp:3418:20
#20 0x7fa370af4fc6 in nsCycleCollector::Shutdown(bool) /xpcom/base/nsCycleCollector.cpp:3722:5
#21 0x7fa370af6b98 in nsCycleCollector_shutdown(bool) /xpcom/base/nsCycleCollector.cpp:4046:18
#22 0x7fa370c38b86 in mozilla::ShutdownXPCOM(nsIServiceManager*) /xpcom/build/XPCOMInit.cpp:693:3
#23 0x7fa3784a6f8d in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:661:16
#24 0x55ab1b0d6926 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#25 0x55ab1b0d6926 in main /browser/app/nsBrowserApp.cpp:375:18
#26 0x7fa384fead8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#27 0x7fa384feae3f in __libc_start_main csu/../csu/libc-start.c:392:3
#28 0x55ab1b0adbc8 in _start (/home/jkratzer/builds/m-c-20230906091315-fuzzing-debug/firefox-bin+0x58bc8) (BuildId: 32c29819e4a761a6cea3e4573a5d4564a3a8e25f)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/ProtocolUtils.h:223:33 in CanSend
==457476==ABORTING
|
Reporter | |
Comment 1•2 years ago
|
||
|
||
Comment 2•2 years ago
|
||
Verified bug as reproducible on mozilla-central 20230906091315-5c56b92baa65.
Unable to bisect testcase (Testcase reproduces on start build!):
Start: 47e03ec3e25b8c196bd5f5ff8e54802f947e99be (20220907035543)
End: 5c56b92baa65aa27df61f84718594767ef8f26f4 (20230906091315)
BuildFlags: BuildFlags(asan=True, tsan=None, debug=None, fuzzing=True, coverage=None, valgrind=None, no_opt=None, fuzzilli=None, nyx=None)
|
||
Updated•2 years ago
|
|
||
Comment 3•2 years ago
|
||
Pinging Gabriele, as he has been working on the MIDI stuff.
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 4•2 years ago
|
||
Looking at the stack trace it seems that the IPC channel is NULL; which suggests that the call to Port() here is returning a NULL pointer.
|
|
Assignee | |
Comment 5•2 years ago
|
||
|
||
Comment 7•2 years ago
|
||
Backed out for causing failures on 1851829.html
- backout: https://hg.mozilla.org/integration/autoland/rev/5ed78c90a6d60161e4d3428fa5eacf8b47241f9b
- push: https://treeherder.mozilla.org/jobs?repo=autoland&group_state=expanded&revision=ac2c12d8a02d44bc9f266491ff8746f1949b3f0b&selectedTaskRun=JzHeAx-SRHiMR6_0phYWcg.0
- failure log: https://treeherder.mozilla.org/logviewer?job_id=430623054&repo=autoland&lineNumber=5789
[task 2023-09-28T10:14:09.849Z] 10:14:09 WARNING - REFTEST ERROR | TEST-UNEXPECTED-FAIL | dom/midi/crashtests/1851829.html | application timed out after 370 seconds with no output
[task 2023-09-28T10:14:09.849Z] 10:14:09 INFO - REFTEST INFO | remotereftest.py | Application ran for: 0:11:36.896660
[task 2023-09-28T10:14:09.930Z] 10:14:09 INFO - REFTEST INFO | Copy/paste: /builds/worker/fetches/minidump-stackwalk/minidump-stackwalk --symbols-url=https://symbols.mozilla.org/ --cyborg=/tmp/tmpvr3k2dtf/29f7dd89-4a08-769f-ad1c-da3f6a539c76.trace /tmp/tmpx3egez0j/29f7dd89-4a08-769f-ad1c-da3f6a539c76.dmp /builds/worker/workspace/build/symbols
[task 2023-09-28T10:14:15.304Z] 10:14:15 INFO - REFTEST INFO | Saved minidump as /builds/worker/workspace/build/blobber_upload_dir/29f7dd89-4a08-769f-ad1c-da3f6a539c76.dmp
[task 2023-09-28T10:14:15.304Z] 10:14:15 INFO - REFTEST INFO | Saved app info as /builds/worker/workspace/build/blobber_upload_dir/29f7dd89-4a08-769f-ad1c-da3f6a539c76.extra
[task 2023-09-28T10:14:15.306Z] 10:14:15 WARNING - REFTEST PROCESS-CRASH | application crashed [@ libc.so + 0x000000000008c66a] | dom/midi/crashtests/1851829.html
|
|
Assignee | |
Comment 8•2 years ago
|
||
I don't have the slightest idea of what that crash might be, since it seems to be happening in totally unrelated code. However given we don't have WebMIDI support on Android I might just turn off the test there so we can avoid it.
|
|
Assignee | |
Comment 9•2 years ago
|
||
Oh wait, I know what's going on. The test is timing out and we're killing the stray process via mozcrash (hence the SIGABRT being in a weird spot).
|
|
Assignee | |
Comment 10•2 years ago
|
||
Try run for the amended patch is here: https://treeherder.mozilla.org/jobs?repo=try&revision=556dd288cb21e48984dbdc3cc7bd542b480803ed
|
||
Comment 11•2 years ago
|
||
|
||
Comment 12•2 years ago
|
||
Backed out for crashtest failures on 1851829.html
Backout link: https://hg.mozilla.org/integration/autoland/rev/c3167e76bc8e1af59a444d63526d42fab3be8420
Log link: https://treeherder.mozilla.org/logviewer?job_id=430767651&repo=autoland&lineNumber=5789
|
|
Assignee | |
Comment 13•2 years ago
|
||
Duh, I forgot to update the patch before re-landing. Sorry for the mess.
|
|
||
Comment 14•2 years ago
|
||
|
|
||
Comment 15•2 years ago
|
||
| bugherder | ||
|
|
||
Comment 16•2 years ago
|
||
Verified bug as fixed on rev mozilla-central 20231003093318-53af11a26cb6.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
||
Comment 17•2 years ago
|
||
| uplift | ||
|
||
Updated•2 years ago
|
|
|
||
Comment 18•2 years ago
|
||
| uplift | ||
|
|
||
Updated•2 years ago
|
|
|
||
Comment 19•2 years ago
|
||
| backout uplift | ||
https://hg.mozilla.org/releases/mozilla-esr115/rev/b50171423e923f4d6ac42932a0de7c5f22e7203c
Backed out changeset e9b6f035374a (Bug 1851829) with 1856695 and 185147 for causing crashtests failures
https://treeherder.mozilla.org/jobs?repo=mozilla-esr115&selectedTaskRun=LMiilIeWRE-SwK-iGYD0ag.0&searchStr=crashtest&revision=122fd292adeb25eede6a3fd37b77dd1100fa5b60&group_state=expanded
|
|
||
Comment 20•2 years ago
|
||
| uplift | ||
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
Description
•