Closed Bug 1851847 Opened 1 year ago Closed 1 year ago

Crash [@ get]

Categories

(Core :: DOM: Device Interfaces, defect, P2)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
120 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox-esr115 --- fixed
firefox117 --- wontfix
firefox118 --- wontfix
firefox119 --- fixed
firefox120 --- fixed

People

(Reporter: jkratzer, Assigned: gsvelto)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(3 files)

Testcase found while fuzzing mozilla-central rev 5c56b92baa65 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 5c56b92baa65 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
[@ get]

    ==517932==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000168 (pc 0x7f0b82fe6436 bp 0x7ffd7a3a7460 sp 0x7ffd7a3a72e0 T517932)
    ==517932==The signal is caused by a READ memory access.
    ==517932==Hint: address points to the zero page.
        #0 0x7f0b82fe6436 in get /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:747:48
        #1 0x7f0b82fe6436 in operator nsIURI * /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:755:33
        #2 0x7f0b82fe6436 in GetDocumentURI /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Document.h:761:43
        #3 0x7f0b82fe6436 in mozilla::dom::MIDIPort::Initialize(mozilla::dom::MIDIPortInfo const&, bool) /dom/midi/MIDIPort.cpp:66:41
        #4 0x7f0b82fe48d5 in Create /dom/midi/MIDIInput.cpp:30:14
        #5 0x7f0b82fe48d5 in mozilla::dom::MIDIAccess::MaybeCreateMIDIPort(mozilla::dom::MIDIPortInfo const&, mozilla::ErrorResult&) /dom/midi/MIDIAccess.cpp:153:12
        #6 0x7f0b82fe5157 in mozilla::dom::MIDIAccess::Notify(mozilla::dom::MIDIPortList const&) /dom/midi/MIDIAccess.cpp:216:5
        #7 0x7f0b82fe60f8 in Broadcast /builds/worker/workspace/obj-build/dist/include/mozilla/Observer.h:66:12
        #8 0x7f0b82fe60f8 in mozilla::dom::MIDIAccessManager::Update(mozilla::dom::MIDIPortList const&) /dom/midi/MIDIAccessManager.cpp:166:20
        #9 0x7f0b82fe7b29 in mozilla::dom::MIDIManagerChild::RecvMIDIPortListUpdate(mozilla::dom::MIDIPortList const&) /dom/midi/MIDIManagerChild.cpp:21:29
        #10 0x7f0b82ff808f in mozilla::dom::PMIDIManagerChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PMIDIManagerChild.cpp:152:84
        #11 0x7f0b7f3dd8bf in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1800:25
        #12 0x7f0b7f3da612 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1725:9
        #13 0x7f0b7f3db292 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1525:3
        #14 0x7f0b7f3dc3df in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1623:14
        #15 0x7f0b7e70d697 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:559:16
        #16 0x7f0b7e705213 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:886:26
        #17 0x7f0b7e703a67 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:709:15
        #18 0x7f0b7e703ec5 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:495:36
        #19 0x7f0b7e7113b6 in operator() /xpcom/threads/TaskController.cpp:218:37
        #20 0x7f0b7e7113b6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
        #21 0x7f0b7e727bda in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16
        #22 0x7f0b7e72eacd in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #23 0x7f0b7f3e3825 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #24 0x7f0b7f2fe7b1 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #25 0x7f0b7f2fe7b1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #26 0x7f0b83d6fcb8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #27 0x7f0b85fdc75b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:722:20
        #28 0x7f0b7f3e4706 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #29 0x7f0b7f2fe7b1 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #30 0x7f0b7f2fe7b1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #31 0x7f0b85fdbf83 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:657:34
        #32 0x55c15a629926 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #33 0x55c15a629926 in main /browser/app/nsBrowserApp.cpp:375:18
        #34 0x7f0b92b87d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #35 0x7f0b92b87e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #36 0x55c15a600bc8 in _start (/home/jkratzer/builds/m-c-20230906091315-fuzzing-debug/firefox-bin+0x58bc8) (BuildId: 32c29819e4a761a6cea3e4573a5d4564a3a8e25f)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:747:48 in get
    ==517932==ABORTING
Attached file Testcase

Verified bug as reproducible on mozilla-central 20230906091315-5c56b92baa65.
The bug appears to have been introduced in the following build range:

Start: c5ddc463e9f84902a198e1f14dc97fea3bd4fbef (20221229092636)
End: 9b5c52e4d5ce3d83895213c0f5ffcdce5c46d220 (20221229085942)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c5ddc463e9f84902a198e1f14dc97fea3bd4fbef&tochange=9b5c52e4d5ce3d83895213c0f5ffcdce5c46d220

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Not sure who's the best person for MIDI. Moving to DOM: Device Interface.

Component: DOM: Core & HTML → DOM: Device Interfaces

This bug has been marked as a regression. Setting status flag for Nightly to affected.

I'm not sure what the regressor is from the push log, could it be Bug 1807854?
:cmartin pinging you as triage owner if you could take a look?

Flags: needinfo?(cmartin)

Thanks! Let me forward this to Gabriele, since he worked on the MIDI stuff.

Flags: needinfo?(cmartin) → needinfo?(gsvelto)
Assignee: nobody → gsvelto
Status: NEW → ASSIGNED

Based on comment #2, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:gsvelto, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Flags: needinfo?(gsvelto)
Flags: needinfo?(gsvelto)
Regressed by: 1758468

Set release status flags based on info from the regressing bug 1758468

Attached file [PATCH] crashtest

I tried to adapt the test-case into a crashtest but as much as I tried I couldn't get it to work. I'm attaching the patch here in case I find some time to come back to this.

Pushed by gsvelto@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7ef01057696f Check that we really do have a document before creating a MIDI port r=padenot
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 119 Branch

Bug marked as FIXED but still reproduces on mozilla-central 20230915220551-4f0dacf9e5b5. If you believe this to be incorrect, please remove the bugmon keyword to prevent further analysis.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---

I'm puzzled, I can't reproduce locally using the testcase in comment 0 and the patch that I just landed, maybe I'm missing something?

Flags: needinfo?(jkratzer)

I now get the following crash using that testcase on mozilla-central rev 0a60f8be5517 (built with: --enable-debug --enable-fuzzing).

==108992==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f1aeca9e3c9 bp 0x7fff160afa80 sp 0x7fff160afa70 T108992)
==108992==The signal is caused by a WRITE memory access.
==108992==Hint: address points to the zero page.
    #0 0x7f1aeca9e3c9 in AssertReportedOrSuppressed /builds/worker/workspace/obj-build/dist/include/mozilla/ErrorResult.h:583:5
    #1 0x7f1aeca9e3c9 in mozilla::binding_danger::TErrorResult<mozilla::binding_danger::AssertAndSuppressCleanupPolicy>::~TErrorResult() /builds/worker/workspace/obj-build/dist/include/mozilla/ErrorResult.h:185:7
    #2 0x7f1af143cf46 in mozilla::dom::MIDIAccess::Notify(mozilla::dom::MIDIPortList const&) /builds/worker/checkouts/gecko/dom/midi/MIDIAccess.cpp:224:3
    #3 0x7f1af143de48 in Broadcast /builds/worker/workspace/obj-build/dist/include/mozilla/Observer.h:66:12
    #4 0x7f1af143de48 in mozilla::dom::MIDIAccessManager::Update(mozilla::dom::MIDIPortList const&) /builds/worker/checkouts/gecko/dom/midi/MIDIAccessManager.cpp:166:20
    #5 0x7f1af143fa39 in mozilla::dom::MIDIManagerChild::RecvMIDIPortListUpdate(mozilla::dom::MIDIPortList const&) /builds/worker/checkouts/gecko/dom/midi/MIDIManagerChild.cpp:21:29
    #6 0x7f1af144ff9f in mozilla::dom::PMIDIManagerChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PMIDIManagerChild.cpp:152:84
    #7 0x7f1aed82de4f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
    #8 0x7f1aed82aba2 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
    #9 0x7f1aed82b822 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
    #10 0x7f1aed82c96f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
    #11 0x7f1aecb64767 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:559:16
    #12 0x7f1aecb5c2e3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:886:26
    #13 0x7f1aecb5ab37 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:709:15
    #14 0x7f1aecb5af95 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:495:36
    #15 0x7f1aecb68486 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
    #16 0x7f1aecb68486 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
    #17 0x7f1aecb7ecaa in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
    #18 0x7f1aecb85b9d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #19 0x7f1aed833db5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #20 0x7f1aed74e881 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #21 0x7f1aed74e881 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #22 0x7f1af21dbcd8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #23 0x7f1af43fa4db in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
    #24 0x7f1aed834c96 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
    #25 0x7f1aed74e881 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #26 0x7f1aed74e881 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #27 0x7f1af43f9cfe in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
    #28 0x5586c15af926 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #29 0x5586c15af926 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
    #30 0x7f1b00f92d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #31 0x7f1b00f92e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #32 0x5586c1586bc8 in _start (/home/jkratzer/builds/m-c-20230919093728-fuzzing-debug/firefox-bin+0x58bc8) (BuildId: a4dc98feb33e4d66b8770ed74681d0bb5ffc0fad)

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/ErrorResult.h:583:5 in AssertReportedOrSuppressed
Flags: needinfo?(jkratzer)

Using an asan build, this reproduces the issue listed in bug 1851829.

The issue in comment 15 appears to be a separate problem, I'll file a new bug for it.

Depends on: 1854386
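The two traces above show two different failures and it helps to keep them apart. In comment 0 the fault is a READ at 0x168: `MIDIPort::Initialize` calls `Document::GetDocumentURI()` through a document pointer that is null, and the address is the null base plus the offset of the member being read, which is why the sanitizer reports "address points to the zero page". In comment 15 the fault is a WRITE at 0x0 inside `AssertReportedOrSuppressed`, i.e. a debug assertion in `~TErrorResult` (MOZ_CRASH deliberately writes to a null address), raised because a `TErrorResult` was destroyed while still holding an unhandled error; the trace puts that destructor at the end of `MIDIAccess::Notify`. The following is an added illustration, not Gecko code and not the patches that landed here or in bug 1854386: the `Document`, `Port`, `ErrorResult` and `NotifyPorts` names are simplified stand-ins, the padding that places the URI member at offset 0x168 is constructed to match the crash address, and the reading that the second crash is a pending error left in a caller's `ErrorResult` is an inference from the trace, not something the bug states.

```cpp
// Added example (not Gecko code): a self-contained model of the two failure
// modes in this bug's traces. All type and function names are stand-ins.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Stand-in for Gecko's TErrorResult with the AssertAndSuppressCleanupPolicy:
// a failure must be consumed (suppressed or propagated) before the object is
// destroyed. Gecko asserts in debug builds (the WRITE to 0x0 in comment 15);
// here we count violations so a test can observe them.
struct ErrorResult {
  static int unhandledOnDestroy;
  bool failed = false;
  void ThrowInvalidState() { failed = true; }
  bool Failed() const { return failed; }
  void SuppressException() { failed = false; }
  ~ErrorResult() { if (failed) ++unhandledOnDestroy; }
};
int ErrorResult::unhandledOnDestroy = 0;

// Stand-in for Document. The padding is constructed so that the URI member
// lands at offset 0x168, the faulting address in comment 0.
struct Document {
  uint8_t unrelated[0x168];
  const char* mDocumentURI = "https://example.invalid/";
  const char* GetDocumentURI() const { return mDocumentURI; }
};

// How to read a sanitizer "SEGV on unknown address 0x...168" on the zero page:
// it is the offset of the member accessed through a null object pointer.
constexpr size_t kExpectedFaultAddress = offsetof(Document, mDocumentURI);

// Stand-in for MIDIPort. The unguarded form would read *(nullptr + 0x168)
// when doc is null; the guarded form reports the failure through rv instead,
// which is the intent of the landed patch ("check that we really do have a
// document before creating a MIDI port").
struct Port {
  std::string uri;
  bool Initialize(const Document* doc, ErrorResult& rv) {
    if (!doc) {
      rv.ThrowInvalidState();
      return false;
    }
    uri = doc->GetDocumentURI();
    return true;
  }
};

// Stand-in for MIDIAccess::Notify. Creates portCount ports for the document
// and returns true on success. `handle` models whether the caller consumes
// the ErrorResult on the early-return path; when it does not, rv is destroyed
// with the error pending, which is the second failure mode.
bool NotifyPorts(const Document* doc, int portCount, bool handle,
                 std::vector<Port>& out) {
  ErrorResult rv;  // destroyed on every return from this function
  for (int i = 0; i < portCount; ++i) {
    Port p;
    if (!p.Initialize(doc, rv)) {
      if (handle) rv.SuppressException();
      return false;
    }
    out.push_back(p);
  }
  return true;
}

int main() {
  std::vector<Port> ports;
  Document doc;
  bool ok = NotifyPorts(&doc, 2, true, ports);
  ErrorResult::unhandledOnDestroy = 0;
  NotifyPorts(nullptr, 1, false, ports);  // guarded, but error left pending
  return (ok && ErrorResult::unhandledOnDestroy == 1) ? 0 : 1;
}
```

The practical check this models: after adding a null guard that throws into an `ErrorResult`, audit every caller on the path (here `Notify`) for the early-return branch, because a guard that turns a null dereference into an unconsumed error only moves the debug crash from the callee to the caller's destructor.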

Set release status flags based on info from the regressing bug 1758468

The severity field is not set for this bug.
:cmartin, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(cmartin)
Severity: -- → S3
Flags: needinfo?(cmartin)
Priority: -- → P2

:gsvelto wondering about the current status of this?
It was reopened and additional fixes landed in Fx120 under Bug 1854386 and Bug 1851829 (re: comment 16 and comment 17)
Should this bug be resolved as fixed in Fx119? Then let Bug 1854386 and Bug 1851829 ride the train with Fx120?

Flags: needinfo?(gsvelto)

Yes, this was definitely fixed when bug 1854386 landed.

Flags: needinfo?(gsvelto)
Status: REOPENED → RESOLVED
Closed: 1 year ago → 1 year ago
Resolution: --- → FIXED
Target Milestone: 119 Branch → 120 Branch

Bug marked as FIXED but still reproduces on mozilla-central 20230915220551-4f0dacf9e5b5. If you believe this to be incorrect, please remove the bugmon keyword to prevent further analysis.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---

Sorry. Bugmon was still enabled for this bug. Marking as resolved.

Status: REOPENED → RESOLVED
Closed: 1 year ago → 1 year ago
Keywords: bugmon
Resolution: --- → FIXED
