Assertion failure: !mPromise, at /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1358
Categories
(Core :: DOM: Web Authentication, defect)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr115 | --- | unaffected |
firefox118 | --- | unaffected |
firefox119 | --- | unaffected |
firefox120 | --- | verified |
People
(Reporter: jkratzer, Assigned: jschanck)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed][fuzzblocker])
Attachments
(1 file, 1 obsolete file)
958 bytes,
text/plain
|
Details |
Testcase found while fuzzing mozilla-central rev 461a9c98a535 (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 461a9c98a535 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: !mPromise, at /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1358
==415493==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9765b21660 bp 0x7ffcae3a0590 sp 0x7ffcae3a0580 T415493)
==415493==The signal is caused by a WRITE memory access.
==415493==Hint: address points to the zero page.
#0 0x7f9765b21660 in ~MozPromiseHolderBase /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1358:29
#1 0x7f9765b21660 in ~WebAuthnRegisterPromiseHolder /dom/webauthn/WebAuthnPromiseHolder.h:44:44
#2 0x7f9765b21660 in mozilla::dom::WebAuthnRegisterPromiseHolder::Release() /dom/webauthn/WebAuthnPromiseHolder.cpp:10:1
#3 0x7f976b15e41f in core::ptr::drop_in_place$LT$authrs_bridge..TransactionPromise$GT$::h3bb38a37e03c7331 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/ptr/mod.rs:497:1
#4 0x7f976b15e41f in core::ptr::drop_in_place$LT$authrs_bridge..TransactionState$GT$::h7b07300a9d4f87bb /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/ptr/mod.rs:497:1
#5 0x7f976b15e41f in core::ptr::drop_in_place$LT$core..option..Option$LT$authrs_bridge..TransactionState$GT$$GT$::h45808a49d2cb67c3 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/ptr/mod.rs:497:1
#6 0x7f976b15e41f in core::ptr::drop_in_place$LT$core..cell..UnsafeCell$LT$core..option..Option$LT$authrs_bridge..TransactionState$GT$$GT$$GT$::hf0004862d88eb536 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/ptr/mod.rs:497:1
#7 0x7f976b15e41f in core::ptr::drop_in_place$LT$std..sync..mutex..Mutex$LT$core..option..Option$LT$authrs_bridge..TransactionState$GT$$GT$$GT$::hc5d929719ef3dba0 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/ptr/mod.rs:497:1
#8 0x7f976b15e41f in alloc::sync::Arc$LT$T$GT$::drop_slow::h8826af52a93ae7f6 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/alloc/src/sync.rs:1263:18
#9 0x7f976b192519 in _$LT$alloc..sync..Arc$LT$T$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::h53f4bdf4b02e7acf /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/alloc/src/sync.rs:1897:13
#10 0x7f976b192519 in core::ptr::drop_in_place$LT$alloc..sync..Arc$LT$std..sync..mutex..Mutex$LT$core..option..Option$LT$authrs_bridge..TransactionState$GT$$GT$$GT$$GT$::h50cf5ec0922c189d /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/ptr/mod.rs:497:1
#11 0x7f976b192519 in core::ptr::drop_in_place$LT$authrs_bridge..AuthrsService$GT$::h45ff17b0e31cf6a5 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/ptr/mod.rs:497:1
#12 0x7f976b192519 in core::ptr::drop_in_place$LT$alloc..boxed..Box$LT$authrs_bridge..AuthrsService$GT$$GT$::h89178844f9a53dd2 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/ptr/mod.rs:497:1
#13 0x7f976b192519 in core::mem::drop::h8c8a3cebde1758c5 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/mem/mod.rs:987:24
#14 0x7f976b192519 in authrs_bridge::AuthrsService::Release::h4d1c3fbf2109ef79 /dom/webauthn/authrs_bridge/src/lib.rs:461:1
#15 0x7f976097af02 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:54:40
#16 0x7f976097af02 in ~nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:344:7
#17 0x7f976097af02 in ~SegmentImpl /builds/worker/workspace/obj-build/dist/include/mozilla/SegmentedVector.h:78:21
#18 0x7f976097af02 in mozilla::SegmentedVector<nsCOMPtr<nsISupports>, 4096ul, mozilla::MallocAllocPolicy>::PopLastN(unsigned int) /builds/worker/workspace/obj-build/dist/include/mozilla/SegmentedVector.h:246:14
#19 0x7f9760966ea2 in mozilla::dom::DeferredFinalizerImpl<nsISupports>::DeferredFinalize(unsigned int, void*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BindingUtils.h:2803:15
#20 0x7f9760967569 in mozilla::IncrementalFinalizeRunnable::ReleaseNow(bool) /xpcom/base/CycleCollectedJSRuntime.cpp:1726:17
#21 0x7f9760967b4d in mozilla::CycleCollectedJSRuntime::FinalizeDeferredThings(mozilla::CycleCollectedJSContext::DeferredFinalizeType) /xpcom/base/CycleCollectedJSRuntime.cpp:1802:24
#22 0x7f9760965a8b in mozilla::CycleCollectedJSRuntime::OnGC(JSContext*, JSGCStatus, JS::GCReason) /xpcom/base/CycleCollectedJSRuntime.cpp:1878:7
#23 0x7f9768d65b92 in js::gc::GCRuntime::maybeCallGCCallback(JSGCStatus, JS::GCReason) /js/src/gc/GC.cpp:4135:3
#24 0x7f9768d66843 in ~AutoCallGCCallbacks /js/src/gc/GC.cpp:4108:32
#25 0x7f9768d66843 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, JS::GCReason) /js/src/gc/GC.cpp:4225:1
#26 0x7f9768d67e33 in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, JS::GCReason) /js/src/gc/GC.cpp:4410:9
#27 0x7f9768d37659 in js::gc::GCRuntime::gc(JS::GCOptions, JS::GCReason) /js/src/gc/GC.cpp:4487:3
#28 0x7f9768d8479f in JS::NonIncrementalGC(JSContext*, JS::GCOptions, JS::GCReason) /js/src/gc/GCAPI.cpp:298:21
#29 0x7f97609902e5 in nsCycleCollector::FixGrayBits(bool, TimeLog&) /xpcom/base/nsCycleCollector.cpp
#30 0x7f9760991256 in nsCycleCollector::BeginCollection(mozilla::CCReason, ccIsManual, nsICycleCollectorListener*) /xpcom/base/nsCycleCollector.cpp:3655:3
#31 0x7f9760990c03 in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) /xpcom/base/nsCycleCollector.cpp:3484:9
#32 0x7f97609908fd in nsCycleCollector::ShutdownCollect() /xpcom/base/nsCycleCollector.cpp:3418:20
#33 0x7f9760991f06 in nsCycleCollector::Shutdown(bool) /xpcom/base/nsCycleCollector.cpp:3722:5
#34 0x7f97609939ad in nsCycleCollector_shutdown(bool) /xpcom/base/nsCycleCollector.cpp:4046:18
#35 0x7f9760ad6696 in mozilla::ShutdownXPCOM(nsIServiceManager*) /xpcom/build/XPCOMInit.cpp:702:3
#36 0x7f97681a9852 in ScopedXPCOMStartup::~ScopedXPCOMStartup() /toolkit/xre/nsAppRunner.cpp:1986:5
#37 0x7f97681b8c9f in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:459:5
#38 0x7f97681b8c9f in reset /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:301:7
#39 0x7f97681b8c9f in operator= /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:271:5
#40 0x7f97681b8c9f in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5905:16
#41 0x7f97681b9872 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5940:21
#42 0x55b1fb598147 in do_main /browser/app/nsBrowserApp.cpp:227:22
#43 0x55b1fb598147 in main /browser/app/nsBrowserApp.cpp:445:16
#44 0x7f9774d6fd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#45 0x7f9774d6fe3f in __libc_start_main csu/../csu/libc-start.c:392:3
#46 0x55b1fb56df68 in _start (/home/jkratzer/builds/m-c-20231006092133-fuzzing-debug/firefox-bin+0x58f68) (BuildId: d97922557cda625d0f41e45d0271dc60e71db811)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1358:29 in ~MozPromiseHolderBase
==415493==ABORTING
Reporter | ||
Comment 1•11 months ago
|
||
Reporter | ||
Updated•11 months ago
|
Comment 2•11 months ago
|
||
Unable to reproduce bug 1857948 using build mozilla-central 20231006092133-461a9c98a535. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Reporter | ||
Comment 3•11 months ago
|
||
(In reply to Bugmon [:jkratzer for issues] from comment #2)
Unable to reproduce bug 1857948 using build mozilla-central 20231006092133-461a9c98a535. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Bugmon fails here because an upstream fix in grizzly-framework hasn't been pushed to pip yet. I'll run this manually.
Reporter | ||
Comment 4•11 months ago
|
||
Adding an NI to remind me to re-enable bugmon once a release has been made.
Comment 5•11 months ago
|
||
Verified bug as reproducible on mozilla-central 20231009160804-70c980c054e9.
The bug appears to have been introduced in the following build range:
Start: c5b63a02d71951f66853cbeb8a677986fc2ddf47 (20231005035341)
End: c406ccc1889d7f77e187d219bc9800009e26c02e (20231005041514)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c5b63a02d71951f66853cbeb8a677986fc2ddf47&tochange=c406ccc1889d7f77e187d219bc9800009e26c02e
Assignee | ||
Comment 6•11 months ago
|
||
Updated•11 months ago
|
Comment 7•11 months ago
|
||
Set release status flags based on info from the regressing bug 1856395
Pushed by jschanck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f7da4696baf1 reset webauthn service in parent actor destroy. r=keeler
Comment 9•11 months ago
|
||
Backed out for causing test_webauthn_authenticator_selection.html failures
- backout: https://hg.mozilla.org/integration/autoland/rev/d70b547b0a925701957115d69f6e0c9b8ba96aa0
- push: https://treeherder.mozilla.org/jobs?repo=autoland&selectedTaskRun=f95t4GpDQNWJhq9Qgryqjw.1&revision=f7da4696baf1582683f0f21771bd9eee3897bf23
- failure log: https://treeherder.mozilla.org/logviewer?job_id=432024538&repo=autoland&lineNumber=68
[task 2023-10-10T19:59:25.353Z] 19:59:25 INFO - TEST-START | dom/webauthn/tests/test_webauthn_authenticator_selection.html
[task 2023-10-10T19:59:25.353Z] 19:59:25 INFO - Buffered messages logged at 19:59:15
[task 2023-10-10T19:59:25.353Z] 19:59:25 INFO - add_task | Entering
[task 2023-10-10T19:59:25.353Z] 19:59:25 INFO - add_task | Leaving
[task 2023-10-10T19:59:25.353Z] 19:59:25 INFO - add_task | Entering test_make_credential_successes
[task 2023-10-10T19:59:25.353Z] 19:59:25 INFO - Buffered messages finished
[task 2023-10-10T19:59:25.353Z] 19:59:25 WARNING - TEST-UNEXPECTED-FAIL | dom/webauthn/tests/test_webauthn_authenticator_selection.html | Bad result! Received a: AbortError: The operation was aborted.
[task 2023-10-10T19:59:25.353Z] 19:59:25 INFO - SimpleTest.ok@https://example.com/tests/SimpleTest/SimpleTest.js:426:16
[task 2023-10-10T19:59:25.353Z] 19:59:25 INFO - arrivingHereIsBad@https://example.com/tests/dom/webauthn/tests/test_webauthn_authenticator_selection.html:27:9
[task 2023-10-10T19:59:25.353Z] 19:59:25 INFO - promise callback*test_make_credential_successes@https://example.com/tests/dom/webauthn/tests/test_webauthn_authenticator_selection.html:81:10
[task 2023-10-10T19:59:25.353Z] 19:59:25 INFO - nextTick/<@https://example.com/tests/SimpleTest/SimpleTest.js:2189:34
[task 2023-10-10T19:59:25.353Z] 19:59:25 INFO - async*nextTick@https://example.com/tests/SimpleTest/SimpleTest.js:2233:11
[task 2023-10-10T19:59:25.354Z] 19:59:25 INFO - setTimeout handler*SimpleTest_setTimeoutShim@https://example.com/tests/SimpleTest/SimpleTest.js:922:41
[task 2023-10-10T19:59:25.354Z] 19:59:25 INFO - add_task@https://example.com/tests/SimpleTest/SimpleTest.js:2137:17
[task 2023-10-10T19:59:25.354Z] 19:59:25 INFO - @https://example.com/tests/dom/webauthn/tests/test_webauthn_authenticator_selection.html:18:13
[task 2023-10-10T19:59:25.354Z] 19:59:25 INFO - TEST-PASS | dom/webauthn/tests/test_webauthn_authenticator_selection.html | Good result! Received a: [object PublicKeyCredential]
Comment 10•11 months ago
|
||
There are also some more failures:
TEST-UNEXPECTED-FAIL | dom/webauthn/tests/test_webauthn_authenticator_transports.html | Expecting a InvalidStateError, got AbortError: The operation was aborted.
TEST-UNEXPECTED-FAIL | dom/webauthn/tests/test_webauthn_sameorigin.html | Bad result! Received a: AbortError: The operation was aborted.
TEST-UNEXPECTED-FAIL | dom/webauthn/tests/test_webauthn_webdriver_virtual_authenticator.html | Bad result! Received a: AbortError: The operation was aborted.
Assignee | ||
Updated•11 months ago
|
Comment 11•11 months ago
|
||
Pushed by jschanck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/df898dc64459 reset webauthn service in parent actor destroy. r=keeler
Comment 12•11 months ago
|
||
bugherder |
Comment 13•11 months ago
|
||
Verified bug as fixed on rev mozilla-central 20231011211944-7df8f9c41c9b.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Updated•10 months ago
|
Updated•10 months ago
|
Description
•