Closed Bug 1857948 Opened 11 months ago Closed 11 months ago

Assertion failure: !mPromise, at /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1358

Categories: Core :: DOM: Web Authentication, defect (x86_64, Linux)

Tracking: VERIFIED FIXED, 120 Branch

Tracking Status:
firefox-esr115 --- unaffected
firefox118 --- unaffected
firefox119 --- unaffected
firefox120 --- verified

People: Reporter: jkratzer, Assigned: jschanck

References: Blocks 1 open bug, Regression

Details: Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed][fuzzblocker]

Attachments: 1 file, 1 obsolete file

Testcase found while fuzzing mozilla-central rev 461a9c98a535 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

    $ pip install fuzzfetch grizzly-framework
    $ python -m fuzzfetch --build 461a9c98a535 --debug --fuzzing -n firefox
    $ python -m grizzly.replay ./firefox/firefox testcase.html

    Assertion failure: !mPromise, at /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1358

    ==415493==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9765b21660 bp 0x7ffcae3a0590 sp 0x7ffcae3a0580 T415493)
    ==415493==The signal is caused by a WRITE memory access.
    ==415493==Hint: address points to the zero page.
        #0 0x7f9765b21660 in ~MozPromiseHolderBase /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1358:29
        #1 0x7f9765b21660 in ~WebAuthnRegisterPromiseHolder /dom/webauthn/WebAuthnPromiseHolder.h:44:44
        #2 0x7f9765b21660 in mozilla::dom::WebAuthnRegisterPromiseHolder::Release() /dom/webauthn/WebAuthnPromiseHolder.cpp:10:1
        #3 0x7f976b15e41f in core::ptr::drop_in_place$LT$authrs_bridge..TransactionPromise$GT$::h3bb38a37e03c7331 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/ptr/mod.rs:497:1
        #4 0x7f976b15e41f in core::ptr::drop_in_place$LT$authrs_bridge..TransactionState$GT$::h7b07300a9d4f87bb /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/ptr/mod.rs:497:1
        #5 0x7f976b15e41f in core::ptr::drop_in_place$LT$core..option..Option$LT$authrs_bridge..TransactionState$GT$$GT$::h45808a49d2cb67c3 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/ptr/mod.rs:497:1
        #6 0x7f976b15e41f in core::ptr::drop_in_place$LT$core..cell..UnsafeCell$LT$core..option..Option$LT$authrs_bridge..TransactionState$GT$$GT$$GT$::hf0004862d88eb536 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/ptr/mod.rs:497:1
        #7 0x7f976b15e41f in core::ptr::drop_in_place$LT$std..sync..mutex..Mutex$LT$core..option..Option$LT$authrs_bridge..TransactionState$GT$$GT$$GT$::hc5d929719ef3dba0 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/ptr/mod.rs:497:1
        #8 0x7f976b15e41f in alloc::sync::Arc$LT$T$GT$::drop_slow::h8826af52a93ae7f6 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/alloc/src/sync.rs:1263:18
        #9 0x7f976b192519 in _$LT$alloc..sync..Arc$LT$T$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::h53f4bdf4b02e7acf /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/alloc/src/sync.rs:1897:13
        #10 0x7f976b192519 in core::ptr::drop_in_place$LT$alloc..sync..Arc$LT$std..sync..mutex..Mutex$LT$core..option..Option$LT$authrs_bridge..TransactionState$GT$$GT$$GT$$GT$::h50cf5ec0922c189d /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/ptr/mod.rs:497:1
        #11 0x7f976b192519 in core::ptr::drop_in_place$LT$authrs_bridge..AuthrsService$GT$::h45ff17b0e31cf6a5 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/ptr/mod.rs:497:1
        #12 0x7f976b192519 in core::ptr::drop_in_place$LT$alloc..boxed..Box$LT$authrs_bridge..AuthrsService$GT$$GT$::h89178844f9a53dd2 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/ptr/mod.rs:497:1
        #13 0x7f976b192519 in core::mem::drop::h8c8a3cebde1758c5 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/mem/mod.rs:987:24
        #14 0x7f976b192519 in authrs_bridge::AuthrsService::Release::h4d1c3fbf2109ef79 /dom/webauthn/authrs_bridge/src/lib.rs:461:1
        #15 0x7f976097af02 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:54:40
        #16 0x7f976097af02 in ~nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:344:7
        #17 0x7f976097af02 in ~SegmentImpl /builds/worker/workspace/obj-build/dist/include/mozilla/SegmentedVector.h:78:21
        #18 0x7f976097af02 in mozilla::SegmentedVector<nsCOMPtr<nsISupports>, 4096ul, mozilla::MallocAllocPolicy>::PopLastN(unsigned int) /builds/worker/workspace/obj-build/dist/include/mozilla/SegmentedVector.h:246:14
        #19 0x7f9760966ea2 in mozilla::dom::DeferredFinalizerImpl<nsISupports>::DeferredFinalize(unsigned int, void*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BindingUtils.h:2803:15
        #20 0x7f9760967569 in mozilla::IncrementalFinalizeRunnable::ReleaseNow(bool) /xpcom/base/CycleCollectedJSRuntime.cpp:1726:17
        #21 0x7f9760967b4d in mozilla::CycleCollectedJSRuntime::FinalizeDeferredThings(mozilla::CycleCollectedJSContext::DeferredFinalizeType) /xpcom/base/CycleCollectedJSRuntime.cpp:1802:24
        #22 0x7f9760965a8b in mozilla::CycleCollectedJSRuntime::OnGC(JSContext*, JSGCStatus, JS::GCReason) /xpcom/base/CycleCollectedJSRuntime.cpp:1878:7
        #23 0x7f9768d65b92 in js::gc::GCRuntime::maybeCallGCCallback(JSGCStatus, JS::GCReason) /js/src/gc/GC.cpp:4135:3
        #24 0x7f9768d66843 in ~AutoCallGCCallbacks /js/src/gc/GC.cpp:4108:32
        #25 0x7f9768d66843 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, JS::GCReason) /js/src/gc/GC.cpp:4225:1
        #26 0x7f9768d67e33 in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, JS::GCReason) /js/src/gc/GC.cpp:4410:9
        #27 0x7f9768d37659 in js::gc::GCRuntime::gc(JS::GCOptions, JS::GCReason) /js/src/gc/GC.cpp:4487:3
        #28 0x7f9768d8479f in JS::NonIncrementalGC(JSContext*, JS::GCOptions, JS::GCReason) /js/src/gc/GCAPI.cpp:298:21
        #29 0x7f97609902e5 in nsCycleCollector::FixGrayBits(bool, TimeLog&) /xpcom/base/nsCycleCollector.cpp
        #30 0x7f9760991256 in nsCycleCollector::BeginCollection(mozilla::CCReason, ccIsManual, nsICycleCollectorListener*) /xpcom/base/nsCycleCollector.cpp:3655:3
        #31 0x7f9760990c03 in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) /xpcom/base/nsCycleCollector.cpp:3484:9
        #32 0x7f97609908fd in nsCycleCollector::ShutdownCollect() /xpcom/base/nsCycleCollector.cpp:3418:20
        #33 0x7f9760991f06 in nsCycleCollector::Shutdown(bool) /xpcom/base/nsCycleCollector.cpp:3722:5
        #34 0x7f97609939ad in nsCycleCollector_shutdown(bool) /xpcom/base/nsCycleCollector.cpp:4046:18
        #35 0x7f9760ad6696 in mozilla::ShutdownXPCOM(nsIServiceManager*) /xpcom/build/XPCOMInit.cpp:702:3
        #36 0x7f97681a9852 in ScopedXPCOMStartup::~ScopedXPCOMStartup() /toolkit/xre/nsAppRunner.cpp:1986:5
        #37 0x7f97681b8c9f in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:459:5
        #38 0x7f97681b8c9f in reset /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:301:7
        #39 0x7f97681b8c9f in operator= /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:271:5
        #40 0x7f97681b8c9f in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5905:16
        #41 0x7f97681b9872 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5940:21
        #42 0x55b1fb598147 in do_main /browser/app/nsBrowserApp.cpp:227:22
        #43 0x55b1fb598147 in main /browser/app/nsBrowserApp.cpp:445:16
        #44 0x7f9774d6fd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #45 0x7f9774d6fe3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #46 0x55b1fb56df68 in _start (/home/jkratzer/builds/m-c-20231006092133-fuzzing-debug/firefox-bin+0x58f68) (BuildId: d97922557cda625d0f41e45d0271dc60e71db811)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1358:29 in ~MozPromiseHolderBase
    ==415493==ABORTING

Attached file Testcase
Whiteboard: [bugmon:confirm] → [bugmon:confirm][fuzzblocker]

Unable to reproduce bug 1857948 using build mozilla-central 20231006092133-461a9c98a535. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

(In reply to Bugmon [:jkratzer for issues] from comment #2)
> Unable to reproduce bug 1857948 using build mozilla-central 20231006092133-461a9c98a535. Without a baseline, bugmon is unable to analyze this bug.
> Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Bugmon fails here because an upstream fix in grizzly-framework hasn't been pushed to pip yet. I'll run this manually.

Adding an NI to remind me to re-enable bugmon once a release has been made.

Flags: needinfo?(jkratzer)

Verified bug as reproducible on mozilla-central 20231009160804-70c980c054e9.
The bug appears to have been introduced in the following build range:

Start: c5b63a02d71951f66853cbeb8a677986fc2ddf47 (20231005035341)
End: c406ccc1889d7f77e187d219bc9800009e26c02e (20231005041514)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c5b63a02d71951f66853cbeb8a677986fc2ddf47&tochange=c406ccc1889d7f77e187d219bc9800009e26c02e

Keywords: regression
Whiteboard: [bugmon:confirm][fuzzblocker] → [bugmon:bisected,confirmed][fuzzblocker]
Assignee: nobody → jschanck
Status: NEW → ASSIGNED
Regressed by: 1856395

Set release status flags based on info from the regressing bug 1856395

Pushed by jschanck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f7da4696baf1
reset webauthn service in parent actor destroy. r=keeler

Backed out for causing test_webauthn_authenticator_selection.html failures

[task 2023-10-10T19:59:25.353Z] 19:59:25     INFO -  TEST-START | dom/webauthn/tests/test_webauthn_authenticator_selection.html
[task 2023-10-10T19:59:25.353Z] 19:59:25     INFO -  Buffered messages logged at 19:59:15
[task 2023-10-10T19:59:25.353Z] 19:59:25     INFO -  add_task | Entering
[task 2023-10-10T19:59:25.353Z] 19:59:25     INFO -  add_task | Leaving
[task 2023-10-10T19:59:25.353Z] 19:59:25     INFO -  add_task | Entering test_make_credential_successes
[task 2023-10-10T19:59:25.353Z] 19:59:25     INFO -  Buffered messages finished
[task 2023-10-10T19:59:25.353Z] 19:59:25  WARNING -  TEST-UNEXPECTED-FAIL | dom/webauthn/tests/test_webauthn_authenticator_selection.html | Bad result! Received a: AbortError: The operation was aborted.
[task 2023-10-10T19:59:25.353Z] 19:59:25     INFO -  SimpleTest.ok@https://example.com/tests/SimpleTest/SimpleTest.js:426:16
[task 2023-10-10T19:59:25.353Z] 19:59:25     INFO -  arrivingHereIsBad@https://example.com/tests/dom/webauthn/tests/test_webauthn_authenticator_selection.html:27:9
[task 2023-10-10T19:59:25.353Z] 19:59:25     INFO -  promise callback*test_make_credential_successes@https://example.com/tests/dom/webauthn/tests/test_webauthn_authenticator_selection.html:81:10
[task 2023-10-10T19:59:25.353Z] 19:59:25     INFO -  nextTick/<@https://example.com/tests/SimpleTest/SimpleTest.js:2189:34
[task 2023-10-10T19:59:25.353Z] 19:59:25     INFO -  async*nextTick@https://example.com/tests/SimpleTest/SimpleTest.js:2233:11
[task 2023-10-10T19:59:25.354Z] 19:59:25     INFO -  setTimeout handler*SimpleTest_setTimeoutShim@https://example.com/tests/SimpleTest/SimpleTest.js:922:41
[task 2023-10-10T19:59:25.354Z] 19:59:25     INFO -  add_task@https://example.com/tests/SimpleTest/SimpleTest.js:2137:17
[task 2023-10-10T19:59:25.354Z] 19:59:25     INFO -  @https://example.com/tests/dom/webauthn/tests/test_webauthn_authenticator_selection.html:18:13
[task 2023-10-10T19:59:25.354Z] 19:59:25     INFO -  TEST-PASS | dom/webauthn/tests/test_webauthn_authenticator_selection.html | Good result! Received a: [object PublicKeyCredential]
Flags: needinfo?(jschanck)

There are also some more failures:

TEST-UNEXPECTED-FAIL | dom/webauthn/tests/test_webauthn_authenticator_transports.html | Expecting a InvalidStateError, got AbortError: The operation was aborted.
TEST-UNEXPECTED-FAIL | dom/webauthn/tests/test_webauthn_sameorigin.html | Bad result! Received a: AbortError: The operation was aborted.
TEST-UNEXPECTED-FAIL | dom/webauthn/tests/test_webauthn_webdriver_virtual_authenticator.html | Bad result! Received a: AbortError: The operation was aborted.
Flags: needinfo?(jschanck)

Pushed by jschanck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/df898dc64459
reset webauthn service in parent actor destroy. r=keeler

Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → 120 Branch
Flags: needinfo?(jkratzer)
Keywords: bugmon

Verified bug as fixed on rev mozilla-central 20231011211944-7df8f9c41c9b.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Attachment #9357510 - Attachment description: Bug 1857948 - reset webauthn service in parent actor destroy. r=keeler → Bug 1857948 - reset webauthn service after transaction completion. r=keeler
Attachment #9357510 - Attachment is obsolete: true