1865728 - Assertion failure: mFetchStreamReader, at /dom/fetch/Fetch.cpp:1257

Status: VERIFIED FIXED

(Core :: Storage: Cache API, defect, P2)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev c3021f5ece18 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build c3021f5ece18 --debug --fuzzing  -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip

Assertion failure: mFetchStreamReader, at /dom/fetch/Fetch.cpp:1257

    ==456382==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc781f7e757 bp 0x7fc774266be0 sp 0x7fc774266bb0 T456541)
    ==456382==The signal is caused by a WRITE memory access.
    ==456382==Hint: address points to the zero page.
        #0 0x7fc781f7e757 in mozilla::dom::FetchBody<mozilla::dom::Response>::SetBodyUsed(JSContext*, mozilla::ErrorResult&) /dom/fetch/Fetch.cpp:1257:7
        #1 0x7fc781951ef9 in mozilla::dom::cache::TypeUtils::ToCacheResponse(JSContext*, mozilla::dom::cache::CacheResponse&, mozilla::dom::Response&, mozilla::ErrorResult&) /dom/cache/TypeUtils.cpp:220:9
        #2 0x7fc7818fc04a in mozilla::dom::cache::AutoChildOpArgs::Add(JSContext*, mozilla::dom::InternalRequest const&, mozilla::dom::cache::TypeUtils::BodyAction, mozilla::dom::cache::TypeUtils::SchemeAction, mozilla::dom::Response&, mozilla::ErrorResult&) /dom/cache/AutoUtils.cpp:282:21
        #3 0x7fc781900694 in mozilla::dom::cache::Cache::Put(JSContext*, mozilla::dom::RequestOrUSVString const&, mozilla::dom::Response&, mozilla::ErrorResult&) /dom/cache/Cache.cpp:413:8
        #4 0x7fc780d888b0 in put /builds/worker/workspace/obj-build/dom/bindings/./CacheBinding.cpp:545:60
        #5 0x7fc780d888b0 in mozilla::dom::Cache_Binding::put_promiseWrapper(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./CacheBinding.cpp:561:13
        #6 0x7fc7818bfa69 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3330:13
        #7 0x7fc786099be4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:472:13
        #8 0x7fc7860994fd in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:566:12
        #9 0x7fc7860a9ac8 in CallFromStack /js/src/vm/Interpreter.cpp:638:10
        #10 0x7fc7860a9ac8 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3053:16
        #11 0x7fc786098a52 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:444:13
        #12 0x7fc786099519 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:598:13
        #13 0x7fc78609a9bd in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:665:8
        #14 0x7fc78640de47 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/SelfHosting.cpp:1519:10
        #15 0x7fc786151344 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /js/src/vm/AsyncFunction.cpp:149:8
        #16 0x7fc78636c7c9 in AsyncFunctionPromiseReactionJob /js/src/builtin/Promise.cpp:2115:12
        #17 0x7fc78636c7c9 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2178:12
        #18 0x7fc786099be4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:472:13
        #19 0x7fc7860994fd in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:566:12
        #20 0x7fc78609a9bd in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:665:8
        #21 0x7fc786181ca4 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10
        #22 0x7fc780b4e50c in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./PromiseBinding.cpp:83:8
        #23 0x7fc77e5b5635 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
        #24 0x7fc77e5b4f75 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
        #25 0x7fc77e5b4f75 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:210:18
        #26 0x7fc77e5a0dc8 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:673:17
        #27 0x7fc77e5a1de9 in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /xpcom/base/CycleCollectedJSContext.cpp:460:3
        #28 0x7fc77e6d6583 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1236:24
        #29 0x7fc77e6dd23d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #30 0x7fc78367382e in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /dom/workers/WorkerPrivate.cpp:3328:7
        #31 0x7fc783657051 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /dom/workers/RuntimeService.cpp:2106:42
        #32 0x7fc77e6d62ad in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1192:16
        #33 0x7fc77e6dd23d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #34 0x7fc77f3994ee in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
        #35 0x7fc77f2b2281 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #36 0x7fc77f2b2281 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #37 0x7fc77e6d1593 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:370:10
        #38 0x7fc793b65d0f in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #39 0x7fc794406ac2 in start_thread nptl/pthread_create.c:442:8
        #40 0x7fc794498a3f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/fetch/Fetch.cpp:1257:7 in mozilla::dom::FetchBody<mozilla::dom::Response>::SetBodyUsed(JSContext*, mozilla::ErrorResult&)
    ==456382==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20231120173116-e39cc33d2356.
The bug appears to have been introduced in the following build range:

Start: a1c3dcc09af599d18e7f8b278d565686f7d486d1 (20230515221112)
End: 6854d5a61f68124288044381b0a94207c541e80a (20230516011519)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a1c3dcc09af599d18e7f8b278d565686f7d486d1&tochange=6854d5a61f68124288044381b0a94207c541e80a

Comment 3

[Jens Stutte [:jstutte]]

(In reply to Bugmon [:jkratzer for issues] from comment #2)

Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a1c3dcc09af599d18e7f8b278d565686f7d486d1&tochange=6854d5a61f68124288044381b0a94207c541e80a

That seems to point to bug 1832326 ?

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1832326

Comment 5

[Kagami Rosylight [:saschanaz] (they/them)]

Attachment: Bug 1865728 - Reverse the check order in Fetch::SetBodyUsed r=smaug

nsIInputStream can exist and then may later go away when the stream becomes unreadable (closed/errored). Since FetchStreamReader is created only when nsIInputStream initially did not exist, the current assertion may fail.

This patch now goes LockStream way if FetchStreamReader doesn't exist, regardless of whether nsIInputStream exists or not.

Comment 6

[Pulsebot]

Pushed by krosylight@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1f71cce4363a
Reverse the check order in Fetch::SetBodyUsed r=smaug

Comment 7

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/43471 for changes under testing/web-platform/tests

Comment 8

[Iulian Moraru]

https://hg.mozilla.org/mozilla-central/rev/1f71cce4363a

Comment 9

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot

Comment 10

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20231202093228-bf4c1083cec1.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 11

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:saschanaz, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox121 to wontfix.

For more information, please visit BugBot documentation.

Comment 12

[Kagami Rosylight [:saschanaz] (they/them)]

This is an edge case and I don't see any relevant crash report. Feel free to ping me again if anyone finds one.