1907428 - crash near null in [@ mozilla::dom::FetchChild::RecvOnResponseAvailableInternal]

Status: VERIFIED FIXED

(Core :: DOM: Networking, defect, P2)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing 20240710-bc4609b7aa7a (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Depends on pref dom.fetchKeepalive.enabled=true

==245921==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7c1218ecdcbf bp 0x7ffc9ca48b90 sp 0x7ffc9ca48b00 T0)
==245921==The signal is caused by a READ memory access.
==245921==Hint: address points to the zero page.
    #0 0x7c1218ecdcbf in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:314:27
    #1 0x7c1218ecdcbf in operator nsIGlobalObject * /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:327:12
    #2 0x7c1218ecdcbf in MaybeSomething<mozilla::ErrorResult> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise.h:419:25
    #3 0x7c1218ecdcbf in mozilla::dom::Promise::MaybeReject(mozilla::ErrorResult&&) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise.h:116:5
    #4 0x7c121f283a1b in MaybeRejectWithTypeError<(mozilla::dom::ErrNum)29> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise.h:148:5
    #5 0x7c121f283a1b in mozilla::dom::FetchChild::RecvOnResponseAvailableInternal(mozilla::dom::ParentToChildInternalResponse&&) /builds/worker/checkouts/gecko/dom/fetch/FetchChild.cpp:109:13
    #6 0x7c121f30db0a in mozilla::dom::PFetchChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PFetchChild.cpp:210:78
    #7 0x7c121a35f471 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:4919:32
    #8 0x7c121a2cb8d5 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1820:25
    #9 0x7c121a2c787f in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1739:9
    #10 0x7c121a2c87a1 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1530:3
    #11 0x7c121a2c9cf3 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1630:14
    #12 0x7c1218d3f39a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:580:16
    #13 0x7c1218d2b6dd in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:907:26
    #14 0x7c1218d28f28 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:730:15
    #15 0x7c1218d29546 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:516:36
    #16 0x7c1218d465c1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:234:37
    #17 0x7c1218d465c1 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
    #18 0x7c1218d6735d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
    #19 0x7c1218d72128 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #20 0x7c121a2d387e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #21 0x7c121a1b7824 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #22 0x7c121a1b7824 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #23 0x7c121a1b7824 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #24 0x7c1222ab8e09 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #25 0x7c1222c6d7eb in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
    #26 0x7c12248c88fd in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:714:20
    #27 0x7c121a1b7824 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #28 0x7c121a1b7824 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #29 0x7c121a1b7824 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #30 0x7c12248c7ee5 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:649:34
    #31 0x626af9edb3b0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #32 0x626af9edb3b0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:378:18
    #33 0x7c1237c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #34 0x7c1237c29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #35 0x626af9e02a18 in _start (/home/user/workspace/browsers/m-c-20240711092457-fuzzing-asan-opt/firefox+0xd5a18) (BuildId: 0774f07beb183b8825c5b166c438534383d1d096)

Comment 1

[Tyson Smith [:tsmith]]

Attachment: prefs.js

prefs.js for bugmon

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20240711215213-9881aaa9dcd6.
Unable to bisect testcase (Unable to launch the start build!):

Start: 196cda3a105202c8969a926a0637db0e0014c07d (20230714094120)
End: bc4609b7aa7a3dff961f43d527bc66c5c85f6f4b (20240710160741)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Comment 3

[Kagami Rosylight [:saschanaz] (they/them)]

Seems like I totally missed MaybeSomething() when implementing https://bugzilla.mozilla.org/show_bug.cgi?id=1811538. Specifically the assertion condition MOZ_ASSERT(PromiseObj()); in line 422 doesn't always fulfill, it can now be null.

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1811538

Comment 5

[Kagami Rosylight [:saschanaz] (they/them)]

Sunil, do you want me to fix this? Should just be some if-checks away.

Comment 6

[Sunil Mayya]

(In reply to Kagami Rosylight [:saschanaz] (they/them) from comment #5)

Sunil, do you want me to fix this? Should just be some if-checks away.

Kagami, It would be very helpful if you can fix this!
Thanks!

Comment 7

[Kagami Rosylight [:saschanaz] (they/them)]

Attachment: Bug 1907428 - Return when mPromise is null r=sunil

We should probably remove FetchObserver at this point, btw.

Comment 8

[Kagami Rosylight [:saschanaz] (they/them)]

(Not a regression actually, this is FetchObserver thing)

Comment 9

[Pulsebot]

Pushed by krosylight@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f7ef18cdcabb
Return when mPromise is null r=sunil

Comment 10

[Noemi Erli[:noemi_erli]]

https://hg.mozilla.org/mozilla-central/rev/f7ef18cdcabb

Comment 11

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20240917040755-f7ef18cdcabb.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.