Closed Bug 1928123 Opened 11 months ago Closed 11 months ago

Crash [@ IsCurrentThread]

Categories

(Core :: Networking: Cookies, defect)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
134 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox132 --- disabled
firefox133 --- disabled
firefox134 --- verified

People

(Reporter: jkratzer, Assigned: baku)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev 12d31a1006e7 (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 12d31a1006e7 --asan --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
[@ IsCurrentThread]

    =================================================================
    ==72809==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f0253a8afda bp 0x7f0241ffd790 sp 0x7f0241ffd780 T21)
    ==72809==The signal is caused by a READ memory access.
    ==72809==Hint: address points to the zero page.
        #0 0x7f0253a8afda in IsCurrentThread /xpcom/base/nsISupportsImpl.cpp:48:10
        #1 0x7f0253a8afda in nsAutoOwningThread::AssertCurrentThreadOwnsMe(char const*) const /xpcom/base/nsISupportsImpl.cpp:41:7
        #2 0x7f025a45f98b in mozilla::dom::CookieStoreNotificationWatcherWrapper::ResolvePromiseWhenNotified(nsID const&, mozilla::dom::Promise*) /dom/cookiestore/CookieStoreNotificationWatcherWrapper.cpp:132:21
        #3 0x7f025a47992f in operator() /dom/cookiestore/CookieStore.cpp:525:37
        #4 0x7f025a47992f in mozilla::detail::RunnableFunction<mozilla::dom::CookieStore::Delete(mozilla::dom::CookieStoreDeleteOptions const&, mozilla::ErrorResult&)::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:548:5
        #5 0x7f0253c20806 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1149:16
        #6 0x7f0253c2b1b8 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #7 0x7f025d7a2619 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /dom/workers/WorkerPrivate.cpp:3601:7
        #8 0x7f025d76cffb in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /dom/workers/RuntimeService.cpp:2154:42
        #9 0x7f0253c20806 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1149:16
        #10 0x7f0253c2b1b8 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #11 0x7f02551d26f1 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:299:20
        #12 0x7f02550b6d54 in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #13 0x7f02550b6d54 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #14 0x7f02550b6d54 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #15 0x7f0253c1937c in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:366:10
        #16 0x7f0274beb5fb in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:191:3
        #17 0x648969fee2f8 in asan_thread_start(void*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:239:28
        #18 0x7f0275291a93 in start_thread nptl/pthread_create.c:447:8
        #19 0x7f027531ec3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /xpcom/base/nsISupportsImpl.cpp:48:10 in IsCurrentThread
    Thread T21 created by T0 (Isolated Servic) here:
        #0 0x648969fd7d01 in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:250:3
        #1 0x7f0274bdbfb8 in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:429:10
        #2 0x7f0274bca12e in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:496:10
        #3 0x7f0253c1bee9 in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:615:20
        #4 0x7f025d7d3793 in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /dom/workers/WorkerThread.cpp:109:7
        #5 0x7f025d745507 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /dom/workers/RuntimeService.cpp:1332:37
        #6 0x7f025d743c7a in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /dom/workers/RuntimeService.cpp:1215:19
        #7 0x7f025d79b084 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, mozilla::dom::RequestCredentials, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>, std::function<void (bool)>&&, std::function<void ()>&&) /dom/workers/WorkerPrivate.cpp:2828:24
        #8 0x7f025d7e6350 in mozilla::dom::RemoteWorkerChild::ExecWorkerOnMainThread(mozilla::dom::RemoteWorkerData&&) /dom/workers/remoteworkers/RemoteWorkerChild.cpp:390:41
        #9 0x7f025d8178e7 in operator() /dom/workers/remoteworkers/RemoteWorkerChild.cpp:219:29
        #10 0x7f025d8178e7 in mozilla::detail::RunnableFunction<mozilla::dom::RemoteWorkerChild::ExecWorker(mozilla::dom::RemoteWorkerData const&)::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:548:5
        #11 0x7f0253bf8c6a in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:618:16
        #12 0x7f0253be4f1e in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:945:26
        #13 0x7f0253be2738 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:768:15
        #14 0x7f0253be2d56 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:554:36
        #15 0x7f0253bfff41 in operator() /xpcom/threads/TaskController.cpp:268:37
        #16 0x7f0253bfff41 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
        #17 0x7f0253c2045f in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1155:16
        #18 0x7f0253c2b1b8 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #19 0x7f02551d108e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #20 0x7f02550b6d54 in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #21 0x7f02550b6d54 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #22 0x7f02550b6d54 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #23 0x7f025e137b09 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #24 0x7f025e2d80ca in nsAppShell::Run() /widget/gtk/nsAppShell.cpp:469:33
        #25 0x7f025ff789dd in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:651:20
        #26 0x7f02550b6d54 in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #27 0x7f02550b6d54 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #28 0x7f02550b6d54 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #29 0x7f025ff76e8c in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:586:34
        #30 0x64896a031779 in main /browser/app/nsBrowserApp.cpp:397:22
        #31 0x7f027521f1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #32 0x7f027521f28a in __libc_start_main csu/../csu/libc-start.c:360:3
        #33 0x648969f595d8 in _start (/home/jkratzer/builds/m-c-20241030093012-fuzzing-asan-opt/firefox+0xd55d8) (BuildId: c31ea8134d878182118c90245d41ea32744ac7cd)
    
    ==72809==ABORTING
Attached file Testcase

Verified bug as reproducible on mozilla-central 20241030214633-55a693c2543b.
The bug appears to have been introduced in the following build range:

Start: b98486f0aad5d732a1733ceffad17b1dc5abc552 (20240916114729)
End: 7dba2056b41df6d25944dded2ef59b143aad3bd5 (20240916132925)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=b98486f0aad5d732a1733ceffad17b1dc5abc552&tochange=7dba2056b41df6d25944dded2ef59b143aad3bd5

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Severity: -- → S3
Priority: -- → P3

https://searchfox.org/mozilla-central/source/dom/cookiestore/CookieStoreNotificationWatcherWrapper.cpp#90
Sounds like ResolvePromiseWhenNotified at the end creates ThreadSafeWorkerRef, but for some reason, threads are different: https://searchfox.org/mozilla-central/source/dom/workers/WorkerPrivate.cpp#6169

Component: DOM: Service Workers → DOM: Core & HTML
Regressed by: 1918643

Set release status flags based on info from the regressing bug 1918643

:baku, since you are the author of the regressor, bug 1918643, could you take a look?

For more information, please visit BugBot documentation.

Flags: needinfo?(amarchesini)

(searchfox using moz.build data says CookieStore.cpp and friends are in Core :: Networking: Cookies)

Severity: S3 → --
Component: DOM: Core & HTML → Networking: Cookies
Priority: P3 → --

It's worth noting that the test case looks like:

(async () => {
  for (let i = 0; i < 18; i++) {
    queueMicrotask(async function() {
      await timeout(registration.unregister())
      await timeout(cookieStore.delete(
        "𖱋𐇽I㣀🙅n𯗻٫\r𫦍\uDC1D⁡𝅧杣-󠈁𡺼-󠛫𛖨/=🮤𝘆٠\b𝅱ꛕ\f"))
    })
  }
})()

The call to unregister will likely terminate the worker so the attempt to create the StrongWorkerRef may have failed. Normally we want to check for the StrongWorkerRef being null: https://searchfox.org/mozilla-central/rev/783f3fca1dda58353f7d3075744dd48b66e00e5e/dom/cookiestore/CookieStoreNotificationWatcherWrapper.cpp#128-130

RefPtr<StrongWorkerRef> strongWorkerRef = StrongWorkerRef::Create(
    workerPrivate, "CookieStoreNotificationWatcher::PromiseResolver",
    [resolver = RefPtr(resolver)]() { resolver->Run(); });
Flags: needinfo?(amarchesini)
Assignee: nobody → amarchesini
Status: NEW → ASSIGNED
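To make the failure mode concrete, here is an added stand-alone model of the race the testcase triggers and of the null check the comment above asks for. This is example code written for this page, not Gecko code: WorkerPrivate, StrongWorkerRef, Promise, Watcher and the single-threaded event queue are simplified stand-ins, the signature of ResolvePromiseWhenNotified differs from the real one, and rejecting the promise when the ref cannot be created is an assumed handling strategy (the page does not show what the landed fix does on that path). What it models is the ordering in the testcase: cookieStore.delete() queues a runnable on the worker, registration.unregister() lands before it runs, so StrongWorkerRef::Create returns null and an unchecked caller reads through that null pointer, which is the ASan SEGV near the zero page above.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Simplified worker lifecycle: once Unregister() runs, the worker is no
// longer Running and must not hand out new strong refs.
enum class WorkerStatus { Running, Canceling };

struct WorkerPrivate {
  WorkerStatus mStatus = WorkerStatus::Running;
  std::vector<std::function<void()>> mEventQueue;  // runnables for the worker thread

  void Dispatch(std::function<void()> aRunnable) {
    mEventQueue.push_back(std::move(aRunnable));
  }
  void Unregister() { mStatus = WorkerStatus::Canceling; }
  void DrainEvents() {  // runs queued runnables in dispatch order
    for (auto& runnable : mEventQueue) runnable();
    mEventQueue.clear();
  }
};

struct Promise {
  enum class State { Pending, Resolved, Rejected };
  State mState = State::Pending;
  std::string mReason;
  void MaybeResolve() { mState = State::Resolved; }
  void MaybeReject(std::string aReason) {
    mState = State::Rejected;
    mReason = std::move(aReason);
  }
};

// Stand-in for StrongWorkerRef (not the Gecko class). Assumption modelled
// here, matching the diagnosis in the bug: Create() returns nullptr when the
// worker is already shutting down, so every caller has to handle null.
struct StrongWorkerRef {
  WorkerPrivate* mWorker;
  std::function<void()> mShutdownCallback;

  static std::unique_ptr<StrongWorkerRef> Create(WorkerPrivate* aWorker,
                                                 const char* /*aName*/,
                                                 std::function<void()> aCb) {
    if (!aWorker || aWorker->mStatus != WorkerStatus::Running) {
      return nullptr;
    }
    return std::unique_ptr<StrongWorkerRef>(
        new StrongWorkerRef{aWorker, std::move(aCb)});
  }
};

struct Watcher {
  std::unique_ptr<StrongWorkerRef> mRef;
  Promise* mPromise;
};

// Hardened shape of ResolvePromiseWhenNotified: the ref is checked before
// use. The unchecked version reads members through the null pointer, which
// is the SEGV at address 0x10 in the ASan report. Returns true when a watcher
// was registered, false when the worker is already going away.
bool ResolvePromiseWhenNotified(WorkerPrivate& aWorker, Promise& aPromise,
                                std::vector<Watcher>& aWatchers) {
  std::unique_ptr<StrongWorkerRef> ref = StrongWorkerRef::Create(
      &aWorker, "CookieStoreNotificationWatcher::PromiseResolver",
      [&aPromise]() { aPromise.MaybeReject("worker shutting down"); });
  if (!ref) {
    // Assumed handling: reject rather than leave the promise hanging.
    aPromise.MaybeReject("worker already shutting down");
    return false;
  }
  aWatchers.push_back(Watcher{std::move(ref), &aPromise});
  return true;
}

// Simulated cookie-change notification: resolve every registered watcher.
void NotifyCookieChange(std::vector<Watcher>& aWatchers) {
  for (auto& watcher : aWatchers) watcher.mPromise->MaybeResolve();
  aWatchers.clear();
}

// Ordering from the fuzz testcase: delete() queues a runnable on the worker,
// unregister() lands first, then the runnable runs on a Canceling worker.
Promise::State SimulateUnregisterRace() {
  WorkerPrivate worker;
  Promise promise;
  std::vector<Watcher> watchers;
  worker.Dispatch([&]() { ResolvePromiseWhenNotified(worker, promise, watchers); });
  worker.Unregister();
  worker.DrainEvents();
  return promise.mState;
}

// Same flow without the unregister: the watcher is registered and the
// promise resolves once the notification arrives.
Promise::State SimulateNormalDelete() {
  WorkerPrivate worker;
  Promise promise;
  std::vector<Watcher> watchers;
  worker.Dispatch([&]() { ResolvePromiseWhenNotified(worker, promise, watchers); });
  worker.DrainEvents();
  NotifyCookieChange(watchers);
  return promise.mState;
}
```

The point a reviewer would check in the real code is the same as in the model: any value returned by StrongWorkerRef::Create on a worker thread can be null whenever worker shutdown can race the runnable, so the null check has to come before the first member access, and the promise needs a defined outcome on that path.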
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4fe53726ec87 CookieStore must check if the worker is already shutting down, r=asuth
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → 134 Branch

Verified bug as fixed on rev mozilla-central 20241102092659-bd3648a27f03.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
