Closed Bug 1969341 Opened 3 months ago Closed 2 months ago

Assertion failure: !mRequest, at /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1629

Categories

(Core :: DOM: Web Authentication, defect, P3)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
141 Branch
Tracking Status
firefox-esr128 --- unaffected
firefox139 --- wontfix
firefox140 --- wontfix
firefox141 --- verified

People

(Reporter: jkratzer, Assigned: jschanck)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev 5f5c3d10232a (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 5f5c3d10232a --debug --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: !mRequest, at /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1629

    ==1831060==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7028e4f5eaae bp 0x7ffe050e48f0 sp 0x7ffe050e48e0 T1831060)
    ==1831060==The signal is caused by a WRITE memory access.
    ==1831060==Hint: address points to the zero page.
        #0 0x7028e4f5eaae in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3
        #1 0x7028e4f5eaae in ~MozPromiseRequestHolder /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1629:32
        #2 0x7028e4f5eaae in ~WebAuthnTransaction /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WebAuthnHandler.h:55:7
        #3 0x7028e4f5eaae in mozilla::Maybe<mozilla::dom::WebAuthnTransaction>::reset() /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:810:19
        #4 0x7028e4f5d4aa in mozilla::dom::WebAuthnHandler::ResolveTransaction(RefPtr<mozilla::dom::PublicKeyCredential> const&) /dom/webauthn/WebAuthnHandler.cpp:963:16
        #5 0x7028e4f5cecf in mozilla::dom::WebAuthnHandler::FinishMakeCredential(mozilla::dom::WebAuthnMakeCredentialResult const&) /dom/webauthn/WebAuthnHandler.cpp:835:3
        #6 0x7028e4f741bd in operator() /dom/webauthn/WebAuthnHandler.cpp:421:21
        #7 0x7028e4f741bd in InvokeMethod<(lambda at /dom/webauthn/WebAuthnHandler.cpp:414:11), void ((lambda at /dom/webauthn/WebAuthnHandler.cpp:414:11)::*)(const mozilla::MozPromise<mozilla::dom::WebAuthnMakeCredentialResponse, mozilla::ipc::ResponseRejectReason, true>::ResolveOrRejectValue &) const, mozilla::MozPromise<mozilla::dom::WebAuthnMakeCredentialResponse, mozilla::ipc::ResponseRejectReason, true>::ResolveOrRejectValue> /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:652:14
        #8 0x7028e4f741bd in InvokeCallbackMethod<false, mozilla::MozPromise<mozilla::dom::WebAuthnMakeCredentialResponse, mozilla::ipc::ResponseRejectReason, true>, (lambda at /dom/webauthn/WebAuthnHandler.cpp:414:11), void ((lambda at /dom/webauthn/WebAuthnHandler.cpp:414:11)::*)(const mozilla::MozPromise<mozilla::dom::WebAuthnMakeCredentialResponse, mozilla::ipc::ResponseRejectReason, true>::ResolveOrRejectValue &) const, mozilla::MozPromise<mozilla::dom::WebAuthnMakeCredentialResponse, mozilla::ipc::ResponseRejectReason, true>::ResolveOrRejectValue> /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:666:7
        #9 0x7028e4f741bd in mozilla::MozPromise<mozilla::dom::WebAuthnMakeCredentialResponse, mozilla::ipc::ResponseRejectReason, true>::ThenValue<mozilla::dom::WebAuthnHandler::MakeCredential(mozilla::dom::PublicKeyCredentialCreationOptions const&, mozilla::dom::Optional<mozilla::OwningNonNull<mozilla::dom::AbortSignal>> const&, mozilla::ErrorResult&)::$_0>::DoResolveOrRejectInternal(mozilla::MozPromise<mozilla::dom::WebAuthnMakeCredentialResponse, mozilla::ipc::ResponseRejectReason, true>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:923:11
        #10 0x7028e3c8f7dd in mozilla::MozPromise<mozilla::dom::WebAuthnMakeCredentialResponse, mozilla::ipc::ResponseRejectReason, true>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:488:21
        #11 0x7028dfa6b0ab in mozilla::SimpleTaskQueue::DrainTasks() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:48:10
        #12 0x7028dfa889b7 in nsThread::DrainDirectTasks() /xpcom/threads/nsThread.cpp:1375:16
        #13 0x7028dfa87a2d in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1182:3
        #14 0x7028dfa8deaf in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #15 0x7028e063c853 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #16 0x7028e0595901 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #17 0x7028e0595901 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #18 0x7028e537f128 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #19 0x7028e5440cf4 in nsAppShell::Run() /widget/gtk/nsAppShell.cpp:471:33
        #20 0x7028e638026b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:652:20
        #21 0x7028e063d744 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #22 0x7028e0595901 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #23 0x7028e0595901 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #24 0x7028e637f6a9 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:590:34
        #25 0x6208ce0e175e in main /browser/app/nsBrowserApp.cpp:397:22
        #26 0x7028f03ef1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #27 0x7028f03ef28a in __libc_start_main csu/../csu/libc-start.c:360:3
        #28 0x6208ce0b4fc8 in _start (/home/jkratzer/builds/m-c-20250529033404-fuzzing-debug/firefox-bin+0x56fc8) (BuildId: 7794f7a961947f05c8d97792967bce27cf614bc8)
    
    ==1831060==Register values:
    rax = 0x0000000000000000  rbx = 0x00006208f4e54ba0  rcx = 0x000000000000065d  rdx = 0x00007028f05c9563  
    rdi = 0x00007028f05ca700  rsi = 0x0000000000000000  rbp = 0x00007ffe050e48f0  rsp = 0x00007ffe050e48e0  
     r8 = 0x0000000000000000   r9 = 0x0000000000000003  r10 = 0x0000000000000000  r11 = 0x0000000000000293  
    r12 = 0x00006208f4debe20  r13 = 0x0000000000000020  r14 = 0x00006208f4e54ba0  r15 = 0x00006208f4e00588  
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3 in MOZ_CrashSequence
    ==1831060==ABORTING
Attached file Testcase
Attachment #9491584 - Attachment filename: testcase.html.undefined → testcase.html
Attachment #9491584 - Attachment mime type: text/plain → text/html
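What the assertion in frames #1 to #4 of the trace means, shown with a constructed C++ model added here (it is not Mozilla's code and not the patch that landed): `RequestHolder` mirrors the Track/Complete/Disconnect shape of `MozPromiseRequestHolder`, and `Handler` tears a transaction down in two orders. The unsafe order, following the trace, resets the transaction (and so destroys the holder) while the promise request is still tracked; the safe order completes the tracked request and moves the transaction out of the handler before resolving. The real holder crashes on the violated invariant; the model counts it so both paths can run. `Handler`, `Transaction`, `RunScenario` and the counter are assumptions of this example.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <optional>
#include <utility>

// Constructed model, not Mozilla's code. The real MozPromiseRequestHolder
// asserts `!mRequest` in its destructor; here a counter records the same
// violation so the unsafe path can run to completion.
int gHolderViolations = 0;

struct Request {
  bool disconnected = false;
};

class RequestHolder {
 public:
  RequestHolder() = default;
  RequestHolder(RequestHolder&&) = default;
  RequestHolder& operator=(RequestHolder&&) = default;
  ~RequestHolder() {
    // Invariant: the owner must Complete() or Disconnect() before teardown.
    if (mRequest) {
      ++gHolderViolations;
    }
  }
  void Track(std::shared_ptr<Request> r) { mRequest = std::move(r); }
  void Complete() { mRequest.reset(); }
  void Disconnect() {
    if (mRequest) {
      mRequest->disconnected = true;
      mRequest.reset();
    }
  }
  bool Exists() const { return mRequest != nullptr; }

 private:
  std::shared_ptr<Request> mRequest;
};

// Stand-in for the transaction object: the tracked request plus the
// callback that resolves the caller's promise.
struct Transaction {
  RequestHolder request;
  std::function<void(int)> resolve;
};

class Handler {
 public:
  void Start(std::function<void(int)> resolve) {
    mTransaction.emplace();
    mTransaction->resolve = std::move(resolve);
    mTransaction->request.Track(std::make_shared<Request>());
  }

  // Order matching frames #2-#4 of the trace: reset() destroys the
  // transaction, and with it the holder, while the request is still tracked.
  void FinishUnsafe(int result) {
    std::function<void(int)> cb = mTransaction->resolve;
    mTransaction.reset();  // ~Transaction -> ~RequestHolder with mRequest set
    cb(result);
  }

  // Safe order: complete the tracked request, move the transaction out of
  // the handler so any re-entrant call sees clean state, then resolve.
  void FinishSafe(int result) {
    mTransaction->request.Complete();
    Transaction done = std::move(*mTransaction);
    mTransaction.reset();
    done.resolve(result);
  }

  bool HasTransaction() const { return mTransaction.has_value(); }

 private:
  std::optional<Transaction> mTransaction;
};

// Runs one transaction through either finish path and returns
// {holder violations observed, value delivered to the resolver}.
std::pair<int, int> RunScenario(bool safe) {
  gHolderViolations = 0;
  int delivered = -1;
  Handler handler;
  handler.Start([&delivered](int v) { delivered = v; });
  if (safe) {
    handler.FinishSafe(42);
  } else {
    handler.FinishUnsafe(42);
  }
  return {gHolderViolations, delivered};
}

int main() {
  std::pair<int, int> unsafe = RunScenario(false);
  std::pair<int, int> safe = RunScenario(true);
  std::printf("unsafe order: %d holder violation(s), result %d\n", unsafe.first, unsafe.second);
  std::printf("safe order:   %d holder violation(s), result %d\n", safe.first, safe.second);
  return 0;
}
```

Both orders deliver the result; only the unsafe one destroys a holder that still owns a request, which is the condition the debug build turns into the `!mRequest` crash above.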

I also got a crash from the testcase: https://crash-stats.mozilla.org/report/index/aadc832f-fb7c-4e8c-8222-551a50250530
I think I used Windows auth 2 times and then I declined to use any auth. Then the testcase crashed.

Crash Signature: [@ mozilla::Maybe<T>::ref | mozilla::dom::WebAuthnHandler::GetAssertion::<T>::operator() ]

Verified bug as reproducible on mozilla-central 20250529210702-57ec49c7bcac.
The bug appears to have been introduced in the following build range:

Start: 18cfcd8171505cb373b68923efae27e4577ea45a (20250211234945)
End: 6552eb82bbf4c72c9dbfa333a0f062c3b6c3d9f8 (20250212025601)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=18cfcd8171505cb373b68923efae27e4577ea45a&tochange=6552eb82bbf4c72c9dbfa333a0f062c3b6c3d9f8

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Regressed by: 1945969

Set release status flags based on info from the regressing bug 1945969

:jschanck, since you are the author of the regressor, bug 1945969, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Assignee: nobody → jschanck
Status: NEW → ASSIGNED
Severity: -- → S3
Flags: needinfo?(jschanck)
Priority: -- → P3
Attachment #9491863 - Attachment description: Bug 1969341 - clean up WebAuthn transaction state before resolving promises. r=djackson → Bug 1969341 - clean up WebAuthn transaction state before resolving promises. r?djackson,nkulatova
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 141 Branch

The patch landed in nightly and beta is affected.
:jschanck, is this bug important enough to require an uplift?

For more information, please visit BugBot documentation.

Flags: needinfo?(jschanck)

Verified bug as fixed on rev mozilla-central 20250606085416-a1119874c162.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
