Open Bug 2007557 Opened 15 days ago Updated 11 days ago

Assertion failure: isSome(), at /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:1011

Categories

(Core :: DOM: Service Workers, defect)

Product:
Core
Component:
DOM: Service Workers
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox-esr140 --- unaffected
firefox146 --- wontfix
firefox147 --- wontfix
firefox148 --- affected

People

(Reporter: jkratzer, Unassigned, NeedInfo)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: bugmon, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Testcase
4.64 KB, application/zip
Details

Testcase found while fuzzing mozilla-central rev ebcaeb01dd74 (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework pipx --upgrade
$ python -m pipx ensurepath
$ fuzzfetch --build ebcaeb01dd74 --asan --fuzzing  -n firefox
$ grizzly-replay-bugzilla ./firefox/firefox <bugid>

Assertion failure: isSome(), at /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:1011

    =================================================================
    ==480296==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x6e99d94c96c5 bp 0x7fff18df1090 sp 0x7fff18df1080 T0)
    ==480296==The signal is caused by a WRITE memory access.
    ==480296==Hint: address points to the zero page.
        #0 0x6e99d94c96c5 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:237:3
        #1 0x6e99d94c96c5 in mozilla::Maybe<mozilla::dom::ClientInfo>::ref() & /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:1011:3
        #2 0x6e99e2e8e93f in mozilla::dom::ServiceWorker::PostMessage(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Sequence<JSObject*> const&, mozilla::ErrorResult&) /dom/serviceworkers/ServiceWorker.cpp:255:39
        #3 0x6e99dd687185 in mozilla::dom::ServiceWorker_Binding::postMessage(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./ServiceWorkerBinding.cpp:315:32
        #4 0x6e99de409ad0 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3306:13
        #5 0x6e99e6ff6b8d in CallJSNative /js/src/vm/Interpreter.cpp:490:13
        #6 0x6e99e6ff6b8d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:586:12
        #7 0x6e99e7014be2 in InternalCall /js/src/vm/Interpreter.cpp:653:10
        #8 0x6e99e7014be2 in CallFromStack /js/src/vm/Interpreter.cpp:658:10
        #9 0x6e99e7014be2 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3272:16
        #10 0x6e99e6ff59d9 in MaybeEnterInterpreterTrampoline /js/src/vm/Interpreter.cpp:384:10
        #11 0x6e99e6ff59d9 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:460:13
        #12 0x6e99e6ff6d07 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:618:13
        #13 0x6e99e6ff8814 in InternalCall /js/src/vm/Interpreter.cpp:653:10
        #14 0x6e99e6ff8814 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:685:8
        #15 0x6e99e7346f08 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10
        #16 0x6e99de2cf955 in mozilla::dom::Function::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./FunctionBinding.cpp:50:8
        #17 0x6e99dc7b1a1d in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject>>(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObjectBase::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:71:12
        #18 0x6e99dc7b16fc in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /dom/base/TimeoutHandler.cpp:169:29
        #19 0x6e99dc1cfb14 in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*) /dom/base/nsGlobalWindowInner.cpp:6391:38
        #20 0x6e99dc7ac7b7 in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /dom/base/TimeoutManager.cpp:956:39
        #21 0x6e99dc7ab5a3 in mozilla::dom::TimeoutExecutor::MaybeExecute() /dom/base/TimeoutExecutor.cpp:179:11
        #22 0x6e99dc7ae6da in Notify /dom/base/TimeoutExecutor.cpp:246:5
        #23 0x6e99dc7ae6da in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) /dom/base/TimeoutExecutor.cpp:0:0
        #24 0x6e99d824419f in operator() /xpcom/threads/nsTimerImpl.cpp:746:44
        #25 0x6e99d824419f in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, std::function<void (nsITimer *)> > &, (lambda at /xpcom/threads/nsTimerImpl.cpp:746:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:747:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:750:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:751:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:305:16
        #26 0x6e99d824419f in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, std::function<void (nsITimer *)> > &, (lambda at /xpcom/threads/nsTimerImpl.cpp:745:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:746:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:747:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:750:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:751:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:314:14
        #27 0x6e99d824419f in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, std::function<void (nsITimer *)> > &, (lambda at /xpcom/threads/nsTimerImpl.cpp:745:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:746:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:747:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:750:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:751:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:905:12
        #28 0x6e99d824419f in match<(lambda at /xpcom/threads/nsTimerImpl.cpp:745:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:746:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:747:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:750:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:751:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:860:12
        #29 0x6e99d824419f in nsTimerImpl::Fire(unsigned long) /xpcom/threads/nsTimerImpl.cpp:744:22
        #30 0x6e99d8242f6d in nsTimerEvent::Run() /xpcom/threads/TimerThread.cpp:560:11
        #31 0x6e99d827aad4 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /xpcom/threads/ThrottledEventQueue.cpp:253:18
        #32 0x6e99d8273b7f in mozilla::ThrottledEventQueue::Inner::Executor::Run() /xpcom/threads/ThrottledEventQueue.cpp:80:15
        #33 0x6e99d822698a in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:705:16
        #34 0x6e99d821660b in mozilla::TaskController::RunTask(mozilla::Task*) /xpcom/threads/TaskController.cpp:196:19
        #35 0x6e99d821d90d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1325:20
        #36 0x6e99d821b3e8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1148:15
        #37 0x6e99d821ba06 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:641:36
        #38 0x6e99d8235af4 in operator() /xpcom/threads/TaskController.cpp:336:37
        #39 0x6e99d8235af4 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /xpcom/threads/nsThreadUtils.h:549:5
        #40 0x6e99d8256f9a in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1164:16
        #41 0x6e99d8261e68 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:461:10
        #42 0x6e99d9995f63 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #43 0x6e99d9876944 in RunInternal /ipc/chromium/src/base/message_loop.cc:368:10
        #44 0x6e99d9876944 in RunHandler /ipc/chromium/src/base/message_loop.cc:361:3
        #45 0x6e99d9876944 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:343:3
        #46 0x6e99e3210086 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:152:27
        #47 0x6e99e33fcecb in nsAppShell::Run() /widget/gtk/nsAppShell.cpp:555:33
        #48 0x6e99e54bf4cd in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:656:20
        #49 0x6e99d9876944 in RunInternal /ipc/chromium/src/base/message_loop.cc:368:10
        #50 0x6e99d9876944 in RunHandler /ipc/chromium/src/base/message_loop.cc:361:3
        #51 0x6e99d9876944 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:343:3
        #52 0x6e99e54be486 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:594:34
        #53 0x5caa8702639a in main /browser/app/nsBrowserApp.cpp:465:22
        #54 0x7299fd6251c9 in __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #55 0x7299fd62528a in __libc_start_main ./csu/../csu/libc-start.c:360:3
        #56 0x5caa86f404b8 in _start ??:0:0
    
    ==480296==Register values:
    rax = 0x0000000000000001  rbx = 0x00007fff18df13f0  rcx = 0x00000000000003f3  rdx = 0x0000000000000000
    rdi = 0x00005caa87163790  rsi = 0x00007fff18df1038  rbp = 0x00007fff18df1090  rsp = 0x00007fff18df1080
     r8 = 0x0000000000000000   r9 = 0xffffff0000000000  r10 = 0xefffffffffffffff  r11 = 0x4000000000000000
    r12 = 0x00007fff18df12d0  r13 = 0x00007fff18df1eb0  r14 = 0x0000000000000000  r15 = 0x00001000631b636a
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/home/jkratzer/builds/m-c-20251223085800-fuzzing-asan-opt/libxul.so+0x83076c5) (BuildId: bb49d147533b9bc2d45cd63910f81fb002464acb)
    ==480296==ABORTING
Attached file Testcase

Verified bug as reproducible on mozilla-central 20251223215030-33339852198f.
The bug appears to have been introduced in the following build range:

Start: 9f9ce883cf0b61e97a1feef5a1f430d94b5f7c3a (20250325234437)
End: b49721f16330eae75d15354026c33d78d5d1d4f4 (20250326022108)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=9f9ce883cf0b61e97a1feef5a1f430d94b5f7c3a&tochange=b49721f16330eae75d15354026c33d78d5d1d4f4

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

This bug has been marked as a regression. Setting status flag for Nightly to affected.

status-firefox148: --- → affected

Bug 1320796 looks like a possible regressor. Please correct if needed.

status-firefox146: --- → wontfix
status-firefox147: --- → wontfix
status-firefox-esr115: --- → unaffected
status-firefox-esr140: --- → unaffected
Flags: needinfo?(bugmail)
Regressed by: 1320796
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: