Testcase found while fuzzing mozilla-central rev fc74eb2c7b84 (built with --enable-debug).

Assertion failure: inputStream, at /builds/worker/checkouts/gecko/dom/file/ipc/IPCBlobUtils.cpp:57

    #0 0x7fb618dd04b2 in mozilla::dom::IPCBlobUtils::Deserialize(mozilla::dom::IPCBlob const&) /builds/worker/checkouts/gecko/dom/file/ipc/IPCBlobUtils.cpp:57:3
    #1 0x7fb619c20cfc in void mozilla::dom::ipc::UnpackClonedMessageData<(mozilla::dom::ipc::MemoryFlavorEnum)2, (mozilla::dom::ipc::ActorFlavorEnum)0>(mozilla::dom::ipc::MemoryTraits<(mozilla::dom::ipc::MemoryFlavorEnum)2>::ClonedMessageType&, mozilla::dom::ipc::StructuredCloneData&) /builds/worker/checkouts/gecko/dom/ipc/StructuredCloneData.cpp:290:35
    #2 0x7fb61b42f7fe in mozilla::ipc::IPDLParamTraits<mozilla::dom::SessionHistoryInfo>::Read(IPC::Message const*, PickleIterator*, mozilla::ipc::IProtocol*, mozilla::dom::SessionHistoryInfo*) /builds/worker/checkouts/gecko/docshell/shistory/SessionHistoryEntry.cpp:1509:28
    #3 0x7fb61b42fd0b in mozilla::ipc::IPDLParamTraits<mozilla::dom::LoadingSessionHistoryInfo>::Read(IPC::Message const*, PickleIterator*, mozilla::ipc::IProtocol*, mozilla::dom::LoadingSessionHistoryInfo*) /builds/worker/checkouts/gecko/docshell/shistory/SessionHistoryEntry.cpp:1530:8
    #4 0x7fb61636af3e in mozilla::ipc::IPDLParamTraits<mozilla::Maybe<mozilla::dom::LoadingSessionHistoryInfo> >::Read(IPC::Message const*, PickleIterator*, mozilla::ipc::IProtocol*, mozilla::Maybe<mozilla::dom::LoadingSessionHistoryInfo>*) /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/IPDLParamTraits.h:278:12
    #5 0x7fb61633a6d6 in mozilla::ipc::IPDLParamTraits<mozilla::dom::DocShellLoadStateInit>::Read(IPC::Message const*, PickleIterator*, mozilla::ipc::IProtocol*, mozilla::dom::DocShellLoadStateInit*) /builds/worker/workspace/obj-build/ipc/ipdl/DOMTypes.cpp:2551:12
    #6 0x7fb6163c947f in mozilla::ipc::IPDLParamTraits<mozilla::net::DocumentChannelCreationArgs>::Read(IPC::Message const*, PickleIterator*, mozilla::ipc::IProtocol*, mozilla::net::DocumentChannelCreationArgs*) /builds/worker/workspace/obj-build/ipc/ipdl/NeckoChannelParams.cpp:3862:12
    #7 0x7fb6166b942d in mozilla::net::PNeckoParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PNeckoParent.cpp:2275:20
    #8 0x7fb6164b7b9c in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:6709:32
    #9 0x7fb6162f365e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2153:25
    #10 0x7fb6162efbdd in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2077:9
    #11 0x7fb6162f1086 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1925:3
    #12 0x7fb6162f1dcb in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1956:13
    #13 0x7fb6159c730f in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:472:16
    #14 0x7fb6159c5886 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:753:26
    #15 0x7fb6159c46e4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:611:15
    #16 0x7fb6159c4897 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:395:36
    #17 0x7fb6159cb126 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:133:37
    #18 0x7fb6159cb126 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #19 0x7fb6159dc617 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1158:16
    #20 0x7fb6159e2a6a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #21 0x7fb6162f8f46 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #22 0x7fb616264563 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #23 0x7fb61626447d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #24 0x7fb61626447d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #25 0x7fb61a0c3858 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #26 0x7fb61b7f0cb6 in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:271:30
    #27 0x7fb61b8ffe6d in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5246:22
    #28 0x7fb61b90158a in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5438:8
    #29 0x7fb61b901ed0 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5501:21
    #30 0x55c674730eb0 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:220:22
    #31 0x55c674730eb0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:344:16
    #32 0x7fb62b8840b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210217094559-3d42785f84cb.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 28cf163158a673037d20ccc1aa7b825e406e927b (20200219043403)
End: 00b18dc4bfac9e9d226627f9ccbf2a2f4e3e6a9d (20210216031051)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Could we have the new stack trace or even better a pernosco session here? Thanks!

A pernosco session for this bug can be found at:
https://pernos.co/debug/drhFpX6YAS9aE0vDDtPI4Q/index.html

I put some notes, it seems we end up trying to deserialize a non existing blob, but I am not really able to make sense of what I see in that code in terms of the root cause other than it seems that we ignore possible error conditions here and there. Simon, do you want to take a look?

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211119093910-a7391d47652c.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 5b8265dc60c869d1196c475ade06e254d53ce7f4 (20201120094511)
End: fc74eb2c7b844552ae57a81dc635f413767deeb8 (20210216094005)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Hi Jens, is there anyone available to have a look at this issue? It is the issue most frequently hit by the DOM fuzzers.

Would an updated Pernosco session be helpful?

(In reply to Tyson Smith [:tsmith] from comment #14)

Hi Jens, is there anyone available to have a look at this issue? It is the issue most frequently hit by the DOM fuzzers.

Would an updated Pernosco session be helpful?

Hi Tyson, I think so, the other one is pretty old (not that Blob code changed much, but still).

A Pernosco session is available here: https://pernos.co/debug/NwBMSwQ8g7PAspmNsoKZ0g/index.html

Collected with m-c 20220429-a3002a9b4204.

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210516091748-3210b5354d3e) but not with tip (mozilla-central 20220514040948-28b2e8958185.)
The bug appears to have been fixed in the following build range:

Start: 69fb0f363c1889e054c8aac505a63875e6ce3099 (20220513143920)
End: 3f4ebef6a4b1b4fb858d9d8eba17a4ccae268d1a (20220513150208)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=69fb0f363c1889e054c8aac505a63875e6ce3099&tochange=3f4ebef6a4b1b4fb858d9d8eba17a4ccae268d1a
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

It looks as if the changes from bug 1754004 fixed this.