Open Bug 1822154 Opened 2 years ago Updated 2 years ago

Occasional crash when testing WebTransport DOM with xpcshell tests

Categories

(Core :: DOM: Networking, defect, P2)

Product:
Core
Component:
DOM: Networking
Type:
defect

Tracking

()

People

(Reporter: edgul, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [necko-triaged])

While developing solution for Bug 1818828, I came across this crash a few times.

As the tests are it only occurs occasionally/rarely when running verify tests. However, I am able to reliably elicit a similar crash with a call to the following test with .only() and --verify on debug (and IIRC release) builds on linux locally. The cancel() seems particularly problematic.

add_task(async function test_wt_incoming_unidi_stream() {
  let wt = new WebTransport(
    "https://" + host + "/create_unidi_stream_and_hello"
  );
  registerCleanupFunction(async () => {
    wt.close();
  });
  await wt.ready;

  const streams = await wt.incomingUnidirectionalStreams;
  const stream_reader = streams.getReader();
  const { value: recv_stream } = await stream_reader.read();
  let str = await read_stream_as_string(recv_stream);
  await stream_reader.cancel(); // after adding this
  await stream_reader.closed;
  stream_reader.releaseLock();
  Assert.equal(str, "qwerty");

  wt.close();
  await wt.closed;
});

A local ./mach xpcshell-test <test> --verify reveals:

0:03.13 PASS test_wt_incoming_unidi_stream - [test_wt_incoming_unidi_stream : 200] "qwerty" == "qwerty"
0:03.13 pid:524989 ExceptionHandler::GenerateDump cloned child 525022
0:03.13 pid:524989 ExceptionHandler::SendContinueSignalToChild sent continue signal to child
0:03.13 pid:524989 ExceptionHandler::WaitForContinueSignal waiting for continue signal...
<...>
Operating system: Linux
                  6.0.12-76060006-generic #202212290932~1674139725~22.04~ca93ccf SMP PREEMPT_DYNAMIC Thu J
CPU: amd64
     family 6 model 141 stepping 1
     1 CPU
Linux Pop 22.04 - jammy (Pop!_OS 22.04 LTS)

Crash reason:  SIGSEGV / SEGV_MAPERR
Crash address: 0x10
Crashing instruction: `mov rax, qword [rax]`
Memory accessed by instruction:
  0. Address: 0x0000000000000010
     Size: 8
Process uptime: not available

Thread 3 Socket Thread (crashed)
 0  libxul.so + 0xd6fca5c
     rax = 0x0000000000000010    rdx = 0x0000000000000098
     rcx = 0x00007f3a315fc278    rbx = 0x00007f3a315fe640
     rsi = 0x00000000000000aa    rdi = 0x0000000000000010
     rbp = 0x00007f3a315fc1a0    rsp = 0x00007f3a315fc1a0
      r8 = 0x00007f3a339784c0     r9 = 0x0000000000000000
     r10 = 0x0000000000000000    r11 = 0x0000000000000000
     r12 = 0x00007f3a315fe640    r13 = 0x0000000000000002
     r14 = 0x00007f3a34e94850    r15 = 0x00007ffebc173b70
     rip = 0x00007f3a43afca5c
    Found by: given as instruction pointer in context
 1  libxul.so + 0xd702424
     rbp = 0x00007f3a315fc1c0    rsp = 0x00007f3a315fc1b0
     rip = 0x00007f3a43b02425
    Found by: previous frame's frame pointer
 2  libxul.so + 0xd6f1114
<...>
FAIL dom/webtransport/test/xpcshell/test_simple.js - xpcshell return code: -11

A debug stack of the failure:

Thread 1 "xpcshell" received signal SIGSEGV, Segmentation fault.
0x00007fffec8ff6b1 in mozilla::dom::ReadableStream::CloseNative (this=0x7fffd246dbe0, aCx=0x7fffd5633f00, aRv=...) at /home/ed/mozilla/central/dom/st
reams/ReadableStream.cpp:1098
1098     MOZ_ASSERT(mController->GetAlgorithms()->IsNative());
(gdb) bt
#0  0x00007fffec8ff6b1 in mozilla::dom::ReadableStream::CloseNative(JSContext*, mozilla::ErrorResult&)
    (this=0x7fffd246dbe0, aCx=0x7fffd5633f00, aRv=...) at /home/ed/mozilla/central/dom/streams/ReadableStream.cpp:1098
#1  0x00007fffec9c1504 in mozilla::dom::WebTransport::Cleanup(mozilla::dom::WebTransportError*, mozilla::dom::WebTransportCloseInfo const*, mozilla::
ErrorResult&) (this=0x7fffd24803a0, aError=0x7fffced37600, aCloseInfo=0x7fffffff0828, aRv=...)
    at /home/ed/mozilla/central/dom/webtransport/api/WebTransport.cpp:734
#2  0x00007fffec9c1fb9 in mozilla::dom::WebTransport::Close(mozilla::dom::WebTransportCloseInfo const&, mozilla::ErrorResult&)
    (this=0x7fffd24803a0, aOptions=..., aRv=...) at /home/ed/mozilla/central/dom/webtransport/api/WebTransport.cpp:518
#3  0x00007fffe98a1f63 in mozilla::dom::WebTransport_Binding::close(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&)
    (cx_=0x7fffd5633f00, obj=..., void_self=0x7fffd24803a0, args=...) at WebTransportBinding.cpp:1276
#4  0x00007fffea066671 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::T
hrowExceptions>(JSContext*, unsigned int, JS::Value*) (cx=0x7fffd5633f00, argc=0, vp=0x7fffd29fb378)
    at /home/ed/mozilla/central/dom/bindings/BindingUtils.cpp:3318
#5  0x00007ffff18c166c in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)
    (cx=0x7fffd5633f00, native=0x7fffea0662f0 <mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::d
om::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)>, reason=js::CallReason::Call, args=...)
    at /home/ed/mozilla/central/js/src/vm/Interpreter.cpp:459
#6  0x00007ffff18afd73 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)
    (cx=0x7fffd5633f00, args=..., construct=js::NO_CONSTRUCT, reason=js::CallReason::Call) at /home/ed/mozilla/central/js/src/vm/Interpreter.cpp:547
#7  0x00007ffff18b04f9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason)
    (cx=0x7fffd5633f00, args=..., reason=js::CallReason::Call) at /home/ed/mozilla/central/js/src/vm/Interpreter.cpp:614
#8  0x00007ffff18b0333 in js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason)
    (cx=0x7fffd5633f00, args=..., reason=js::CallReason::Call) at /home/ed/mozilla/central/js/src/vm/Interpreter.cpp:619
#9  0x00007ffff18a41e8 in Interpret(JSContext*, js::RunState&) (cx=0x7fffd5633f00, state=...)
    at /home/ed/mozilla/central/js/src/vm/Interpreter.cpp:3362
#10 0x00007ffff1898a61 in js::RunScript(JSContext*, js::RunState&) (cx=0x7fffd5633f00, state=...)
    at /home/ed/mozilla/central/js/src/vm/Interpreter.cpp:431
#11 0x00007ffff18aff83 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)
    (cx=0x7fffd5633f00, args=..., construct=js::NO_CONSTRUCT, reason=js::CallReason::Call) at /home/ed/mozilla/central/js/src/vm/Interpreter.cpp:579
#12 0x00007ffff18b04f9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason)
    (cx=0x7fffd5633f00, args=..., reason=js::CallReason::Call) at /home/ed/mozilla/central/js/src/vm/Interpreter.cpp:614
#13 0x00007ffff18b06a9 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>,
js::CallReason) (cx=0x7fffd5633f00, fval=..., thisv=..., args=..., rval=..., reason=js::CallReason::Call)
    at /home/ed/mozilla/central/js/src/vm/Interpreter.cpp:646
#14 0x00007ffff1ced78a in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::
MutableHandle<JS::Value>) (cx=0x7fffd5633f00, name=..., thisv=..., args=..., rval=...) at /home/ed/mozilla/central/js/src/vm/SelfHosting.cpp:1488
#15 0x00007ffff2756403 in js::jit::InterpretResume(JSContext*, JS::Handle<JSObject*>, JS::Value*, JS::MutableHandle<JS::Value>)
    (cx=0x7fffd5633f00, obj=..., stackValues=0x7fffffff3d88, rval=...) at /home/ed/mozilla/central/js/src/jit/VMFunctions.cpp:1086

And a debug stack of where we call ClearAlgorithms, which nulls the mAlgorithms ptr:

Thread 1 "xpcshell" hit Breakpoint 5, mozilla::dom::ReadableStreamController::ClearAlgorithms (this=0x7fffd2bd8ca0) at /home/ed/mozilla/central/obj-d
ebug/dist/include/mozilla/dom/ReadableStreamController.h:54
54         mAlgorithms = nullptr;
(gdb) bt
#0  mozilla::dom::ReadableStreamController::ClearAlgorithms() (this=0x7fffd2bd8ca0)
    at /home/ed/mozilla/central/obj-debug/dist/include/mozilla/dom/ReadableStreamController.h:54
#1  0x00007fffec904795 in mozilla::dom::streams_abstract::ReadableStreamDefaultControllerClearAlgorithms(mozilla::dom::ReadableStreamDefaultControlle
r*) (aController=0x7fffd2bd8ca0) at /home/ed/mozilla/central/dom/streams/ReadableStreamDefaultController.cpp:202
#2  0x00007fffec904ed1 in mozilla::dom::ReadableStreamDefaultController::CancelSteps(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&)
    (this=0x7fffd2bd8ca0, aCx=0x7fffd5633f00, aReason=..., aRv=...) at /home/ed/mozilla/central/dom/streams/ReadableStreamDefaultController.cpp:596
#3  0x00007fffec8fc1c2 in mozilla::dom::streams_abstract::ReadableStreamCancel(JSContext*, mozilla::dom::ReadableStream*, JS::Handle<JS::Value>, mozi
lla::ErrorResult&) (aCx=0x7fffd5633f00, aStream=0x7fffd246dbe0, aError=..., aRv=...) at /home/ed/mozilla/central/dom/streams/ReadableStream.cpp:389
#4  0x00007fffec8fec88 in mozilla::dom::ReadableStream::IteratorReturn(JSContext*, mozilla::dom::AsyncIterableIterator<mozilla::dom::ReadableStream>*
, JS::Handle<JS::Value>, mozilla::ErrorResult&) (this=0x7fffd246dbe0, aCx=0x7fffd5633f00, aIterator=0x7fffced3a2e0, aValue=..., aRv=...)
    at /home/ed/mozilla/central/dom/streams/ReadableStream.cpp:950
#5  0x00007fffe91b9218 in mozilla::dom::binding_detail::AsyncIterableIteratorWithReturn<mozilla::dom::ReadableStream>::GetReturnPromise(JSContext*, J
S::Handle<JS::Value>, mozilla::ErrorResult&) (this=0x7fffced3a2e0, aCx=0x7fffd5633f00, aValue=..., aRv=...)
    at /home/ed/mozilla/central/obj-debug/dist/include/mozilla/dom/IterableIterator.h:402
#6  0x00007fffe91b92cc in non-virtual thunk to mozilla::dom::binding_detail::AsyncIterableIteratorWithReturn<mozilla::dom::ReadableStream>::GetReturn
Promise(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) () at /home/ed/mozilla/central/obj-debug/dist/bin/libxul.so
#7  0x00007fffea043e5b in mozilla::dom::binding_detail::AsyncIterableReturnImpl::ReturnSteps(JSContext*, mozilla::dom::AsyncIterableIteratorBase*, ns
IGlobalObject*, JS::Handle<JS::Value>, mozilla::ErrorResult&)
    (this=0x7fffced3a330, aCx=0x7fffd5633f00, aObject=0x7fffced3a2e0, aGlobalObject=0x7fffd2b03be0, aValue=..., aRv=...)
    at /home/ed/mozilla/central/dom/bindings/IterableIterator.cpp:257
#8  0x00007fffea0441b7 in mozilla::dom::binding_detail::AsyncIterableReturnImpl::Return(JSContext*, mozilla::dom::AsyncIterableIteratorBase*, nsISupp
orts*, JS::Handle<JS::Value>, mozilla::ErrorResult&)
    (this=0x7fffced3a330, aCx=0x7fffd5633f00, aObject=0x7fffced3a2e0, aGlobalObject=0x7fffd2b03be0, aValue=..., aRv=...)
    at /home/ed/mozilla/central/dom/bindings/IterableIterator.cpp:310
#9  0x00007fffe91b9759 in mozilla::dom::binding_detail::AsyncIterableIteratorWithReturn<mozilla::dom::ReadableStream>::Return(JSContext*, JS::Handle<
JS::Value>, mozilla::ErrorResult&) (this=0x7fffced3a2e0, aCx=0x7fffd5633f00, aValue=..., aRv=...)
    at /home/ed/mozilla/central/obj-debug/dist/include/mozilla/dom/IterableIterator.h:392
#10 0x00007fffe918589c in mozilla::dom::ReadableStreamAsyncIterator_Binding::_return_(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs c
onst&) (cx=0x7fffd5633f00, obj=..., void_self=0x7fffced3a2e0, args=...) at ReadableStreamBinding.cpp:1459
#11 0x00007fffe9185686 in mozilla::dom::ReadableStreamAsyncIterator_Binding::_return__promiseWrapper(JSContext*, JS::Handle<JSObject*>, void*, JSJitM
ethodCallArgs const&) (cx=0x7fffd5633f00, obj=..., void_self=0x7fffced3a2e0, args=...) at ReadableStreamBinding.cpp:1473
#12 0x00007fffea066b21 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::C
onvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) (cx=0x7fffd5633f00, argc=0, vp=0x7fffd29fb3a8)
    at /home/ed/mozilla/central/dom/bindings/BindingUtils.cpp:3318
#13 0x00007ffff18c166c in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)
    (cx=0x7fffd5633f00, native=0x7fffea0667a0 <mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::d
om::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*)>, reason=js::CallReason::Call, args=...)
    at /home/ed/mozilla/central/js/src/vm/Interpreter.cpp:459
#14 0x00007ffff18afd73 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)
    (cx=0x7fffd5633f00, args=..., construct=js::NO_CONSTRUCT, reason=js::CallReason::Call) at /home/ed/mozilla/central/js/src/vm/Interpreter.cpp:547
#15 0x00007ffff18b04f9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason)
    (cx=0x7fffd5633f00, args=..., reason=js::CallReason::Call) at /home/ed/mozilla/central/js/src/vm/Interpreter.cpp:614
Blocks: 1790674
Severity: -- → S3
Priority: -- → P2
See Also: → https://bugzilla.mozilla.org/show_bug.cgi?id=1818828
Whiteboard: [necko-triaged]
You need to log in before you can comment on or make changes to this bug.