Open Bug 1441601 Opened 2 years ago Updated 1 year ago

Assertion failure: mExtraForgetSkippableCalls == 0 (Forget to reset extra forget skippable calls?), at /home/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1336

Categories

(Core :: DOM: Core & HTML, defect, P3)

59 Branch
defect

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase-wanted, Whiteboard: [fuzzblocker])

Attachments

(1 file)

Found while fuzzing esr52 rev fe9968b35619.  Currently reducing testcase and will update shortly.

OS|Linux|0.0.0 Linux 4.4.0-1050-aws #59-Ubuntu SMP Tue Jan 30 19:57:10 UTC 2018 x86_64
CPU|amd64|family 6 model 63 stepping 2|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|CycleCollectorStats::FinishCycleCollectionSlice|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/nsJSEnvironment.cpp:fe9968b35619|1336|0x0
0|1|libxul.so|nsJSContext::EndCycleCollectionCallback|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/nsJSEnvironment.cpp:fe9968b35619|1576|0xc
0|2|libxul.so|XPCJSContext::EndCycleCollectionCallback|hg:hg.mozilla.org/releases/mozilla-esr52:js/xpconnect/src/XPCJSContext.cpp:fe9968b35619|681|0x5
0|3|libxul.so|nsCycleCollector::CleanupAfterCollection|hg:hg.mozilla.org/releases/mozilla-esr52:xpcom/base/nsCycleCollector.cpp:fe9968b35619|3578|0xe
0|4|libxul.so|nsCycleCollector::Collect|hg:hg.mozilla.org/releases/mozilla-esr52:xpcom/base/nsCycleCollector.cpp:fe9968b35619|3678|0x8
0|5|libxul.so|nsCycleCollector_collect|hg:hg.mozilla.org/releases/mozilla-esr52:xpcom/base/nsCycleCollector.cpp:fe9968b35619|4144|0x1e
0|6|libxul.so|nsJSContext::CycleCollectNow|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/nsJSEnvironment.cpp:fe9968b35619|1440|0x8
0|7|libxul.so|nsDOMWindowUtils::CycleCollect|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/nsDOMWindowUtils.cpp:fe9968b35619|1340|0x5
0|8|libxul.so|NS_InvokeByIndex|hg:hg.mozilla.org/releases/mozilla-esr52:xpcom/reflect/xptcall/md/unix/xptcinvoke_x86_64_unix.cpp:fe9968b35619|182|0x41
0|9|libxul.so|CallMethodHelper::Call|hg:hg.mozilla.org/releases/mozilla-esr52:js/xpconnect/src/XPCWrappedNative.cpp:fe9968b35619|2058|0x5
0|10|libxul.so|XPCWrappedNative::CallMethod|hg:hg.mozilla.org/releases/mozilla-esr52:js/xpconnect/src/XPCWrappedNative.cpp:fe9968b35619|1344|0x8
0|11|libxul.so|XPC_WN_CallMethod|hg:hg.mozilla.org/releases/mozilla-esr52:js/xpconnect/src/XPCWrappedNativeJSOps.cpp:fe9968b35619|1000|0xa
0|12|libxul.so|js::CallJSNative|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/jscntxtinlines.h:fe9968b35619|239|0x9
0|13|libxul.so|js::InternalCallOrConstruct|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/vm/Interpreter.cpp:fe9968b35619|459|0xf
0|14|libxul.so|Interpret|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/vm/Interpreter.cpp:fe9968b35619|510|0xf
0|15|libxul.so|js::RunScript|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/vm/Interpreter.cpp:fe9968b35619|405|0xb
0|16|libxul.so|js::InternalCallOrConstruct|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/vm/Interpreter.cpp:fe9968b35619|477|0xb
0|17|libxul.so|js::Call|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/vm/Interpreter.cpp:fe9968b35619|523|0x5
0|18|libxul.so|JS_CallFunctionValue|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/jsapi.cpp:fe9968b35619|2769|0xf
0|19|libxul.so|xpc::FunctionForwarder|hg:hg.mozilla.org/releases/mozilla-esr52:js/xpconnect/src/ExportHelpers.cpp:fe9968b35619|315|0x8
0|20|libxul.so|js::CallJSNative|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/jscntxtinlines.h:fe9968b35619|239|0x9
0|21|libxul.so|js::InternalCallOrConstruct|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/vm/Interpreter.cpp:fe9968b35619|459|0xf
0|22|libxul.so|Interpret|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/vm/Interpreter.cpp:fe9968b35619|510|0xf
0|23|libxul.so|js::RunScript|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/vm/Interpreter.cpp:fe9968b35619|405|0xb
0|24|libxul.so|js::ExecuteKernel|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/vm/Interpreter.cpp:fe9968b35619|686|0x5
0|25|libxul.so|EvalKernel|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/builtin/Eval.cpp:fe9968b35619|328|0x1a
0|26|libxul.so|js::IndirectEval|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/builtin/Eval.cpp:fe9968b35619|421|0xa
0|27|||||0x2b8f97ef79e5
0|28|||||0x7f4062285af0
0|29|||||0x2b8f97efb7a1
0|30|||||0x7f4061303288
0|31|||||0x2b8f97d55e1d
0|32|libxul.so|EnterBaseline|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/jit/BaselineJIT.cpp:fe9968b35619|155|0x9
0|33|libxul.so|js::jit::EnterBaselineAtBranch|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/jit/BaselineJIT.cpp:fe9968b35619|261|0xb
0|34|libxul.so|Interpret|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/vm/Interpreter.cpp:fe9968b35619|1916|0x14
0|35|libxul.so|js::RunScript|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/vm/Interpreter.cpp:fe9968b35619|405|0xb
0|36|libxul.so|js::ExecuteKernel|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/vm/Interpreter.cpp:fe9968b35619|686|0x5
0|37|libxul.so|js::Execute|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/vm/Interpreter.cpp:fe9968b35619|719|0x28
0|38|libxul.so|Evaluate|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/jsapi.cpp:fe9968b35619|4440|0xf
0|39|libxul.so|Evaluate|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/jsapi.cpp:fe9968b35619|4466|0x1d
0|40|libxul.so|nsJSUtils::EvaluateString|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/nsJSUtils.cpp:fe9968b35619|207|0x1c
0|41|libxul.so|nsJSUtils::EvaluateString|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/nsJSUtils.cpp:fe9968b35619|275|0x2a
0|42|libxul.so|nsScriptLoader::EvaluateScript|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/nsScriptLoader.cpp:fe9968b35619|2194|0x21
0|43|libxul.so|nsScriptLoader::ProcessRequest|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/nsScriptLoader.cpp:fe9968b35619|1979|0xb
0|44|libxul.so|nsScriptLoader::ProcessScriptElement|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/nsScriptLoader.cpp:fe9968b35619|1712|0xf
0|45|libxul.so|nsScriptElement::MaybeProcessScript|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/nsScriptElement.cpp:fe9968b35619|149|0x13
0|46|libxul.so|nsIScriptElement::AttemptToExecute|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/nsIScriptElement.h:fe9968b35619|222|0x3
0|47|libxul.so|nsHtml5TreeOpExecutor::RunScript|hg:hg.mozilla.org/releases/mozilla-esr52:parser/html/nsHtml5TreeOpExecutor.cpp:fe9968b35619|666|0x10
0|48|libxul.so|nsHtml5TreeOpExecutor::RunFlushLoop|hg:hg.mozilla.org/releases/mozilla-esr52:parser/html/nsHtml5TreeOpExecutor.cpp:fe9968b35619|489|0x8
0|49|libxul.so|nsHtml5ExecutorReflusher::Run|hg:hg.mozilla.org/releases/mozilla-esr52:parser/html/nsHtml5TreeOpExecutor.cpp:fe9968b35619|58|0xd
0|50|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/releases/mozilla-esr52:xpcom/threads/nsThread.cpp:fe9968b35619|1216|0x11
0|51|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/releases/mozilla-esr52:xpcom/glue/nsThreadUtils.cpp:fe9968b35619|361|0xd
0|52|libxul.so|mozilla::ipc::MessagePump::Run|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/glue/MessagePump.cpp:fe9968b35619|96|0xa
0|53|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/chromium/src/base/message_loop.cc:fe9968b35619|232|0x17
0|54|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/chromium/src/base/message_loop.cc:fe9968b35619|225|0x8
0|55|libxul.so|nsBaseAppShell::Run|hg:hg.mozilla.org/releases/mozilla-esr52:widget/nsBaseAppShell.cpp:fe9968b35619|156|0xd
0|56|libxul.so|XRE_RunAppShell|hg:hg.mozilla.org/releases/mozilla-esr52:toolkit/xre/nsEmbedFunctions.cpp:fe9968b35619|866|0x6
0|57|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/glue/MessagePump.cpp:fe9968b35619|269|0x5
0|58|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/chromium/src/base/message_loop.cc:fe9968b35619|232|0x17
0|59|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/chromium/src/base/message_loop.cc:fe9968b35619|225|0x8
0|60|libxul.so|XRE_InitChildProcess|hg:hg.mozilla.org/releases/mozilla-esr52:toolkit/xre/nsEmbedFunctions.cpp:fe9968b35619|698|0xf
0|61|plugin-container|content_process_main|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/contentproc/plugin-container.cpp:fe9968b35619|197|0xe
0|62|libc-2.23.so||||0x20830
0|63|plugin-container|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/releases/mozilla-esr52:mfbt/Assertions.h:fe9968b35619|170|0x5
Attached file trigger.html
Testcase requires the fuzzPriv extension which can be found at:
https://github.com/MozillaSecurity/fuzzpriv
Hi Andrew, you touched this last. :-)
Flags: needinfo?(continuation)
Hopefully I can look at this at some point, but it isn't a high priority. IIRC, the ccSlice function hasn't helped find any real bugs so hopefully the fuzzer can avoid it...
Flags: needinfo?(continuation)
Priority: -- → P3
Hi Jason,

I am trying to reproduce your issue, but I am unsuccessful. The fuzzPriv extension seems like it's not working anymore. I can't install it.

Can you install it? Do you know where I could find a working fuzzPriv extension? 
Does this issue still occur for you?

Thank you for your contribution!
Flags: needinfo?(jkratzer)
Daniel,

I cannot reproduce this issue using the latest ESR60.  For future reference, the fuzzPriv extension does still work, at least for the time being.

It's easiest to use it via ffpuppet and the prefs located below:
https://github.com/MozillaSecurity/ffpuppet/
https://github.com/MozillaSecurity/fuzzdata/blob/master/settings/firefox/prefs-default-e10s.js

Example args:
python -m ffpuppet -p prefs-default-e10s.js -e ~/fuzzpriv/ ~/firefox/firefox -u testcase.html
Flags: needinfo?(jkratzer)
Hello again,

I have attempted to learn how to use fuzzing and how to reproduce this issue, but I have come across multiple confusions/complications. The articles that I could find online are a bit too technical for me.

1. Firstly, considering that the issue was reported on ESR52 and it does not occur in ESR60, it's probably best to check whether it still occurs in the latest ESR52 (because some companies still use the ESR52 version). Am I correct? 
 a. If the issue still occurs in ESR52, then... could we attempt to find the fix we have in ESR60 (since it does not occur anymore)? If yes, then the fix could probably be pushed to ESR52 as well, right?
 b. If it does not occur on the latest ESR52 anymore, then we could safely close the issue as WORKSFORME, right?

2. Secondly, I would like to learn to reproduce these kinds of issues so I can address and triage them correctly. I could not find a detailed and easily understandable procedure anywhere. Is there such a tutorial on the web? If yes, I'd like to have it, but if not, then I would need you to write a detailed tutorial, please.

In any case, I have the impression that fuzzing the latest ESR52 version is not as simple as fuzzing the latest Nightly. I would really like to know everything about fuzzing and assertion failures.

In conclusion, what I need is this:
1. Learn whether this issue needs further addressing/learn the proper way to address and regress these types of issues.
2. Learn how to properly use the fuzzing function and how to properly reproduce/regress/verify these types of issues.

Can you, please, help me or at least point me in the right direction?

Thank you,
Dani
Flags: needinfo?(jkratzer)
Whether or not this should be fixed in ESR52 is not up to me.  NI'd the triage owner as they might know.

Regarding how to reproduce these issues, the instructions in comment #5 should suffice.  Unfortunately there is no detailed documentation regarding how to handle our fuzzing bugs, as each fuzzer produces different types of testcases and the process required to reproduce each is different.  If you're having difficulty reproducing these issues, I'd suggest requesting further information on each bug.

If you have more general questions regarding our fuzzing process, please feel free to reach out to me on IRC or Slack.
Flags: needinfo?(jkratzer) → needinfo?(htsai)
Thanks for raising the uplift to ESR52 question. I think it's fine without it being fixed in esr52 from what I can tell at the moment. Thanks!
Flags: needinfo?(htsai)
Component: DOM → DOM: Core & HTML