1453200 - Crash [@ mozalloc_abort]

Status: RESOLVED WORKSFORME

(Core :: Widget: Gtk, defect, P3)

Description

[Jason Kratzer [:jkratzer]]

Attachment: trigger.html

Testcase found while fuzzing esr52 rev d61516b059c1.

Under ASAN testcase exits immediately without reporting a stack trace.  Debug builds report the following minidump:

rax = 0xfffffffffffffdfc   rdx = 0x00000000ffffffff
rcx = 0x00007f94801e074d   rbx = 0x00007f9474b7e920
rsi = 0x0000000000000004   rdi = 0x00007f946704a660
rbp = 0x00007fffcb3bce70   rsp = 0x00007fffcb3bce50
r8 = 0x0000000000000048    r9 = 0x0000000000000001
r10 = 0x00007f9487a60510   r11 = 0x0000000000000293
r12 = 0x00007f946704a660   r13 = 0x00000000ffffffff
r14 = 0x00007f94838664a1   r15 = 0x0000000000000004
rip = 0x00007f94801e074d
OS|Linux|0.0.0 Linux 4.4.0-119-generic #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018 x86_64
CPU|amd64|family 6 model 78 stepping 3|1
GPU|||
Crash|DUMP_REQUESTED|0x7f94801e074d|0
0|0|libc-2.23.so||||0xfb74d
0|1|libxul.so|PollWrapper|hg:hg.mozilla.org/releases/mozilla-esr52:widget/gtk/nsAppShell.cpp:d61516b059c1|42|0x10
0|2|libglib-2.0.so.0.4800.2||||0x4a38c
0|3|libglib-2.0.so.0.4800.2||||0x4a49c
0|4|libxul.so|nsAppShell::ProcessNextNativeEvent|hg:hg.mozilla.org/releases/mozilla-esr52:widget/gtk/nsAppShell.cpp:d61516b059c1|270|0x5
0|5|libxul.so|nsBaseAppShell::DoProcessNextNativeEvent|hg:hg.mozilla.org/releases/mozilla-esr52:widget/nsBaseAppShell.cpp:d61516b059c1|138|0x10
0|6|libxul.so|nsBaseAppShell::OnProcessNextEvent|hg:hg.mozilla.org/releases/mozilla-esr52:widget/nsBaseAppShell.cpp:d61516b059c1|289|0x8
0|7|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/releases/mozilla-esr52:xpcom/threads/nsThread.cpp:d61516b059c1|1189|0x1b
0|8|libxul.so|mozilla::BaseAutoLock<mozilla::Mutex>::~BaseAutoLock|hg:hg.mozilla.org/releases/mozilla-esr52:xpcom/glue/Mutex.h:d61516b059c1|173|0x8
0|9|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/releases/mozilla-esr52:xpcom/glue/nsThreadUtils.cpp:d61516b059c1|361|0xd
0|10|libxul.so|MessageLoop::DoIdleWork|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/chromium/src/base/message_loop.cc:d61516b059c1|460|0x5
0|11|libpthread-2.23.so||||0x2182c0
0|12|libxul.so|mozilla::ipc::MessagePump::Run|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/glue/MessagePump.cpp:d61516b059c1|124|0xd
0|13|libxul.so|_fini|||0x19ba108
0|14|libxul.so|_fini|||0x1a1678
0|15|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/chromium/src/base/message_loop.cc:d61516b059c1|232|0x17
0|16|libnspr4.so|PR_GetThreadPrivate|hg:hg.mozilla.org/releases/mozilla-esr52:nsprpub/pr/src/threads/prtpd.c:d61516b059c1|204|0x5
0|17|libpthread-2.23.so||||0x2182c0
0|18|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/chromium/src/base/message_loop.cc:d61516b059c1|225|0x8
0|19|libpthread-2.23.so||||0x2182c0
0|20|libxul.so|nsBaseAppShell::Run|hg:hg.mozilla.org/releases/mozilla-esr52:widget/nsBaseAppShell.cpp:d61516b059c1|156|0xd
0|21|libxul.so|XRE_RunAppShell|hg:hg.mozilla.org/releases/mozilla-esr52:toolkit/xre/nsEmbedFunctions.cpp:d61516b059c1|866|0x6
0|22|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/glue/MessagePump.cpp:d61516b059c1|269|0x5
0|23|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/chromium/src/base/message_loop.cc:d61516b059c1|232|0x17
0|24|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/chromium/src/base/message_loop.cc:d61516b059c1|225|0x8
0|25|libxul.so|XRE_InitChildProcess|hg:hg.mozilla.org/releases/mozilla-esr52:toolkit/xre/nsEmbedFunctions.cpp:d61516b059c1|698|0xf
0|26|libxul.so|_fini|||0x19ea7a8

Comment 1

[Andrei Purice]

Hey Jason,
Does this crash still reproduce for you? Can you add a new test case because this one is missing.

Comment 2

[Jason Kratzer [:jkratzer]]

Andrei, I was unable to reproduce this issue on either mozilla-central 20210216-fc74eb2c7b84 or esr-78 20210212-cecd979ce5ff. I think we can safely close this issue.