Closed Bug 1484871 Opened 6 years ago Closed 2 years ago

Assertion failure: !mRawPtr, at /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/AlreadyAddRefed.h:126

Categories: Core :: Graphics: Canvas2D, defect, P3

Tracking: RESOLVED WORKSFORME

People: Reporter: tsmith, Unassigned

References: Blocks 1 open bug

Details: Keywords: assertion, crash, testcase, Whiteboard: [MemShrink:P2][gfx-noted]

Attachments: 1 file

Attached file testcase.html
Reduced with m-c:
BuildID=20180820220028
SourceStamp=d0d2e0f4b33cd28bc05c353c185873256f7f926e

The most reliable way I've found to reproduce this is to open the testcase in a few tabs and then close the tabs one by one.

Assertion failure: !mRawPtr, at /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/AlreadyAddRefed.h:126

#0 0x7f5cd716eaae in already_AddRefed<nsIRunnable>::~already_AddRefed() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/AlreadyAddRefed.h:126:8
#1 0x7f5cd72724f7 in nsIEventTarget::Dispatch(nsIRunnable*, unsigned int) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIEventTarget.h:37:7
#2 0x7f5cd9adc674 in mozilla::dom::ImageEncoder::ExtractDataAsync(nsTSubstring<char16_t>&, nsTSubstring<char16_t> const&, bool, mozilla::UniquePtr<unsigned char [], mozilla::DefaultDelete<unsigned char []> >, int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, bool, mozilla::dom::EncodeCompleteCallback*) /builds/worker/workspace/build/src/dom/base/ImageEncoder.cpp:338:23
#3 0x7f5cdb60ec3a in mozilla::dom::CanvasRenderingContextHelper::ToBlob(JSContext*, nsIGlobalObject*, mozilla::dom::EncodeCompleteCallback*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, bool, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:107:9
#4 0x7f5cdb60e6b6 in mozilla::dom::CanvasRenderingContextHelper::ToBlob(JSContext*, nsIGlobalObject*, mozilla::dom::BlobCallback&, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, bool, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:63:3
#5 0x7f5cdbd31e97 in mozilla::dom::HTMLCanvasElement::ToBlob(JSContext*, mozilla::dom::BlobCallback&, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/HTMLCanvasElement.cpp:915:33
#6 0x7f5cdb225bff in mozilla::dom::HTMLCanvasElement_Binding::toBlob(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLCanvasElement*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLCanvasElementBinding.cpp:412:9
#7 0x7f5cdb51d028 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3294:13
#8 0x7f5ce0440955 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:445:15
#9 0x7f5ce0440036 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:533:16
#10 0x7f5ce0441863 in InternalCall(JSContext*, js::AnyInvokeArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:584:12
#11 0x7f5ce0436e7b in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3239:18
#12 0x7f5ce0420106 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:425:12
#13 0x7f5ce04401ea in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:557:15
#14 0x7f5ce0441863 in InternalCall(JSContext*, js::AnyInvokeArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:584:12
#15 0x7f5ce0441a79 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:603:10
#16 0x7f5ce0d4a93c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2915:12
#17 0x7f5cdb1aa42e in mozilla::dom::BlobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Blob*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLCanvasElementBinding.cpp:87:8
#18 0x7f5cdb667a6d in mozilla::dom::BlobCallback::Call(mozilla::dom::Blob*, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/HTMLCanvasElementBinding.h:180:12
#19 0x7f5cdb6675e6 in mozilla::dom::CanvasRenderingContextHelper::ToBlob(JSContext*, nsIGlobalObject*, mozilla::dom::BlobCallback&, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, bool, mozilla::ErrorResult&)::EncodeCallback::ReceiveBlob(already_AddRefed<mozilla::dom::Blob>) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:48:22
#20 0x7f5cd9af95ec in mozilla::dom::EncodingCompleteEvent::Run() /builds/worker/workspace/build/src/dom/base/ImageEncoder.cpp:109:37
#21 0x7f5cd734b576 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1235:14
#22 0x7f5cd7351e2c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
#23 0x7f5cd734a1f8 in bool mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, nsThread::Shutdown()::$_2>(nsThread::Shutdown()::$_2&&, nsIThread*) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:324:25
#24 0x7f5cd734a0e7 in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:939:3
#25 0x7f5cd7355ffe in nsThreadPool::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:347:17
#26 0x7f5cd9af2f19 in mozilla::dom::EncoderThreadPoolTerminator::Observe(nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/dom/base/ImageEncoder.cpp:534:36
#27 0x7f5cd7236219 in nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/xpcom/ds/nsObserverList.cpp:112:19
#28 0x7f5cd7238ffc in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/xpcom/ds/nsObserverService.cpp:295:19
#29 0x7f5cd73cce68 in mozilla::ShutdownXPCOM(nsIServiceManager*) /builds/worker/workspace/build/src/xpcom/build/XPCOMInit.cpp:912:24
#30 0x7f5ce01eb0c9 in XRE_TermEmbedding() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:230:3
#31 0x7f5cd80422f5 in mozilla::ipc::ScopedXREEmbed::Stop() /builds/worker/workspace/build/src/ipc/glue/ScopedXREEmbed.cpp:108:5
#32 0x7f5ce01ebb5b in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:767:16
#33 0x4f420a in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#34 0x4f448e in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287:18
#35 0x7f5cf70d182f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#36 0x423d54 in _start (firefox+0x423d54)
Flags: in-testsuite?
Marking as s-s since there is a more serious looking version of this crash reported in the wild.
Group: gfx-core-security
Crash Signature: [@ mozilla::dom::ImageEncoder::ExtractDataAsync]
Keywords: crash
Group: gfx-core-security
The assertion means we're leaking a runnable.
Whiteboard: [MemShrink]
...which is not very bad in this case, since we're shutting down.
Priority: -- → P3
Whiteboard: [MemShrink] → [MemShrink][gfx-noted]
Whiteboard: [MemShrink][gfx-noted] → [MemShrink:P2][gfx-noted]
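
The comments above read the assertion as a leaked runnable. The following C++ model is an added example, not Mozilla source or code from this bug: it shows how a move-only handle in the style of already_AddRefed flags a dispatch that returns without taking ownership, here modelled as a pool that is shutting down. AlreadyAddRefed, Pool, DispatchUnconsumed and DispatchConsumed are hypothetical stand-ins, and the destructor counts instead of asserting so the outcome can be checked.

```cpp
// Simplified model, not Mozilla source: AlreadyAddRefed, Pool and the
// Dispatch* names are stand-ins chosen for this example.
#include <cstdio>
struct Runnable { int id; };

static int gUnconsumed = 0;  // times the real MOZ_ASSERT(!mRawPtr) would fire

template <typename T>
class AlreadyAddRefed {
  T* mRawPtr;
 public:
  explicit AlreadyAddRefed(T* p) : mRawPtr(p) {}
  AlreadyAddRefed(AlreadyAddRefed&& o) : mRawPtr(o.take()) {}
  T* take() { T* p = mRawPtr; mRawPtr = nullptr; return p; }
  // The real destructor asserts; the model counts so the outcome is testable.
  ~AlreadyAddRefed() { if (mRawPtr) ++gUnconsumed; }
};

struct Pool {
  bool shutdown;
  // Early return without taking ownership: the handle dies non-null.
  bool DispatchUnconsumed(AlreadyAddRefed<Runnable> ev) {
    if (shutdown) return false;
    delete ev.take();  // stand-in for "queue it, run it, release it"
    return true;
  }
  // Ownership is taken first, so every path decides the pointer's fate.
  bool DispatchConsumed(AlreadyAddRefed<Runnable> ev) {
    Runnable* r = ev.take();
    delete r;  // model only: released whether or not the pool accepted it
    return !shutdown;
  }
};

// Returns how many handles were destroyed while still owning a pointer.
int unconsumed_handles(bool shutdown, bool consume) {
  gUnconsumed = 0;
  Pool pool{shutdown};
  Runnable* r = new Runnable{1};
  if (consume) pool.DispatchConsumed(AlreadyAddRefed<Runnable>(r));
  else pool.DispatchUnconsumed(AlreadyAddRefed<Runnable>(r));
  if (gUnconsumed) delete r;  // the model reclaims what would have leaked
  return gUnconsumed;
}

int main() {
  std::printf("shutdown, not consumed: %d\n", unconsumed_handles(true, false));
  std::printf("shutdown, consumed:     %d\n", unconsumed_handles(true, true));
}
```

DispatchConsumed is only one way to satisfy the handle's contract inside this model; it is not a description of how the bug was resolved.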

The attached test case no longer reproduces the issue and it is no longer reported by fuzzers.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME