Closed
Bug 1497633
Opened 7 years ago
Closed 6 years ago
heap-use-after-free in mozilla::dom::WorkerPrivate::ParentWindowResumed
Categories
(Core :: DOM: Workers, defect, P1)
Tracking
()
RESOLVED
INCOMPLETE
| Tracking | Status | |
|---|---|---|
| firefox64 | --- | affected |
People
(Reporter: nils, Assigned: edenchuang, NeedInfo)
References
(Depends on 1 open bug)
Details
(5 keywords)
I have seen this crash multiple times during fuzzing on Firefox 64.0a1, however was so far unable to reproduce and minimise a testcase. I hope the ASAN stack traces can help in tracking down the root cause.
The environment variable MOZ_CHAOSMODE=255 was set during fuzzing.
=================================================================
==26995==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a00004a388 at pc 0x7fdd39859498 bp 0x7ffd78a80610 sp 0x7ffd78a80608
READ of size 4 at 0x61a00004a388 thread T0 (Web Content)
#0 0x7fdd39859497 in mozilla::dom::WorkerPrivate::ParentWindowResumed() /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:1921:28
#1 0x7fdd397fd5b1 in mozilla::dom::workerinternals::RuntimeService::ResumeWorkersForWindow(nsPIDOMWindowInner*) /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:2267:21
#2 0x7fdd33fca1eb in nsGlobalWindowInner::Resume() /builds/worker/workspace/build/src/dom/base/nsGlobalWindowInner.cpp:5905:3
#3 0x7fdd39ca0e07 in mozilla::dom::nsResumeTimeoutsEvent::Run() /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:159:14
#4 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#5 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#6 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#7 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#8 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#9 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#10 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#11 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#12 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#13 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#14 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#15 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#16 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#17 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#18 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#19 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#20 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#21 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#22 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#23 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#24 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#25 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#26 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#27 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#28 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#29 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#30 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#31 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#32 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#33 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#34 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#35 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#36 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#37 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#38 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#39 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#40 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#41 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#42 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#43 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#44 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#45 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#46 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#47 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#48 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#49 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#50 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#51 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#52 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#53 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#54 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#55 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#56 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#57 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#58 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#59 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#60 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#61 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#62 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#63 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#64 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#65 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#66 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#67 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#68 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#69 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#70 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#71 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#72 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#73 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#74 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#75 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#76 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#77 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#78 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#79 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#80 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#81 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#82 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#83 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#84 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#85 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#86 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#87 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#88 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#89 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#90 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#91 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#92 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#93 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#94 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#95 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#96 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#97 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#98 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#99 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#100 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#101 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#102 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#103 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#104 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#105 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#106 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#107 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#108 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#109 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#110 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#111 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#112 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#113 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#114 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#115 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#116 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#117 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#118 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#119 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#120 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#121 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#122 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#123 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#124 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#125 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#126 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#127 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#128 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#129 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#130 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#131 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#132 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#133 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#134 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#135 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#136 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#137 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#138 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#139 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#140 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#141 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#142 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#143 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#144 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#145 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#146 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#147 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#148 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#149 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#150 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#151 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#152 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#153 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#154 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#155 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#156 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#157 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#158 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#159 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#160 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#161 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#162 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#163 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#164 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#165 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#166 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#167 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#168 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#169 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#170 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#171 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#172 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#173 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#174 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#175 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#176 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#177 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#178 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#179 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#180 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#181 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#182 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#183 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#184 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#185 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#186 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#187 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#188 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#189 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#190 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#191 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#192 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#193 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#194 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#195 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#196 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#197 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#198 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#199 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#200 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#201 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#202 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#203 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#204 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#205 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#206 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#207 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#208 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#209 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#210 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#211 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#212 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#213 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#214 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#215 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#216 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#217 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#218 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#219 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#220 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#221 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#222 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#223 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#224 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#225 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#226 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#227 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#228 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#229 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#230 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#231 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#232 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#233 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#234 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#235 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#236 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#237 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#238 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#239 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#240 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#241 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#242 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#243 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#244 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#245 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#246 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#247 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#248 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#249 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#250 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#251 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#252 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#253 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#254 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#255 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#256 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#257 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#258 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#259 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#260 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#261 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#262 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#263 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#264 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#265 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#266 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#267 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#268 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#269 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#270 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#271 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#272 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#273 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#274 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#275 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#276 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#277 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#278 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#279 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#280 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#281 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#282 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#283 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#284 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#285 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#286 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#287 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#288 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#289 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#290 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#291 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#292 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#293 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#294 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#295 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#296 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#297 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#298 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#299 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
0x61a00004a388 is located 1288 bytes inside of 1320-byte region [0x61a000049e80,0x61a00004a3a8)
freed by thread T0 (Web Content) here:
#0 0x5593b78f5372 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
#1 0x7fdd398a2778 in operator delete /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:163:12
#2 0x7fdd398a2778 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/WorkerPrivate.h:123
#3 0x7fdd398a2778 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:47
#4 0x7fdd398a2778 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:418
#5 0x7fdd398a2778 in assign_assuming_AddRef /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:72
#6 0x7fdd398a2778 in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:177
#7 0x7fdd398a2778 in ClearSelfAndParentEventTargetRef /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/WorkerPrivate.h:153
#8 0x7fdd398a2778 in mozilla::dom::(anonymous namespace)::TopLevelWorkerFinishedRunnable::Run() /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:301
#9 0x7fdd302c6746 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /builds/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:188:22
#10 0x7fdd302c6287 in mozilla::ThrottledEventQueue::Inner::Executor::Run() /builds/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:72:15
#11 0x7fdd302c6746 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /builds/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:188:22
#12 0x7fdd302c6287 in mozilla::ThrottledEventQueue::Inner::Executor::Run() /builds/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:72:15
#13 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#14 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#15 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#16 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#17 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#18 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#19 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#20 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#21 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#22 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#23 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#24 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#25 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#26 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#27 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#28 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#29 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#30 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#31 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#32 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#33 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#34 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#35 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
#36 0x7fdd3837a951 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:180:14
#37 0x7fdd3026ee85 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#38 0x7fdd302abe1f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1231:14
#39 0x7fdd302b44fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#40 0x7fdd302a99ba in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#41 0x7fdd302a99ba in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934
previously allocated by thread T0 (Web Content) here:
#0 0x5593b78f56b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
#1 0x5593b7926acd in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:70:17
#2 0x7fdd39866bc2 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:139:12
#3 0x7fdd39866bc2 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:2823
#4 0x7fdd3980aca1 in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/workers/Worker.cpp:26:5
#5 0x7fdd366bf95a in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WorkerBinding.cpp:1015:52
#6 0x7fdd40353f4c in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:461:15
#7 0x7fdd40353f4c in CallJSNativeConstructor /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:478
#8 0x7fdd40353f4c in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:673
#9 0x7fdd40338c14 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3442:18
#10 0x7fdd4031d9fb in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:440:12
#11 0x7fdd40356568 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:806:15
#12 0x7fdd3e880250 in js::DirectEvalStringFromIon(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Handle<JS::Value>, JS::Handle<JSString*>, unsigned char*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:421:12
#13 0x142e879bfa7c (<unknown module>)
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:1921:28 in mozilla::dom::WorkerPrivate::ParentWindowResumed()
Shadow bytes around the buggy address:
0x0c3480001420: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480001430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480001440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480001450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480001460: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3480001470: fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa fa fa
0x0c3480001480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3480001490: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c34800014a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c34800014b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c34800014c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==26995==ABORTING
|
||
Updated•7 years ago
|
Group: core-security → dom-core-security
|
||
Comment 1•7 years ago
|
||
This looks actionable already, thank you very much! bfcache problems are not entirely surprising...
Is there a bug report already filed on the ridiculously nested media stream graph shutdown runnables that spin nested event loops? (In particular, there's bugs like bug 1407415 where media related things block PBackground that could be involved in the insanity, and those in turn could be related to Worker-related issues... although I would expect that to keep the worker alive longer than it should be, etc.)
Flags: needinfo?(nils)
|
||
Updated•7 years ago
|
|
||
Updated•7 years ago
|
Priority: -- → P1
|
||
Updated•7 years ago
|
Assignee: nobody → bugmail
|
|
||
Updated•7 years ago
|
Flags: needinfo?(bugmail)
|
|
||
Comment 3•7 years ago
|
||
I've dug into this further. Here's the un-brief brief. The tl;dr is that this is confusing but could make sense with the double-free :ytausky is looking into. My next step is to check-in with :ytausky on his similar investigations where he's currently using TSAN to catch potential races.
## Analysis ##
### Stack Reading and General Control Flow ###
- The crash is on a use-after-free of a WorkerPrivate instance coming out of a synchronous XHR's suspension of the window and thereby the worker.
- The nsResumeTimeoutsEvent runnable is on the stack which is dispatched by XMLHttpRequestMainThead::SendInternal once it has concluded its sync loop and is on its way off the stack. This means we're in a subsequent turn of an event loop at this point.
- The runnable invokes nsGlobalWindowInner::Resume which notifies children and a bunch of other things before invoking `nsGlobalWindowInner::ResumeWorkerForWindow` which outsources that to RuntimeService::ResumeWorkersForWindow.
- This method snapshots the current list of windows for the worker into an nsTArray<WorkerPrivate*> which is a concerning type signature because it means there are no strong references and if there's any re-entrancy in the method, crashes would be expected.
- There's no re-entrancy in the method or its callees.
- That means that it's likely the underlying registry of window-worker mappings is already out-of-date.
- The resumption of the worker re-enables the ThrottledEventQueue that holds runnables sent from the worker to the main thread.
- This includes the the TopLevelWorkerFinishedRunnable that the Worker dispatches when it terminates its primary runloop.
- But this is not quite as terrifying as it seems because WorkerPrivate::NotifyInternal will have at least propagated Closing state to mParentStatus if this was the worker closing itself.
- The window-worker mappings are maintained like so:
- RuntimeService::RegisterWorker adds the worker as part of the creation process in WorkerPrivate::Constructor. Note that it's RegisterWorker that actually creates the platform thread that backs the WorkerPrivate via `ScheduleWorker`, so a class of weird races are ruled out.
- RuntimeService::UnregisterWorker removes the worker from the map. It is invoked by TopLevelWorkerFinishedRunnable::Run() on the main thread *prior to invoking ClearSelfAndParentEventTargetRef* which is the method where the use-after-free occurs.
### Potential Edge Cases ###
- Pending/queued worker. In the event we hit the limit of workers for the domain (host, _not_ origin), we queue the workers. In the event the worker never ran, we ScheduleDeletion() from the parent (=> main) thread. The deletion still ends up delayed in the throttled event queue that is paused.
- Cycle Collection of a non-busy Worker (which forms a cycle) can result in the termination of the underlying Worker.
- Holy cow there's a ton of nested event loops and it looks like most of the stacks are actually truncated. This suggests it's possible that there's actually something very interesting and potentially re-entrant happening but that we're not being exposed to it.
- RuntimeService::CreateSharedWorkerFromLoadInfo is an alternate path to add the workerPrivate to the mWindowMap. However, both it and the normal RegisterWorker path check if the WorkerPrivate is already contained before adding it.
### Confusing Stuff ###
1. UnregisterWorker should be invoked strictly before the self-ref is dropped. This is literally the code at https://searchfox.org/mozilla-central/rev/7f7c353e969e61a6a85201cc8ad3c3de12ac30d8/dom/workers/WorkerPrivate.cpp#295:
runtime->UnregisterWorker(mFinishedWorker);
if (!mFinishedWorker->ProxyReleaseMainThreadObjects()) {
NS_WARNING("Failed to dispatch, going to leak!");
}
mFinishedWorker->ClearSelfAndParentEventTargetRef();
### Hypotheses ###
The general scenario is that for this to happen:
- The Worker binding returned from `new Worker(...)` must either have been forgotten and GC'ed or cut by cycle collection. Otherwise it would be holding a WorkerPrivate RefPtr.
#### Double Free ####
:ytausky has been investigating a double-free related to WorkerPrivate. This could be a similar/the same issue.
Note that WorkerPrivate does not have a thread-safe refcount, but that there are almost no instances of RefPtr<WorkerPrivate> in the tree, so it's hard to concoct a situation where that's a concern. (Also, misuse will be detected and exploded on MOZ_THREAD_SAFETY_OWNERSHIP_CHECKS_SUPPORTED builds which is either DEBUG or NIGHTLY_BUILD without MOZ_PROFILING. But I'd somewhat presume the ASAN fuzzer build isn't running with that.)
|
|
||
Comment 4•7 years ago
|
||
Nils, do you the inputs produced by the fuzzer, even if they don't cause the crash reliably?
|
|
||
Comment 5•7 years ago
|
||
Yaron: Since this is related to your current work load. Handing to you.
|
|
||
Updated•7 years ago
|
Assignee: bugmail → ytausky
|
||
Comment 6•6 years ago
|
||
Yaron, any chance you can take a look at this again? It has been sitting around for a few months now. Thanks!
Flags: needinfo?(ytausky)
|
|
||
Comment 7•6 years ago
|
||
This was deemed related to bug 1493591, which I marked as stalled since I couldn't figure out under what circumstances it happens. I think a refactoring of worker objects' lifetime is due anyway, because in their current form they have too many moving parts. Unfortunately I cannot get to it right now since I'm occupied with other security-relevant bugs.
Flags: needinfo?(ytausky)
|
||
Updated•6 years ago
|
Flags: sec-bounty?
|
||
Updated•6 years ago
|
Assignee: ytausky → perry
|
Assignee | |
Updated•6 years ago
|
Assignee: perry → echuang
Status: NEW → ASSIGNED
|
|
||
Comment 8•6 years ago
|
||
:ytausky, :echuang If this is really blocked by bug 1539508, then someone should work on that bug first before getting to this.
Flags: needinfo?(ytausky)
Flags: needinfo?(echuang)
|
|
||
Comment 9•6 years ago
|
||
I doubt that we will figure out exactly what happens here. We only have the stack traces, which :asuth analyzed above, but no reproduction case (and the reporter unfortunately didn't give more information). The hope was that once bug 1539508 is done, whatever it was that happened here will not be possible anymore, but there aren't any actions for this bug that are blocked by the other one. I'll have a second look tomorrow to see if there's something we missed the first time, but realistically speaking, unless we get new information, we can close this bug as INCOMPLETE.
Flags: needinfo?(ytausky)
Flags: needinfo?(echuang)
|
|
||
Comment 10•6 years ago
|
||
As mentioned earlier, closing.
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
|
||
Comment 11•6 years ago
|
||
Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.
Keywords: stalled
|
|
||
Comment 12•6 years ago
|
||
If this bug comes back to life we can resurrect the bounty flag on it.
Flags: sec-bounty? → sec-bounty-
|
||
Comment 13•5 years ago
|
||
Removing employee no longer with company from CC list of private bugs.
|
|
||
Updated•2 years ago
|
Group: dom-core-security
|
|
||
Updated•1 year ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•