Open Bug 1587488 Opened 4 years ago Updated 6 months ago

Assertion failure: mObservers.Length() == 0, at /builds/worker/workspace/build/src/hal/Hal.cpp:179

Categories

(Core :: Hardware Abstraction Layer (HAL), defect, P3)

Product:
Core
Component:
Hardware Abstraction Layer (HAL)
Platform:
Unspecified
Linux
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox71 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase)

Attachments

(3 files)

testcase.html
539 bytes, text/html
Details
tab.html
170 bytes, text/html
Details
frame.html
790 bytes, text/html
Details
Attached file testcase.html

Testcase found while fuzzing mozilla-central rev be9a6289486a. The stack doesn't appear related to IndexedDB but the testcase leverages it and it is required to reproduce.

The testcase includes 3 files and "testcase.html" must be used as the landing page.

Assertion failure: mObservers.Length() == 0, at /builds/worker/workspace/build/src/hal/Hal.cpp:179

rax = 0x00005595dbb48340   rdx = 0x00007f58c047dc1d
rcx = 0x0000000000000b40   rbx = 0x00007f58b1726f80
rsi = 0x00007f58cc1058b0   rdi = 0x00007f58cc104680
rbp = 0x00007ffc32672920   rsp = 0x00007ffc32672910
r8 = 0x00007f58cc1058b0    r9 = 0x00007f58cd26e780
r10 = 0x0000000000000000   r11 = 0x0000000000000000
r12 = 0x00007f58c2392300   r13 = 0x00007ffc32672a38
r14 = 0x0000000000000000   r15 = 0x00007ffc32672a28
rip = 0x00007f58bb0ce339
OS|Linux|0.0.0 Linux 5.0.0-29-generic #31~18.04.1-Ubuntu SMP Thu Sep 12 18:29:21 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::StaticAutoPtr<mozilla::hal::ScreenConfigurationObserversManager>::Assign(mozilla::hal::ScreenConfigurationObserversManager*)|hg:hg.mozilla.org/mozilla-central:xpcom/base/StaticPtr.h:be9a6289486a6f366e431782b84a0c0633f8fec2|93|0x41
0|1|libxul.so|mozilla::hal::Shutdown()|hg:hg.mozilla.org/mozilla-central:xpcom/base/StaticPtr.h:be9a6289486a6f366e431782b84a0c0633f8fec2|59|0x46
0|2|libxul.so|nsAppShell::~nsAppShell()|hg:hg.mozilla.org/mozilla-central:widget/gtk/nsAppShell.cpp:be9a6289486a6f366e431782b84a0c0633f8fec2|128|0x5
0|3|libxul.so|nsAppShell::~nsAppShell()|hg:hg.mozilla.org/mozilla-central:widget/gtk/nsAppShell.cpp:be9a6289486a6f366e431782b84a0c0633f8fec2|133|0x5
0|4|libxul.so|nsBaseAppShell::Release()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:be9a6289486a6f366e431782b84a0c0633f8fec2|21|0x44
0|5|libxul.so|nsWidgetGtk2ModuleDtor()|hg:hg.mozilla.org/mozilla-central:widget/gtk/nsWidgetFactory.cpp:be9a6289486a6f366e431782b84a0c0633f8fec2|70|0x6
0|6|libxul.so|mozilla::xpcom::StaticComponents::Shutdown()|s3:gecko-generated-sources:c8b4c5a81c3e0cf99b1fcfa5317c15efacefbf7451d5fc3cacfbeaa4878a07b623fe55201789d319533a66268975d37d85ab33eb315c05c2e4b02d82db8a7f1a/xpcom/components/StaticComponents.cpp:|11310|0x6d
0|7|libxul.so|nsComponentManagerImpl::Shutdown()|hg:hg.mozilla.org/mozilla-central:xpcom/components/nsComponentManager.cpp:be9a6289486a6f366e431782b84a0c0633f8fec2|944|0x5
0|8|libxul.so|mozilla::ShutdownXPCOM(nsIServiceManager*)|hg:hg.mozilla.org/mozilla-central:xpcom/build/XPCOMInit.cpp:be9a6289486a6f366e431782b84a0c0633f8fec2|724|0x5
0|9|libxul.so|XRE_TermEmbedding()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:be9a6289486a6f366e431782b84a0c0633f8fec2|223|0x7
0|10|libxul.so|mozilla::ipc::ScopedXREEmbed::Stop()|hg:hg.mozilla.org/mozilla-central:ipc/glue/ScopedXREEmbed.cpp:be9a6289486a6f366e431782b84a0c0633f8fec2|90|0x5
0|11|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:be9a6289486a6f366e431782b84a0c0633f8fec2|773|0x11
0|12|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:be9a6289486a6f366e431782b84a0c0633f8fec2|56|0x14
0|13|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:be9a6289486a6f366e431782b84a0c0633f8fec2|272|0x12
0|14|libc-2.27.so||||0x21b97
0|15|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:be9a6289486a6f366e431782b84a0c0633f8fec2|203|0x5
Flags: in-testsuite?
Attached file tab.html
Attached file frame.html
Priority: -- → P3
Blocks: fuzzing-indexeddb

Can't reproduce this locally with current nightly. As :jkratzer mentioned, this doesn't seem to be closely related to IndexedDB, even if it conincides with its use. Maybe HAL can make sense of it?

Component: Storage: IndexedDB → Hardware Abstraction Layer (HAL)
Priority: P3 → --

This can happen if the GTK widget doesn't unregister all its HAL observers before shutting down. The assertion is triggered by the HAL component being shut down with some observers still registered. I'll have a a look ASAP.

OS: Unspecified → Linux
Priority: -- → P3
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.