Closed Bug 1601809 Opened 4 years ago Closed 4 years ago

Assertion failure: !mRawPtr, at /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/AlreadyAddRefed.h:128

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1594632

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

testcase.html
226 bytes, text/html
Details
Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 3dc70a33491f. Testcase requires the dom.worklet.enabled and dom.paintWorklet.enabled prefs set to true.

Assertion failure: !mRawPtr, at /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/AlreadyAddRefed.h:128

rax = 0x000055c009ecd280   rdx = 0x0000000000000000
rcx = 0x00007f42ee97f91f   rbx = 0x00007f42e093dd50
rsi = 0x00007f42fb4258b0   rdi = 0x00007f42fb424680
rbp = 0x00007ffcd6ffe900   rsp = 0x00007ffcd6ffe900
r8 = 0x00007f42fb4258b0    r9 = 0x00007f42fc58d780
r10 = 0x0000000000000000   r11 = 0x0000000000000000
r12 = 0x00007ffcd6ffe918   r13 = 0x00007ffcd6ffe920
r14 = 0x00007f42ebaf2206   r15 = 0x00007ffcd6ffea20
rip = 0x00007f42e97f14a7
OS|Linux|0.0.0 Linux 5.0.0-36-generic #39~18.04.1-Ubuntu SMP Tue Nov 12 11:09:50 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|already_AddRefed<nsIRunnable>::~already_AddRefed()|hg:hg.mozilla.org/mozilla-central:mfbt/AlreadyAddRefed.h:3dc70a33491f26ffcd6c7bdf4e9d7a8b2e052e4e|128|0x16
0|1|libxul.so|mozilla::WorkletImpl::NotifyWorkletFinished()|hg:hg.mozilla.org/mozilla-central:dom/worklet/WorkletImpl.cpp:3dc70a33491f26ffcd6c7bdf4e9d7a8b2e052e4e|92|0x15
0|2|libxul.so|mozilla::dom::Worklet::~Worklet()|hg:hg.mozilla.org/mozilla-central:dom/worklet/Worklet.cpp:3dc70a33491f26ffcd6c7bdf4e9d7a8b2e052e4e|444|0x30
0|3|libxul.so|mozilla::dom::Worklet::DeleteCycleCollectable()|hg:hg.mozilla.org/mozilla-central:dom/worklet/Worklet.cpp:3dc70a33491f26ffcd6c7bdf4e9d7a8b2e052e4e|425|0x11
0|4|libxul.so|SnowWhiteKiller::MaybeKillObject(SnowWhiteKiller::SnowWhiteObject&)|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCycleCollector.cpp:3dc70a33491f26ffcd6c7bdf4e9d7a8b2e052e4e|2429|0xd
0|5|libxul.so|SnowWhiteKiller::~SnowWhiteKiller()|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCycleCollector.cpp:3dc70a33491f26ffcd6c7bdf4e9d7a8b2e052e4e|2416|0xb
0|6|libxul.so|nsCycleCollector::FreeSnowWhite(bool)|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCycleCollector.cpp:3dc70a33491f26ffcd6c7bdf4e9d7a8b2e052e4e|2603|0x5
0|7|libxul.so|nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*)|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCycleCollector.cpp:3dc70a33491f26ffcd6c7bdf4e9d7a8b2e052e4e|3584|0xd
0|8|libxul.so|nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCycleCollector.cpp:3dc70a33491f26ffcd6c7bdf4e9d7a8b2e052e4e|3413|0xf
0|9|libxul.so|nsCycleCollector::ShutdownCollect()|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCycleCollector.cpp:3dc70a33491f26ffcd6c7bdf4e9d7a8b2e052e4e|3357|0x15
0|10|libxul.so|nsCycleCollector::Shutdown(bool)|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCycleCollector.cpp:3dc70a33491f26ffcd6c7bdf4e9d7a8b2e052e4e|3645|0x8
0|11|libxul.so|nsCycleCollector_shutdown(bool)|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCycleCollector.cpp:3dc70a33491f26ffcd6c7bdf4e9d7a8b2e052e4e|3960|0x14
0|12|libxul.so|mozilla::ShutdownXPCOM(nsIServiceManager*)|hg:hg.mozilla.org/mozilla-central:xpcom/build/XPCOMInit.cpp:3dc70a33491f26ffcd6c7bdf4e9d7a8b2e052e4e|711|0xa
0|13|libxul.so|XRE_TermEmbedding()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:3dc70a33491f26ffcd6c7bdf4e9d7a8b2e052e4e|227|0x7
0|14|libxul.so|mozilla::ipc::ScopedXREEmbed::Stop()|hg:hg.mozilla.org/mozilla-central:ipc/glue/ScopedXREEmbed.cpp:3dc70a33491f26ffcd6c7bdf4e9d7a8b2e052e4e|90|0x5
0|15|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:3dc70a33491f26ffcd6c7bdf4e9d7a8b2e052e4e|782|0x11
0|16|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:3dc70a33491f26ffcd6c7bdf4e9d7a8b2e052e4e|56|0x14
0|17|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:3dc70a33491f26ffcd6c7bdf4e9d7a8b2e052e4e|303|0x12
0|18|libc-2.27.so||||0x21b97
0|19|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:3dc70a33491f26ffcd6c7bdf4e9d7a8b2e052e4e|203|0x5
Flags: in-testsuite?

Regression from bug 1476514. When this early-return is taken (or the other for that matter), the runnable is leaked.

Flags: needinfo?(karlt)

Jason, you may like to ensure dom.paintWorklet.enabled does not get set, because we don't have any plans to ship this code.

I've modified the summary line for bug 1594632, to aim to make that easier to find.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(karlt)
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: