Open Bug 1604498 Opened 3 years ago Updated 4 months ago

Assertion failure: !mTable (Tear-off objects remain in hashtable at shutdown.), at /builds/worker/workspace/build/src/dom/svg/SVGAttrTearoffTable.h:29

Categories

(Core :: SVG, defect, P5)


Tracking Status
firefox73 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [fuzzblocker])

Attachments

(3 files, 1 obsolete file)

Attached file testcase.html (obsolete)

Testcase found while fuzzing mozilla-central rev 83fc8cf83221. Testcase must be served via a local webserver in order to reproduce. Furthermore, testcase may require a few attempts to trigger the assertion.

Flags: in-testsuite?

The priority flag is not set for this bug.
:TYLin, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(aethanyc)

I cannot reproduce this on my local m-c debug build with the testcase served via a local webserver.

Jason, is there any preferences required to set to reproduce this?

Flags: needinfo?(aethanyc) → needinfo?(jkratzer)
Attached file prefs-default-e10s.js
Flags: needinfo?(jkratzer)

:TYLin, I'm not sure exactly which pref is required but it reproduces for me consistently using the prefs attached here.

The priority flag is not set for this bug.
:heycam, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(cam)

Thanks! I can reproduce with the prefs attached in comment 4 by

python -m ffpuppet obj-firefox/dist/bin/firefox -p ~/Downloads/prefs-default-e10s.js -d -u http://localhost:8000/1604498.html --rr -l log

The minimum prefs with which I can reproduce are (I can only reproduce about 70% of the time, not always):

user_pref("datareporting.healthreport.service.enabled", false);
user_pref("datareporting.healthreport.service.firstRun", false);
user_pref("datareporting.healthreport.uploadEnabled", false);
user_pref("datareporting.policy.firstRunURL", "");
user_pref("dom.allow_scripts_to_close_windows", true);

The full stack is like:

#0  0x00007f70a3d5b4a7 in mozilla::SVGAttrTearoffTable<mozilla::SVGAnimatedLength, mozilla::dom::DOMSVGAnimatedLength>::~SVGAttrTearoffTable() (this=0x7f70ad6d6960 <mozilla::sSVGAnimatedLengthTearoffTable>)
    at /home/aethanyc/Projects/gecko/dom/svg/SVGAttrTearoffTable.h:29
#1  0x00007f70b75d3041 in __run_exit_handlers (status=0, listp=0x7f70b797b718 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:108
#2  0x00007f70b75d313a in __GI_exit (status=<optimized out>) at exit.c:139
#3  0x00007f70b75b1b9e in __libc_start_main (main=0x55baac7a01f0 <main(int, char**, char**)>, argc=16, argv=0x7ffec9b1aad8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffec9b1aac8)
    at ../csu/libc-start.c:344
#4  0x000055baac7a002a in _start ()

So this looks like a shutdown issue, and the assertion only fired in debug build. P5 for now.

Flags: needinfo?(cam)
Priority: -- → P5
Whiteboard: [fuzzblocker]

Adding an updated testcase.

Testcase found while fuzzing mozilla-central rev bc1d41e88ae3 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build bc1d41e88ae3 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: !mTable (Tear-off objects remain in hashtable at shutdown.), at /dom/svg/SVGAttrTearoffTable.h:30

    ==4125725==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fdda6ad60b5 bp 0x7fff75fce4c0 sp 0x7fff75fce4c0 T4125725)
    ==4125725==The signal is caused by a WRITE memory access.
    ==4125725==Hint: address points to the zero page.
        #0 0x7fdda6ad60b5 in mozilla::SVGAttrTearoffTable<mozilla::SVGAnimatedTransformList, mozilla::dom::DOMSVGAnimatedTransformList>::~SVGAttrTearoffTable() /dom/svg/SVGAttrTearoffTable.h:30:5
        #1 0x7fddb8ee88a6 in __run_exit_handlers /build/glibc-SzIz7B/glibc-2.31/stdlib/exit.c:108:8
        #2 0x7fddb8ee8a5f in exit /build/glibc-SzIz7B/glibc-2.31/stdlib/exit.c:139:3
        #3 0x7fddb8ec6089 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:342:3
        #4 0x55cf8fad6fec in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x15fec) (BuildId: cfa516c894c505553cab0e07ae8acf4fdb5aac53)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/svg/SVGAttrTearoffTable.h:30:5 in mozilla::SVGAttrTearoffTable<mozilla::SVGAnimatedTransformList, mozilla::dom::DOMSVGAnimatedTransformList>::~SVGAttrTearoffTable()
    ==4125725==ABORTING
Attached file testcase.html
Attachment #9116399 - Attachment is obsolete: true
Attachment #9288033 - Attachment description: Testcase for comment 49 → testcase.html

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:jwatt, could you increase the severity?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jwatt)
Severity: normal → S3

So the DOMSVGAnimatedTransformList dtor is not called before the class's static SVGAttrTearoffTable has its dtor called.

S3 seems about right.

Flags: needinfo?(jwatt)
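The lifetime rule the assertion enforces, as an added model (my code, not Gecko's): each DOM tear-off registers itself in a static per-attribute table on construction and removes itself on destruction; the table frees its hashtable when the last entry goes, so a non-null mTable at static destruction means a tear-off is still alive. That tear-off's destructor will later call into a table that no longer exists, which is why leftovers are more than a leak. The names TearoffTable, AnimatedLength, DOMAnimatedLength and GetOrCreateTearoff are stand-ins for SVGAttrTearoffTable, SVGAnimatedLength and DOMSVGAnimatedLength; the "empty means mTable is null" convention and the assertion text follow the header quoted in the stacks above, everything else is assumed. One caveat when reading the UBSan output above: the "SEGV on unknown address 0x0 ... WRITE" reported immediately after the assertion message is the deliberate null write MOZ_CRASH performs to abort the process on non-Windows builds, not a second memory-safety defect.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <unordered_map>

// Model of SVGAttrTearoffTable<SimpleType, TearoffType> (not the real class):
// a non-owning map from an internal attribute value to the DOM tear-off that
// currently exposes it. The map is allocated on the first Add() and freed when
// the last entry is removed, so "empty" means mTable == nullptr, which is the
// condition the shutdown assertion tests.
template <class SimpleType, class TearoffType>
class TearoffTable {
 public:
  ~TearoffTable() {
    // Mirrors the MOZ_ASSERT in Gecko's DEBUG destructor.
    assert(!mTable && "Tear-off objects remain in hashtable at shutdown.");
  }
  TearoffType* Get(SimpleType* aSimple) const {
    if (!mTable) return nullptr;
    auto it = mTable->find(aSimple);
    return it == mTable->end() ? nullptr : it->second;
  }
  void Add(SimpleType* aSimple, TearoffType* aTearoff) {
    if (!mTable) mTable = std::make_unique<MapType>();
    (*mTable)[aSimple] = aTearoff;
  }
  void Remove(SimpleType* aSimple) {
    if (!mTable) return;
    mTable->erase(aSimple);
    if (mTable->empty()) mTable.reset();  // last entry gone: drop the map too
  }
  bool IsEmpty() const { return mTable == nullptr; }
  std::size_t Count() const { return mTable ? mTable->size() : 0; }

 private:
  using MapType = std::unordered_map<SimpleType*, TearoffType*>;
  std::unique_ptr<MapType> mTable;
};

// Stand-ins for the internal value and its JS-visible tear-off. The tear-off
// registers itself on construction and unregisters on destruction, so the
// table stays valid only if every tear-off dies before the table does.
struct AnimatedLength { float mBaseVal = 0.0f; };
class DOMAnimatedLength;
using LengthTearoffTable = TearoffTable<AnimatedLength, DOMAnimatedLength>;

class DOMAnimatedLength : public std::enable_shared_from_this<DOMAnimatedLength> {
 public:
  DOMAnimatedLength(LengthTearoffTable* aTable, AnimatedLength* aVal)
      : mTable(aTable), mVal(aVal) { mTable->Add(mVal, this); }
  ~DOMAnimatedLength() { mTable->Remove(mVal); }  // the table must still exist here
  float BaseVal() const { return mVal->mBaseVal; }

 private:
  LengthTearoffTable* mTable;
  AnimatedLength* mVal;
};

// Get-or-create lookup, the reason the table exists: while any holder keeps a
// tear-off alive, every request for the same internal value gets that object.
std::shared_ptr<DOMAnimatedLength> GetOrCreateTearoff(LengthTearoffTable& aTable,
                                                      AnimatedLength* aVal) {
  if (DOMAnimatedLength* existing = aTable.Get(aVal)) return existing->shared_from_this();
  return std::make_shared<DOMAnimatedLength>(&aTable, aVal);  // ctor registers it
}

// Orderly case: all tear-offs are released before the table is destroyed, so
// the table is empty and the destructor's assertion holds.
bool OrderlyTeardownLeavesTableEmpty() {
  LengthTearoffTable table;
  AnimatedLength a, b;
  a.mBaseVal = 42.0f;
  {
    auto ta1 = GetOrCreateTearoff(table, &a);
    auto ta2 = GetOrCreateTearoff(table, &a);  // reused, not duplicated
    auto tb = GetOrCreateTearoff(table, &b);
    if (ta1.get() != ta2.get() || table.Count() != 2 || ta1->BaseVal() != 42.0f) return false;
  }  // ta1, ta2, tb released: both entries removed, map freed
  return table.IsEmpty();
}

// The bug's shape: a tear-off is still alive when the table is about to go.
// The holder is explicit here; in the bug it is whatever keeps a
// DOMSVGAnimatedTransformList alive past the static table's destructor at exit().
bool ShutdownCheckPassesWithLiveTearoff() {
  LengthTearoffTable table;
  AnimatedLength v;
  auto held = GetOrCreateTearoff(table, &v);
  bool passes = table.IsEmpty();  // false: `held` is still registered
  // Release before `table` leaves scope; otherwise ~DOMAnimatedLength would
  // call Remove() on a destroyed table, which is the hazard behind the assertion.
  held.reset();
  return passes;
}

int main() {
  std::printf("orderly teardown leaves table empty: %s\n",
              OrderlyTeardownLeavesTableEmpty() ? "yes" : "no");
  std::printf("shutdown check passes with live tear-off: %s\n",
              ShutdownCheckPassesWithLiveTearoff() ? "yes" : "no");
  return 0;
}
```

To see the real failure mode, remove the `held.reset()` line: the table's destructor then trips the same assertion text as the report, and in a build without the assert the tear-off's later destructor would write into a destroyed table.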

Given that this is a fuzzblocker and the assertion is clearly reachable, maybe it'd be worth downgrading the assertion to non-fatal for the time being?

(I assume the "remain in hashtable at shutdown" wording is alluding to a leak, which is not great but also not catastrophic.)

Flags: needinfo?(jwatt)

Oh, I guess it's potentially a bit more subtle than a leak, given the comment above the assertion. So downgrading the assertion might be a little iffy.

jkratzer, would you mind generating a pernosco trace for this?

Flags: needinfo?(jwatt) → needinfo?(jkratzer)

A pernosco session for this bug can be found here.

Flags: needinfo?(jkratzer)