Assertion failure: !mTable (Tear-off objects remain in hashtable at shutdown.), at /builds/worker/workspace/build/src/dom/svg/SVGAttrTearoffTable.h:29
Categories
(Core :: SVG, defect, P5)
Tracking
Flag | Tracking | Status
---|---|---
firefox73 | --- | affected
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase, Whiteboard: [fuzzblocker])
Attachments
(3 files, 1 obsolete file)
Testcase found while fuzzing mozilla-central rev 83fc8cf83221. Testcase must be served via a local webserver in order to reproduce. Furthermore, testcase may require a few attempts to trigger the assertion.
Comment 1•3 years ago
The priority flag is not set for this bug.
:TYLin, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 2•3 years ago
I cannot reproduce this on my local m-c debug build with the testcase served via a local webserver.
Jason, are there any preferences required to reproduce this?
Comment 3•3 years ago (Reporter)
Comment 4•3 years ago (Reporter)
:TYLin, I'm not sure exactly which pref is required but it reproduces for me consistently using the prefs attached here.
Comment 5•3 years ago
The priority flag is not set for this bug.
:heycam, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 6•3 years ago
Thanks! I can reproduce with the prefs attached in comment 4 by
python -m ffpuppet obj-firefox/dist/bin/firefox -p ~/Downloads/prefs-default-e10s.js -d -u http://localhost:8000/1604498.html --rr -l log
The minimum prefs that I can reproduce with are (I can only reproduce about 70% of the time, not always):
user_pref("datareporting.healthreport.service.enabled", false);
user_pref("datareporting.healthreport.service.firstRun", false);
user_pref("datareporting.healthreport.uploadEnabled", false);
user_pref("datareporting.policy.firstRunURL", "");
user_pref("dom.allow_scripts_to_close_windows", true);
The full stack is like:
#0 0x00007f70a3d5b4a7 in mozilla::SVGAttrTearoffTable<mozilla::SVGAnimatedLength, mozilla::dom::DOMSVGAnimatedLength>::~SVGAttrTearoffTable() (this=0x7f70ad6d6960 <mozilla::sSVGAnimatedLengthTearoffTable>)
at /home/aethanyc/Projects/gecko/dom/svg/SVGAttrTearoffTable.h:29
#1 0x00007f70b75d3041 in __run_exit_handlers (status=0, listp=0x7f70b797b718 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:108
#2 0x00007f70b75d313a in __GI_exit (status=<optimized out>) at exit.c:139
#3 0x00007f70b75b1b9e in __libc_start_main (main=0x55baac7a01f0 <main(int, char**, char**)>, argc=16, argv=0x7ffec9b1aad8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffec9b1aac8)
at ../csu/libc-start.c:344
#4 0x000055baac7a002a in _start ()
So this looks like a shutdown issue, and the assertion only fired in debug build. P5 for now.
Updated•8 months ago (Reporter)
Comment 7•8 months ago (Reporter)
Adding an updated testcase.
Testcase found while fuzzing mozilla-central rev bc1d41e88ae3 (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build bc1d41e88ae3 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: !mTable (Tear-off objects remain in hashtable at shutdown.), at /dom/svg/SVGAttrTearoffTable.h:30
==4125725==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fdda6ad60b5 bp 0x7fff75fce4c0 sp 0x7fff75fce4c0 T4125725)
==4125725==The signal is caused by a WRITE memory access.
==4125725==Hint: address points to the zero page.
#0 0x7fdda6ad60b5 in mozilla::SVGAttrTearoffTable<mozilla::SVGAnimatedTransformList, mozilla::dom::DOMSVGAnimatedTransformList>::~SVGAttrTearoffTable() /dom/svg/SVGAttrTearoffTable.h:30:5
#1 0x7fddb8ee88a6 in __run_exit_handlers /build/glibc-SzIz7B/glibc-2.31/stdlib/exit.c:108:8
#2 0x7fddb8ee8a5f in exit /build/glibc-SzIz7B/glibc-2.31/stdlib/exit.c:139:3
#3 0x7fddb8ec6089 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:342:3
#4 0x55cf8fad6fec in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x15fec) (BuildId: cfa516c894c505553cab0e07ae8acf4fdb5aac53)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/svg/SVGAttrTearoffTable.h:30:5 in mozilla::SVGAttrTearoffTable<mozilla::SVGAnimatedTransformList, mozilla::dom::DOMSVGAnimatedTransformList>::~SVGAttrTearoffTable()
==4125725==ABORTING
Comment 8•8 months ago (Reporter)
Comment 9•8 months ago (Reporter)
Updated•8 months ago (Reporter)
Updated•8 months ago (Reporter)
Comment 10•8 months ago
This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:jwatt, could you increase the severity?
For more information, please visit auto_nag documentation.
Updated•6 months ago
Comment 11•5 months ago
So the DOMSVGAnimatedTransformList dtor is not called before the class's static SVGAttrTearoffTable has its dtor called.
S3 seems about right.
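A stand-alone C++ model of the tear-off table pattern discussed in the comments above, added here as an illustration. It is not Gecko's SVGAttrTearoffTable and none of the names below (InternalAttr, Tearoff, TearoffTable, ReleaseTearoff, StaleEntriesAfterShutdown) are taken from the tree. It assumes only what the thread describes: a table of raw pointers from an element-owned attribute value to its DOM wrapper, which must be emptied before the table itself is torn down. The fatal shutdown assertion is modelled as a count of stale entries, so the scenario corresponding to this bug can be run without aborting.

```cpp
// Added illustration of a tear-off table; simplified model, not Gecko code.
#include <cstddef>
#include <unordered_map>

// Element-owned attribute value (stand-in for an internal SVGAnimated* object).
struct InternalAttr {
  int value = 0;
};

// DOM-facing wrapper handed to script (stand-in for a DOMSVGAnimated* object).
// Script may keep one alive independently of the element that owns the attr.
struct Tearoff {
  explicit Tearoff(InternalAttr* aAttr) : mAttr(aAttr) {}
  InternalAttr* mAttr;
};

// Maps internal attribute -> its unique tear-off, so repeated access from
// script yields the same wrapper object. The table stores raw pointers and
// owns nothing: whoever destroys a tear-off must remove its entry first.
class TearoffTable {
 public:
  Tearoff* GetTearoff(InternalAttr* aAttr) const {
    auto it = mTable.find(aAttr);
    return it == mTable.end() ? nullptr : it->second;
  }

  Tearoff* GetOrCreateTearoff(InternalAttr* aAttr) {
    if (Tearoff* existing = GetTearoff(aAttr)) return existing;
    Tearoff* created = new Tearoff(aAttr);
    mTable[aAttr] = created;
    return created;
  }

  void RemoveTearoff(InternalAttr* aAttr) { mTable.erase(aAttr); }

  // Stand-in for the shutdown assertion in this bug: the number of tear-offs
  // still registered when the table is about to go away. Non-zero is the
  // condition the real (debug-only) assertion aborts on.
  std::size_t StaleEntriesAtShutdown() const { return mTable.size(); }

 private:
  std::unordered_map<InternalAttr*, Tearoff*> mTable;
};

// Correct release order: drop the table entry, then destroy the wrapper.
void ReleaseTearoff(TearoffTable& aTable, Tearoff* aTearoff) {
  aTable.RemoveTearoff(aTearoff->mAttr);
  delete aTearoff;
}

// Same attribute -> same wrapper: the identity guarantee the table exists for.
bool SameWrapperReturned() {
  TearoffTable table;
  InternalAttr attr;
  Tearoff* first = table.GetOrCreateTearoff(&attr);
  Tearoff* second = table.GetOrCreateTearoff(&attr);
  bool same = (first == second) && (table.GetTearoff(&attr) == first);
  ReleaseTearoff(table, first);
  return same;
}

// Simulates shutdown after a page created one tear-off. With aRelease = true
// the wrapper is torn down before the table is checked (clean exit); with
// aRelease = false it is still registered, which is the state the bug's
// assertion reports.
std::size_t StaleEntriesAfterShutdown(bool aRelease) {
  TearoffTable table;
  InternalAttr attr;
  Tearoff* tearoff = table.GetOrCreateTearoff(&attr);
  if (aRelease) ReleaseTearoff(table, tearoff);
  std::size_t stale = table.StaleEntriesAtShutdown();
  // Tidy up so the model itself does not leak. The engine has no such second
  // chance: its table is a static destroyed by the exit handlers seen in the
  // stacks above, and a straggling wrapper outlives it.
  if (!aRelease) ReleaseTearoff(table, tearoff);
  return stale;
}
```

`StaleEntriesAfterShutdown(false)` returns 1, the state the assertion reports. In this model the wrapper does not unregister itself, so a stale entry is only a leak; in a design where the wrapper removes its own entry in its destructor, a wrapper destroyed after the static table would touch a table that no longer exists, which is worse than a leak and is the kind of subtlety that makes simply downgrading the assertion risky.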
Comment 12•4 months ago
Given that this is a fuzzblocker and the assertion is clearly reachable, maybe it'd be worth downgrading the assertion to non-fatal for the time being?
(I assume the "remain in hashtable at shutdown" wording is alluding to a leak, which is not-great but also not-catastrophic.)
Comment 13•4 months ago
Oh, I guess it's potentially a bit more subtle than a leak, given the comment above the assertion. So downgrading the assertion might be a little iffy.
jkratzer, would you mind generating a pernosco trace for this?
Comment 14•4 months ago
A pernosco session for this bug can be found here.
Updated•4 months ago (Reporter)