Closed Bug 1618675 Opened 4 years ago Closed 3 years ago

Assertion failure: !mSyncLoopTarget, at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestWorker.cpp:839

Categories

(Core :: DOM: Networking, defect, P2)

Tracking

RESOLVED DUPLICATE of bug 1612928
Tracking Status
firefox-esr78 --- wontfix
firefox75 --- wontfix
firefox81 --- wontfix
firefox82 --- wontfix
firefox83 --- wontfix
firefox84 --- wontfix
firefox86 --- fixed

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [bugmon:bisected,confirmed][necko-triaged][fuzzblocker])

Attachments

(3 files, 5 obsolete files)

Attached file testcase.html (obsolete)

Testcase found while fuzzing mozilla-central rev 9e8d5431c412 (built with --enable-debug). Testcase must be served over HTTP in order to reproduce.

Assertion failure: !mSyncLoopTarget, at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestWorker.cpp:839

OS|Linux|0.0.0 Linux 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::dom::Proxy::Teardown(bool)|hg:hg.mozilla.org/mozilla-central:dom/xhr/XMLHttpRequestWorker.cpp:9e8d5431c4121a4bd70d440c98b50444aee60dd9|816|0x0
0|1|libxul.so|AsyncTeardownRunnable::Run|hg:hg.mozilla.org/mozilla-central:dom/xhr/XMLHttpRequestWorker.cpp:9e8d5431c4121a4bd70d440c98b50444aee60dd9|350|0x13
0|2|libxul.so|mozilla::ThrottledEventQueue::Inner::ExecuteRunnable()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/ThrottledEventQueue.cpp:9e8d5431c4121a4bd70d440c98b50444aee60dd9|252|0x12
0|3|libxul.so|mozilla::ThrottledEventQueue::Inner::Executor::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/ThrottledEventQueue.cpp:9e8d5431c4121a4bd70d440c98b50444aee60dd9|80|0xd
0|4|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:9e8d5431c4121a4bd70d440c98b50444aee60dd9|1220|0xe
0|5|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:9e8d5431c4121a4bd70d440c98b50444aee60dd9|481|0x11
0|6|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:9e8d5431c4121a4bd70d440c98b50444aee60dd9|87|0xa
0|7|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:9e8d5431c4121a4bd70d440c98b50444aee60dd9|315|0x19
0|8|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:9e8d5431c4121a4bd70d440c98b50444aee60dd9|290|0x8
0|9|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:9e8d5431c4121a4bd70d440c98b50444aee60dd9|137|0xd
0|10|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:9e8d5431c4121a4bd70d440c98b50444aee60dd9|944|0x6
0|11|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:9e8d5431c4121a4bd70d440c98b50444aee60dd9|237|0x5
0|12|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:9e8d5431c4121a4bd70d440c98b50444aee60dd9|315|0x19
0|13|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:9e8d5431c4121a4bd70d440c98b50444aee60dd9|290|0x8
0|14|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:9e8d5431c4121a4bd70d440c98b50444aee60dd9|779|0x8
0|15|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:9e8d5431c4121a4bd70d440c98b50444aee60dd9|56|0x14
0|16|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:9e8d5431c4121a4bd70d440c98b50444aee60dd9|303|0x13
0|17|libc-2.27.so||||0x21b97
0|18|firefox-bin|__cxa_throw_bad_array_new_length|hg:hg.mozilla.org/mozilla-central:build/unix/stdc++compat/stdc++compat.cpp:9e8d5431c4121a4bd70d440c98b50444aee60dd9|82|0x12
0|19|firefox-bin||||0x10ea0
0|20|ld-2.27.so||||0x10733
0|21|libdl-2.27.so||||0x202d80
0|22|libpthread-2.27.so||||0x219bb0
0|23|firefox-bin||||0x10ea0
0|24|firefox-bin|_start|||0x29
Flags: in-testsuite?
Attached file worker.js (obsolete)
Attached file prefs-default-e10s.js (obsolete)
Priority: -- → P2
Whiteboard: [bugmon:confirm] → [bugmon:confirm][necko-triaged]
Whiteboard: [bugmon:confirm][necko-triaged] → [bugmon:confirm][necko-triaged][fuzzblocker]
Attached file testcase.html (obsolete)
Attachment #9129614 - Attachment is obsolete: true
Attached file prefs.j (obsolete)
Attachment #9129615 - Attachment is obsolete: true
Attached file testcase.html
Attachment #9183901 - Attachment is obsolete: true
Attached file worker.js
Attachment #9183902 - Attachment is obsolete: true
Attached file prefs.js
Attachment #9129616 - Attachment is obsolete: true

Jens: Is there anyone available to take this issue? It has been around for a while and is hit by fuzzers many times an hour. It would be great to get this fixed.

A Pernosco session is available here: https://pernos.co/debug/cUhFBS1vEABbzq7dyIP9ag/index.html

Flags: needinfo?(jstutte)
Flags: needinfo?(jstutte) → needinfo?(bugmail)

Bugmon Analysis:
The bug appears to have been fixed in the following build range:

Start: 28b7a2b995c32e55107c8b41722396bbbe219565 (20201217150734)
End: ad36a79133a39117d6982cbd2e948b55a9ae0675 (20201217150757)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=28b7a2b995c32e55107c8b41722396bbbe219565&tochange=ad36a79133a39117d6982cbd2e948b55a9ae0675

Whiteboard: [bugmon:confirm][necko-triaged][fuzzblocker] → [bugmon:bisected,confirmed][necko-triaged][fuzzblocker]
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(bugmail)
Resolution: --- → DUPLICATE