Closed Bug 1634200 Opened 2 years ago Closed 1 year ago

Crash [@ mozilla::dom::CallbackObject::CallSetup::CallSetup] | Assertion failure: processorCtor

Categories

(Core :: Web Audio, defect, P2)

RESOLVED FIXED
81 Branch
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- wontfix
firefox77 --- wontfix
firefox79 --- wontfix
firefox80 --- wontfix
firefox81 --- fixed

People

(Reporter: jkratzer, Assigned: karlt)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase-wanted)

Attachments

(2 files)

Found while fuzzing mozilla-central rev 262c8adb5265. I don't currently have a testcase but will add one if one becomes available.

==10004==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7f790af361c9 bp 0x7f78f00457c0 sp 0x7f78f0045460 T68)
==10004==The signal is caused by a READ memory access.
==10004==Hint: address points to the zero page.
    #0 0x7f790af361c8 in mozilla::dom::CallbackObject::CallSetup::CallSetup(mozilla::dom::CallbackObject*, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*, bool) /builds/worker/checkouts/gecko/dom/bindings/CallbackObject.cpp
    #1 0x7f790960a1dd in mozilla::dom::AudioWorkletProcessorConstructor::Construct(JS::Handle<JSObject*>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dom/bindings/AudioWorkletGlobalScopeBinding.cpp:27:13
    #2 0x7f790c5772a2 in mozilla::dom::AudioWorkletGlobalScope::ConstructProcessor(JSContext*, nsTSubstring<char16_t> const&, mozilla::NotNull<mozilla::dom::StructuredCloneHolder*>, mozilla::dom::UniqueMessagePortId&, JS::MutableHandle<JSObject*>) /builds/worker/checkouts/gecko/dom/media/webaudio/AudioWorkletGlobalScope.cpp:337:60
    #3 0x7f790c57a852 in mozilla::dom::WorkletNodeEngine::ConstructProcessor(mozilla::AudioWorkletImpl*, nsTSubstring<char16_t> const&, mozilla::NotNull<mozilla::dom::StructuredCloneHolder*>, mozilla::dom::UniqueMessagePortId&, mozilla::AudioNodeTrack*) /builds/worker/checkouts/gecko/dom/media/webaudio/AudioWorkletNode.cpp:256:16
    #4 0x7f790c5af7fb in operator() /builds/worker/checkouts/gecko/dom/media/webaudio/AudioWorkletNode.cpp:826:21
    #5 0x7f790c5af7fb in mozilla::detail::RunnableFunction<mozilla::dom::AudioWorkletNode::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::AudioContext&, nsTSubstring<char16_t> const&, mozilla::dom::AudioWorkletNodeOptions const&, mozilla::ErrorResult&)::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:557:5
    #6 0x7f790bee48b9 in mozilla::MediaTrackGraphImpl::RunMessagesInQueue() /builds/worker/checkouts/gecko/dom/media/MediaTrackGraph.cpp:1155:20
    #7 0x7f790beea583 in mozilla::MediaTrackGraphImpl::OneIterationImpl(long, long, mozilla::AudioMixer*) /builds/worker/checkouts/gecko/dom/media/MediaTrackGraph.cpp:1392:3
    #8 0x7f790bb35894 in mozilla::GraphRunner::Run() /builds/worker/checkouts/gecko/dom/media/GraphRunner.cpp:114:32
    #9 0x7f790528d4a6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1200:14
    #10 0x7f7905297c0c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:481:10
    #11 0x7f79065a4b84 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:332:5
    #12 0x7f790648fe27 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #13 0x7f790648fe27 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #14 0x7f790648fe27 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #15 0x7f79052867c7 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:444:10
    #16 0x7f7929a9dcde in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #17 0x7f79296df6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #18 0x7f79286bd88e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/dom/bindings/CallbackObject.cpp in mozilla::dom::CallbackObject::CallSetup::CallSetup(mozilla::dom::CallbackObject*, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*, bool)
Thread T68 (GraphRunner) created by T0 (Web Content) here:
    #0 0x55a6c45756aa in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
    #1 0x7f7929a8e185 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f7929a7f0fe in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f7905289284 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:650:8
    #4 0x7f7905296771 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:620:12
    #5 0x7f790529aba3 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:139:57
    #6 0x7f790bb33fb0 in NS_NewNamedThread<12> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:65:10
    #7 0x7f790bb33fb0 in mozilla::GraphRunner::Create(mozilla::MediaTrackGraphImpl*) /builds/worker/checkouts/gecko/dom/media/GraphRunner.cpp:37:7
    #8 0x7f790bf00006 in mozilla::MediaTrackGraphImpl::MediaTrackGraphImpl(mozilla::MediaTrackGraph::GraphDriverType, mozilla::MediaTrackGraph::GraphRunType, int, unsigned int, void const*, mozilla::AbstractThread*) /builds/worker/checkouts/gecko/dom/media/MediaTrackGraph.cpp:2951:26
    #9 0x7f790bf018b0 in mozilla::MediaTrackGraph::GetInstance(mozilla::MediaTrackGraph::GraphDriverType, nsPIDOMWindowInner*, int, void const*) /builds/worker/checkouts/gecko/dom/media/MediaTrackGraph.cpp:3093:17
    #10 0x7f790c544e1b in mozilla::dom::AudioDestinationNode::AudioDestinationNode(mozilla::dom::AudioContext*, bool, bool, unsigned int, unsigned int) /builds/worker/checkouts/gecko/dom/media/webaudio/AudioDestinationNode.cpp:329:28
    #11 0x7f790c5375a9 in mozilla::dom::AudioContext::AudioContext(nsPIDOMWindowInner*, bool, unsigned int, unsigned int, float) /builds/worker/checkouts/gecko/dom/media/webaudio/AudioContext.cpp:185:22
    #12 0x7f790c539415 in mozilla::dom::AudioContext::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::AudioContextOptions const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/media/webaudio/AudioContext.cpp:275:11
    #13 0x7f79095e5e0a in mozilla::dom::AudioContext_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/AudioContextBinding.cpp:844:58
    #14 0x7f7911510f1e in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:493:13
    #15 0x7f7911510f1e in CallJSNativeConstructor /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:509:8
    #16 0x7f7911510f1e in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:711:10
    #17 0x7f7911510604 in js::ConstructFromStack(JSContext*, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:738:10
    #18 0x7f79114ea652 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3313:16
    #19 0x7f79114d9c21 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:465:10
    #20 0x7f791150df2d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:620:13
    #21 0x7f791151009a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:648:10
    #22 0x7f7911510376 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:665:8
    #23 0x7f79116b2010 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2833:10
    #24 0x7f790ab09f66 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:55:8
    #25 0x7f790b5f6b5d in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #26 0x7f790b5f6584 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1073:43
    #27 0x7f790b5f7c87 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1271:17
    #28 0x7f790b5e5faf in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:356:17
    #29 0x7f790b5e474d in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:558:16
    #30 0x7f790b5e8cd6 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1055:11
    #31 0x7f790dcb914e in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1145:7
    #32 0x7f791084337b in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5902:20
    #33 0x7f7910842525 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5645:7
    #34 0x7f7910847f5f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
    #35 0x7f7907c7bde0 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1345:3
    #36 0x7f7907c7adac in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:905:14
    #37 0x7f7907c77080 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:725:9
    #38 0x7f7907c798b3 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:613:5
    #39 0x7f7907c7a93c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp
    #40 0x7f7905527957 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:610:22
    #41 0x7f790552ab67 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:517:10
    #42 0x7f79091e1e4f in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:10731:18
    #43 0x7f7909198186 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10663:9
    #44 0x7f79091bd33f in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7330:3
    #45 0x7f790928c504 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12
    #46 0x7f790928c504 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1174:12
    #47 0x7f790928c504 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1220:13
    #48 0x7f7905254d7d in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:146:20
    #49 0x7f790528d4a6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1200:14
    #50 0x7f7905297c0c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:481:10
    #51 0x7f79065a2dff in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #52 0x7f790648fe27 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #53 0x7f790648fe27 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #54 0x7f790648fe27 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #55 0x7f790d6f2ff8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #56 0x7f79112acd96 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:909:20
    #57 0x7f790648fe27 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #58 0x7f790648fe27 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #59 0x7f790648fe27 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #60 0x7f79112ac44a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:740:34
    #61 0x55a6c45bdbd3 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #62 0x55a6c45bdbd3 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
    #63 0x7f79285bdb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

==10004==ABORTING

This includes the patch that increases the memory usage limit. We don't have the line number on the last stack frame, and it's not a small function...

I managed to get a working testcase but it's very unreliable. Trying to reduce it now but it'll likely take a long time.

It might be possible to record testcase runs with rr until a failure is captured, if that's quicker than reducing the testcase itself.

ni? Jason for (reduced) testcase or a more detailed stack

Flags: needinfo?(jkratzer)

A pernosco session of this bug has been uploaded to https://pernos.co/debug/PjX9dB1eP_A6TkxMM2XWMg/index.html. This session will expire in 7 days.

Flags: needinfo?(jkratzer)

It looks like processorCtor is nullptr here. I'm trying to find why it's reaching this point, but it's a bit hard because lots of the memory has been optimized out.

Here's a pernosco session with --enable-optimize="O0". If you need a --enable-debug build, please let me know.

https://pernos.co/debug/K8JtF5dsfhV8ubRnBbcl4Q/index.html

Thank you for the recording, Jason.

The scenario seems to be

  1. registerProcessor("audio_worklet_processor_0").
  2. Enter a nested event loop via XMLHttpRequest.
  3. Shutdown/freeze the window, via navigation.
  4. Return from the nested event loop.
  5. new AudioWorkletNode("audio_worklet_processor_0").

At 3, WorkletImpl::mGlobalScope is cleared.

After 5, mGlobalScope is replaced with a new scope, which does not have the processor registered.

At the time of the AudioWorkletNode constructor call, aAudioContext->mParentObject is null.

I wonder whether the appropriate behavior in the constructor is to throw, or to no-op and pretend all is fine.

Assignee: nobody → karlt
Status: NEW → ASSIGNED

no-op and pretend all is fine sounds in line with the other nodes.

Priority: -- → P2

The severity field is not set for this bug.
:achronop, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(achronop)
Severity: normal → S3
Flags: needinfo?(achronop)
Blocks: audioworklet
Summary: Crash [@ mozilla::dom::CallbackObject::CallSetup::CallSetup] → Crash [@ mozilla::dom::CallbackObject::CallSetup::CallSetup] | Assertion failure: processorCtor
Depends on: 1655544

When the worklet has already received the notification to shut down, there
will be no further notification to release another global.

Depends on D85974

Pushed by ktomlinson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b67ba5d335d8
don't create a new global when the Worklet is finished r=padenot
Attachment #9168081 - Attachment description: Bug 1634200 add crashtest with AudioWorkletNode after unload r?padenot → Bug 1634200 add crashtest with AudioWorkletNode after unload
Pushed by ktomlinson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0430442b4652
add crashtest with AudioWorkletNode after unload r=padenot
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch