Crash [@ mozilla::dom::CallbackObject::CallSetup::CallSetup] | Assertion failure: processorCtor
Categories: Core :: Web Audio, defect, P2
People: Reporter: jkratzer, Assigned: karlt
References: Blocks 1 open bug
Details: Keywords: crash, testcase-wanted
Attachments: 2 files
Found while fuzzing mozilla-central rev 262c8adb5265. I don't currently have a testcase but will add one if one becomes available.
==10004==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7f790af361c9 bp 0x7f78f00457c0 sp 0x7f78f0045460 T68)
==10004==The signal is caused by a READ memory access.
==10004==Hint: address points to the zero page.
#0 0x7f790af361c8 in mozilla::dom::CallbackObject::CallSetup::CallSetup(mozilla::dom::CallbackObject*, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*, bool) /builds/worker/checkouts/gecko/dom/bindings/CallbackObject.cpp
#1 0x7f790960a1dd in mozilla::dom::AudioWorkletProcessorConstructor::Construct(JS::Handle<JSObject*>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dom/bindings/AudioWorkletGlobalScopeBinding.cpp:27:13
#2 0x7f790c5772a2 in mozilla::dom::AudioWorkletGlobalScope::ConstructProcessor(JSContext*, nsTSubstring<char16_t> const&, mozilla::NotNull<mozilla::dom::StructuredCloneHolder*>, mozilla::dom::UniqueMessagePortId&, JS::MutableHandle<JSObject*>) /builds/worker/checkouts/gecko/dom/media/webaudio/AudioWorkletGlobalScope.cpp:337:60
#3 0x7f790c57a852 in mozilla::dom::WorkletNodeEngine::ConstructProcessor(mozilla::AudioWorkletImpl*, nsTSubstring<char16_t> const&, mozilla::NotNull<mozilla::dom::StructuredCloneHolder*>, mozilla::dom::UniqueMessagePortId&, mozilla::AudioNodeTrack*) /builds/worker/checkouts/gecko/dom/media/webaudio/AudioWorkletNode.cpp:256:16
#4 0x7f790c5af7fb in operator() /builds/worker/checkouts/gecko/dom/media/webaudio/AudioWorkletNode.cpp:826:21
#5 0x7f790c5af7fb in mozilla::detail::RunnableFunction<mozilla::dom::AudioWorkletNode::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::AudioContext&, nsTSubstring<char16_t> const&, mozilla::dom::AudioWorkletNodeOptions const&, mozilla::ErrorResult&)::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:557:5
#6 0x7f790bee48b9 in mozilla::MediaTrackGraphImpl::RunMessagesInQueue() /builds/worker/checkouts/gecko/dom/media/MediaTrackGraph.cpp:1155:20
#7 0x7f790beea583 in mozilla::MediaTrackGraphImpl::OneIterationImpl(long, long, mozilla::AudioMixer*) /builds/worker/checkouts/gecko/dom/media/MediaTrackGraph.cpp:1392:3
#8 0x7f790bb35894 in mozilla::GraphRunner::Run() /builds/worker/checkouts/gecko/dom/media/GraphRunner.cpp:114:32
#9 0x7f790528d4a6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1200:14
#10 0x7f7905297c0c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:481:10
#11 0x7f79065a4b84 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:332:5
#12 0x7f790648fe27 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
#13 0x7f790648fe27 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
#14 0x7f790648fe27 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
#15 0x7f79052867c7 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:444:10
#16 0x7f7929a9dcde in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#17 0x7f79296df6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#18 0x7f79286bd88e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/dom/bindings/CallbackObject.cpp in mozilla::dom::CallbackObject::CallSetup::CallSetup(mozilla::dom::CallbackObject*, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*, bool)
Thread T68 (GraphRunner) created by T0 (Web Content) here:
#0 0x55a6c45756aa in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
#1 0x7f7929a8e185 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
#2 0x7f7929a7f0fe in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
#3 0x7f7905289284 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:650:8
#4 0x7f7905296771 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:620:12
#5 0x7f790529aba3 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:139:57
#6 0x7f790bb33fb0 in NS_NewNamedThread<12> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:65:10
#7 0x7f790bb33fb0 in mozilla::GraphRunner::Create(mozilla::MediaTrackGraphImpl*) /builds/worker/checkouts/gecko/dom/media/GraphRunner.cpp:37:7
#8 0x7f790bf00006 in mozilla::MediaTrackGraphImpl::MediaTrackGraphImpl(mozilla::MediaTrackGraph::GraphDriverType, mozilla::MediaTrackGraph::GraphRunType, int, unsigned int, void const*, mozilla::AbstractThread*) /builds/worker/checkouts/gecko/dom/media/MediaTrackGraph.cpp:2951:26
#9 0x7f790bf018b0 in mozilla::MediaTrackGraph::GetInstance(mozilla::MediaTrackGraph::GraphDriverType, nsPIDOMWindowInner*, int, void const*) /builds/worker/checkouts/gecko/dom/media/MediaTrackGraph.cpp:3093:17
#10 0x7f790c544e1b in mozilla::dom::AudioDestinationNode::AudioDestinationNode(mozilla::dom::AudioContext*, bool, bool, unsigned int, unsigned int) /builds/worker/checkouts/gecko/dom/media/webaudio/AudioDestinationNode.cpp:329:28
#11 0x7f790c5375a9 in mozilla::dom::AudioContext::AudioContext(nsPIDOMWindowInner*, bool, unsigned int, unsigned int, float) /builds/worker/checkouts/gecko/dom/media/webaudio/AudioContext.cpp:185:22
#12 0x7f790c539415 in mozilla::dom::AudioContext::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::AudioContextOptions const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/media/webaudio/AudioContext.cpp:275:11
#13 0x7f79095e5e0a in mozilla::dom::AudioContext_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/AudioContextBinding.cpp:844:58
#14 0x7f7911510f1e in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:493:13
#15 0x7f7911510f1e in CallJSNativeConstructor /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:509:8
#16 0x7f7911510f1e in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:711:10
#17 0x7f7911510604 in js::ConstructFromStack(JSContext*, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:738:10
#18 0x7f79114ea652 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3313:16
#19 0x7f79114d9c21 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:465:10
#20 0x7f791150df2d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:620:13
#21 0x7f791151009a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:648:10
#22 0x7f7911510376 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:665:8
#23 0x7f79116b2010 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2833:10
#24 0x7f790ab09f66 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:55:8
#25 0x7f790b5f6b5d in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#26 0x7f790b5f6584 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1073:43
#27 0x7f790b5f7c87 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1271:17
#28 0x7f790b5e5faf in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:356:17
#29 0x7f790b5e474d in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:558:16
#30 0x7f790b5e8cd6 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1055:11
#31 0x7f790dcb914e in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1145:7
#32 0x7f791084337b in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5902:20
#33 0x7f7910842525 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5645:7
#34 0x7f7910847f5f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#35 0x7f7907c7bde0 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1345:3
#36 0x7f7907c7adac in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:905:14
#37 0x7f7907c77080 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:725:9
#38 0x7f7907c798b3 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:613:5
#39 0x7f7907c7a93c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp
#40 0x7f7905527957 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:610:22
#41 0x7f790552ab67 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:517:10
#42 0x7f79091e1e4f in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:10731:18
#43 0x7f7909198186 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10663:9
#44 0x7f79091bd33f in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7330:3
#45 0x7f790928c504 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12
#46 0x7f790928c504 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1174:12
#47 0x7f790928c504 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1220:13
#48 0x7f7905254d7d in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:146:20
#49 0x7f790528d4a6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1200:14
#50 0x7f7905297c0c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:481:10
#51 0x7f79065a2dff in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#52 0x7f790648fe27 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
#53 0x7f790648fe27 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
#54 0x7f790648fe27 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
#55 0x7f790d6f2ff8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#56 0x7f79112acd96 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:909:20
#57 0x7f790648fe27 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
#58 0x7f790648fe27 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
#59 0x7f790648fe27 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
#60 0x7f79112ac44a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:740:34
#61 0x55a6c45bdbd3 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#62 0x55a6c45bdbd3 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
#63 0x7f79285bdb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
==10004==ABORTING
Comment 1 • 4 years ago
This includes the patch that increases the memory usage limit. We don't have the line number on the last stack frame, and it's not a small function...
Comment 2 (Reporter) • 4 years ago
I managed to get a working testcase but it's very unreliable. Trying to reduce it now but it'll likely take a long time.
Comment 3 • 4 years ago
It might be possible to record testcase runs with rr until a failure is captured, if that's quicker than reducing the testcase itself.
ni? Jason for (reduced) testcase or a more detailed stack
Comment 4 (Reporter) • 4 years ago
A pernosco session of this bug has been uploaded to https://pernos.co/debug/PjX9dB1eP_A6TkxMM2XWMg/index.html. This session will expire in 7 days.
Comment 5 • 4 years ago
It looks like processorCtor is nullptr here. I'm trying to find why it's reaching this point, but it's a bit hard because lots of the memory has been optimized out.
Comment 6 (Reporter) • 4 years ago
Here's a pernosco session with --enable-optimize="O0". If you need a --enable-debug build, please let me know.
Comment 7 (Assignee) • 4 years ago
Thank you for the recording, Jason.
The scenario seems to be
1. registerProcessor("audio_worklet_processor_0").
2. Enter nested event loop via XMLHttpRequest.
3. shutdown/freeze window, via navigation.
4. Return from nested event loop.
5. new AudioWorkletNode("audio_worklet_processor_0").
At 3, WorkletImpl::mGlobalScope is cleared.
After 5, mGlobalScope is replaced with a new scope, which does not have the processor registered.
At the time of the AudioWorkletNode constructor call, aAudioContext->mParentObject is null.
I wonder whether the appropriate behavior in the constructor is to throw, or to no-op and pretend all is fine.
Comment 8 • 4 years ago
"no-op and pretend all is fine" sounds in line with the other nodes.
Comment 9 • 4 years ago
The severity field is not set for this bug.
:achronop, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 10 (Assignee) • 4 years ago
Comment 11 (Assignee) • 4 years ago
When the worklet has already received the notification to shut down, there will be no further notification to release another global.
Depends on D85974
Comment 12 • 4 years ago
Comment 13 • 4 years ago
Comment 14 (bugherder) • 4 years ago
https://hg.mozilla.org/mozilla-central/rev/b67ba5d335d8
https://hg.mozilla.org/mozilla-central/rev/0430442b4652
Comment 15 (Assignee) • 4 years ago
A safe crash in an unusual situation.
I don't see any reports at https://crash-stats.mozilla.org/search/?proto_signature=~ConstructProcessor&version=79.0&date=%3E%3D2020-07-31T00%3A52%3A00.000Z&date=%3C2020-08-07T00%3A52%3A00.000Z&_facets=signature&page=1&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-signature
Not intending to uplift.