Closed Bug 1655519 Opened 4 years ago Closed 2 years ago

Assertion failure: !Exists(), at /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1375

Categories: Core :: Audio/Video, defect

Status: RESOLVED WORKSFORME
Tracking Status
firefox-esr91 --- wontfix
firefox-esr102 --- wontfix
firefox81 --- wontfix
firefox84 --- wontfix
firefox85 --- wontfix
firefox86 --- wontfix
firefox87 --- wontfix
firefox88 --- wontfix
firefox89 --- wontfix
firefox101 --- wontfix
firefox102 --- wontfix
firefox103 --- wontfix
firefox104 --- wontfix

Reporter: jkratzer; Assignee: Unassigned
References: Blocks 1 open bug, Regression
Keywords: crash, regression, testcase
Whiteboard: [bugmon:bisected,confirmed]
Attachments: 1 file

Attached file testcase.zip

Testcase found while fuzzing mozilla-central rev 798bdad605b9 (built with --enable-debug).

Assertion failure: !Exists(), at /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1375

==25689==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f2155a6a097 bp 0x7f21414bd310 sp 0x7f21414bd2f0 T34)
==25689==The signal is caused by a WRITE memory access.
==25689==Hint: address points to the zero page.
    #0 0x7f2155a6a096 in mozilla::MozPromiseRequestHolder<mozilla::MozPromise<bool, nsresult, false> >::Track(already_AddRefed<mozilla::MozPromise<bool, nsresult, false>::Request>) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1375:5
    #1 0x7f215b766384 in mozilla::MozPromise<bool, nsresult, false>::ThenCommand<mozilla::MozPromise<bool, nsresult, false>::ThenValue<mozilla::MediaDecoderStateMachine*, void (mozilla::MediaDecoderStateMachine::*)(), void (mozilla::MediaDecoderStateMachine::*)(nsresult)> >::Track(mozilla::MozPromiseRequestHolder<mozilla::MozPromise<bool, nsresult, false> >&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:937:22
    #2 0x7f215b75fdf9 in mozilla::MediaDecoderStateMachine::StartMediaSink() /builds/worker/checkouts/gecko/dom/media/MediaDecoderStateMachine.cpp:3373:11
    #3 0x7f215b745879 in mozilla::MediaDecoderStateMachine::MaybeStartPlayback() /builds/worker/checkouts/gecko/dom/media/MediaDecoderStateMachine.cpp:2964:3
    #4 0x7f215b76b04a in mozilla::MediaDecoderStateMachine::ResumeMediaSink() /builds/worker/checkouts/gecko/dom/media/MediaDecoderStateMachine.cpp:3814:3
    #5 0x7f215b9789a2 in applyImpl<mozilla::MediaDecoderStateMachine, void (mozilla::MediaDecoderStateMachine::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1188:12
    #6 0x7f215b9789a2 in apply<mozilla::MediaDecoderStateMachine, void (mozilla::MediaDecoderStateMachine::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1194:12
    #7 0x7f215b9789a2 in mozilla::detail::RunnableMethodImpl<mozilla::MediaDecoderStateMachine*, void (mozilla::MediaDecoderStateMachine::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1240:13
    #8 0x7f2154d725db in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:228:35
    #9 0x7f2154d7fa81 in mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:158:20
    #10 0x7f2154dafc56 in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:299:14
    #11 0x7f2154da0a6c in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
    #12 0x7f2154dab95c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #13 0x7f2156163e02 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:302:20
    #14 0x7f2156043057 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #15 0x7f2156043057 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #16 0x7f2156043057 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #17 0x7f2154d99417 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:447:10
    #18 0x7f217a251d3e in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #19 0x7f2179e936da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #20 0x7f2178e71a3e in clone /build/glibc-2ORdQG/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1375:5 in mozilla::MozPromiseRequestHolder<mozilla::MozPromise<bool, nsresult, false> >::Track(already_AddRefed<mozilla::MozPromise<bool, nsresult, false>::Request>)
Thread T34 (MediaDe~hine #1) created by T0 (file:// Content) here:
    #0 0x558bf4708a1a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
    #1 0x7f217a2421e5 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f217a23315e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f2154d9c0f7 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:659:8
    #4 0x7f2154daa5ba in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:629:12
    #5 0x7f2154db575a in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:161:57
    #6 0x7f2154dae51d in NS_NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:152:10
    #7 0x7f2154dae51d in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:115:17
    #8 0x7f2154db0d4e in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:350:5
    #9 0x7f2154d7e786 in mozilla::TaskQueue::DispatchLocked(nsCOMPtr<nsIRunnable>&, unsigned int, mozilla::AbstractThread::DispatchReason) /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:65:26
    #10 0x7f2154dbde4a in mozilla::TaskQueue::Dispatch(already_AddRefed<nsIRunnable>, mozilla::AbstractThread::DispatchReason) /builds/worker/workspace/obj-build/dist/include/mozilla/TaskQueue.h:86:14
    #11 0x7f2154d71ff3 in mozilla::AutoTaskDispatcher::DispatchTaskGroup(mozilla::UniquePtr<mozilla::AutoTaskDispatcher::PerThreadTaskGroup, mozilla::DefaultDelete<mozilla::AutoTaskDispatcher::PerThreadTaskGroup> >) /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:276:20
    #12 0x7f2154d7120b in mozilla::AutoTaskDispatcher::~AutoTaskDispatcher() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:122:7
    #13 0x7f2154d73608 in mozilla::Maybe<mozilla::AutoTaskDispatcher>::reset() /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:652:19
    #14 0x7f2154d6dafc in AfterProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/AbstractThread.cpp:130:5
    #15 0x7f2154d6dafc in non-virtual thunk to mozilla::XPCOMThreadWrapper::AfterProcessNextEvent(nsIThreadInternal*, bool) /builds/worker/checkouts/gecko/xpcom/threads/AbstractThread.cpp
    #16 0x7f2154da0fdd in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1258:3
    #17 0x7f2154dab95c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #18 0x7f215616230f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #19 0x7f2156043057 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #20 0x7f2156043057 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #21 0x7f2156043057 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #22 0x7f215d382ab8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #23 0x7f2160f4ba06 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #24 0x7f2156043057 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #25 0x7f2156043057 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #26 0x7f2156043057 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #27 0x7f2160f4afef in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #28 0x558bf4750f53 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #29 0x558bf4750f53 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
    #30 0x7f2178d71b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
Flags: in-testsuite?
Crash Signature: [@ mozilla::MozPromiseRequestHolder<T>::Track ]
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200804022706-fdfd1e91d204. The bug appears to have been introduced in the following build range:
> Start: 7aa8f1610d722da028996799b60f03c9666994b5 (20200225155114)
> End: 8b5b34d3b4f8876e35f48b50108b0fef64a1f6dd (20200225160946)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=7aa8f1610d722da028996799b60f03c9666994b5&tochange=8b5b34d3b4f8876e35f48b50108b0fef64a1f6dd

While trying to collect an rr trace of this bug, I frequently hit bug 1655517, which already has a Pernosco session available. I'm not sure if these issues are related or not.

Bugmon Analysis
Unable to reproduce bug 1655519 using build mozilla-central 20201205093858-7ce95b6cde26. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Setting regressed_by field after analyzing regression range found by bugmon.

Regressed by: 1617863

Set release status flags based on info from the regressing bug 1617863

:sg, since you are the author of the regressor, bug 1617863, could you take a look?
For more information, please visit auto_nag documentation.

Flags: needinfo?(simon.giesecke)

Set release status flags based on info from the regressing bug 1617863

Severity: normal → S3

The attached test case no longer triggers the issue. This was last reported by fuzzers targeting m-c 20211027-b5086513fe50.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME