Assertion failure: window, at /builds/worker/checkouts/gecko/dom/media/webaudio/AudioWorkletNode.cpp:613
Categories
(Core :: Web Audio, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox-esr78 | --- | wontfix |
| firefox79 | --- | wontfix |
| firefox80 | --- | wontfix |
| firefox81 | --- | fixed |
People
(Reporter: jkratzer, Assigned: karlt)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 798bdad605b9 (built with --enable-debug). Testcase must be served over HTTP in order to reproduce.
Assertion failure: window, at /builds/worker/checkouts/gecko/dom/media/webaudio/AudioWorkletNode.cpp:613
==12224==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7fb1487571 bp 0x7fffab559c60 sp 0x7fffab559c00 T12224)
==12224==The signal is caused by a WRITE memory access.
==12224==Hint: address points to the zero page.
#0 0x7f7fb1487570 in AnnotateMozCrashReason /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:42:19
#1 0x7f7fb1487570 in mozilla::dom::AudioWorkletNode::InitializeParameters(nsTArray<mozilla::dom::NamedAudioParamTimeline>*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/media/webaudio/AudioWorkletNode.cpp:613:3
#2 0x7f7fb1487dbf in mozilla::dom::AudioWorkletNode::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::AudioContext&, nsTSubstring<char16_t> const&, mozilla::dom::AudioWorkletNodeOptions const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/media/webaudio/AudioWorkletNode.cpp:790:21
#3 0x7f7faf712400 in mozilla::dom::AudioWorkletNode_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/AudioWorkletNodeBinding.cpp:771:62
#4 0x7f7fb376f3f1 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:485:13
#5 0x7f7fb3783138 in CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:501:8
#6 0x7f7fb3770c35 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:703:10
#7 0x7f7fb3763b02 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3323:16
#8 0x7f7fb375a316 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:457:10
#9 0x7f7fb376ebc6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13
#10 0x7f7fb377072f in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:640:10
#11 0x7f7fb377090f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:657:8
#12 0x7f7fb3b4c717 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/SelfHosting.cpp:1688:10
#13 0x7f7fb3912419 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/AsyncFunction.cpp:128:8
#14 0x7f7fb3a01ce1 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:1696:12
#15 0x7f7fb376f3f1 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:485:13
#16 0x7f7fb376ec69 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:577:12
#17 0x7f7fb377072f in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:640:10
#18 0x7f7fb377090f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:657:8
#19 0x7f7fb3880d87 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2837:10
#20 0x7f7fafbb05fa in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:28:8
#21 0x7f7fad46568c in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:91:12
#22 0x7f7fad464783 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:104:12
#23 0x7f7fad464783 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:211:18
#24 0x7f7fad452c9a in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:646:17
#25 0x7f7fad453939 in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:461:3
#26 0x7f7fae7c8ad7 in XPCJSContext::AfterProcessTask(unsigned int) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSContext.cpp:1367:28
#27 0x7f7fad553cb8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1271:24
#28 0x7f7fad55941a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
#29 0x7f7fade65474 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:109:5
#30 0x7f7faddd6733 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#31 0x7f7faddd664d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#32 0x7f7faddd664d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#33 0x7f7fb1e1b358 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#34 0x7f7fb362c1f3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
#35 0x7f7fade66247 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
#36 0x7f7faddd6733 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#37 0x7f7faddd664d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#38 0x7f7faddd664d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#39 0x7f7fb362bce7 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
#40 0x564af2c7dfb8 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#41 0x564af2c7dfb8 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
#42 0x7f7fc8c11b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
UndefinedBehaviorSanitizer can not provide additional info.
|
Reporter | |
Updated•4 years ago
|
|
|
Reporter | |
Comment 1•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200804091327-7cb90fa4f485.
The bug appears to have been introduced in the following build range:
> Start: 415fb53b1cf1da1935d6567ec98817652f7aee75 (20200110022450)
> End: 9b02e25673b40f410cfeab51a9d7b13fad09d86f (20200110023434)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=415fb53b1cf1da1935d6567ec98817652f7aee75&tochange=9b02e25673b40f410cfeab51a9d7b13fad09d86f
|
||
Comment 2•4 years ago
|
||
We should probably just null-check the global at the beginning of the ctor.
|
Assignee | |
Comment 3•4 years ago
|
||
This scenario was indentified in https://phabricator.services.mozilla.com/D63353?id=230758#inline-381460.
At that time I thought a null parent would be fine, but I'm not sure.
If the parent is null, then AudioParamMap_Binding::Wrap() would create the wrapper in the realm of the current global.
I expect the AudioParamMap should have the same associated global as the node being created. Using the node as the parent object would provide that.
An automated test for this will also hit bug 1634200, so I'll attach a test to that bug.
|
|
Assignee | |
Comment 4•4 years ago
|
||
|
|
Assignee | |
Comment 5•4 years ago
|
||
so that the AudioParamMap has the same associated global as its node.
Pushed by ktomlinson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c48293a61cbf use associated AudioWorkletNode for AudioParamMap parent object r=padenot
|
||
Comment 7•4 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 8•4 years ago
|
||
|
|
Reporter | |
Updated•4 years ago
|
|
|
Reporter | |
Comment 9•4 years ago
|
||
Bugmon Analysis: Bug marked as FIXED but still reproduces on mozilla-central 20200806033456-6e35e01646d7.
|
|
Assignee | |
Comment 10•4 years ago
|
||
This assertion was removed from https://hg.mozilla.org/mozilla-central/rev/c48293a61cbf#l3.13, so I assume a different bug was reproducing on 6e35e01646d7. 6e35e01646d7 does not include https://hg.mozilla.org/mozilla-central/rev/b67ba5d335d8, so I would expect this testcase to reproduce bug 1634200. I'm not reproducing any crash with this testcase on b67ba5d335d8.
If the testcase is still causing a crash after b67ba5d335d8, are you able to provide the new stack, please?
|
|
Assignee | |
Comment 11•4 years ago
|
||
Debug only assertion with no unpleasant consequences expected on failure. Not intending to uplift fix.
|
|
Reporter | |
Comment 12•4 years ago
|
||
(In reply to Karl Tomlinson (:karlt) from comment #10)
This assertion was removed from https://hg.mozilla.org/mozilla-central/rev/c48293a61cbf#l3.13, so I assume a different bug was reproducing on 6e35e01646d7. 6e35e01646d7 does not include https://hg.mozilla.org/mozilla-central/rev/b67ba5d335d8, so I would expect this testcase to reproduce bug 1634200. I'm not reproducing any crash with this testcase on b67ba5d335d8.
If the testcase is still causing a crash after b67ba5d335d8, are you able to provide the new stack, please?
Karl, you are correct. Bugmon was reproducing the assertion from bug 1634200. Using the latest debug build, no crash/assertion is detected.
|
|
Reporter | |
Updated•4 years ago
|
|
|
Reporter | |
Comment 13•4 years ago
|
||
Bugmon Analysis: Bug marked as FIXED but still reproduces on mozilla-central 20200806033456-6e35e01646d7.
|
|
Reporter | |
Comment 14•4 years ago
|
||
Removing the bugmon keyword to prevent this from being analyzed again.
|
||
Updated•4 years ago
|
|
||
Comment 15•3 years ago
|
||
:karlt, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
|
|
||
Comment 16•3 years ago
|
||
(Answering for Karl who is on PTO).
I put something, but in the grand scheme of things, this was buggy when AudioWorklet shipped, and it was then fixed. This regression became visible when shipping AudioWorklet (release: bug 1616725, nightly: bug 1616723), but this particular code path was introduced in bug 1598114.
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
|
Assignee | |
Updated•3 years ago
|
Description
•