Closed Bug 1677555 Opened 4 years ago Closed 3 years ago

Hit MOZ_CRASH(already mutably borrowed) at /builds/worker/checkouts/gecko/third_party/rust/atomic_refcell/src/lib.rs:161

Categories

(Core :: CSS Parsing and Computation, defect)

defect
Not set
normal

Tracking

VERIFIED FIXED
90 Branch
Tracking Status
firefox-esr78 --- fixed
firefox85 --- wontfix
firefox88 --- wontfix
firefox89 --- wontfix
firefox90 --- verified

People

(Reporter: jkratzer, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.zip

Testcase found while fuzzing mozilla-central rev e22423381bcd (built with --enable-debug).

Hit MOZ_CRASH(already mutably borrowed) at /builds/worker/checkouts/gecko/third_party/rust/atomic_refcell/src/lib.rs:161

    #0 0x7f182882eda5 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:254:3
    #1 0x7f182882eda5 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:17:3
    #2 0x7f182882ed54 in mozglue_static::panic_hook::h6e70bafc479dc06d /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:89:9
    #3 0x7f182882e67b in core::ops::function::Fn::call::h01fce3a141895069 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:70:5
    #4 0x7f18297e9b77 in std::panicking::rust_panic_with_hook::haa1ed36ada4ffb03 /rustc/18bf6b4f01a6feaf7259ba7cdae58031af1b7b39/library/std/src/panicking.rs:573:17
    #5 0x7f1829716625 in std::panicking::begin_panic::_$u7b$$u7b$closure$u7d$$u7d$::h445ee16c9838728e /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:498:9
    #6 0x7f18297165af in std::sys_common::backtrace::__rust_end_short_backtrace::h613a89b08fa40f2a /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:153:18
    #7 0x7f18297165ee in std::panicking::begin_panic::h7ce7183ddd8984f2 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:497:12
    #8 0x7f18297167dc in atomic_refcell::AtomicBorrowRef::do_panic::h972137edb65bdb13 /builds/worker/checkouts/gecko/third_party/rust/atomic_refcell/src/lib.rs:161:13
    #9 0x7f182929740b in atomic_refcell::AtomicBorrowRef::new::hcbbb98423fa17100 /builds/worker/checkouts/gecko/third_party/rust/atomic_refcell/src/lib.rs:130:13
    #10 0x7f182929740b in atomic_refcell::AtomicRefCell$LT$T$GT$::borrow::he0ba69b2beee81d3 /builds/worker/checkouts/gecko/third_party/rust/atomic_refcell/src/lib.rs:88:21
    #11 0x7f182929740b in style::shared_lock::SharedRwLock::read::_$u7b$$u7b$closure$u7d$$u7d$::h1d3fe2b2188dfdd3 /builds/worker/checkouts/gecko/servo/components/style/shared_lock.rs:115:61
    #12 0x7f182929740b in core::option::Option$LT$T$GT$::map::h24b6f333f1576308 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/option.rs:437:29
    #13 0x7f182929740b in style::shared_lock::SharedRwLock::read::he833709358a5513b /builds/worker/checkouts/gecko/servo/components/style/shared_lock.rs:115:31
    #14 0x7f1829114b93 in Servo_StyleSet_RemoveStyleSheet /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:1887:17
    #15 0x7f1824f9e3b3 in mozilla::ServoStyleSet::RemoveStyleSheet(mozilla::StyleSheet&) /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:601:3
    #16 0x7f1824f9e0cb in mozilla::ServoStyleSet::ShellDetachedFromDocument() /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:150:7
    #17 0x7f182237ace6 in mozilla::dom::Document::DeletePresShell() /builds/worker/checkouts/gecko/dom/base/Document.cpp:6486:14
    #18 0x7f182501ae45 in mozilla::PresShell::Destroy() /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:1406:16
    #19 0x7f18250973a2 in nsDocumentViewer::DestroyPresShell() /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:3787:15
    #20 0x7f1825090f53 in nsDocumentViewer::Destroy() /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1752:5
    #21 0x7f18220df97e in mozilla::image::SVGDocumentWrapper::DestroyViewer() /builds/worker/checkouts/gecko/image/SVGDocumentWrapper.cpp:57:14
    #22 0x7f18220df7ac in mozilla::image::SVGDocumentWrapper::~SVGDocumentWrapper() /builds/worker/checkouts/gecko/image/SVGDocumentWrapper.cpp:47:3
    #23 0x7f18220df48b in mozilla::image::SVGDocumentWrapper::Release() /builds/worker/checkouts/gecko/image/SVGDocumentWrapper.cpp:40:1
    #24 0x7f18220edb64 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
    #25 0x7f18220edb64 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
    #26 0x7f18220edb64 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
    #27 0x7f18220edb64 in mozilla::image::VectorImage::~VectorImage() /builds/worker/checkouts/gecko/image/VectorImage.cpp:362:1
    #28 0x7f18220ed7ce in mozilla::image::VectorImage::Release() /builds/worker/checkouts/gecko/image/VectorImage.cpp:342:1
    #29 0x7f1822126316 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
    #30 0x7f1822126316 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
    #31 0x7f1822126316 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
    #32 0x7f1822126316 in imgRequest::~imgRequest() /builds/worker/checkouts/gecko/image/imgRequest.cpp:85:1
    #33 0x7f1822125b5c in imgRequest::Release() /builds/worker/checkouts/gecko/image/imgRequest.cpp:51:1
    #34 0x7f182213bf1f in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
    #35 0x7f182213bf1f in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
    #36 0x7f182213bf1f in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
    #37 0x7f182213bf1f in ~RequestBehaviour /builds/worker/checkouts/gecko/image/imgRequestProxy.cpp:41:7
    #38 0x7f182213bf1f in RequestBehaviour::~RequestBehaviour() /builds/worker/checkouts/gecko/image/imgRequestProxy.cpp:41:7
    #39 0x7f182212f854 in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:460:5
    #40 0x7f182212f854 in reset /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:302:7
    #41 0x7f182212f854 in ~UniquePtr /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:253:18
    #42 0x7f182212f854 in imgRequestProxy::~imgRequestProxy() /builds/worker/checkouts/gecko/image/imgRequestProxy.cpp:163:1
    #43 0x7f18221303f8 in imgRequestProxy::~imgRequestProxy() /builds/worker/checkouts/gecko/image/imgRequestProxy.cpp:124:37
    #44 0x7f182212e97a in imgRequestProxy::Release() /builds/worker/checkouts/gecko/image/imgRequestProxy.cpp:93:1
    #45 0x7f1824fe5f6c in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
    #46 0x7f1824fe5f6c in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
    #47 0x7f1824fe5f6c in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
    #48 0x7f1824fe5f6c in ~StyleImageRequestCleanupTask /builds/worker/checkouts/gecko/layout/style/nsStyleStruct.cpp:195:3
    #49 0x7f1824fe5f6c in StyleImageRequestCleanupTask::~StyleImageRequestCleanupTask() /builds/worker/checkouts/gecko/layout/style/nsStyleStruct.cpp:192:43
    #50 0x7f18207cad27 in mozilla::Runnable::Release() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:68:1
    #51 0x7f1824fcfccd in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
    #52 0x7f1824fcfccd in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
    #53 0x7f1824fcfccd in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
    #54 0x7f1824fcfccd in Gecko_LoadData_Drop /builds/worker/checkouts/gecko/layout/style/nsStyleStruct.cpp:213:3
    #55 0x7f182924863d in _$LT$style..gecko..url..LoadData$u20$as$u20$core..ops..drop..Drop$GT$::drop::hd4b48bf9099f089d /builds/worker/checkouts/gecko/servo/components/style/gecko/url.rs:187:18
    #56 0x7f182924863d in core::ptr::drop_in_place::h5288ae44589a32da /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:184:1
    #57 0x7f182924863d in core::ptr::drop_in_place::h96287336e640aa53 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:184:1
    #58 0x7f182924863d in core::ptr::drop_in_place::h1f0d70ab33a7e321 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:184:1
    #59 0x7f182924863d in core::ptr::drop_in_place::h9e542266822b7451 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:184:1
    #60 0x7f182924863d in core::ptr::drop_in_place::hab202ed5fd9c6783 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:184:1
    #61 0x7f182924863d in servo_arc::Arc$LT$T$GT$::drop_slow::had87ec1b9cb14716 /builds/worker/checkouts/gecko/servo/components/servo_arc/lib.rs:359:42
    #62 0x7f18291b003a in _$LT$servo_arc..Arc$LT$T$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::h2126e4c3259b3268 /builds/worker/checkouts/gecko/servo/components/servo_arc/lib.rs:545:13
    #63 0x7f18291b003a in core::ptr::drop_in_place::h0c3ee10b73a2687e /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:184:1
    #64 0x7f18291b003a in core::ptr::drop_in_place::hcd03ad4b08c0805f /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:184:1
    #65 0x7f18291b003a in core::ptr::drop_in_place::h2b6ee3f8a20950ef /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:184:1
    #66 0x7f18291b003a in core::ptr::drop_in_place::ha680feda4630b499 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:184:1
    #67 0x7f18291b003a in core::ptr::drop_in_place::h645136a99eb219b7 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:184:1
    #68 0x7f18291b003a in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::h33d7fdb62f89a4ef /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/vec.rs:2447:13
    #69 0x7f18291b003a in core::ptr::drop_in_place::hd999d0d5c712e744 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:184:1
    #70 0x7f18291b003a in _$LT$style_traits..owned_slice..OwnedSlice$LT$T$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::h059a2704c0056d6b /builds/worker/checkouts/gecko/servo/components/style_traits/owned_slice.rs:52:67
    #71 0x7f18291b003a in core::ptr::drop_in_place::h4c9e4741a8faf7d4 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:184:1
    #72 0x7f18291b003a in core::ptr::drop_in_place::h1ea157d999ab6876 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:184:1
    #73 0x7f18291b003a in core::ptr::drop_in_place::h57735c91c83a2f63 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:184:1
    #74 0x7f182948c757 in style::properties::declaration_block::PropertyDeclarationBlock::update::h635549c271a069b8 /builds/worker/checkouts/gecko/servo/components/style/properties/declaration_block.rs:654:21
    #75 0x7f182914125a in geckoservo::glue::set_property_to_declarations::_$u7b$$u7b$closure$u7d$$u7d$::h7540e9a3566a4368 /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:4452:9
    #76 0x7f182914125a in geckoservo::glue::write_locked_arc::hde564c7dbee91737 /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:2076:5
    #77 0x7f182914125a in geckoservo::glue::set_property_to_declarations::h830335f1913f3c31 /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:4451:5
    #78 0x7f182914125a in geckoservo::glue::set_property::h50093cf52c7ce1e6 /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:4493:5
    #79 0x7f1829141a50 in Servo_DeclarationBlock_SetPropertyById /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:4564:5
    #80 0x7f1824fc731a in operator() /builds/worker/checkouts/gecko/layout/style/nsDOMCSSDeclaration.cpp:322:16
    #81 0x7f1824fc731a in ModifyDeclaration<(lambda at /builds/worker/checkouts/gecko/layout/style/nsDOMCSSDeclaration.cpp:321:7)> /builds/worker/checkouts/gecko/layout/style/nsDOMCSSDeclaration.cpp:296:13
    #82 0x7f1824fc731a in nsDOMCSSDeclaration::ParsePropertyValue(nsCSSPropertyID, nsTSubstring<char> const&, bool, nsIPrincipal*) /builds/worker/checkouts/gecko/layout/style/nsDOMCSSDeclaration.cpp:319:10
    #83 0x7f1824fc78e0 in nsDOMCSSDeclaration::SetProperty(nsTSubstring<char> const&, nsTSubstring<char> const&, nsTSubstring<char16_t> const&, nsIPrincipal*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/layout/style/nsDOMCSSDeclaration.cpp:223:9
    #84 0x7f1822cefda5 in mozilla::dom::CSSStyleDeclaration_Binding::setProperty(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/CSSStyleDeclarationBinding.cpp:423:24
    #85 0x7f18236d4f2a in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3229:13
    #86 0x7f182668d9b1 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:507:13
    #87 0x7f182668d0e8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:599:12
    #88 0x7f182668ec93 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:664:10
    #89 0x7f1826682993 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:668:10
    #90 0x7f1826682993 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3337:16
    #91 0x7f18266798c4 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:477:13
    #92 0x7f182668d0b9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:636:13
    #93 0x7f182668ec93 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:664:10
    #94 0x7f182668eecf in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:681:8
    #95 0x7f1826c73d4b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2830:10
    #96 0x7f182340598c in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:57:8
    #97 0x7f1823a6a576 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #98 0x7f1823a6a2bd in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1073:43
    #99 0x7f1823a6af62 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1270:17
    #100 0x7f1823a60232 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:354:5
    #101 0x7f1823a60232 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:352:17
    #102 0x7f1823a5f7e3 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:554:16
    #103 0x7f1823a622f0 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1093:11
    #104 0x7f1823a64f36 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
    #105 0x7f18225039c3 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1315:17
    #106 0x7f182220aeca in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4072:28
    #107 0x7f182220ad53 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4042:10
    #108 0x7f18223800a3 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7369:3
    #109 0x7f18223f1476 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1188:12
    #110 0x7f18223f1476 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1194:12
    #111 0x7f18223f1476 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1240:13
    #112 0x7f18207bbc02 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:146:20
    #113 0x7f18207c1c1f in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:450:16
    #114 0x7f18207c028a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:720:26
    #115 0x7f18207bf334 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:579:15
    #116 0x7f18207bf4e7 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:373:36
    #117 0x7f18207c5476 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:120:37
    #118 0x7f18207c5476 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #119 0x7f18207d69f7 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:14
    #120 0x7f18207dc73a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #121 0x7f18210d1d46 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #122 0x7f18210418f3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #123 0x7f182104180d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #124 0x7f182104180d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #125 0x7f1824d49608 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #126 0x7f1826552c93 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #127 0x7f18210d2b09 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #128 0x7f18210418f3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #129 0x7f182104180d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #130 0x7f182104180d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #131 0x7f1826552878 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #132 0x564888ef0a27 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #133 0x564888ef0a27 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:304:18
    #134 0x7f1834d8d0b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?

Woah, this one is a gnarly one, nice!

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201116210217-6b97acd45602.
Failed to bisect testcase (Start build crashes!):

Start: fdd07df83c87f12725f4b97c80e644fd11673977 (20191119043902)
End: e22423381bcd757b7ab1e58b0f915cd2e9a6a729 (20201116101121)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Assignee: nobody → emilio
Flags: needinfo?(emilio)
Crash Signature: [@ atomic_refcell::AtomicBorrowRef::do_panic ]
Keywords: crash

In this particular case the issue wouldn't end up in any sort of memory
corruption if we didn't safely crash, but these are quite tricky to
reason about, so it's better to avoid the reentrancy altogether if
possible.

I tried to convert the fuzzer test-case into a crashtest but failed (as
in, it didn't crash without the patch under the test harness).

Flags: needinfo?(emilio)
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4c53c4da7ece Always release imgRequestProxy async. r=tnikkel
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d0340cd144b7 Always release imgRequestProxy async. r=tnikkel
Flags: needinfo?(emilio)
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 90 Branch
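
The reentrancy in the stack trace (a value dropped while the style lock is write-borrowed releases an image, whose teardown then reads the same lock) and the deferred release named in the fix title, as an added Rust example that is not the Gecko patch or code from this bug. It assumes std's `RefCell` in place of `AtomicRefCell`; `Shared`, `Image`, `Release`, `load_data`, `set_property`, `run_cleanup` and `run` are hypothetical names, and `LoadData` only borrows its name from the trace.

```rust
use std::cell::{Cell, RefCell};
use std::rc::Rc;

#[derive(Clone, Copy)]
enum Release { Sync, Deferred } // release inside Drop vs. queue for a later turn

// Hypothetical stand-in for the style lock plus a queue of deferred releases.
#[derive(Default)]
struct Shared {
    lock: RefCell<()>,            // std RefCell in place of AtomicRefCell
    cleanup: RefCell<Vec<Image>>, // images waiting for a later event-loop turn
    reentrant_reads: Cell<u32>,   // teardown reads attempted under the write borrow
    teardowns: Cell<u32>,         // teardown reads that got the lock
}

// Stand-in for the image request: its last release needs to read the style lock.
struct Image { shared: Rc<Shared> }
impl Drop for Image {
    fn drop(&mut self) {
        let s = &self.shared;
        match s.lock.try_borrow() {
            Ok(_read) => s.teardowns.set(s.teardowns.get() + 1),
            // A plain borrow() would panic here, as in the stack trace.
            Err(_) => s.reentrant_reads.set(s.reentrant_reads.get() + 1),
        }
    }
}

// Stand-in for a declared value that owns an image reference.
struct LoadData { image: Option<Image>, mode: Release }
impl Drop for LoadData {
    fn drop(&mut self) {
        if let Some(img) = self.image.take() {
            match self.mode {
                Release::Sync => drop(img),
                Release::Deferred => {
                    let shared = Rc::clone(&img.shared);
                    shared.cleanup.borrow_mut().push(img);
                }
            }
        }
    }
}

fn load_data(shared: &Rc<Shared>, mode: Release) -> LoadData {
    LoadData { image: Some(Image { shared: Rc::clone(shared) }), mode }
}

// Replaces a value under the write borrow; the old value is dropped inside it.
fn set_property(shared: &Shared, slot: &mut Option<LoadData>, new: LoadData) {
    let _write = shared.lock.borrow_mut();
    *slot = Some(new);
}

// A later event-loop turn: drop the queued images with no borrow held.
fn run_cleanup(shared: &Shared) {
    let pending = std::mem::take(&mut *shared.cleanup.borrow_mut());
    drop(pending);
}

// Returns (reentrant reads, clean teardowns) after one update and final cleanup.
fn run(mode: Release) -> (u32, u32) {
    let shared = Rc::new(Shared::default());
    let mut slot = Some(load_data(&shared, mode));
    set_property(&shared, &mut slot, load_data(&shared, mode));
    drop(slot); // the replacement value goes away with no borrow held
    run_cleanup(&shared);
    (shared.reentrant_reads.get(), shared.teardowns.get())
}

fn main() {
    println!("sync {:?}, deferred {:?}", run(Release::Sync), run(Release::Deferred));
}
```

With `Release::Sync` one of the two teardowns runs while the write borrow is still held; with `Release::Deferred` both run after it has been released.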

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210526160253-4973f32229d6.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Flags: in-testsuite? → in-testsuite-

Is this something we should consider backporting to ESR78? It grafts cleanly as-landed.

Flags: needinfo?(emilio)

Comment on attachment 9223468 [details]
Bug 1677555 - Always release imgRequestProxy async. r=tnikkel

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Relatively high-volume crash, simple fix.
  • User impact if declined: crashes
  • Fix Landed on Version: 90
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Pretty straight-forward patch.
  • String or UUID changes made by this patch: none
Flags: needinfo?(emilio)
Attachment #9223468 - Flags: approval-mozilla-esr78?

If you think it's high-volume enough, then sure.

Comment on attachment 9223468 [details]
Bug 1677555 - Always release imgRequestProxy async. r=tnikkel

Approved for 78.12esr.

Attachment #9223468 - Flags: approval-mozilla-esr78? → approval-mozilla-esr78+

:emilio, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(emilio)

Sorry, bug in the bot.

Flags: needinfo?(emilio)