Closed Bug 1691716 Opened 3 years ago Closed 3 years ago

Assertion failure: !Failed(), at /builds/worker/workspace/obj-build/dist/include/mozilla/ErrorResult.h:583 [@ mozilla::gmp::ChromiumCDMParent::SetServerCertificate]

Categories

(Core :: Audio/Video, defect, P2)

Tracking

RESOLVED FIXED
88 Branch
Tracking Status
firefox-esr78 --- wontfix
firefox86 --- wontfix
firefox87 --- wontfix
firefox88 --- fixed

People

(Reporter: jkratzer, Assigned: bryce)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase)

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev e958c1008b99 (built with --enable-debug).

I've uploaded a pernosco session for this bug:
https://pernos.co/debug/RZxw9vavBG8V31X1Gf959Q/index.html

Assertion failure: !Failed(), at /builds/worker/workspace/obj-build/dist/include/mozilla/ErrorResult.h:583

    #0 0x7f95293fe0be in mozilla::binding_danger::TErrorResult<mozilla::binding_danger::AssertAndSuppressCleanupPolicy>::AssertReportedOrSuppressed() /home/jkratzer/source/mozilla-central/objdir-ff-debug-pernosco/dist/include/mozilla/ErrorResult.h:583:5
    #1 0x7f95293fe014 in mozilla::binding_danger::TErrorResult<mozilla::binding_danger::AssertAndSuppressCleanupPolicy>::~TErrorResult() /home/jkratzer/source/mozilla-central/objdir-ff-debug-pernosco/dist/include/mozilla/ErrorResult.h:183:7
    #2 0x7f95293f3bd7 in mozilla::ErrorResult::~ErrorResult() /home/jkratzer/source/mozilla-central/objdir-ff-debug-pernosco/dist/include/mozilla/ErrorResult.h:693:7
    #3 0x7f952f5df855 in mozilla::gmp::ChromiumCDMParent::RejectPromiseWithStateError(unsigned int, nsTString<char> const&) /home/jkratzer/source/mozilla-central/dom/media/gmp/ChromiumCDMParent.cpp:469:1
    #4 0x7f952f5df7a0 in mozilla::gmp::ChromiumCDMParent::RejectPromiseShutdown(unsigned int) /home/jkratzer/source/mozilla-central/dom/media/gmp/ChromiumCDMParent.cpp:461:3
    #5 0x7f952f5dfb3a in mozilla::gmp::ChromiumCDMParent::SetServerCertificate(unsigned int, nsTArray<unsigned char> const&) /home/jkratzer/source/mozilla-central/dom/media/gmp/ChromiumCDMParent.cpp:160:5
    #6 0x7f952f62fa78 in decltype(*(fp).*fp0(Get<0ul>(fp1).PassAsParameter(), Get<1ul>(fp1).PassAsParameter())) mozilla::detail::RunnableMethodArguments<unsigned int, nsTArray<unsigned char> >::applyImpl<mozilla::gmp::ChromiumCDMParent, void (mozilla::gmp::ChromiumCDMParent::*)(unsigned int, nsTArray<unsigned char> const&), StoreCopyPassByConstLRef<unsigned int>, StoreCopyPassByConstLRef<nsTArray<unsigned char> >, 0ul, 1ul>(mozilla::gmp::ChromiumCDMParent*, void (mozilla::gmp::ChromiumCDMParent::*)(unsigned int, nsTArray<unsigned char> const&), mozilla::Tuple<StoreCopyPassByConstLRef<unsigned int>, StoreCopyPassByConstLRef<nsTArray<unsigned char> > >&, std::integer_sequence<unsigned long, 0ul, 1ul>) /home/jkratzer/source/mozilla-central/objdir-ff-debug-pernosco/dist/include/nsThreadUtils.h:1148:12
    #7 0x7f952f62f9ac in decltype(applyImpl(fp, fp0, *(this).mArguments, std::integer_sequence<unsigned long, 0ul, 1ul>{})) mozilla::detail::RunnableMethodArguments<unsigned int, nsTArray<unsigned char> >::apply<mozilla::gmp::ChromiumCDMParent, void (mozilla::gmp::ChromiumCDMParent::*)(unsigned int, nsTArray<unsigned char> const&)>(mozilla::gmp::ChromiumCDMParent*, void (mozilla::gmp::ChromiumCDMParent::*)(unsigned int, nsTArray<unsigned char> const&)) /home/jkratzer/source/mozilla-central/objdir-ff-debug-pernosco/dist/include/nsThreadUtils.h:1154:12
    #8 0x7f952f62f75f in mozilla::detail::RunnableMethodImpl<RefPtr<mozilla::gmp::ChromiumCDMParent>, void (mozilla::gmp::ChromiumCDMParent::*)(unsigned int, nsTArray<unsigned char> const&), true, (mozilla::RunnableKind)0, unsigned int, nsTArray<unsigned char> >::Run() /home/jkratzer/source/mozilla-central/objdir-ff-debug-pernosco/dist/include/nsThreadUtils.h:1201:13
    #9 0x7f952957cab3 in nsThread::ProcessNextEvent(bool, bool*) /home/jkratzer/source/mozilla-central/xpcom/threads/nsThread.cpp:1152:16
    #10 0x7f9529583056 in NS_ProcessNextEvent(nsIThread*, bool) /home/jkratzer/source/mozilla-central/xpcom/threads/nsThreadUtils.cpp:548:10
    #11 0x7f952a75615f in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/jkratzer/source/mozilla-central/ipc/glue/MessagePump.cpp:302:20
    #12 0x7f952a5dd056 in MessageLoop::RunInternal() /home/jkratzer/source/mozilla-central/ipc/chromium/src/base/message_loop.cc:335:10
    #13 0x7f952a5dcfd4 in MessageLoop::RunHandler() /home/jkratzer/source/mozilla-central/ipc/chromium/src/base/message_loop.cc:328:3
    #14 0x7f952a5dcf92 in MessageLoop::Run() /home/jkratzer/source/mozilla-central/ipc/chromium/src/base/message_loop.cc:310:3
    #15 0x7f9529578b14 in nsThread::ThreadFunc(void*) /home/jkratzer/source/mozilla-central/xpcom/threads/nsThread.cpp:391:10
    #16 0x7f954296444d in _pt_root /home/jkratzer/source/mozilla-central/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #17 0x7f9542ec9608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #18 0x7f9542a92292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Assignee: nobody → bvandyk
Severity: -- → S3
Priority: -- → P2

Similar to bug 1642735 -- we need to suppress the exception if we can't keep passing it up the stack. Fix incoming.

Keywords: regression
Regressed by: 1615035
See Also: → 1642735
Has Regression Range: --- → yes

My assumption is the path leading to this is racy, but to make sure, do you have a reliable repro? I'm fairly confident in my fix, but it wouldn't hurt to have a test too.

Flags: needinfo?(jkratzer)

(In reply to Bryce Seager van Dyk (:bryce) from comment #3)

> My assumption is the path leading to this is racy, but to make sure, do you have a reliable repro? I'm fairly confident in my fix, but it wouldn't hurt to have a test too.

:bryce, I do have a somewhat reliable repro but not one that would be suitable (raw fuzzer output) for landing as a test. I have tested against the patch above and can no longer reproduce the issue.

Flags: needinfo?(jkratzer)

Thanks for checking! Good to know it does fix the case even if we don't land the case in central.

Pushed by bvandyk@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c833495ba8ec
Stop ChromiumCDMParent triggering assert during early return of RejectPromise. r=jbauman
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch
Keywords: bugmon
Whiteboard: [bugmon:confirm]
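
The failure mode in the stack trace and the kind of fix the landing message describes (an early return in a reject path that leaves a failed error object unconsumed), modelled as an added C++ example. This is not Mozilla's code or the landed patch: `CheckedError`, `Parent`, `RejectBefore`, `RejectAfter` and `UnhandledAfter` are hypothetical stand-ins, and a counter replaces the debug assertion so the outcome can be inspected.

```cpp
#include <cstdio>
#include <utility>

// Hypothetical model, not Mozilla's ErrorResult: an error that must be reported
// or suppressed before destruction. A counter stands in for the debug assertion.
static int g_unhandled = 0;

class CheckedError {
 public:
  CheckedError() = default;
  CheckedError(CheckedError&& o) noexcept : failed_(o.failed_) { o.failed_ = false; }
  ~CheckedError() { if (failed_) ++g_unhandled; }  // the "!Failed()" check
  void Throw() { failed_ = true; }
  void SuppressException() { failed_ = false; }
 private:
  bool failed_ = false;
};

struct Parent {
  bool shutdown = false;
  void Deliver(CheckedError&& err) {  // normal path: takes ownership, reports
    CheckedError taken(std::move(err));
    taken.SuppressException();
  }
  void RejectBefore(CheckedError&& err) {  // early return leaves err failed
    if (shutdown) return;
    Deliver(std::move(err));
  }
  void RejectAfter(CheckedError&& err) {  // early return consumes err first
    if (shutdown) { err.SuppressException(); return; }
    Deliver(std::move(err));
  }
};

// Builds a failed error in the caller, as the reject helper in the trace does,
// and returns how many errors were destroyed while still failed.
int UnhandledAfter(bool fixed, bool shutdown) {
  g_unhandled = 0;
  Parent p;
  p.shutdown = shutdown;
  {
    CheckedError err;
    err.Throw();
    if (fixed) p.RejectAfter(std::move(err)); else p.RejectBefore(std::move(err));
  }  // err is destroyed here, where the assertion would fire
  return g_unhandled;
}

int main() { std::printf("before=%d after=%d\n", UnhandledAfter(false, true), UnhandledAfter(true, true)); }
```

Only the shutdown path differs between the two variants; when the error is delivered normally, ownership moves to the consumer and neither version trips the check.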