Closed Bug 1697539 Opened 4 years ago Closed 3 years ago

Assertion failure: !mProxy->mSyncLoopTarget, at /builds/worker/checkouts/gecko/dom/xhr/XMLHttpRequestWorker.cpp:1314

Categories

(Core :: DOM: Networking, defect, P2)

Tracking

()

VERIFIED FIXED
98 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox88 --- wontfix
firefox89 --- wontfix
firefox90 --- wontfix
firefox96 --- wontfix
firefox97 --- wontfix
firefox98 --- verified

People

(Reporter: jkratzer, Assigned: kershaw)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed][necko-triage])

Attachments

(3 files)

Attached file testcase.zip

Testcase found while fuzzing mozilla-central rev 056c2a428e2d (built with --enable-debug --enable-fuzzing).

Assertion failure: !mProxy->mSyncLoopTarget, at /builds/worker/checkouts/gecko/dom/xhr/XMLHttpRequestWorker.cpp:1314

    #0 0x7f65b92b1398 in mozilla::dom::SendRunnable::RunOnMainThread(mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/xhr/XMLHttpRequestWorker.cpp:1314:3
    #1 0x7f65b92b0be5 in mozilla::dom::WorkerThreadProxySyncRunnable::MainThreadRun() /builds/worker/checkouts/gecko/dom/xhr/XMLHttpRequestWorker.cpp:1188:3
    #2 0x7f65b90e000d in mozilla::dom::WorkerMainThreadRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:584:20
    #3 0x7f65b4e082cc in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /builds/worker/checkouts/gecko/xpcom/threads/ThrottledEventQueue.cpp:254:22
    #4 0x7f65b4e02e01 in mozilla::ThrottledEventQueue::Inner::Executor::Run() /builds/worker/checkouts/gecko/xpcom/threads/ThrottledEventQueue.cpp:81:15
    #5 0x7f65b4ddb88f in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:472:16
    #6 0x7f65b4dd9e00 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:760:26
    #7 0x7f65b4dd8bc4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:611:15
    #8 0x7f65b4dd8d77 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:395:36
    #9 0x7f65b4ddf6a6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:133:37
    #10 0x7f65b4ddf6a6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #11 0x7f65b4df0b97 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1158:16
    #12 0x7f65b4df75aa in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #13 0x7f65b571da96 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #14 0x7f65b5688ee3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #15 0x7f65b5688dfd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #16 0x7f65b5688dfd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #17 0x7f65b9505788 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #18 0x7f65bad5da33 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
    #19 0x7f65b571e97c in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #20 0x7f65b5688ee3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #21 0x7f65b5688dfd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #22 0x7f65b5688dfd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #23 0x7f65bad5d608 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #24 0x564504536fa6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #25 0x564504536fa6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309:18
    #26 0x7f65c9eee0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210310215846-db7158dfb86d.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 4fd5c458be4c3bc2d1f22bd575667104a5d173fe (20200312035749)
End: 056c2a428e2ded0b5d372aac48887dcc259cfbed (20210310093927)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Severity: -- → S3
Priority: -- → P2
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][necko-triage]
No longer blocks: domino
Depends on: domino
Blocks: domino
No longer depends on: domino
Flags: needinfo?(kershaw)

See the simplified test case below. This assertion is triggered because xhr.send is called again inside a sync xhr event loop.

  const xhr = new XMLHttpRequest({})
  xhr.addEventListener('readystatechange', (e) => {
    e.originalTarget.send('...')
  }, {})
  xhr.open('POST', 'FOOBAR', false)
  xhr.send()

The same test case works fine on the main thread, since there is a check in XMLHttpRequestMainThread::SendInternal to avoid this. However, the same check is missing in XMLHttpRequestWorker::Send.
Adding the same check can fix the problem in this bug.

Flags: needinfo?(kershaw)
Assignee: nobody → kershaw
Status: NEW → ASSIGNED
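
A model of the re-entrant send described in the comment above, added here as an example (not code from the bug or from Gecko): a toy worker-side XHR in which `syncLoopActive` stands in for `mProxy->mSyncLoopTarget`, run with and without the state check. It assumes the sync loop delivers `readystatechange` at DONE while it is still spinning; `ModelWorkerXHR` and `runTestcase` are hypothetical names.

```javascript
// Added model, not Gecko code. Only the synchronous send path is modelled.
const OPENED = 1, DONE = 4;

class ModelWorkerXHR {
  constructor(guarded) {
    this.guarded = guarded;       // true = state check present (the fix)
    this.readyState = 0;          // UNSENT
    this.syncLoopActive = false;  // stands in for mProxy->mSyncLoopTarget
    this.assertionHit = false;    // a debug build would abort at this point
    this.listenerErrors = [];     // names of exceptions thrown in listeners
    this.listeners = [];
  }
  addEventListener(type, fn) {
    if (type === 'readystatechange') this.listeners.push(fn);
  }
  changeState(state) {
    this.readyState = state;
    for (const fn of this.listeners) {
      // Listener exceptions are reported, not propagated to the dispatcher.
      try { fn({ originalTarget: this }); }
      catch (e) { this.listenerErrors.push(e.name); }
    }
  }
  open(method, url, isAsync) { this.changeState(OPENED); }
  send(body) {
    if (this.guarded && this.readyState !== OPENED) {
      throw Object.assign(new Error('state must be OPENED'), { name: 'InvalidStateError' });
    }
    if (this.syncLoopActive) {    // models the !mProxy->mSyncLoopTarget assert
      this.assertionHit = true;
      return;
    }
    this.syncLoopActive = true;   // sync XHR spins a nested event loop
    this.changeState(DONE);       // assumed: event delivered while it spins
    this.syncLoopActive = false;
  }
}

// Replays the simplified test case from the comment against the model.
function runTestcase(guarded) {
  const xhr = new ModelWorkerXHR(guarded);
  xhr.addEventListener('readystatechange', (e) => e.originalTarget.send('...'));
  xhr.open('POST', 'FOOBAR', false);
  let outerError = null;
  try { xhr.send(); } catch (e) { outerError = e.name; }
  return { assertionHit: xhr.assertionHit, listenerErrors: xhr.listenerErrors, outerError };
}

console.log('unguarded:', runTestcase(false), 'guarded:', runTestcase(true));
```

Without the check the nested `send()` reaches the modelled assertion; with it, the nested call and the final `xhr.send()` both fail with `InvalidStateError` because the state is no longer OPENED.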
Pushed by kjang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7a69785c9c46
Throw an "InvalidStateError" if the state is not opened, r=smaug
https://hg.mozilla.org/integration/autoland/rev/582cebc1d4f0
Test case, r=smaug
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 98 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220111093827-d2b119ce8d41.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

:kershaw, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(kershaw)

Sorry, bug in the bot.

Flags: needinfo?(kershaw)