Closed Bug 1729559 Opened 3 years ago Closed 1 year ago

Assertion failure: timeout->mFiringIndex > mLastFiringIndex, at /dom/base/TimeoutManager.cpp:889

Categories: Core :: DOM: Core & HTML, defect
Platform: x86_64 Linux
Status: RESOLVED FIXED
Target Milestone: 117 Branch
Tracking Status: firefox117 --- fixed
People: Reporter: jkratzer, Assigned: jesup, NeedInfo
References: Blocks 1 open bug
Whiteboard: [bugmon:confirm]
Attachments: 2 files

Found while fuzzing mozilla-central rev 295a38fd9261 (built with: --enable-debug --enable-fuzzing).

I have a testcase but it has not been minimized and does not reproduce consistently. In lieu of a testcase, I've included a pernosco session here. If you would still like to see the testcase, please NI me.

https://pernos.co/debug/bt9mtHypqApEHL5hYRDufg/index.html

Assertion failure: timeout->mFiringIndex > mLastFiringIndex, at /dom/base/TimeoutManager.cpp:889

    ==374707==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7a7e448ee4 bp 0x7ffc5d3ffd90 sp 0x7ffc5d3ffce0 T374707)
    ==374707==The signal is caused by a WRITE memory access.
    ==374707==Hint: address points to the zero page.
        #0 0x7f7a7e448ee4 in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /dom/base/TimeoutManager.cpp:889:9
        #1 0x7f7a7e447b52 in mozilla::dom::TimeoutExecutor::MaybeExecute() /dom/base/TimeoutExecutor.cpp:179:11
        #2 0x7f7a7e449172 in mozilla::dom::TimeoutExecutor::Run() /dom/base/TimeoutExecutor.cpp:234:5
        #3 0x7f7a7c699ae8 in IdleRunnableWrapper::Run() /xpcom/threads/nsThreadUtils.cpp:310:22
        #4 0x7f7a7c69a50e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:502:16
        #5 0x7f7a7c6757df in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:805:26
        #6 0x7f7a7c674579 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:683:15
        #7 0x7f7a7c6746c3 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:425:36
        #8 0x7f7a7c69db06 in operator() /xpcom/threads/TaskController.cpp:135:37
        #9 0x7f7a7c69db06 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #10 0x7f7a7c688fbf in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1148:16
        #11 0x7f7a7c68fd0a in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:466:10
        #12 0x7f7a7d0e02c6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #13 0x7f7a7d0008a7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #14 0x7f7a7d0007b2 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #15 0x7f7a7d0007b2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #16 0x7f7a80f939a8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #17 0x7f7a82e16cd3 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:917:20
        #18 0x7f7a7d0e11ba in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #19 0x7f7a7d0008a7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #20 0x7f7a7d0007b2 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #21 0x7f7a7d0007b2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #22 0x7f7a82e1630e in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:749:34
        #23 0x5638459e7ab6 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #24 0x5638459e7ab6 in main /browser/app/nsBrowserApp.cpp:327:18
        #25 0x7f7a91e4a0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #26 0x5638459c48bc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x158bc)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/base/TimeoutManager.cpp:889:9 in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool)
    ==374707==ABORTING

Randell, is TimeoutManager your area of interest?

Flags: needinfo?(rjesup)
Keywords: testcase
Depends on: domino
Blocks: domino
No longer depends on: domino

(In reply to Hsin-Yi Tsai [:hsinyi] from comment #3)

> Randell, is TimeoutManager your area of interest?

Yes, and @bwc (fyi)

Flags: needinfo?(rjesup) → needinfo?(docfaraday)

Actually, this is really for me and smaug

Flags: needinfo?(docfaraday)
Flags: needinfo?(rjesup)

Let me know if we should raise/downgrade the severity level.

Severity: -- → S3
Assignee: nobody → rjesup
Status: NEW → ASSIGNED

I believe this is just a buggy debug-only assert, which is trying to check spec compliance. The deferral code subtly broke one of the assumptions around FiringIndex; we're supposed to set it when we try to run a timer, and instead if we're deferring timers we set it when we defer. This may cause breakage with recursive timers if the timing is right, I suspect.

https://treeherder.mozilla.org/jobs?repo=try&revision=0f1adb557b091b58dca2c4ec6a5423dc9a40be29
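The ordering assumption described in the comment above, modelled as an added example (this is not Firefox code and not part of the bug thread): a toy timeout queue that stamps each timer with a firing index and checks the same invariant as the assertion in comment 0, `mFiringIndex > mLastFiringIndex`. Only the field names `mFiringIndex` and `mLastFiringIndex` are taken from the bug; `TimeoutModel`, `IndexPolicy`, `RunPass` and `RunScenario` are this example's own names, and the two-timer interleaving is constructed to show the difference between stamping on deferral and stamping on fire.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Constructed model of a timeout queue. It is not Firefox's TimeoutManager;
// only the field names mFiringIndex and mLastFiringIndex come from the bug
// report, and the deferral logic is a deliberately minimal stand-in.
struct Timeout {
  std::string name;
  uint32_t mFiringIndex;  // 0 means "not stamped yet"
};

// Which event stamps the firing index. AssignOnDefer reproduces the ordering
// problem described in the thread (stamping when a timer is deferred);
// AssignOnFire stamps only when the timer actually attempts to fire.
enum class IndexPolicy { AssignOnDefer, AssignOnFire };

class TimeoutModel {
 public:
  explicit TimeoutModel(IndexPolicy policy) : policy_(policy) {}

  // One pass over the timers that are due. defer[i] == true means timer i is
  // pushed back for the next pass instead of running now. Returns false the
  // moment a fired timer would violate mFiringIndex > mLastFiringIndex, which
  // is where the debug assertion in the report would trip.
  bool RunPass(std::vector<Timeout>& due, const std::vector<bool>& defer) {
    std::vector<Timeout> carriedOver;
    for (size_t i = 0; i < due.size(); ++i) {
      Timeout& t = due[i];
      bool deferNow = i < defer.size() && defer[i];
      if (deferNow) {
        if (policy_ == IndexPolicy::AssignOnDefer) {
          t.mFiringIndex = ++nextIndex_;  // stamped before it ever fires
        }
        carriedOver.push_back(t);
        continue;
      }
      // Under AssignOnFire every firing gets a fresh index; under
      // AssignOnDefer a previously stamped (deferred) timer keeps its old one.
      if (policy_ == IndexPolicy::AssignOnFire || t.mFiringIndex == 0) {
        t.mFiringIndex = ++nextIndex_;
      }
      if (!(t.mFiringIndex > lastFiringIndex_)) {
        return false;
      }
      lastFiringIndex_ = t.mFiringIndex;
      firedOrder_.push_back(t.name);
    }
    due = carriedOver;
    return true;
  }

  uint32_t lastFiringIndex() const { return lastFiringIndex_; }
  const std::vector<std::string>& firedOrder() const { return firedOrder_; }

 private:
  IndexPolicy policy_;
  uint32_t nextIndex_ = 0;
  uint32_t lastFiringIndex_ = 0;
  std::vector<std::string> firedOrder_;
};

// Constructed interleaving: timer A is deferred in the first pass while timer
// B fires, then A finally fires in the second pass. Returns true only if both
// passes kept the invariant.
bool RunScenario(IndexPolicy policy) {
  TimeoutModel model(policy);
  std::vector<Timeout> due = {{"A", 0}, {"B", 0}};
  if (!model.RunPass(due, {true, false})) return false;  // A deferred, B fires
  return model.RunPass(due, {});                           // A fires now
}

int main() {
  std::printf("assign-on-defer keeps invariant: %s\n",
              RunScenario(IndexPolicy::AssignOnDefer) ? "yes" : "no");
  std::printf("assign-on-fire keeps invariant:  %s\n",
              RunScenario(IndexPolicy::AssignOnFire) ? "yes" : "no");
  return 0;
}
```

Under assign-on-defer, A carries index 1 into the second pass while B has already advanced the last-fired index to 2, so A's firing fails the strict-increase check; under assign-on-fire, A is stamped with 2 at the moment it runs and the check holds. The `AssignOnFire` branch is the behaviour the landed changeset's title describes ("Only set mFiringIndex for timers when they actually attempt to fire").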

Pushed by rjesup@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/31c4f78f20c4 Only set mFiringIndex for timers when they actually attempt to fire r=smaug
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 117 Branch
