Assertion failure: timeout->mFiringIndex > mLastFiringIndex, at /dom/base/TimeoutManager.cpp:889
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
| | Tracking | Status |
|---|---|---|
| firefox117 | --- | fixed |
People
(Reporter: jkratzer, Assigned: jesup, NeedInfo)
References
(Blocks 1 open bug)
Details
(Whiteboard: [bugmon:confirm])
Attachments
(2 files)
Found while fuzzing mozilla-central rev 295a38fd9261 (built with: --enable-debug --enable-fuzzing).
I have a testcase but it has not been minimized and does not reproduce consistently. In lieu of a testcase, I've included a pernosco session here. If you would still like to see the testcase, please NI me.
https://pernos.co/debug/bt9mtHypqApEHL5hYRDufg/index.html
Assertion failure: timeout->mFiringIndex > mLastFiringIndex, at /dom/base/TimeoutManager.cpp:889
==374707==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7a7e448ee4 bp 0x7ffc5d3ffd90 sp 0x7ffc5d3ffce0 T374707)
==374707==The signal is caused by a WRITE memory access.
==374707==Hint: address points to the zero page.
#0 0x7f7a7e448ee4 in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /dom/base/TimeoutManager.cpp:889:9
#1 0x7f7a7e447b52 in mozilla::dom::TimeoutExecutor::MaybeExecute() /dom/base/TimeoutExecutor.cpp:179:11
#2 0x7f7a7e449172 in mozilla::dom::TimeoutExecutor::Run() /dom/base/TimeoutExecutor.cpp:234:5
#3 0x7f7a7c699ae8 in IdleRunnableWrapper::Run() /xpcom/threads/nsThreadUtils.cpp:310:22
#4 0x7f7a7c69a50e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:502:16
#5 0x7f7a7c6757df in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:805:26
#6 0x7f7a7c674579 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:683:15
#7 0x7f7a7c6746c3 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:425:36
#8 0x7f7a7c69db06 in operator() /xpcom/threads/TaskController.cpp:135:37
#9 0x7f7a7c69db06 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#10 0x7f7a7c688fbf in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1148:16
#11 0x7f7a7c68fd0a in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:466:10
#12 0x7f7a7d0e02c6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#13 0x7f7a7d0008a7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
#14 0x7f7a7d0007b2 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
#15 0x7f7a7d0007b2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
#16 0x7f7a80f939a8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
#17 0x7f7a82e16cd3 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:917:20
#18 0x7f7a7d0e11ba in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
#19 0x7f7a7d0008a7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
#20 0x7f7a7d0007b2 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
#21 0x7f7a7d0007b2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
#22 0x7f7a82e1630e in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:749:34
#23 0x5638459e7ab6 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#24 0x5638459e7ab6 in main /browser/app/nsBrowserApp.cpp:327:18
#25 0x7f7a91e4a0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#26 0x5638459c48bc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x158bc)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/base/TimeoutManager.cpp:889:9 in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool)
==374707==ABORTING
Assignee, Comment 4 • 3 years ago
(In reply to Hsin-Yi Tsai [:hsinyi] from comment #3)
> Randell, is TimeoutManager your area of interest?

Yes, and @bwc (fyi)
Assignee, Comment 5 • 3 years ago
Actually, this is really for me and smaug
Comment 6 • 3 years ago
Let me know if we should raise/downgrade the severity level.
Assignee, Comment 8 • 1 year ago
I believe this is just a buggy debug-only assert, which is trying to check spec compliance. The deferral code subtly broke one of the assumptions around FiringIndex; we're supposed to set it when we try to run a timer, and instead if we're deferring timers we set it when we defer. This may cause breakage with recursive timers if the timing is right, I suspect.
https://treeherder.mozilla.org/jobs?repo=try&revision=0f1adb557b091b58dca2c4ec6a5423dc9a40be29
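A toy model of the ordering problem comment 8 describes, added here as an illustration and not taken from TimeoutManager.cpp. `Replay`, `Policy`, `Op` and the schedule are assumptions, and the interleaving is constructed rather than the fuzzer's testcase; it shows how an index taken at deferral time can be lower than the index of a timeout that ran in the meantime, which fails a strictly-increasing check.

```cpp
#include <cstdio>
#include <deque>
#include <vector>

// Toy model, not Firefox code: all names and the schedule format are assumed.
struct Timeout {
  int id = 0;
  long firingIndex = -1;  // -1: no index assigned yet
};
enum class Policy { AssignOnDefer, AssignOnRun };
enum class Op { Defer, RunNow, DrainDeferred };
struct Event { Op op; int id; };

// Replays a schedule and returns the ids of timeouts that failed the
// "firingIndex > lastFiringIndex" check at the moment they ran.
std::vector<int> Replay(Policy policy, const std::vector<Event>& schedule) {
  long nextIndex = 0, lastFiringIndex = -1;
  std::deque<Timeout> deferred;
  std::vector<int> violations;
  auto run = [&](Timeout t) {
    if (t.firingIndex < 0) t.firingIndex = nextIndex++;  // assign at run time
    if (!(t.firingIndex > lastFiringIndex)) violations.push_back(t.id);
    lastFiringIndex = t.firingIndex;
  };
  for (const Event& e : schedule) {
    Timeout t;
    t.id = e.id;
    if (e.op == Op::Defer) {
      // Behaviour described in comment 8: the index is taken when deferring.
      if (policy == Policy::AssignOnDefer) t.firingIndex = nextIndex++;
      deferred.push_back(t);
    } else if (e.op == Op::RunNow) {
      run(t);
    } else {  // DrainDeferred: run everything that was parked, FIFO
      for (; !deferred.empty(); deferred.pop_front()) run(deferred.front());
    }
  }
  return violations;
}

// Constructed schedule: timeout 1 is deferred, timeout 2 runs directly,
// then the deferred queue is drained (the id of a drain event is unused).
const std::vector<Event> kSchedule = {
    {Op::Defer, 1}, {Op::RunNow, 2}, {Op::DrainDeferred, 0}};

int main() {
  std::printf("violations: on-defer=%zu on-run=%zu\n",
              Replay(Policy::AssignOnDefer, kSchedule).size(),
              Replay(Policy::AssignOnRun, kSchedule).size());
}
```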