Open
Bug 1736084
Opened 3 years ago
Updated 7 months ago
Assertion failure: !mOwnerContent, at /builds/worker/checkouts/gecko/dom/base/nsFrameLoader.cpp:213
Categories
(Core :: DOM: Core & HTML, defect, P2)
Core
DOM: Core & HTML
Tracking
()
ASSIGNED
People
(Reporter: tsmith, Assigned: peterv)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(1 file)
|
4.36 KB,
application/x-zip-compressed
|
Details |
Found while fuzzing m-c 20211012-691a703f1fa2 (--enable-debug --enable-fuzzing)
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 29d6504debf5 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
Result: Assertion failure: !mOwnerContent, at src/dom/base/nsFrameLoader.cpp:213
#0 0x7fe3e136b2b8 in nsFrameLoader::~nsFrameLoader() src/dom/base/nsFrameLoader.cpp:213:3
#1 0x7fe3e1387f2b in DeleteCycleCollectable src/dom/base/nsFrameLoader.cpp:172:1
#2 0x7fe3e1387f2b in nsFrameLoader::cycleCollection::DeleteCycleCollectable(void*) src/dom/base/nsFrameLoader.h:132:3
#3 0x7fe3df44c4e8 in SnowWhiteKiller::MaybeKillObject(SnowWhiteKiller::SnowWhiteObject&) src/xpcom/base/nsCycleCollector.cpp:2426:29
#4 0x7fe3df440c73 in SnowWhiteKiller::~SnowWhiteKiller() src/xpcom/base/nsCycleCollector.cpp:2413:7
#5 0x7fe3df4400fa in nsCycleCollector::FreeSnowWhite(bool) src/xpcom/base/nsCycleCollector.cpp:2603:3
#6 0x7fe3df444a1b in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) src/xpcom/base/nsCycleCollector.cpp:3392:5
#7 0x7fe3df447319 in nsCycleCollector_collectSlice(js::SliceBudget&, bool) src/xpcom/base/nsCycleCollector.cpp:3923:21
#8 0x7fe3e13a9ae6 in nsJSContext::RunCycleCollectorSlice(mozilla::TimeStamp) src/dom/base/nsJSEnvironment.cpp
#9 0x7fe3e13aa5e6 in mozilla::CCGCScheduler::CCRunnerFired(mozilla::TimeStamp) src/dom/base/nsJSEnvironment.cpp:1546:9
#10 0x7fe3df50b6c2 in operator() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:706:14
#11 0x7fe3df50b6c2 in mozilla::IdleTaskRunner::Run() src/xpcom/threads/IdleTaskRunner.cpp:109:14
#12 0x7fe3df50c041 in mozilla::TimedOut(nsITimer*, void*) src/xpcom/threads/IdleTaskRunner.cpp:127:11
#13 0x7fe3df558ddc in operator() src/xpcom/threads/nsTimerImpl.cpp:635:36
#14 0x7fe3df558ddc in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at src/xpcom/threads/nsTimerImpl.cpp:635:7), (lambda at src/xpcom/threads/nsTimerImpl.cpp:636:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:309:16
#15 0x7fe3df558ddc in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at src/xpcom/threads/nsTimerImpl.cpp:632:7), (lambda at src/xpcom/threads/nsTimerImpl.cpp:635:7), (lambda at src/xpcom/threads/nsTimerImpl.cpp:636:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:318:14
#16 0x7fe3df558ddc in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at src/xpcom/threads/nsTimerImpl.cpp:631:7), (lambda at src/xpcom/threads/nsTimerImpl.cpp:632:7), (lambda at src/xpcom/threads/nsTimerImpl.cpp:635:7), (lambda at src/xpcom/threads/nsTimerImpl.cpp:636:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:318:14
#17 0x7fe3df558ddc in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at src/xpcom/threads/nsTimerImpl.cpp:630:7), (lambda at src/xpcom/threads/nsTimerImpl.cpp:631:7), (lambda at src/xpcom/threads/nsTimerImpl.cpp:632:7), (lambda at src/xpcom/threads/nsTimerImpl.cpp:635:7), (lambda at src/xpcom/threads/nsTimerImpl.cpp:636:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:318:14
#18 0x7fe3df558ddc in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at src/xpcom/threads/nsTimerImpl.cpp:630:7), (lambda at src/xpcom/threads/nsTimerImpl.cpp:631:7), (lambda at src/xpcom/threads/nsTimerImpl.cpp:632:7), (lambda at src/xpcom/threads/nsTimerImpl.cpp:635:7), (lambda at src/xpcom/threads/nsTimerImpl.cpp:636:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:902:12
#19 0x7fe3df558ddc in match<(lambda at src/xpcom/threads/nsTimerImpl.cpp:630:7), (lambda at src/xpcom/threads/nsTimerImpl.cpp:631:7), (lambda at src/xpcom/threads/nsTimerImpl.cpp:632:7), (lambda at src/xpcom/threads/nsTimerImpl.cpp:635:7), (lambda at src/xpcom/threads/nsTimerImpl.cpp:636:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:857:12
#20 0x7fe3df558ddc in nsTimerImpl::Fire(int) src/xpcom/threads/nsTimerImpl.cpp:629:22
#21 0x7fe3df52b795 in nsTimerEvent::Run() src/xpcom/threads/TimerThread.cpp:265:11
#22 0x7fe3df5483be in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:467:16
#23 0x7fe3df52294f in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:770:26
#24 0x7fe3df5215b8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:606:15
#25 0x7fe3df521833 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:390:36
#26 0x7fe3df54bae9 in operator() src/xpcom/threads/TaskController.cpp:126:37
#27 0x7fe3df54bae9 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#28 0x7fe3df5367cf in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1151:16
#29 0x7fe3df53d8ca in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:467:10
#30 0x7fe3dffad364 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:107:5
#31 0x7fe3dfecd887 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:331:10
#32 0x7fe3dfecd792 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
#33 0x7fe3dfecd792 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
#34 0x7fe3e3e6a778 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#35 0x7fe3e5d18f93 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:917:20
#36 0x7fe3dffae2aa in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#37 0x7fe3dfecd887 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:331:10
#38 0x7fe3dfecd792 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
#39 0x7fe3dfecd792 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
#40 0x7fe3e5d185ce in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:749:34
#41 0x558d572dcb46 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#42 0x558d572dcb46 in main src/browser/app/nsBrowserApp.cpp:327:18
#43 0x7fe3f4ddb0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?
|
||
Comment 1•3 years ago
|
||
Hi Olli, is this something you can look into?
Severity: -- → S3
Flags: needinfo?(bugs)
|
Reporter | |
Comment 2•3 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/Bpurq0i1pAHTOLfgZBBC1g/index.html
|
||
Comment 3•3 years ago
|
||
Bugmon Analysis
Bugmon was unable to identify a testcase that reproduces this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
|
||
Comment 4•3 years ago
|
||
I have a bit too many things in my todo list, so I won't be able to get to this any time soon.
Flags: needinfo?(bugs)
|
||
Comment 6•3 years ago
|
||
The assertion was added in Bug 1689601. Perhaps Peter can take a look?
Flags: needinfo?(htsai) → needinfo?(peterv)
|
Assignee | |
Updated•3 years ago
|
Assignee: nobody → peterv
Status: NEW → ASSIGNED
Flags: needinfo?(peterv)
|
||
Updated•3 years ago
|
Priority: -- → P3
| Comment hidden (Intermittent Failures Robot) |
| Comment hidden (offtopic) |
| Comment hidden (offtopic) |
|
||
Comment 10•2 years ago
|
||
We've seen a recent resurgence of this bug. Marking as fuzzblocker. Please prioritize accordingly.
Whiteboard: [fuzzblocker]
|
||
Updated•2 years ago
|
Severity: S3 → S2
Priority: P3 → --
|
|
||
Comment 11•2 years ago
|
||
Hsin-Yi, it looks like Peter hasn't had a chance to look at this in the last year, and it is now a fuzz blocker. Maybe somebody else could look into this nsFrameLoader issue? Thanks.
Flags: needinfo?(htsai)
|
|
||
Comment 12•2 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #11)
Hsin-Yi, it looks like Peter hasn't had a chance to look at this in the last year, and it is now a fuzz blocker. Maybe somebody else could look into this nsFrameLoader issue? Thanks.
Hey Andrew, thanks for ensuring this not fall off our radar. Peter and I had noticed the severity bumping up several weeks ago, and we have planned a higher priority for this. I'll follow up on this.
Flags: needinfo?(htsai)
|
|
Assignee | |
Comment 13•2 years ago
|
||
I have been looking sporadically at this bug, I'm making progress but just haven't figured out completely what's going on.
|
||
Updated•1 year ago
|
|
|
||
Comment 14•7 months ago
|
||
Adjusting the severity according to the test case. We plan to give another look this or next weeks to see if we can relax the assertions.
Severity: S2 → S3
Priority: -- → P2
|
||
Comment 15•7 months ago
|
||
This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:peterv, could you consider increasing the severity?
For more information, please visit BugBot documentation.
Flags: needinfo?(peterv)
|
|
||
Updated•7 months ago
|
Flags: needinfo?(peterv)
|
|
Reporter | |
Updated•7 months ago
|
Whiteboard: [fuzzblocker]
You need to log in
before you can comment on or make changes to this bug.
Description
•