Closed Bug 1740732 Opened 3 years ago Closed 3 years ago

Assertion failure: unheld, at /dom/locks/LockRequestParent.cpp:20

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
96 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox96 --- verified

People

(Reporter: jkratzer, Assigned: saschanaz)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev 300fc6bd088e (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 300fc6bd088e --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
Assertion failure: unheld, at /dom/locks/LockRequestParent.cpp:20

    ==809133==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f0ba9123918 bp 0x7f0ae444fbb0 sp 0x7f0ae444fb70 T809338)
    ==809133==The signal is caused by a WRITE memory access.
    ==809133==Hint: address points to the zero page.
        #0 0x7f0ba9123918 in mozilla::dom::locks::LockRequestParent::Recv__delete__(bool) /dom/locks/LockRequestParent.cpp:20:3
        #1 0x7f0ba5d31f5f in mozilla::dom::locks::PLockRequestParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PLockRequestParent.cpp:182:61
        #2 0x7f0ba607e8bc in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundParent.cpp:3358:32
        #3 0x7f0ba5983b2f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:2043:25
        #4 0x7f0ba5980421 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /ipc/glue/MessageChannel.cpp:1968:9
        #5 0x7f0ba59818a5 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1827:3
        #6 0x7f0ba59824dd in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1855:14
        #7 0x7f0ba4ef6459 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1169:16
        #8 0x7f0ba4efd57a in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
        #9 0x7f0ba598abc4 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:330:5
        #10 0x7f0ba58a8f87 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #11 0x7f0ba58a8e92 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #12 0x7f0ba58a8e92 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #13 0x7f0ba4ef20cb in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:391:10
        #14 0x7f0bbb019a07 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #15 0x7f0bbbd8d608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
        #16 0x7f0bbb955292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/locks/LockRequestParent.cpp:20:3 in mozilla::dom::locks::LockRequestParent::Recv__delete__(bool)
    ==809133==ABORTING
Attached file Testcase
Assignee: nobody → krosylight

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211111045525-300fc6bd088e.
Failed to bisect testcase (Unable to launch the start build!):

Start: cadd17ae918b22f2b2d3db0d78137ebbb7544f64 (20201112033232)
End: 300fc6bd088e8568d61395252c1b0bcb6fa9c4b5 (20211111045525)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

That makes LockRequestParent::Recv__delete__ explicitly for active lock requests.

Attachment #9250422 - Attachment description: Bug 1740732 - Destruct stole lock requests r=smaug → Bug 1740732 - Destruct stolen lock requests r=smaug
Pushed by krosylight@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4c52dfe7ab4b
Destruct stolen lock requests r=smaug
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/31610 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 96 Branch
Upstream PR merged by moz-wptsync-bot

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20211112092317-b16763f1da6b.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

:saschanaz, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(krosylight)
Flags: needinfo?(krosylight)
Regressed by: 1725942

Set release status flags based on info from the regressing bug 1725942
