Closed Bug 1741181 Opened 3 years ago Closed 3 years ago

Assertion failure: mLockCount > 0, at /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Document.h:1471

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
Linux
defect

Tracking

()

VERIFIED FIXED
96 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox94 --- unaffected
firefox95 --- wontfix
firefox96 --- verified

People

(Reporter: jkratzer, Assigned: saschanaz)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(4 files)

Testcase found while fuzzing mozilla-central rev 0ea31fd939c8 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 0ea31fd939c8 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
Assertion failure: mLockCount > 0, at /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Document.h:1471

    ==902999==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f764cc87682 bp 0x7fff3ada8490 sp 0x7fff3ada8470 T902999)
    ==902999==The signal is caused by a WRITE memory access.
    ==902999==Hint: address points to the zero page.
        #0 0x7f764cc87682 in UpdateLockCount /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Document.h:1471:5
        #1 0x7f764cc87682 in mozilla::dom::locks::LockManagerChild::NotifyBFCacheOnMainThread(nsPIDOMWindowInner*, bool) /dom/locks/LockManagerChild.cpp:32:25
        #2 0x7f764950db6a in mozilla::ipc::IProtocol::DestroySubtree(mozilla::ipc::IProtocol::ActorDestroyReason) /ipc/glue/ProtocolUtils.cpp:596:3
        #3 0x7f764988a124 in mozilla::dom::locks::PLockRequestChild::Send__delete__(mozilla::dom::locks::PLockRequestChild*, bool const&) /builds/worker/workspace/obj-build/ipc/ipdl/PLockRequestChild.cpp:83:12
        #4 0x7f764cc85cda in mozilla::dom::Lock::ResolvedCallback(JSContext*, JS::Handle<JS::Value>) /dom/locks/Lock.cpp:53:5
        #5 0x7f764cfef4d3 in mozilla::dom::(anonymous namespace)::PromiseNativeHandlerShim::ResolvedCallback(JSContext*, JS::Handle<JS::Value>) /dom/promise/Promise.cpp:385:12
        #6 0x7f764cfef9f3 in mozilla::dom::NativeHandlerCallback(JSContext*, unsigned int, JS::Value*) /dom/promise/Promise.cpp:338:29
        #7 0x7f764f4c853f in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:387:13
        #8 0x7f764f4c7c4b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:474:12
        #9 0x7f764f4c971e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /js/src/vm/Interpreter.cpp:534:10
        #10 0x7f764f4c9921 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:551:8
        #11 0x7f764f56ba81 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.h:106:10
        #12 0x7f764f79d237 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2211:10
        #13 0x7f764f4c853f in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:387:13
        #14 0x7f764f4c7c4b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:474:12
        #15 0x7f764f4c971e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /js/src/vm/Interpreter.cpp:534:10
        #16 0x7f764f4c9921 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:551:8
        #17 0x7f764f681b61 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #18 0x7f764ae9f38c in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:35:8
        #19 0x7f7648939415 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:89:12
        #20 0x7f764893874b in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:102:12
        #21 0x7f764893874b in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:213:18
        #22 0x7f7648923348 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:674:17
        #23 0x7f764892416c in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /xpcom/base/CycleCollectedJSContext.cpp:463:3
        #24 0x7f7649d268a5 in XPCJSContext::AfterProcessTask(unsigned int) /js/xpconnect/src/XPCJSContext.cpp:1499:28
        #25 0x7f7648a4eb8a in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1212:24
        #26 0x7f7648a5599a in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
        #27 0x7f76494e2cc6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #28 0x7f7649402307 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #29 0x7f7649402212 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #30 0x7f7649402212 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #31 0x7f764d38eb28 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #32 0x7f764f34ba33 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:917:20
        #33 0x7f76494e3bba in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #34 0x7f7649402307 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #35 0x7f7649402212 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #36 0x7f7649402212 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #37 0x7f764f34b06b in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:749:34
        #38 0x55abe289fe49 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #39 0x55abe289fe49 in main /browser/app/nsBrowserApp.cpp:327:18
        #40 0x7f765e4420b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #41 0x55abe287b5dc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x155dc)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Document.h:1471:5 in UpdateLockCount
    ==902999==ABORTING
Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211115093917-0ea31fd939c8.
The bug appears to have been introduced in the following build range:

Start: eed6f4952eb0fd89b51d1dd7201c0aea31300fbd (20211105220210)
End: 1863bc09aef91f72fa72f01c1fcd70c64804d8d3 (20211106004518)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=eed6f4952eb0fd89b51d1dd7201c0aea31300fbd&tochange=1863bc09aef91f72fa72f01c1fcd70c64804d8d3

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Flags: needinfo?(krosylight)
Attached file 1741181.html

Another testcase.

.appending an active iframe replaces Document and the lock manager becomes confused because of that. Currently lock manager has no way to learn if such replacement happened.

This can cause a bad situation:

  1. A lock is acquired, mLockCount = 1
  2. The document object is replaced, mLockCount = 0
  3. A new lock is acquired, mLockCount = 1
  4. The lock in step 1 is resolved, mLockCount = 0
  5. Navigation happens. Since mLockCount = 0 it's bfcached, but the lock in step 3 is still held

:smaug, do you have an idea how to solve this? Navigator::Invalidate does not happen immediately, not sure what the best solution is.

Flags: needinfo?(bugs)

Maybe can simply move the count variable to WindowInner, since it doesn't change during that.

Assignee: nobody → krosylight
Flags: needinfo?(krosylight)
Flags: needinfo?(bugs)

Wait, it seems my investigation is missing something and I think such move is not a good thing. Will investigate more.

:saschanaz, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(krosylight)
Flags: needinfo?(krosylight)
Regressed by: 1736563
Has Regression Range: --- → yes
Severity: -- → S3
Pushed by krosylight@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/81f65c87139d NotifyRequestDestroy() only when the manager is alive r=smaug
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/31712 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 96 Branch

Bugmon Analysis
Bug marked as FIXED but still reproduces on mozilla-central 20211123094249-71332992f78f.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---

:sashanaz, it looks like your minimized testcase 1741181.html no longer reproduces. However, my initial testcase still does.

Flags: needinfo?(krosylight)
Upstream PR was closed without merging

Thank you for double check! I found that my repro had a different stack trace.

Flags: needinfo?(krosylight)
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/31729 for changes under testing/web-platform/tests

Set release status flags based on info from the regressing bug 1736563

Status: REOPENED → RESOLVED
Closed: 3 years ago3 years ago
Resolution: --- → FIXED

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20211125043756-0bfe7aadbc81.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Upstream PR merged by moz-wptsync-bot
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: