Closed Bug 1743471 Opened 3 years ago Closed 3 years ago

Assertion failure: !aCreated, at /dom/locks/LockManagerChild.cpp:39

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
96 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox94 --- unaffected
firefox95 --- disabled
firefox96 --- verified

People

(Reporter: jkratzer, Assigned: saschanaz)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev d03f87555639 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build d03f87555639 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip --no-harness --repeat 10

    Assertion failure: !aCreated, at /dom/locks/LockManagerChild.cpp:39

    ==3618484==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc2ad0bb072 bp 0x7fffc0350210 sp 0x7fffc0350200 T3618484)
    ==3618484==The signal is caused by a WRITE memory access.
    ==3618484==Hint: address points to the zero page.
        #0 0x7fc2ad0bb072 in mozilla::dom::locks::LockManagerChild::NotifyBFCacheOnMainThread(nsPIDOMWindowInner*, bool) /dom/locks/LockManagerChild.cpp:39:3
        #1 0x7fc2ad3d07ef in mozilla::dom::WorkerProxyToMainThreadRunnable::Run() /dom/workers/WorkerRunnable.cpp:652:3
        #2 0x7fc2a8e5eb0a in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /xpcom/threads/ThrottledEventQueue.cpp:254:22
        #3 0x7fc2a8e5bd71 in mozilla::ThrottledEventQueue::Inner::Executor::Run() /xpcom/threads/ThrottledEventQueue.cpp:81:15
        #4 0x7fc2a8e5ce9e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:468:16
        #5 0x7fc2a8e36676 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:771:26
        #6 0x7fc2a8e35338 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:607:15
        #7 0x7fc2a8e355b3 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:391:36
        #8 0x7fc2a8e60496 in operator() /xpcom/threads/TaskController.cpp:124:37
        #9 0x7fc2a8e60496 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #10 0x7fc2a8e4b0a3 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1183:16
        #11 0x7fc2a8e5236a in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
        #12 0x7fc2a98e9f26 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #13 0x7fc2a9809567 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #14 0x7fc2a9809472 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #15 0x7fc2a9809472 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #16 0x7fc2ad7c8a88 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #17 0x7fc2af786d13 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:864:20
        #18 0x7fc2a98eae1a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #19 0x7fc2a9809567 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #20 0x7fc2a9809472 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #21 0x7fc2a9809472 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #22 0x7fc2af78634b in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:701:34
        #23 0x5583c40cfec9 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #24 0x5583c40cfec9 in main /browser/app/nsBrowserApp.cpp:327:18
        #25 0x7fc2bf16b0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #26 0x5583c40ab65c in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x1565c)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/locks/LockManagerChild.cpp:39:3 in mozilla::dom::locks::LockManagerChild::NotifyBFCacheOnMainThread(nsPIDOMWindowInner*, bool)
    ==3618484==ABORTING
Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211129215324-408b89a2e02c.
The bug appears to have been introduced in the following build range:

Start: eed6f4952eb0fd89b51d1dd7201c0aea31300fbd (20211105220210)
End: 1863bc09aef91f72fa72f01c1fcd70c64804d8d3 (20211106004518)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=eed6f4952eb0fd89b51d1dd7201c0aea31300fbd&tochange=1863bc09aef91f72fa72f01c1fcd70c64804d8d3

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

WebLock is enabled only in Nightly now.

Flags: needinfo?(krosylight)

Web Locks is enabled by default, but does not affect version 95, yes.

Assignee: nobody → krosylight
Flags: needinfo?(krosylight)

So this is very rare and it took quite a lot of page refreshes for grizzly to catch the failure on my machine. Impressive!

Pushed by krosylight@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/88b2d16b6ef9 Remove assertion for existence of WindowGlobalChild r=smaug
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 96 Branch

:saschanaz, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(krosylight)
Flags: needinfo?(krosylight)
Regressed by: 1738905
Has Regression Range: --- → yes
Keywords: regression

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20211130214422-15c1262d6e8f.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

Set release status flags based on info from the regressing bug 1738905

