Closed Bug 1748342 Opened 3 years ago Closed 3 years ago

Assertion failure: data, at /xpcom/base/nsCycleCollector.cpp:3756

Categories

(Core :: DOM: File, defect, P3)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
98 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox96 --- wontfix
firefox97 --- wontfix
firefox98 --- verified

People

(Reporter: jkratzer, Assigned: smaug)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev 1cb2015e6fbc (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 1cb2015e6fbc --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: data, at /xpcom/base/nsCycleCollector.cpp:3756

    ==1204417==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb2ed263ea6 bp 0x7fb2e4ac17e0 sp 0x7fb2e4ac17c0 T1204467)
    ==1204417==The signal is caused by a WRITE memory access.
    ==1204417==Hint: address points to the zero page.
        #0 0x7fb2ed263ea6 in NS_CycleCollectorSuspect3 /xpcom/base/nsCycleCollector.cpp:3756:3
        #1 0x7fb2f0b6bdb6 in incr<&NS_CycleCollectorSuspect3> /builds/worker/workspace/obj-build/dist/include/nsISupportsImpl.h:248:7
        #2 0x7fb2f0b6bdb6 in incr<&NS_CycleCollectorSuspect3> /builds/worker/workspace/obj-build/dist/include/nsISupportsImpl.h:234:12
        #3 0x7fb2f0b6bdb6 in mozilla::DOMEventTargetHelper::AddRef() /dom/events/DOMEventTargetHelper.cpp:86:1
        #4 0x7fb2f0c310c8 in AddRef /dom/file/FileReader.cpp:78:1
        #5 0x7fb2f0c310c8 in non-virtual thunk to mozilla::dom::FileReader::AddRef() /dom/file/FileReader.cpp
        #6 0x7fb2ed37aff9 in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:489:7
        #7 0x7fb2ed37aff9 in copyConstruct<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> > /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:222:34
        #8 0x7fb2ed37aff9 in copyConstruct<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> > /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:224:7
        #9 0x7fb2ed37aff9 in Variant /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:653:5
        #10 0x7fb2ed37aff9 in mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback>::operator=(mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> const&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:665:32
        #11 0x7fb2ed37a761 in nsTimerImpl::Fire(int) /xpcom/threads/nsTimerImpl.cpp:615:24
        #12 0x7fb2ed34c56e in nsTimerEvent::Run() /xpcom/threads/TimerThread.cpp:265:11
        #13 0x7fb2ed358119 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1177:16
        #14 0x7fb2ed35f2ba in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
        #15 0x7fb2ede02e54 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:330:5
        #16 0x7fb2edd210b7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #17 0x7fb2edd20fc2 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #18 0x7fb2edd20fc2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #19 0x7fb2ed353d4b in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:391:10
        #20 0x7fb3017cc997 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #21 0x7fb302540608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
        #22 0x7fb302108292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /xpcom/base/nsCycleCollector.cpp:3756:3 in NS_CycleCollectorSuspect3
    ==1204417==ABORTING
Attached file Testcase
Crash Signature: [@ mozilla::DOMEventTargetHelper::AddRef | nsTimerImpl::Fire ]
Keywords: crash
Attachment #9257393 - Attachment mime type: application/octet-stream → text/html

Based on the code this looks pretty obvious.
Investigating...

Severity: -- → S3
Priority: -- → P3

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220104034109-8bc2581b2c7b.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 1d89f3cb5bb3e5a37b0249977838c4a98c162c80 (20210105043131)
End: 1cb2015e6fbc11f3a03137692fe60b111b94693a (20220103092929)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Assignee: nobody → bugs
Pushed by opettay@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9043bc3441b0 don't start FileReader's timer if the worker is shutting down, r=dom-worker-reviewers,jesup
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 98 Branch
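
The mechanism in the stack trace and the fix named in the push, as a standalone model. This is an added example: it is not Gecko code, not the attached testcase, and not the actual patch. Every name ending in "Model" is hypothetical, and so is the assumed ordering of the worker's shutting-down flag relative to the teardown of its cycle collector; the Gecko symbols each piece stands in for are named in the comments. RunScenarioModel(false) replays the unpatched sequence (an AddRef reaches the collector after it is gone, which is the null `data` in NS_CycleCollectorSuspect3), RunScenarioModel(true) the guarded one.

```cpp
// Added example, not Gecko code and not the attached testcase: a single-threaded
// model of the crash in the trace and of the fix in the push. Names ending in
// "Model" are hypothetical; comments name the Gecko symbol each stands in for.
#include <cstdio>

// Stand-in for CollectorData, the per-thread state NS_CycleCollectorSuspect3
// reads through the thread-local sCollectorData.
struct CollectorDataModel {
  int suspected = 0;
};
thread_local CollectorDataModel* gCollectorData = nullptr;

// AddRefs on this thread that found no collector. In Gecko this is where
// MOZ_ASSERT(data) fires; the zero-page SEGV is the null `data` written through.
thread_local int gSuspectsWithoutCollector = 0;

// Stand-in for NS_CycleCollectorSuspect3 (frame #0), reached from the AddRef of
// every cycle-collected object via DOMEventTargetHelper::AddRef (frame #3).
static bool SuspectModel(void* /*aPtr*/) {
  CollectorDataModel* data = gCollectorData;
  if (!data) {
    ++gSuspectsWithoutCollector;
    return false;
  }
  ++data->suspected;
  return true;
}

// Stand-in for the worker's lifecycle. Model assumption: the worker is flagged
// as shutting down first, and its cycle collector is torn down before a timer
// armed in that window gets to fire.
struct WorkerModel {
  CollectorDataModel cc;
  bool shuttingDown = false;
  void Start() { gCollectorData = &cc; }
  void BeginShutdown() { shuttingDown = true; }
  void ShutdownCollector() { gCollectorData = nullptr; }
};

// Stand-in for FileReader, a DOMEventTargetHelper whose AddRef suspects. Gecko's
// Release suspects too; the model skips that so only the traced path is counted.
struct FileReaderModel {
  int refCnt = 0;
  int notifies = 0;
  void AddRef() { ++refCnt; SuspectModel(this); }
  void Release() { --refCnt; }
  void Notify() { ++notifies; }  // nsITimerCallback::Notify
};

// Stand-in for nsTimerImpl: owns a reference to its callback and, as
// nsTimerImpl::Fire does (frames #6-#11), copies it before calling it.
struct TimerModel {
  FileReaderModel* callback = nullptr;
  void InitWithCallback(FileReaderModel* cb) { cb->AddRef(); callback = cb; }
  void Fire() {
    if (!callback) return;
    FileReaderModel* copy = callback;  // Variant copy -> nsCOMPtr copy
    copy->AddRef();                    // -> FileReader::AddRef -> Suspect: the crash
    copy->Notify();
    copy->Release();
  }
  void Cancel() { if (callback) { callback->Release(); callback = nullptr; } }
};

// Stand-in for the FileReader code that arms its progress timer, without
// (guarded == false) and with (guarded == true) the check from the push:
// "don't start FileReader's timer if the worker is shutting down".
static bool StartProgressTimerModel(const WorkerModel& worker, FileReaderModel& reader,
                                    TimerModel& timer, bool guarded) {
  if (guarded && worker.shuttingDown) {
    return false;  // the fix: a dying worker gets no new timer
  }
  timer.InitWithCallback(&reader);
  return true;
}

// Replays the sequence behind the trace and returns how many AddRefs ran on the
// worker thread after its collector was gone. Only 0 is acceptable.
static int RunScenarioModel(bool guarded) {
  gSuspectsWithoutCollector = 0;
  WorkerModel worker;
  worker.Start();
  FileReaderModel reader;
  TimerModel timer;
  worker.BeginShutdown();                                  // shutdown begins mid-read
  StartProgressTimerModel(worker, reader, timer, guarded);
  worker.ShutdownCollector();                              // worker CC torn down
  timer.Fire();                                            // nsTimerEvent::Run (frame #12)
  timer.Cancel();
  return gSuspectsWithoutCollector;
}

int main() {
  std::printf("unguarded: %d AddRef(s) without a collector\n", RunScenarioModel(false));
  std::printf("guarded:   %d AddRef(s) without a collector\n", RunScenarioModel(true));
}
```

The point the model makes is that the timer callback's AddRef happens on the timer's delivery, not when the timer is armed, so any per-thread state a refcount path depends on (here the worker's cycle collector) must be checked at arming time: a timer armed on a thread that is already shutting down is a reference that will be taken after that state is gone.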

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220112213002-38711fbec2b1.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

:smaug, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(bugs)

Bug in the bot.

Flags: needinfo?(bugs)