Assertion failure: data, at /xpcom/base/nsCycleCollector.cpp:3756
Categories: Core :: DOM: File, defect, P3
People: Reporter: jkratzer, Assigned: smaug
References: Blocks 1 open bug
Keywords: crash, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments: 2 files
Testcase found while fuzzing mozilla-central rev 1cb2015e6fbc (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 1cb2015e6fbc --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: data, at /xpcom/base/nsCycleCollector.cpp:3756
==1204417==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb2ed263ea6 bp 0x7fb2e4ac17e0 sp 0x7fb2e4ac17c0 T1204467)
==1204417==The signal is caused by a WRITE memory access.
==1204417==Hint: address points to the zero page.
#0 0x7fb2ed263ea6 in NS_CycleCollectorSuspect3 /xpcom/base/nsCycleCollector.cpp:3756:3
#1 0x7fb2f0b6bdb6 in incr<&NS_CycleCollectorSuspect3> /builds/worker/workspace/obj-build/dist/include/nsISupportsImpl.h:248:7
#2 0x7fb2f0b6bdb6 in incr<&NS_CycleCollectorSuspect3> /builds/worker/workspace/obj-build/dist/include/nsISupportsImpl.h:234:12
#3 0x7fb2f0b6bdb6 in mozilla::DOMEventTargetHelper::AddRef() /dom/events/DOMEventTargetHelper.cpp:86:1
#4 0x7fb2f0c310c8 in AddRef /dom/file/FileReader.cpp:78:1
#5 0x7fb2f0c310c8 in non-virtual thunk to mozilla::dom::FileReader::AddRef() /dom/file/FileReader.cpp
#6 0x7fb2ed37aff9 in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:489:7
#7 0x7fb2ed37aff9 in copyConstruct<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> > /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:222:34
#8 0x7fb2ed37aff9 in copyConstruct<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> > /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:224:7
#9 0x7fb2ed37aff9 in Variant /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:653:5
#10 0x7fb2ed37aff9 in mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback>::operator=(mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> const&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:665:32
#11 0x7fb2ed37a761 in nsTimerImpl::Fire(int) /xpcom/threads/nsTimerImpl.cpp:615:24
#12 0x7fb2ed34c56e in nsTimerEvent::Run() /xpcom/threads/TimerThread.cpp:265:11
#13 0x7fb2ed358119 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1177:16
#14 0x7fb2ed35f2ba in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
#15 0x7fb2ede02e54 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:330:5
#16 0x7fb2edd210b7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
#17 0x7fb2edd20fc2 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
#18 0x7fb2edd20fc2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
#19 0x7fb2ed353d4b in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:391:10
#20 0x7fb3017cc997 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
#21 0x7fb302540608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
#22 0x7fb302108292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /xpcom/base/nsCycleCollector.cpp:3756:3 in NS_CycleCollectorSuspect3
==1204417==ABORTING
Comment 2•3 years ago
Got a crash from the testcase: https://crash-stats.mozilla.org/report/index/a685975d-fb8d-4056-a640-61b7c0220104
Comment 3•3 years ago
Based on the code this looks pretty obvious.
Investigating...
Comment 4•3 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220104034109-8bc2581b2c7b.
Failed to bisect testcase (Testcase reproduces on start build!):
Start: 1d89f3cb5bb3e5a37b0249977838c4a98c162c80 (20210105043131)
End: 1cb2015e6fbc11f3a03137692fe60b111b94693a (20220103092929)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)
Comment 8•3 years ago
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220112213002-38711fbec2b1.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 9•2 years ago
:smaug, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.