Assertion failure: !mProxy->mSyncLoopTarget, at src/dom/xhr/XMLHttpRequestWorker.cpp:1313
Categories
(Core :: DOM: Workers, defect, P2)
Tracking
()
People
(Reporter: tsmith, Assigned: jstutte)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
Found while fuzzing m-c 20220113-afb99f2fbec3 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip --xvfb
Assertion failure: !mProxy->mSyncLoopTarget, at src/dom/xhr/XMLHttpRequestWorker.cpp:1313
#0 0x7feebe231fe7 in mozilla::dom::SendRunnable::RunOnMainThread(mozilla::ErrorResult&) src/dom/xhr/XMLHttpRequestWorker.cpp:1313:3
#1 0x7feebe231862 in mozilla::dom::WorkerThreadProxySyncRunnable::MainThreadRun() src/dom/xhr/XMLHttpRequestWorker.cpp:1191:3
#2 0x7feebe0586dd in mozilla::dom::WorkerMainThreadRunnable::Run() src/dom/workers/WorkerRunnable.cpp:589:20
#3 0x7feeb98129ea in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() src/xpcom/threads/ThrottledEventQueue.cpp:254:22
#4 0x7feeb980fc51 in mozilla::ThrottledEventQueue::Inner::Executor::Run() src/xpcom/threads/ThrottledEventQueue.cpp:81:15
#5 0x7feeb9810d7e in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:468:16
#6 0x7feeb97eabd6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:771:26
#7 0x7feeb97e9898 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:607:15
#8 0x7feeb97e9b13 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:391:36
#9 0x7feeb9813e29 in operator() src/xpcom/threads/TaskController.cpp:127:37
#10 0x7feeb9813e29 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#11 0x7feeb97ff4d3 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1195:16
#12 0x7feeb98065ba in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:467:10
#13 0x7feeba2a9964 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:107:5
#14 0x7feeba1c9d37 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:331:10
#15 0x7feeba1c9c42 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
#16 0x7feeba1c9c42 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
#17 0x7feebe461dc8 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#18 0x7feec04baa23 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:870:20
#19 0x7feeba2aa8aa in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#20 0x7feeba1c9d37 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:331:10
#21 0x7feeba1c9c42 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
#22 0x7feeba1c9c42 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
#23 0x7feec04ba05c in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:707:34
#24 0x5609b580b029 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#25 0x5609b580b029 in main src/browser/app/nsBrowserApp.cpp:327:18
#26 0x7feece5880b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#27 0x5609b57e67bc in _start (/home/worker/builds/m-c-20220113215749-fuzzing-debug/firefox-bin+0x157bc)
|
Reporter | |
Comment 1•2 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/wW4FfwCjRcbG0BShZcNTzg/index.html
|
Assignee | |
Updated•2 years ago
|
|
||
Comment 2•2 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220121214138-00753e705770.
Failed to bisect testcase (Testcase reproduces on start build!):
Start: ae04412110021c5bfe5d89ca075528aaddf53b2a (20210123100021)
End: afb99f2fbec3d8dd7e10978354a73bc29c3765d7 (20220113215749)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)
|
|
Assignee | |
Comment 3•2 years ago
|
||
Looking at the testcase and pernosco, it seems we manage to call xhr.send twice asynchronously and at the second call the first is still in flight.
From the XMLHttpRequestMainThread::SendInternal implementation, it seems we check for this condition and ThrowInvalidStateError.
But the assert here is triggered before we get there. I assume we should anticipate this state check here to avoid overwriting the sync loop target ?
|
|
Assignee | |
Comment 4•2 years ago
•
|
||
I am preparing a patch but bug 1751474 and bug 1751673 make me wait before I can commit and moz-phab the minimal change set again.
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 5•2 years ago
|
||
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
Pushed by jstutte@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f6b8cd8e56e3 Add CanSend to XHRMainThread and check it before touching our state. r=dom-worker-reviewers,smaug
|
||
Comment 7•2 years ago
|
||
| bugherder | ||
|
||
Updated•2 years ago
|
|
|
||
Comment 8•2 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220127094620-7dff1a12e1a4.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
||
Comment 9•2 years ago
|
||
:jstutte, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Description
•