Closed Bug 1752902 Opened 4 years ago Closed 4 years ago

Assertion failure: !IsNull() (Cannot compute with a null value), at /builds/worker/workspace/obj-build/dist/include/mozilla/TimeStamp.h:470

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
98 Branch
Tracking Status
firefox98 --- fixed

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

3.90 KB, application/octet-stream

Testcase found while fuzzing mozilla-central rev 49a9d19fd713 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 49a9d19fd713 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
Assertion failure: !IsNull() (Cannot compute with a null value), at /builds/worker/workspace/obj-build/dist/include/mozilla/TimeStamp.h:470

    ==1649455==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8179f7209e bp 0x7fffb9696910 sp 0x7fffb9696910 T1649455)
    ==1649455==The signal is caused by a WRITE memory access.
    ==1649455==Hint: address points to the zero page.
        #0 0x7f8179f7209e in operator+= /builds/worker/workspace/obj-build/dist/include/mozilla/TimeStamp.h:470:5
        #1 0x7f8179f7209e in mozilla::TimeStamp::operator+(mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator> const&) const /builds/worker/workspace/obj-build/dist/include/mozilla/TimeStamp.h:461:12
        #2 0x7f817d36e977 in mozilla::dom::RequestedFrameRefreshObserver::NotifyCaptureStateChange() /dom/html/HTMLCanvasElement.cpp:150:39
        #3 0x7f817d36f4a9 in mozilla::WatchManager<mozilla::dom::RequestedFrameRefreshObserver>::PerCallbackWatcher::Notify()::'lambda'()::operator()() const /builds/worker/workspace/obj-build/dist/include/mozilla/StateWatching.h:251:38
        #4 0x7f817d36f2bc in mozilla::detail::RunnableFunction<mozilla::WatchManager<mozilla::dom::RequestedFrameRefreshObserver>::PerCallbackWatcher::Notify()::'lambda'()>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #5 0x7f817999d57f in mozilla::SimpleTaskQueue::DrainTasks() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:44:10
        #6 0x7f81799af467 in nsThread::DrainDirectTasks() /xpcom/threads/nsThread.cpp:1399:16
        #7 0x7f81799ae472 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1217:3
        #8 0x7f81799b535a in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
        #9 0x7f817a4555d4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #10 0x7f817a37a387 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #11 0x7f817a37a292 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #12 0x7f817a37a292 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #13 0x7f817e6443b8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #14 0x7f81806a3bb3 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:870:20
        #15 0x7f817a45651a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #16 0x7f817a37a387 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #17 0x7f817a37a292 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #18 0x7f817a37a292 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #19 0x7f81806a31ec in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:707:34
        #20 0x55e9f365d029 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #21 0x55e9f365d029 in main /browser/app/nsBrowserApp.cpp:327:18
        #22 0x7f818e8960b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #23 0x55e9f36387bc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x157bc)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/TimeStamp.h:470:5 in operator+=
    ==1649455==ABORTING
Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220131212843-788ab1920ef8.
The bug appears to have been introduced in the following build range:

Start: 8788a0099e9c9ed22bad025f70045c1c1d1eae06 (20220124132056)
End: a6403a590e5c14f36557ee630c2d3121a958128a (20220124161517)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8788a0099e9c9ed22bad025f70045c1c1d1eae06&tochange=a6403a590e5c14f36557ee630c2d3121a958128a

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

(In reply to Bugmon [:jkratzer for issues] from comment #2)

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220131212843-788ab1920ef8.
The bug appears to have been introduced in the following build range:

Start: 8788a0099e9c9ed22bad025f70045c1c1d1eae06 (20220124132056)
End: a6403a590e5c14f36557ee630c2d3121a958128a (20220124161517)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8788a0099e9c9ed22bad025f70045c1c1d1eae06&tochange=a6403a590e5c14f36557ee630c2d3121a958128a

Hi Kelsey and Andreas,
Bug 1344524, listed in the potential regression window, looks related. Can you take a look first? Thank you.

Flags: needinfo?(jgilbert)

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220131094559-49a9d19fd713) but not with tip (mozilla-central 20220205014840-e8991d00a1d1).
The bug appears to have been fixed in the following build range:

Start: 6123fcc0963099422bbffd76d5e8316a56df6b14 (20220202202743)
End: 2abaeed5247f15ea79a4be205551bae3587f9507 (20220202224844)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6123fcc0963099422bbffd76d5e8316a56df6b14&tochange=2abaeed5247f15ea79a4be205551bae3587f9507
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Yeah, that seems likely to be bug 1344524.

See Also: → 1344524

This was fixed by D137294, and that bug fixed mochitest coverage of this path too.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(jgilbert)
Resolution: --- → DUPLICATE
Depends on: 1752351
No longer duplicate of bug: 1752351
Keywords: regression
Regressed by: 1344524
Resolution: DUPLICATE → FIXED
See Also: 1344524
Target Milestone: --- → 98 Branch

Set release status flags based on info from the regressing bug 1344524
