Open Bug 1755778 Opened 2 years ago Updated 1 year ago

Assertion failure: NS_IsMainThread() (Main thread is not available for dispatch.), at /dom/media/webaudio/blink/HRTFDatabaseLoader.cpp:133

Categories: Core :: Web Audio, defect
Platform: x86_64 Linux
People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug
Details: Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed]
Attachments: 1 file

Testcase found while fuzzing mozilla-central rev ae6487188557 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build ae6487188557 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --repeat 10 --relaunch 1 --no-harness
Assertion failure: NS_IsMainThread() (Main thread is not available for dispatch.), at /dom/media/webaudio/blink/HRTFDatabaseLoader.cpp:133

    ==3705503==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f49d9bc7928 bp 0x7f49ce566e30 sp 0x7f49ce566e00 T3705664)
    ==3705503==The signal is caused by a WRITE memory access.
    ==3705503==Hint: address points to the zero page.
        #0 0x7f49d9bc7928 in WebCore::HRTFDatabaseLoader::ProxyRelease() /dom/media/webaudio/blink/HRTFDatabaseLoader.cpp:133:5
        #1 0x7f49d9bc7cb6 in WebCore::databaseLoaderEntry(void*) /dom/media/webaudio/blink/HRTFDatabaseLoader.cpp:158:11
        #2 0x7f49ebda7a57 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #3 0x7f49ecb1b608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
        #4 0x7f49ec6e3292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/media/webaudio/blink/HRTFDatabaseLoader.cpp:133:5 in WebCore::HRTFDatabaseLoader::ProxyRelease()
    ==3705503==ABORTING
Attached file Testcase

S4 based on content processes in release builds exiting before reaching the phase of shutdown where the main thread is no longer available.
Still value in fixing to facilitate fuzzing of debug builds.

Severity: -- → S4
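The crash site is a worker thread that hands the HRTF database back to the main thread for destruction after the main thread has stopped accepting dispatches. As an added illustration that is not Gecko code and not the fix for this bug, the following models that handoff and the check a practitioner would want: only dereference the owner's dispatch target if it still exists, only rely on it if it accepted the task, and otherwise destroy the object on the calling thread. TaskQueue, Database, ProxyRelease, OwnerState and RunScenario are stand-in names; the real HRTFDatabaseLoader internals are not reproduced, and the worker is called directly rather than on a second thread.

```cpp
// Added illustration (not Gecko code): a proxy release that hands an object
// to its owner thread's queue, and what must happen when the owner has
// already passed the shutdown phase in which it accepts dispatches.
#include <cstddef>
#include <cstdio>
#include <functional>
#include <memory>
#include <mutex>
#include <queue>
#include <utility>

// Stand-in for the owner ("main") thread's dispatch target.
class TaskQueue {
 public:
  // Returns false once the queue has stopped accepting work.
  bool Dispatch(std::function<void()> task) {
    std::lock_guard<std::mutex> lock(mutex_);
    if (!accepting_) return false;
    tasks_.push(std::move(task));
    return true;
  }
  // Later dispatches are refused; already-queued tasks still run in RunAll.
  void StopAccepting() {
    std::lock_guard<std::mutex> lock(mutex_);
    accepting_ = false;
  }
  // Drains the queue on the calling ("owner") thread; returns tasks run.
  std::size_t RunAll() {
    std::size_t ran = 0;
    for (;;) {
      std::function<void()> task;
      {
        std::lock_guard<std::mutex> lock(mutex_);
        if (tasks_.empty()) return ran;
        task = std::move(tasks_.front());
        tasks_.pop();
      }
      task();
      ++ran;
    }
  }

 private:
  std::mutex mutex_;
  std::queue<std::function<void()>> tasks_;
  bool accepting_ = true;
};

// The object whose destructor must run exactly once; counts destructions.
struct Database {
  explicit Database(int* freed) : freed_(freed) {}
  ~Database() { ++*freed_; }
  int* freed_;
};

enum class ReleaseOutcome { DispatchedToOwner, ReleasedOnCaller };

// Hardened proxy release. The unhardened form is `owner->Dispatch(...)` with
// no checks: with `owner` null it faults on the first write through the
// pointer, which is the shape of the SEGV-on-zero-page in the report.
ReleaseOutcome ProxyRelease(std::unique_ptr<Database> db, TaskQueue* owner) {
  if (owner != nullptr) {
    auto holder = std::make_shared<std::unique_ptr<Database>>(std::move(db));
    if (owner->Dispatch([holder] { holder->reset(); })) {
      return ReleaseOutcome::DispatchedToOwner;
    }
    db = std::move(*holder);  // dispatch refused: take ownership back
  }
  db.reset();  // owner unavailable: destroy here instead of leaking or faulting
  return ReleaseOutcome::ReleasedOnCaller;
}

// Where the owner thread is when the worker finishes loading.
enum class OwnerState { Live, StoppedAccepting, Gone };

struct ScenarioResult {
  ReleaseOutcome outcome;
  int freed;  // Database objects destroyed: must be 1 in every scenario
};

// Runs the worker's release path against an owner in the given state.
ScenarioResult RunScenario(OwnerState state) {
  int freed = 0;
  TaskQueue queue;
  TaskQueue* owner = &queue;
  if (state == OwnerState::StoppedAccepting) queue.StopAccepting();
  if (state == OwnerState::Gone) owner = nullptr;  // "not available for dispatch"

  auto db = std::make_unique<Database>(&freed);
  ReleaseOutcome outcome = ProxyRelease(std::move(db), owner);  // worker side
  queue.RunAll();  // owner thread drains whatever was handed to it
  return {outcome, freed};
}

int main() {
  for (OwnerState s : {OwnerState::Live, OwnerState::StoppedAccepting, OwnerState::Gone}) {
    ScenarioResult r = RunScenario(s);
    std::printf("state=%d outcome=%s freed=%d\n", static_cast<int>(s),
                r.outcome == ReleaseOutcome::DispatchedToOwner ? "owner" : "caller", r.freed);
  }
  return 0;
}
```

The point of the fallback is that the destructor still runs exactly once in all three owner states; a release path that only ever dispatches to the owner either leaks (refused dispatch) or faults (missing dispatch target) once shutdown has progressed past the owner.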

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220216214005-d0676cb0864b.
The bug appears to have been introduced in the following build range:

Start: d1c894f81d2a11efc998f4294fe137cb371c1d2b (20211213201156)
End: 6c0d753b10f45d377d10f02992567641e9526fa9 (20211213215115)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=d1c894f81d2a11efc998f4294fe137cb371c1d2b&tochange=6c0d753b10f45d377d10f02992567641e9526fa9

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Testcase crashes using the initial build (mozilla-central 20220216094238-ae6487188557) but not with tip (mozilla-central 20230113234514-9af5d0877b6b).

Unable to bisect testcase (Testcase reproduces on start build!):

Start: 60998033086a179f73edd702599f93ab75ff443e (20220115094536)
End: ae64871885570edcdd3057d5ae758197b1dd5db4 (20220216094238)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
