Open Bug 1755778 Opened 2 years ago Updated 9 months ago

Assertion failure: NS_IsMainThread() (Main thread is not available for dispatch.), at /dom/media/webaudio/blink/HRTFDatabaseLoader.cpp:133


(Core :: Web Audio, defect)





(Reporter: jkratzer, Unassigned)


(Blocks 1 open bug)


(Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed])


(1 file)

Testcase found while fuzzing mozilla-central rev ae6487188557 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build ae6487188557 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --repeat 10 --relaunch 1 --no-harness
Assertion failure: NS_IsMainThread() (Main thread is not available for dispatch.), at /dom/media/webaudio/blink/HRTFDatabaseLoader.cpp:133

    ==3705503==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f49d9bc7928 bp 0x7f49ce566e30 sp 0x7f49ce566e00 T3705664)
    ==3705503==The signal is caused by a WRITE memory access.
    ==3705503==Hint: address points to the zero page.
        #0 0x7f49d9bc7928 in WebCore::HRTFDatabaseLoader::ProxyRelease() /dom/media/webaudio/blink/HRTFDatabaseLoader.cpp:133:5
        #1 0x7f49d9bc7cb6 in WebCore::databaseLoaderEntry(void*) /dom/media/webaudio/blink/HRTFDatabaseLoader.cpp:158:11
        #2 0x7f49ebda7a57 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #3 0x7f49ecb1b608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
        #4 0x7f49ec6e3292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/media/webaudio/blink/HRTFDatabaseLoader.cpp:133:5 in WebCore::HRTFDatabaseLoader::ProxyRelease()
Attached file Testcase

S4 based on content processes in release builds exiting before reaching the phase of shutdown where the main thread is no longer available.
Still value in fixing to facilitate fuzzing of debug builds.

Severity: -- → S4

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220216214005-d0676cb0864b.
The bug appears to have been introduced in the following build range:

Start: d1c894f81d2a11efc998f4294fe137cb371c1d2b (20211213201156)
End: 6c0d753b10f45d377d10f02992567641e9526fa9 (20211213215115)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Testcase crashes using the initial build (mozilla-central 20220216094238-ae6487188557) but not with tip (mozilla-central 20230113234514-9af5d0877b6b.)

Unable to bisect testcase (Testcase reproduces on start build!):

Start: 60998033086a179f73edd702599f93ab75ff443e (20220115094536)
End: ae64871885570edcdd3057d5ae758197b1dd5db4 (20220216094238)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.