Open Bug 1755794 Opened 2 years ago Updated 1 year ago

Hit MOZ_CRASH(mozilla::LinkedList<nsSHistory>::~LinkedList() [T = nsSHistory] has a buggy user: it should have removed all this list's elements before the list's destruction) at /builds/worker/workspace/obj-build/dist/include/mozilla/LinkedList.h:444

Categories: Core :: DOM: Core & HTML, defect, P3
Platform: x86_64 Linux
People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug
Details: Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed]
Attachments: 1 file (1.81 MB, application/octet-stream)

Testcase found while fuzzing mozilla-central rev 1f245c0744d0 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 1f245c0744d0 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
Hit MOZ_CRASH(mozilla::LinkedList<nsSHistory>::~LinkedList() [T = nsSHistory] has a buggy user: it should have removed all this list's elements before the list's destruction) at /builds/worker/workspace/obj-build/dist/include/mozilla/LinkedList.h:444

    ==855905==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fcb881aaf36 bp 0x7ffe020d6af0 sp 0x7ffe020d6ae0 T855905)
    ==855905==The signal is caused by a WRITE memory access.
    ==855905==Hint: address points to the zero page.
        #0 0x7fcb881aaf36 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
        #1 0x7fcb881aaf36 in mozilla::LinkedList<nsSHistory>::~LinkedList() /builds/worker/workspace/obj-build/dist/include/mozilla/LinkedList.h:440:7
        #2 0x7fcb98748a26 in __run_exit_handlers /build/glibc-eX1tMB/glibc-2.31/stdlib/exit.c:108:8
        #3 0x7fcb98748bdf in exit /build/glibc-eX1tMB/glibc-2.31/stdlib/exit.c:139:3
        #4 0x7fcb987260b9 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:342:3
        #5 0x55df655524bc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x154bc)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash
    ==855905==ABORTING
Attached file Testcase

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220216161716-1f245c0744d0) but not with tip (mozilla-central 20220216214005-d0676cb0864b).
Unable to bisect testcase (End build crashes!):

Start: 1f245c0744d051d4382f2ee21dc6acadf04152d7 (20220216161716)
End: d0676cb0864b870062fed21bc900d6fbb3cf5670 (20220216214005)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

mccr8, does this look actionable to you?

Flags: needinfo?(continuation)
See Also: → 1661862

Well, there's a test case, so it seems actionable. My guess would be that this (and bug 1661862, which is a similar-looking frequent intermittent) are some kind of leak.

Flags: needinfo?(continuation)
Severity: -- → S3
Priority: -- → P3

I've got semi-reliable STR, and I was able to catch this in rr and submit it to pernosco.

My STR were:
(1) Start a debug build of Firefox (I'm using a --enable-debug --enable-optimize="-O1" build)
(2) Visit https://www.msn.com/en-us/weather/forecast
(3) Click "Hourly" (the second 'tab' at the top-left of the temperature-graph-over-the-day section)
(4) Quit Firefox.

ACTUAL RESULTS:
I get a bunch of "Leaked URLs:" printed to my terminal, all seeming to be MSN or ad-related, and then I get this shutdown-crash:

Hit MOZ_CRASH(mozilla::LinkedList<nsSHistory>::~LinkedList() [T = nsSHistory] has a buggy user: it should have removed all this list's elements before the list's destruction) at $OBJ/dist/include/mozilla/LinkedList.h:466

Here are some of the leaked URLs that are listed, for what it's worth. The full list is in my pernosco trace. Notably, some of the URLs seem to be duplicates, which is interesting.

Leaked URLs:
  https://www.msn.com/en-us/weather/forecast
  https://msn.com/
  https://www.msn.com/en-us/weather/forecast
  https://tag.idsync.analytics.yahoo.com/sp-frame.html?referrer=
[...]
  https://www.bing.com/th?id=ORMS.0b9be4ae250768c34e07d9c89321fc61&pid=Wdp&w=612&h=304&qlt=60&c=1&rs=1
  https://www.msn.com/en-us/weather/forecast
  https://www.msn.com/en-us/weather/forecast
[...]

My pernosco trace: https://pernos.co/debug/9zdmsTPtKcSabCz0PHPCRw/index.html

The problematic linked-list here is:

// List of all SHistory objects, used for content viewer cache eviction
static LinkedList<nsSHistory> gSHistoryList;

https://searchfox.org/mozilla-central/rev/911d1ebfb02cce4ff20f7ef965def04becfee710/docshell/shistory/nsSHistory.cpp#74

As I understand it, we don't explicitly remove stuff from LinkedList; rather, entries automatically remove themselves when they're destroyed (via the ~LinkedListElement() destructor).

So this crash is really just indicating that some nsSHistory objects are being leaked or kept alive (i.e. I agree with comment 4).

In bug 1661862, I'm basically removing this assertion, but I expect whatever underlying leak is happening here will remain.
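The self-unlinking behaviour described in the comment above, as an added example that is not part of this bug report or of Firefox's LinkedList.h: a minimal intrusive list in the style of mozilla::LinkedList / LinkedListElement, where elements remove themselves in their destructor and the list's destructor complains if anything is still linked. The names Element, List, insertBack and the `report` counter are hypothetical stand-ins; in particular the real MOZ_CRASH aborts the process, and is replaced here by a counter so the outcome of each scenario can be checked.

```cpp
// Added example (not Firefox code): a minimal intrusive linked list modelled on
// mozilla::LinkedList / LinkedListElement, showing why the ~LinkedList() check
// fires when an element outlives the list. All names here are hypothetical.
#include <cstddef>
#include <cstdio>

// Stand-in for LinkedListElement<T>: the object carries its own links and
// unlinks itself when destroyed, so owners never remove elements explicitly.
class Element {
 public:
  Element() : prev_(this), next_(this) {}
  ~Element() { remove(); }  // auto-unlink, like ~LinkedListElement()
  Element(const Element&) = delete;
  Element& operator=(const Element&) = delete;

  bool isInList() const { return next_ != this; }

  void remove() {
    next_->prev_ = prev_;
    prev_->next_ = next_;
    next_ = prev_ = this;
  }

 private:
  friend class List;
  Element* prev_;
  Element* next_;
};

// Stand-in for LinkedList<T>: a sentinel node whose neighbours are the elements.
class List {
 public:
  // `report` is a hypothetical hook standing in for MOZ_CRASH: the destructor
  // records how many elements were still linked, so the check is observable.
  explicit List(size_t* report = nullptr) : report_(report) {}
  List(const List&) = delete;
  List& operator=(const List&) = delete;

  ~List() {
    size_t live = length();
    if (live != 0) {
      std::fprintf(stderr, "buggy user: %zu element(s) still linked\n", live);
      if (report_) *report_ += live;
      // Unlink survivors so they do not keep pointers into a dead sentinel.
      while (!isEmpty()) sentinel_.next_->remove();
    }
  }

  bool isEmpty() const { return !sentinel_.isInList(); }

  size_t length() const {
    size_t n = 0;
    for (const Element* e = sentinel_.next_; e != &sentinel_; e = e->next_) ++n;
    return n;
  }

  void insertBack(Element* e) {
    if (e->isInList()) e->remove();
    e->next_ = &sentinel_;
    e->prev_ = sentinel_.prev_;
    sentinel_.prev_->next_ = e;
    sentinel_.prev_ = e;
  }

 private:
  Element sentinel_;
  size_t* report_;
};

// Well-behaved owner: every element dies before the list, as nsSHistory objects
// should before the static gSHistoryList is torn down by the exit handlers.
// Returns the number of elements the list complained about (0 here).
size_t scenarioAllReleased() {
  size_t reported = 0;
  {
    List list(&reported);
    Element a, b;
    list.insertBack(&a);
    list.insertBack(&b);
    if (list.length() != 2) return 99;  // sanity check on the insert path
  }  // a and b are destroyed before list, so the list is empty in ~List()
  return reported;
}

// Leaky owner: one element is deliberately kept alive past the list's lifetime,
// the situation the shutdown crash in this bug reports. Returns 1.
size_t scenarioLeaked() {
  size_t reported = 0;
  Element* leaked = new Element();  // simulated leaked nsSHistory
  {
    List list(&reported);
    Element a;
    list.insertBack(&a);
    list.insertBack(leaked);
  }  // a unlinks itself; `leaked` is still linked when ~List() runs
  delete leaked;  // ~List() already unlinked it, so this is safe
  return reported;
}
```

Compile with any C++11 compiler and call the two scenario functions from a main: the first returns 0 and prints nothing, the second prints the "buggy user" line to stderr and returns 1. The point mirrors the comment above: nothing ever calls remove() on the list's behalf, so an element that is still linked when the list dies can only mean its owner leaked it or kept it alive past shutdown.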

