Assertion failure: !aGCThing, at src/xpcom/base/CycleCollectedJSRuntime.cpp:1531
Categories
(Core :: XPCOM, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox99 | --- | unaffected |
| firefox100 | + | fixed |
| firefox101 | + | verified |
People
(Reporter: tsmith, Assigned: saschanaz)
References
(Depends on 1 open bug, Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
|
277 bytes,
text/html
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
diannaS
:
approval-mozilla-release+
|
Details | Review |
Found while fuzzing m-c 20220406-b617178ef491 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: !aGCThing, at src/xpcom/base/CycleCollectedJSRuntime.cpp:1531
#0 0x7f828aaae9d1 in AssertNoGcThing(JS::GCCellPtr, char const*, void*) src/xpcom/base/CycleCollectedJSRuntime.cpp:1531:3
#1 0x7f828aaae8ef in mozilla::CycleCollectedJSRuntime::AssertNoObjectsToTrace(void*) src/xpcom/base/CycleCollectedJSRuntime.cpp:1537:13
#2 0x7f828aad96f0 in nsCycleCollector::CollectWhite() src/xpcom/base/nsCycleCollector.cpp:3077:21
#3 0x7f828aadb03b in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) src/xpcom/base/nsCycleCollector.cpp:3440:26
#4 0x7f828aadacdd in nsCycleCollector::ShutdownCollect() src/xpcom/base/nsCycleCollector.cpp:3351:20
#5 0x7f828aadc096 in nsCycleCollector::Shutdown(bool) src/xpcom/base/nsCycleCollector.cpp:3646:5
#6 0x7f828aadda92 in nsCycleCollector_shutdown(bool) src/xpcom/base/nsCycleCollector.cpp:3962:18
#7 0x7f828ac1afe1 in mozilla::ShutdownXPCOM(nsIServiceManager*) src/xpcom/build/XPCOMInit.cpp:721:3
#8 0x7f829195f3ac in XRE_TermEmbedding() src/toolkit/xre/nsEmbedFunctions.cpp:226:3
#9 0x7f828b7a7abe in mozilla::ipc::ScopedXREEmbed::Stop() src/ipc/glue/ScopedXREEmbed.cpp:90:5
#10 0x7f829195fa42 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:733:16
#11 0x558475a7a2f7 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#12 0x558475a7a2f7 in main src/browser/app/nsBrowserApp.cpp:327:18
#13 0x7f82a0f240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
#14 0x558475a55a7c in _start (/home/worker/builds/m-c-20220406154100-fuzzing-debug/firefox-bin+0x15a7c)
|
Reporter | |
Comment 1•3 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/tmfTJV0kYm_bQuHqQU62Gg/index.html
|
||
Comment 2•3 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220412035701-0bcad14b3c3a.
The bug appears to have been introduced in the following build range:
Start: 0d1d9fa72512cf8da0bc8c0fdd63f3fb3ff0a468 (20220322200148)
End: 39b9b2ea812745fc89d98d71c5601758d83342e1 (20220322213301)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0d1d9fa72512cf8da0bc8c0fdd63f3fb3ff0a468&tochange=39b9b2ea812745fc89d98d71c5601758d83342e1
|
|
Reporter | |
Comment 3•3 years ago
|
||
Hey Matthew do you think bug 1759597 is at fault here?
|
||
Updated•3 years ago
|
|
|
||
Comment 4•3 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220422212846-93ecd130a241.
The bug appears to have been introduced in the following build range:
Start: 0d1d9fa72512cf8da0bc8c0fdd63f3fb3ff0a468 (20220322200148)
End: 39b9b2ea812745fc89d98d71c5601758d83342e1 (20220322213301)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0d1d9fa72512cf8da0bc8c0fdd63f3fb3ff0a468&tochange=39b9b2ea812745fc89d98d71c5601758d83342e1
|
||
Updated•3 years ago
|
|
||
Comment 5•3 years ago
|
||
Given that we're in RC week for Fx100 already with WritableStreams due to ship in it, it would be good if we could get an answer Pretty Soon Now about the severity of this bug.
|
Assignee | |
Comment 7•3 years ago
•
|
||
There's another issue caught in the testcase:
let a = new AbortController()
a.abort()
let b = new File(['ó ¬a'], 'a', {})
let c = new WritableStream()
await b.stream().tee()[0].pipeTo(c, { 'signal': a.signal })
This should reject immediately but it does not 🤔
|
|
Assignee | |
Comment 8•3 years ago
|
||
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 10•3 years ago
|
||
Comment on attachment 9274133 [details]
Bug 1764222 - Use NS_IMPL_CYCLE_COLLECTION_WITH_JS_MEMBERS for piping classes r=smaug
Beta/Release Uplift Approval Request
- User impact if declined: Potential memory leak can happen when using
ReadableStream.pipeToAPI. - Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Just a corrected cycle collection macro use.
- String changes made/needed:
- Is Android affected?: Yes
|
|
||
Comment 11•3 years ago
|
||
Comment on attachment 9274133 [details]
Bug 1764222 - Use NS_IMPL_CYCLE_COLLECTION_WITH_JS_MEMBERS for piping classes r=smaug
Approved for 100.0rc2
|
|
||
Comment 12•3 years ago
|
||
| bugherder uplift | ||
|
||
Comment 13•3 years ago
|
||
| bugherder | ||
|
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
|
||
Comment 14•3 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220428214715-6d8eefa22059.
|
|
||
Comment 15•3 years ago
|
||
Jason, why does the bot keep resetting the status for Fx100? The patch was uplifted in comment 12.
|
|
||
Comment 16•3 years ago
|
||
Bugmon is confused here. It believes that FX100 is beta and can't find a commit to that branch. I've fixed this on the bugmon side and will re-enable it. It should verify FX100 once central points to 102.
Description
•