1764222 - Assertion failure: !aGCThing, at src/xpcom/base/CycleCollectedJSRuntime.cpp:1531

Status: VERIFIED FIXED

(Core :: XPCOM, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20220406-b617178ef491 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: !aGCThing, at src/xpcom/base/CycleCollectedJSRuntime.cpp:1531

#0 0x7f828aaae9d1 in AssertNoGcThing(JS::GCCellPtr, char const*, void*) src/xpcom/base/CycleCollectedJSRuntime.cpp:1531:3
#1 0x7f828aaae8ef in mozilla::CycleCollectedJSRuntime::AssertNoObjectsToTrace(void*) src/xpcom/base/CycleCollectedJSRuntime.cpp:1537:13
#2 0x7f828aad96f0 in nsCycleCollector::CollectWhite() src/xpcom/base/nsCycleCollector.cpp:3077:21
#3 0x7f828aadb03b in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) src/xpcom/base/nsCycleCollector.cpp:3440:26
#4 0x7f828aadacdd in nsCycleCollector::ShutdownCollect() src/xpcom/base/nsCycleCollector.cpp:3351:20
#5 0x7f828aadc096 in nsCycleCollector::Shutdown(bool) src/xpcom/base/nsCycleCollector.cpp:3646:5
#6 0x7f828aadda92 in nsCycleCollector_shutdown(bool) src/xpcom/base/nsCycleCollector.cpp:3962:18
#7 0x7f828ac1afe1 in mozilla::ShutdownXPCOM(nsIServiceManager*) src/xpcom/build/XPCOMInit.cpp:721:3
#8 0x7f829195f3ac in XRE_TermEmbedding() src/toolkit/xre/nsEmbedFunctions.cpp:226:3
#9 0x7f828b7a7abe in mozilla::ipc::ScopedXREEmbed::Stop() src/ipc/glue/ScopedXREEmbed.cpp:90:5
#10 0x7f829195fa42 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:733:16
#11 0x558475a7a2f7 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#12 0x558475a7a2f7 in main src/browser/app/nsBrowserApp.cpp:327:18
#13 0x7f82a0f240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
#14 0x558475a55a7c in _start (/home/worker/builds/m-c-20220406154100-fuzzing-debug/firefox-bin+0x15a7c)

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/tmfTJV0kYm_bQuHqQU62Gg/index.html

Comment 2

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220412035701-0bcad14b3c3a.
The bug appears to have been introduced in the following build range:

Start: 0d1d9fa72512cf8da0bc8c0fdd63f3fb3ff0a468 (20220322200148)
End: 39b9b2ea812745fc89d98d71c5601758d83342e1 (20220322213301)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0d1d9fa72512cf8da0bc8c0fdd63f3fb3ff0a468&tochange=39b9b2ea812745fc89d98d71c5601758d83342e1

Comment 3

[Tyson Smith [:tsmith]]

Hey Matthew do you think bug 1759597 is at fault here?

Comment 4

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220422212846-93ecd130a241.
The bug appears to have been introduced in the following build range:

Start: 0d1d9fa72512cf8da0bc8c0fdd63f3fb3ff0a468 (20220322200148)
End: 39b9b2ea812745fc89d98d71c5601758d83342e1 (20220322213301)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0d1d9fa72512cf8da0bc8c0fdd63f3fb3ff0a468&tochange=39b9b2ea812745fc89d98d71c5601758d83342e1

Comment 5

[Ryan VanderMeulen [:RyanVM]]

Given that we're in RC week for Fx100 already with WritableStreams due to ship in it, it would be good if we could get an answer Pretty Soon Now about the severity of this bug.

Comment 6

[Kagami Rosylight [:saschanaz] (they/them)]

Matthew is off this week.

Comment 7

[Kagami Rosylight [:saschanaz] (they/them)]

There's another issue caught in the testcase:

let a = new AbortController()
a.abort()
let b = new File(['ó ¬—a'], 'a', {})
let c = new WritableStream()
await b.stream().tee()[0].pipeTo(c, { 'signal': a.signal })

This should reject immediately but it does not 🤔

Comment 8

[Kagami Rosylight [:saschanaz] (they/them)]

Attachment: Bug 1764222 - Use NS_IMPL_CYCLE_COLLECTION_WITH_JS_MEMBERS for piping classes r=smaug

Comment 9

[Pulsebot]

Pushed by krosylight@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/43da2bfe6c43
Use NS_IMPL_CYCLE_COLLECTION_WITH_JS_MEMBERS for piping classes r=smaug

Comment 10

[Kagami Rosylight [:saschanaz] (they/them)]

Comment on attachment 9274133 [details]
Bug 1764222 - Use NS_IMPL_CYCLE_COLLECTION_WITH_JS_MEMBERS for piping classes r=smaug

Beta/Release Uplift Approval Request

• User impact if declined: Potential memory leak can happen when using ReadableStream.pipeTo API.
• Is this code covered by automated tests?: Yes
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): Just a corrected cycle collection macro use.
• String changes made/needed:
• Is Android affected?: Yes

Comment 11

[Dianna Smith [:diannaS]]

Comment on attachment 9274133 [details]
Bug 1764222 - Use NS_IMPL_CYCLE_COLLECTION_WITH_JS_MEMBERS for piping classes r=smaug

Approved for 100.0rc2

Comment 12

[Dianna Smith [:diannaS]]

https://hg.mozilla.org/releases/mozilla-release/rev/1c7f7adc90e2

Comment 13

[Norisz Fay [:noriszfay]]

https://hg.mozilla.org/mozilla-central/rev/43da2bfe6c43

Comment 14

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220428214715-6d8eefa22059.

Comment 15

[Ryan VanderMeulen [:RyanVM]]

Jason, why does the bot keep resetting the status for Fx100? The patch was uplifted in comment 12.

Comment 16

[Jason Kratzer [:jkratzer]]

Bugmon is confused here. It believes that FX100 is beta and can't find a commit to that branch. I've fixed this on the bugmon side and will re-enable it. It should verify FX100 once central points to 102.