1765178 - Assertion failure: Request::mDisconnected, at /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:524

Status: NEW

(Core :: Audio/Video: Playback, defect)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev 0d591d3bc997 (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 0d591d3bc997 --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip --no-harness

Assertion failure: Request::mDisconnected, at /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:524

    =================================================================
    ==3923449==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f7eb724ae91 bp 0x7f7ea12b7bf0 sp 0x7f7ea12b7be0 T7)
    ==3923449==The signal is caused by a WRITE memory access.
    ==3923449==Hint: address points to the zero page.
        #0 0x7f7eb724ae91 in mozilla::MozPromise<bool, mozilla::MediaResult, true>::ThenValueBase::AssertIsDead() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:524:9
        #1 0x7f7eb76014b6 in mozilla::MozPromise<bool, mozilla::MediaResult, true>::AssertIsDead() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1115:13
        #2 0x7f7eb76a04e6 in mozilla::MozPromise<RefPtr<mozilla::MediaDataDecoder>, mozilla::MediaResult, true>::AssertIsDead() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1115:13
        #3 0x7f7eb2480a56 in mozilla::MozPromise<bool, nsresult, false>::AssertIsDead() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1115:13
        #4 0x7f7eb247b96a in mozilla::MozPromise<bool, nsresult, false>::ThenValueBase::ResolveOrRejectRunnable::~ResolveOrRejectRunnable() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:481:23
        #5 0x7f7eb247bb88 in mozilla::MozPromise<bool, nsresult, false>::ThenValueBase::ResolveOrRejectRunnable::~ResolveOrRejectRunnable() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:479:34
        #6 0x7f7eb15733a5 in Release /xpcom/threads/nsThreadUtils.cpp:61:1
        #7 0x7f7eb15733a5 in Release /xpcom/threads/nsThreadUtils.cpp:83:1
        #8 0x7f7eb15733a5 in mozilla::CancelableRunnable::Release() /xpcom/threads/nsThreadUtils.cpp:86:1
        #9 0x7f7eb157895d in ~nsCOMPtr_base /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:328:7
        #10 0x7f7eb157895d in mozilla::TaskQueue::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/workspace/obj-build/dist/include/mozilla/TaskQueue.h:73:3
        #11 0x7f7eb247a761 in mozilla::MozPromise<bool, nsresult, false>::ThenValueBase::Dispatch(mozilla::MozPromise<bool, nsresult, false>*) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:577:24
        #12 0x7f7eb2479aa9 in mozilla::MozPromise<bool, nsresult, false>::DispatchAll() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1137:18
        #13 0x7f7eb247cbbd in void mozilla::MozPromise<bool, nsresult, false>::Private::Resolve<bool const&>(bool const&, char const*) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1221:5
        #14 0x7f7eb2479be9 in mozilla::MozPromise<bool, nsresult, false>::DispatchAll() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1142:7
        #15 0x7f7eb247cbbd in void mozilla::MozPromise<bool, nsresult, false>::Private::Resolve<bool const&>(bool const&, char const*) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1221:5
        #16 0x7f7eb2d79651 in mozilla::MozPromise<bool, nsresult, false>::ChainTo(already_AddRefed<mozilla::MozPromise<bool, nsresult, false>::Private>, char const*) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1077:7
        #17 0x7f7eb7a1eb7a in InvokeCallbackMethod<true, (lambda at /dom/media/ipc/RemoteDecoderManagerChild.cpp:418:13), RefPtr<mozilla::MozPromise<bool, nsresult, false> > ((lambda at /dom/media/ipc/RemoteDecoderManagerChild.cpp:418:13)::*)(mozilla::MozPromise<mozilla::Tuple<nsresult, mozilla::ipc::Endpoint<mozilla::PRemoteDecoderManagerChild> >, mozilla::ipc::ResponseRejectReason, true>::ResolveOrRejectValue &&) const, mozilla::MozPromise<mozilla::Tuple<nsresult, mozilla::ipc::Endpoint<mozilla::PRemoteDecoderManagerChild> >, mozilla::ipc::ResponseRejectReason, true>::ResolveOrRejectValue, RefPtr<mozilla::MozPromise<bool, nsresult, false>::Private> > /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:648:10
        #18 0x7f7eb7a1eb7a in mozilla::MozPromise<mozilla::Tuple<nsresult, mozilla::ipc::Endpoint<mozilla::PRemoteDecoderManagerChild> >, mozilla::ipc::ResponseRejectReason, true>::ThenValue<mozilla::RemoteDecoderManagerChild::LaunchRDDProcessIfNeeded()::$_6::operator()() const::'lambda'(mozilla::MozPromise<mozilla::Tuple<nsresult, mozilla::ipc::Endpoint<mozilla::PRemoteDecoderManagerChild> >, mozilla::ipc::ResponseRejectReason, true>::ResolveOrRejectValue&&)>::DoResolveOrRejectInternal(mozilla::MozPromise<mozilla::Tuple<nsresult, mozilla::ipc::Endpoint<mozilla::PRemoteDecoderManagerChild> >, mozilla::ipc::ResponseRejectReason, true>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:914:7
        #19 0x7f7eb2dbc60e in mozilla::MozPromise<mozilla::Tuple<nsresult, mozilla::ipc::Endpoint<mozilla::PRemoteDecoderManagerChild> >, mozilla::ipc::ResponseRejectReason, true>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:487:21
        #20 0x7f7eb154676b in mozilla::SimpleTaskQueue::DrainTasks() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:44:10
        #21 0x7f7eb1563132 in nsThread::DrainDirectTasks() /xpcom/threads/nsThread.cpp:1384:16
        #22 0x7f7eb1561543 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1202:3
        #23 0x7f7eb156b13c in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #24 0x7f7eb2c7da31 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:330:5
        #25 0x7f7eb2af6121 in RunInternal /ipc/chromium/src/base/message_loop.cc:380:10
        #26 0x7f7eb2af6121 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #27 0x7f7eb2af6121 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #28 0x7f7eb1559887 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:378:10
        #29 0x7f7ed470d02e in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #30 0x7f7ed6824608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8
        #31 0x7f7ed63eb162 in __clone /build/glibc-sMfBJT/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:524:9 in mozilla::MozPromise<bool, mozilla::MediaResult, true>::ThenValueBase::AssertIsDead()
    Thread T7 (RemVidChild) created by T0 (Isolated Web Co) here:
        #0 0x5584099a023c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:207:3
        #1 0x7f7ed46fd0b4 in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:458:14
        #2 0x7f7ed46ee35e in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:533:12
        #3 0x7f7eb155cb05 in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:604:18
        #4 0x7f7eb1568f5f in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /xpcom/threads/nsThreadManager.cpp:531:12
        #5 0x7f7eb1574c31 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /xpcom/threads/nsThreadUtils.cpp:161:57
        #6 0x7f7eb7a10da2 in NS_NewNamedThread<12UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74:10
        #7 0x7f7eb7a10da2 in mozilla::RemoteDecoderManagerChild::Init() /dom/media/ipc/RemoteDecoderManagerChild.cpp:95:19
        #8 0x7f7eb8ba1927 in mozilla::dom::ContentChild::InitXPCOM(mozilla::dom::XPCOMInitData&&, mozilla::dom::ipc::StructuredCloneData const&, bool) /dom/ipc/ContentChild.cpp:1423:3
        #9 0x7f7eb8ba08cb in mozilla::dom::ContentChild::RecvSetXPCOMProcessAttributes(mozilla::dom::XPCOMInitData&&, mozilla::dom::ipc::StructuredCloneData const&, mozilla::widget::FullLookAndFeel&&, mozilla::dom::SystemFontList&&, mozilla::Maybe<mozilla::UniquePtr<int, mozilla::detail::FileHandleDeleter> >&&, unsigned long const&, nsTArray<mozilla::UniquePtr<int, mozilla::detail::FileHandleDeleter> >&&, bool const&) /dom/ipc/ContentChild.cpp:690:3
        #10 0x7f7eb8e681a4 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:11781:56
        #11 0x7f7eb2c74a69 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1707:25
        #12 0x7f7eb2c72562 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message&&) /ipc/glue/MessageChannel.cpp:1632:9
        #13 0x7f7eb2c73b21 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1528:14
        #14 0x7f7eb157aa52 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:467:16
        #15 0x7f7eb154105d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:780:26
        #16 0x7f7eb153e558 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:612:15
        #17 0x7f7eb153ec89 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:390:36
        #18 0x7f7eb1587661 in operator() /xpcom/threads/TaskController.cpp:124:37
        #19 0x7f7eb1587661 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #20 0x7f7eb15613d7 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1180:16
        #21 0x7f7eb156b13c in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #22 0x7f7eb2c7c13f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #23 0x7f7eb2af6121 in RunInternal /ipc/chromium/src/base/message_loop.cc:380:10
        #24 0x7f7eb2af6121 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #25 0x7f7eb2af6121 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #26 0x7f7eb997e127 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #27 0x7f7ebe81c64f in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:870:20
        #28 0x7f7eb2af6121 in RunInternal /ipc/chromium/src/base/message_loop.cc:380:10
        #29 0x7f7eb2af6121 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #30 0x7f7eb2af6121 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #31 0x7f7ebe81b873 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:729:34
        #32 0x5584099ea47d in content_process_main(mozilla::Bootstrap*, int, char**) /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #33 0x5584099ea8b0 in main /browser/app/nsBrowserApp.cpp:327:18
        #34 0x7f7ed62f00b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    ==3923449==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 2

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220418213528-a1be0e0a7515.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: a916ade0ae2974b91b8ffc318272e82cb2c3b4b7 (20210420095122)
End: 0d591d3bc99786bdb3cb057203a3831110d00800 (20220418091627)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Comment 3

[Karl Tomlinson (:karlt)]

Switching from .wav to .mp4 with vp09 and mp4a.
Canvas use in testcase looks independent.
On "RemVidChild" thread.

Looks like a runnable for MozPromise chaining after a Then() handler attached to a PBackgroundChild::SendEnsureRDDProcessAndCreateBridge() promise is being dispatched to a TaskQueue that has shut down.

I'm finding it difficult to identify the precise task queue involved from the stack. I expect its not RemoteDecoderManagerChild::GetManagerThread() because that is running the task. Perhaps it is the event target on which RemoteDecoderManagerChild::LaunchRDDProcessIfNeeded() was invoked.

Comment 4

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220418091627-0d591d3bc997) but not with tip (mozilla-central 20220506222931-d6ef5a49cd7d.)
Unable to bisect testcase (Start build didn't crash!):

Start: 0d591d3bc99786bdb3cb057203a3831110d00800 (20220418091627)
End: d6ef5a49cd7d213f4381d7ab3e02e9f1bde81a1d (20220506222931)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 5

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/HN7HU92MQ-Fk3k3c4S1ERA/index.html