Assertion failure: !aGCThing, at src/xpcom/base/CycleCollectedJSRuntime.cpp:1529
Categories
(Core :: WebRTC, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox-esr102 | --- | fixed |
| firefox100 | --- | unaffected |
| firefox101 | --- | unaffected |
| firefox102 | --- | wontfix |
| firefox103 | --- | verified |
People
(Reporter: tsmith, Assigned: mccr8)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
|
237 bytes,
text/html
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-esr102+
|
Details | Review |
Found while fuzzing m-c 20220515-338c1afa1635 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: !aGCThing, at src/xpcom/base/CycleCollectedJSRuntime.cpp:1529
#0 0x7f060f56f561 in AssertNoGcThing(JS::GCCellPtr, char const*, void*) src/xpcom/base/CycleCollectedJSRuntime.cpp:1529:3
#1 0x7f060f56f47f in mozilla::CycleCollectedJSRuntime::AssertNoObjectsToTrace(void*) src/xpcom/base/CycleCollectedJSRuntime.cpp:1535:13
#2 0x7f060f59584f in nsCycleCollector::CollectWhite() src/xpcom/base/nsCycleCollector.cpp:3077:21
#3 0x7f060f5970eb in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) src/xpcom/base/nsCycleCollector.cpp:3440:26
#4 0x7f060f596ddd in nsCycleCollector::ShutdownCollect() src/xpcom/base/nsCycleCollector.cpp:3351:20
#5 0x7f060f5980d6 in nsCycleCollector::Shutdown(bool) src/xpcom/base/nsCycleCollector.cpp:3646:5
#6 0x7f060f599af2 in nsCycleCollector_shutdown(bool) src/xpcom/base/nsCycleCollector.cpp:3962:18
#7 0x7f060f6d0b13 in mozilla::ShutdownXPCOM(nsIServiceManager*) src/xpcom/build/XPCOMInit.cpp:712:3
#8 0x7f06164c71fc in XRE_TermEmbedding() src/toolkit/xre/nsEmbedFunctions.cpp:223:3
#9 0x7f061027248e in mozilla::ipc::ScopedXREEmbed::Stop() src/ipc/glue/ScopedXREEmbed.cpp:90:5
#10 0x7f06164c7895 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:737:16
#11 0x555b84755e90 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#12 0x555b84755e90 in main src/browser/app/nsBrowserApp.cpp:329:18
#13 0x7f0625b8a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#14 0x555b8472bc3c in _start (/home/worker/builds/m-c-20220515094927-fuzzing-debug/firefox-bin+0x15c3c) (BuildId: a3c3f38575613f8bfa5bd34a05d62cc5a64c66fd)
|
Reporter | |
Comment 1•2 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/u1oP9EfGHG7Dl7eu8bQ0Bw/index.html
|
||
Comment 2•2 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220518214245-11b3a2e731a9.
The bug appears to have been introduced in the following build range:
Start: 5492a8c99f4aeae1b9bbc4024fb03e97a42809f6 (20220509141323)
End: 1b2d1b77ad1554cc67079059a381201bffbc55fd (20220509153556)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5492a8c99f4aeae1b9bbc4024fb03e97a42809f6&tochange=1b2d1b77ad1554cc67079059a381201bffbc55fd
|
||
Comment 3•2 years ago
|
||
Byron, it looks like this may have been regressed by Bug 1586109. Do you mind having a look?
|
||
Comment 4•2 years ago
|
||
Set release status flags based on info from the regressing bug 1586109
|
|
||
Updated•2 years ago
|
|
|
||
Comment 5•2 years ago
|
||
Set release status flags based on info from the regressing bug 1586109
| Comment hidden (Intermittent Failures Robot) |
|
||
Comment 7•2 years ago
|
||
I have no idea what this assertion is meant to check...
|
Assignee | |
Comment 8•2 years ago
|
||
This means that a cycle collected thing needs to not contain any JS pointers (looking by calling the Trace method) after it is unlinked.
|
|
Assignee | |
Comment 9•2 years ago
|
||
I haven't looked through everything, but it looks like RTCRtpTransceiver is missing a call to NS_IMPL_CYCLE_COLLECTION_UNLINK_PRESERVED_WRAPPER
|
|
Assignee | |
Comment 10•2 years ago
|
||
You should also be able to double check what the class is that is hitting the assert by figuring out what pinfo->mParticipant is in CollectWhite, in a debugger. I started the Pernosco trace up so hopefully that will be available at some point.
|
||
Updated•2 years ago
|
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 11•2 years ago
|
||
|
||
Comment 12•2 years ago
|
||
Pushed by amccreight@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/79ce93d0a0aa Unlink preserved wrapper in RTCRtpTransceiver. r=bwc
|
||
Comment 13•2 years ago
|
||
| bugherder | ||
|
|
||
Comment 14•2 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220619215938-31a47343b91e.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 15•2 years ago
|
||
Comment on attachment 9281874 [details]
Bug 1770075 - Unlink preserved wrapper in RTCRtpTransceiver.
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: I'm not really sure what the implications of this are, but it seems simple enough that we should probably just uplift it.
- User impact if declined: I'm not sure. Maybe crashes, maybe nothing.
- Fix Landed on Version: 103
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): It just clears a field when an object is in the process of being destroyed.
|
|
||
Comment 16•2 years ago
|
||
Comment on attachment 9281874 [details]
Bug 1770075 - Unlink preserved wrapper in RTCRtpTransceiver.
Approved for 102.1esr.
|
|
||
Comment 17•2 years ago
|
||
| bugherder uplift | ||
Description
•