1771007 - Assertion failure: !_owningThread || _owningThread->IsCurrentThread() (WeakPtr accessed from multiple threads), at /builds/worker/workspace/obj-build/dist/include/mozilla/WeakPtr.h:194

Status: VERIFIED FIXED

(Core :: Graphics: Canvas2D, defect)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev a8d14b452547 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build a8d14b452547 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: !_owningThread || _owningThread->IsCurrentThread() (WeakPtr accessed from multiple threads), at /builds/worker/workspace/obj-build/dist/include/mozilla/WeakPtr.h:194

    ==638553==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd0d31dd620 bp 0x7ffc246d12e0 sp 0x7ffc246d12c0 T638553)
    ==638553==The signal is caused by a WRITE memory access.
    ==638553==Hint: address points to the zero page.
        #0 0x7fd0d31dd620 in AssertThreadSafety /builds/worker/workspace/obj-build/dist/include/mozilla/WeakPtr.h:194:31
        #1 0x7fd0d31dd620 in mozilla::WeakPtr<mozilla::gfx::DrawTargetWebgl::SharedContext, (mozilla::detail::WeakPtrDestructorBehavior)0>::~WeakPtr() /builds/worker/workspace/obj-build/dist/include/mozilla/WeakPtr.h:313:7
        #2 0x7fd0d31dd6a2 in ~SourceSurfaceWebgl /dom/canvas/SourceSurfaceWebgl.cpp:19:1
        #3 0x7fd0d31dd6a2 in mozilla::gfx::SourceSurfaceWebgl::~SourceSurfaceWebgl() /dom/canvas/SourceSurfaceWebgl.cpp:14:43
        #4 0x7fd0d1193348 in mozilla::SupportsThreadSafeWeakPtr<mozilla::gfx::SourceSurface>::Release() const /builds/worker/workspace/obj-build/dist/include/mozilla/ThreadSafeWeakPtr.h:179:7
        #5 0x7fd0d12b18ac in detail::ProxyReleaseEvent<mozilla::gfx::SourceSurface>::Run() /builds/worker/workspace/obj-build/dist/include/nsProxyRelease.h:37:5
        #6 0x7fd0d019e30e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:475:16
        #7 0x7fd0d0178cc3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:788:26
        #8 0x7fd0d0177873 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:620:15
        #9 0x7fd0d0177ae3 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:398:36
        #10 0x7fd0d01a1b09 in operator() /xpcom/threads/TaskController.cpp:127:37
        #11 0x7fd0d01a1b09 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #12 0x7fd0d018d56f in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1180:16
        #13 0x7fd0d0193b6d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #14 0x7fd0d4c101e8 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /dom/xhr/XMLHttpRequestMainThread.cpp:3073:29)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
        #15 0x7fd0d4c101e8 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool, mozilla::ErrorResult&) /dom/xhr/XMLHttpRequestMainThread.cpp:3072:10
        #16 0x7fd0d4c0f0ea in mozilla::dom::XMLHttpRequestMainThread::Send(mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /dom/xhr/XMLHttpRequestMainThread.cpp
        #17 0x7fd0d2bda21f in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/XMLHttpRequestBinding.cpp:1349:24
        #18 0x7fd0d31158dc in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3271:13
        #19 0x7fd0d85ab740 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:420:13
        #20 0x7fd0d85aaf4a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:507:12
        #21 0x7fd0d85a2326 in CallFromStack /js/src/vm/Interpreter.cpp:578:10
        #22 0x7fd0d85a2326 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3314:16
        #23 0x7fd0d85995c2 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:389:13
        #24 0x7fd0d85aae46 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:539:13
        #25 0x7fd0d85ac478 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:605:8
        #26 0x7fd0d7271211 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #27 0x7fd0d2ed0b30 in mozilla::dom::Function::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/FunctionBinding.cpp:50:8
        #28 0x7fd0d1c983e2 in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> >(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:71:12
        #29 0x7fd0d1c98184 in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /dom/base/TimeoutHandler.cpp:167:29
        #30 0x7fd0d1978972 in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /dom/base/nsGlobalWindowInner.cpp:6418:38
        #31 0x7fd0d1ca9f5a in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /dom/base/TimeoutManager.cpp:903:44
        #32 0x7fd0d1c95ce0 in mozilla::dom::TimeoutExecutor::MaybeExecute() /dom/base/TimeoutExecutor.cpp:179:11
        #33 0x7fd0d1c96289 in Notify /dom/base/TimeoutExecutor.cpp:246:5
        #34 0x7fd0d1c96289 in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) /dom/base/TimeoutExecutor.cpp
        #35 0x7fd0d01aff2c in operator() /xpcom/threads/nsTimerImpl.cpp:656:44
        #36 0x7fd0d01aff2c in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:656:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:657:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:660:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:661:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:309:16
        #37 0x7fd0d01aff2c in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:655:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:656:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:657:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:660:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:661:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:318:14
        #38 0x7fd0d01aff2c in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:655:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:656:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:657:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:660:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:661:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:902:12
        #39 0x7fd0d01aff2c in match<(lambda at /xpcom/threads/nsTimerImpl.cpp:655:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:656:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:657:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:660:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:661:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:857:12
        #40 0x7fd0d01aff2c in nsTimerImpl::Fire(int) /xpcom/threads/nsTimerImpl.cpp:654:22
        #41 0x7fd0d018179e in nsTimerEvent::Run() /xpcom/threads/TimerThread.cpp:263:11
        #42 0x7fd0d01a09cd in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /xpcom/threads/ThrottledEventQueue.cpp:254:22
        #43 0x7fd0d019d2b1 in mozilla::ThrottledEventQueue::Inner::Executor::Run() /xpcom/threads/ThrottledEventQueue.cpp:81:15
        #44 0x7fd0d019e30e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:475:16
        #45 0x7fd0d0178cc3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:788:26
        #46 0x7fd0d0177873 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:620:15
        #47 0x7fd0d0177ae3 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:398:36
        #48 0x7fd0d01a1b09 in operator() /xpcom/threads/TaskController.cpp:127:37
        #49 0x7fd0d01a1b09 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #50 0x7fd0d018d56f in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1180:16
        #51 0x7fd0d0193b6d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #52 0x7fd0d0d540f4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #53 0x7fd0d0c7cb97 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
        #54 0x7fd0d0c7caa2 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #55 0x7fd0d0c7caa2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #56 0x7fd0d4ea7068 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #57 0x7fd0d6feb7ab in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:874:20
        #58 0x7fd0d0d5503a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #59 0x7fd0d0c7cb97 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
        #60 0x7fd0d0c7caa2 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #61 0x7fd0d0c7caa2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #62 0x7fd0d6feadcc in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:733:34
        #63 0x55e568a66e90 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #64 0x55e568a66e90 in main /browser/app/nsBrowserApp.cpp:338:18
        #65 0x7fd0e66e8082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #66 0x55e568a3cc3c in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x15c3c) (BuildId: 84ed5f2846741362991b3c63588716ec37be5b9c)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/WeakPtr.h:194:31 in AssertThreadSafety
    ==638553==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 2

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220524214448-3d57939c6779.
The bug appears to have been introduced in the following build range:

Start: 1d31a009897964e94d43db5961ff68538d5e8ddb (20220520153703)
End: f0c4c97a8e6aa34214f287cb499321b6a0186c2f (20220520152255)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1d31a009897964e94d43db5961ff68538d5e8ddb&tochange=f0c4c97a8e6aa34214f287cb499321b6a0186c2f

Comment 3

[Jason Kratzer [:jkratzer]]

This issue is having a negative impact on our WebGL fuzzing efforts. Marking as a fuzzblocker. Please prioritize accordingly.

Comment 4

[Lee Salzman [:lsalzman]]

Attachment: Bug 1771007 - Avoid sending SourceSurfaceWebgl off-thread. r?jrmuizel

BorrowSnapshot can be called by OffScreenCanvas in various places that may send
a SourceSurfaceWebgl to the main thread. If it did not originate from the main
thread, then this can cause multiple threads to use it. In general we want to
avoid this. For now, override BorrowSnapshot and make it always force a Skia
snapshot that can be safely shared between threads instead of SourceSurfaceWebgl.

Comment 5

[BugBot [:suhaib / :marco/ :calixte]]

:lsalzman, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Comment 6

[Pulsebot]

Pushed by lsalzman@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e9b3a413f85b
Avoid sending SourceSurfaceWebgl off-thread. r=jrmuizel,gfx-reviewers

Comment 7

[Marian-Vasile Laza]

https://hg.mozilla.org/mozilla-central/rev/e9b3a413f85b

Comment 8

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220726094428-1da938652f57.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 9

[Ryan VanderMeulen [:RyanVM]]

Should we land this testcase?

Comment 10

[Lee Salzman [:lsalzman]]

Attachment: Bug 1771007 - Add testcase. r?aosmond

Comment 11

[Pulsebot]

Pushed by lsalzman@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/261c4baf7f30
Add testcase. r=aosmond

Comment 12

[Atila Butkovits]

https://hg.mozilla.org/mozilla-central/rev/261c4baf7f30

Comment 13

[BugBot [:suhaib / :marco/ :calixte]]

A patch has been attached on this bug, which was already closed. Filing a separate bug will ensure better tracking. If this was not by mistake and further action is needed, please alert the appropriate party. (Or: if the patch doesn't change behavior -- e.g. landing a test case, or fixing a typo -- then feel free to disregard this message)