Open Bug 1783472 Opened 3 years ago Updated 11 months ago

Assertion failure: !mRawPtr, at /builds/worker/workspace/obj-build/dist/include/mozilla/AlreadyAddRefed.h:133

Categories

(Core :: Graphics: ImageLib, defect, P3)

Tracking Status
firefox-esr115 --- affected
firefox105 --- wontfix
firefox124 --- wontfix
firefox125 --- affected
firefox126 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion)

Found while fuzzing m-c 20220730-ff7fc1a977e2 (--enable-debug --enable-fuzzing)

A reliable test case is not available but a Pernosco session is available here: https://pernos.co/debug/sF8LS2biFfJtKpVpQvHM8g/index.html

Assertion failure: !mRawPtr, at /builds/worker/workspace/obj-build/dist/include/mozilla/AlreadyAddRefed.h:133

#0 0x7ff28576d90b in ~already_AddRefed /builds/worker/workspace/obj-build/dist/include/mozilla/AlreadyAddRefed.h:133:5
#1 0x7ff28576d90b in DropImageReference /builds/worker/checkouts/gecko/image/DecodedSurfaceProvider.cpp:48:3
#2 0x7ff28576d90b in mozilla::image::DecodedSurfaceProvider::FinishDecoding() /builds/worker/checkouts/gecko/image/DecodedSurfaceProvider.cpp:202:3
#3 0x7ff28576cf41 in mozilla::image::DecodedSurfaceProvider::Run() /builds/worker/checkouts/gecko/image/DecodedSurfaceProvider.cpp:131:5
#4 0x7ff2857843c3 in mozilla::image::DecodingTask::Run() /builds/worker/checkouts/gecko/image/DecodePool.cpp:146:12
#5 0x7ff28416e007 in mozilla::TaskController::RunPoolThread() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:327:33
#6 0x7ff29adaf557 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#7 0x7ff29bb29608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
#8 0x7ff29b6f0132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

I've already debugged this in an intermittent. We can only release images on the main thread, so we try to dispatch a task to the main thread to do that, but it's too late in shutdown and the thread tools necessary to dispatch a task to the main thread have already been shut down. We hit this https://searchfox.org/mozilla-central/rev/8e2e05ea9683480d2258624fe217a9ab40bf3abf/image/SurfaceCache.cpp#1936 . Not much more we can do in this situation.
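A simplified model of the failure mode described in the comment above, as an added example that is not Gecko code and not part of the original bug: an ownership-transfer handle that must be emptied before destruction is handed to a main-thread release proxy that can no longer dispatch. `Handoff`, `ReleaseOnMainThread`, `ModelFinishDecoding` and the globals are hypothetical names; a counter stands in for the debug assertion, and the `aLeakOnFailure` path (emptying the handle and deliberately leaking) is this example's assumption about how such an invariant can be kept.

```cpp
#include <cstdio>

struct Image { bool released = false; };  // stand-in for a main-thread-only object

static int gAssertionsHit = 0;  // each count is a would-be "Assertion failure: !mRawPtr"
static bool gMainThreadAcceptsTasks = true;  // false models late shutdown
static Image* gMainThreadQueue = nullptr;    // one-slot model of the main-thread queue

// Ownership-transfer handle: whoever receives it must empty it via take().
class Handoff {
 public:
  explicit Handoff(Image* aPtr) : mRawPtr(aPtr) {}
  Handoff(Handoff&& aOther) : mRawPtr(aOther.take()) {}
  Handoff(const Handoff&) = delete;
  ~Handoff() { if (mRawPtr) { ++gAssertionsHit; } }  // a debug build asserts here
  Image* take() { Image* p = mRawPtr; mRawPtr = nullptr; return p; }
 private:
  Image* mRawPtr;
};

// Proxy the release to the main thread. With aLeakOnFailure the failure path
// empties the handle and deliberately leaks the object instead of dropping it.
bool ReleaseOnMainThread(Handoff aImage, bool aLeakOnFailure) {
  if (!gMainThreadAcceptsTasks) {
    if (aLeakOnFailure) { (void)aImage.take(); }
    return false;  // without take(), ~Handoff runs with mRawPtr still set
  }
  gMainThreadQueue = aImage.take();
  return true;
}

// Models an off-main-thread decode finishing; returns how many assertions would fire.
int ModelFinishDecoding(bool aLateShutdown, bool aLeakOnFailure) {
  gAssertionsHit = 0;
  gMainThreadAcceptsTasks = !aLateShutdown;
  gMainThreadQueue = nullptr;
  Image image;
  ReleaseOnMainThread(Handoff(&image), aLeakOnFailure);
  if (gMainThreadQueue) { gMainThreadQueue->released = true; }  // main thread runs the task
  return gAssertionsHit;
}

int main() {
  std::printf("normal: %d, late shutdown: %d, late shutdown + leak: %d\n",
              ModelFinishDecoding(false, false), ModelFinishDecoding(true, false),
              ModelFinishDecoding(true, true));
  return 0;
}
```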

Crash on shutdown.

Severity: -- → S4
Priority: -- → P3

This has been reported by live site testing.
