Closed Bug 1785921 Opened 7 months ago Closed 7 months ago

Assertion failure: mType == eType_Document, at /builds/worker/checkouts/gecko/dom/base/nsObjectLoadingContent.cpp:2412

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
106 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox104 --- unaffected
firefox105 --- wontfix
firefox106 --- verified

People

(Reporter: tsmith, Assigned: sefeng)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed][fuzzblocker])

Attachments

(2 files, 1 obsolete file)

testcase.html
1.24 KB, text/html
Details
Bug 1785921 - Update an assertion in nsObjectLoadingContent r=smaug
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html (obsolete) —

Found while fuzzing m-c 20220817-7fd0b1b3fc98 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: mType == eType_Document, at /builds/worker/checkouts/gecko/dom/base/nsObjectLoadingContent.cpp:2412

#0 0x7f8803a99555 in nsObjectLoadingContent::SubdocumentImageLoadComplete(nsresult) /builds/worker/checkouts/gecko/dom/base/nsObjectLoadingContent.cpp:2412:3
#1 0x7f8805a08e29 in operator() /builds/worker/checkouts/gecko/dom/html/ImageDocument.cpp:760:21
#2 0x7f8805a08e29 in mozilla::detail::RunnableFunction<mozilla::dom::ImageDocument::MaybeSendResultToEmbedder(nsresult)::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#3 0x7f88022162ee in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
#4 0x7f88021ee999 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
#5 0x7f88021ed523 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
#6 0x7f88021ed793 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
#7 0x7f8802219b46 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
#8 0x7f8802219b46 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#9 0x7f880220345f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1205:16
#10 0x7f8802209a6d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#11 0x7f8802de2476 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#12 0x7f8802d07b57 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#13 0x7f8802d07a62 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#14 0x7f8802d07a62 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#15 0x7f8806fff218 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#16 0x7f88091209bb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:893:20
#17 0x7f8802de336a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#18 0x7f8802d07b57 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#19 0x7f8802d07a62 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#20 0x7f8802d07a62 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#21 0x7f880911fed3 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:752:34
#22 0x557dcbe4f429 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#23 0x557dcbe4f429 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:362:18
#24 0x7f8818a39082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#25 0x557dcbe251cc in _start (/home/worker/builds/m-c-20220817091029-fuzzing-debug/firefox-bin+0x161cc) (BuildId: 24924bf7cdf890c63b2014e54a359f09737ed2ad)
Flags: in-testsuite?
Attached file testcase.html

A more reliable test case.

Attachment #9290538 - Attachment is obsolete: true

A Pernosco session is available here: https://pernos.co/debug/z9sxCJb5_CqOaWGI8_zPzg/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220818232425-6502583dede7.
The bug appears to have been introduced in the following build range:

Start: 14afe11d8d4ad1b4ed9e736aebd492fe636fccec (20220816144443)
End: d45bfb8869b2b4b584e68938f725cbd7af2b0e05 (20220816165133)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=14afe11d8d4ad1b4ed9e736aebd492fe636fccec&tochange=d45bfb8869b2b4b584e68938f725cbd7af2b0e05

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

I'll take a look

Severity: -- → S3
Flags: needinfo?(sefeng)

Set release status flags based on info from the regressing bug 1595491

status-firefox106: --- → affected

This issue is hit frequently by the DOM fuzzers, marking as fuzzblocker.

Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][fuzzblocker]

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:hsinyi, could you increase the severity?

For more information, please visit auto_nag documentation.

Flags: needinfo?(htsai)

SubdocumentImageLoadedComplete is only being used with image
documents, so there's an assertion in it to assert the type
is eType_Document. However, in addition to document type, the type
could also be eType_Loading if the object has been unloaded before
SubdocumentImageLoadedComplete runs.

So we update the assertion accordingly.

Assignee: nobody → sefeng
Status: NEW → ASSIGNED
Flags: needinfo?(sefeng)
Flags: needinfo?(htsai)
Pushed by sefeng@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9adfb44793c2
Update an assertion in nsObjectLoadingContent r=smaug

https://hg.mozilla.org/mozilla-central/rev/9adfb44793c2

Status: ASSIGNED → RESOLVED
Closed: 7 months ago
status-firefox106: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch
See Also: → 1789489

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220830210405-ecb328de1aaf.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox106: fixedverified
Keywords: bugmon
Regressions: 1789489
You need to log in before you can comment on or make changes to this bug.