1786395 - Assertion failure: retainedBytes_ >= nbytes, at /builds/worker/checkouts/gecko/js/src/gc/Scheduling.h:769

Status: NEW

(Core :: JavaScript: GC, defect, P2)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20220820-b1f99e866232 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: retainedBytes_ >= nbytes, at /builds/worker/checkouts/gecko/js/src/gc/Scheduling.h:769

#0 0x7f88f315b34b in removeBytes /builds/worker/checkouts/gecko/js/src/gc/Scheduling.h:769:7
#1 0x7f88f315b34b in js::ZoneAllocator::removeCellMemory(js::gc::Cell*, unsigned long, js::MemoryUse, bool) /builds/worker/checkouts/gecko/js/src/gc/ZoneAllocator.h:88:20
#2 0x7f88ee5c2912 in mozilla::dom::CanvasRenderingContext2D_Binding::_finalize(JS::GCContext*, JSObject*) /builds/worker/workspace/obj-build/dom/bindings/CanvasRenderingContext2DBinding.cpp:7390:7
#3 0x7f88f3aedad8 in doFinalize /builds/worker/workspace/obj-build/dist/include/js/Class.h:649:5
#4 0x7f88f3aedad8 in JSObject::finalize(JS::GCContext*) /builds/worker/checkouts/gecko/js/src/vm/JSObject-inl.h:101:12
#5 0x7f88f3aed0de in unsigned long js::gc::Arena::finalize<JSObject>(JS::GCContext*, js::gc::AllocKind, unsigned long) /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:130:10
#6 0x7f88f3aecc77 in bool FinalizeTypedArenas<JSObject>(JS::GCContext*, js::gc::ArenaList&, js::gc::SortedArenaList&, js::gc::AllocKind, js::SliceBudget&) /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:196:29
#7 0x7f88f3ae86c7 in js::gc::GCRuntime::foregroundFinalize(JS::GCContext*, JS::Zone*, js::gc::AllocKind, js::SliceBudget&, js::gc::SortedArenaList&) /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:1697:8
#8 0x7f88f3ae96c5 in js::gc::GCRuntime::finalizeAllocKind(JS::GCContext*, js::SliceBudget&) /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:1898:8
#9 0x7f88f3afc0b5 in sweepaction::SweepActionForEach<ContainerIter<mozilla::EnumSet<js::gc::AllocKind, unsigned long> >, mozilla::EnumSet<js::gc::AllocKind, unsigned long> >::run(js::gc::SweepAction::Args&) /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:2124:19
#10 0x7f88f3b04c80 in sweepaction::SweepActionSequence::run(js::gc::SweepAction::Args&) /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:2089:23
#11 0x7f88f3afbb80 in sweepaction::SweepActionForEach<js::gc::SweepGroupZonesIter, JSRuntime*>::run(js::gc::SweepAction::Args&) /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:2124:19
#12 0x7f88f3b04c80 in sweepaction::SweepActionSequence::run(js::gc::SweepAction::Args&) /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:2089:23
#13 0x7f88f3afb518 in sweepaction::SweepActionForEach<js::gc::SweepGroupsIter, JSRuntime*>::run(js::gc::SweepAction::Args&) /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:2124:19
#14 0x7f88f3aeae36 in js::gc::GCRuntime::performSweepActions(js::SliceBudget&) /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:2261:53
#15 0x7f88f3a5b993 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, JS::GCReason, bool) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:3315:11
#16 0x7f88f3a5f38a in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, JS::GCReason) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:3819:3
#17 0x7f88f3a60655 in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, JS::GCReason) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:4007:9
#18 0x7f88f3a4f2a0 in gcSlice /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:4107:3
#19 0x7f88f3a4f2a0 in js::gc::GCRuntime::gcIfRequestedImpl(bool) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:4284:5
#20 0x7f88f3a30aeb in gcIfRequested /builds/worker/checkouts/gecko/js/src/gc/GCRuntime.h:346:33
#21 0x7f88f3a30aeb in gcIfNeededAtAllocation /builds/worker/checkouts/gecko/js/src/gc/Allocator.cpp:447:5
#22 0x7f88f3a30aeb in bool js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1>(JSContext*, js::gc::AllocKind) /builds/worker/checkouts/gecko/js/src/gc/Allocator.cpp:404:10
#23 0x7f88f3a308e7 in JSObject* js::AllocateObject<(js::AllowGC)1>(JSContext*, js::gc::AllocKind, unsigned long, js::gc::InitialHeap, JSClass const*, js::gc::AllocSite*) /builds/worker/checkouts/gecko/js/src/gc/Allocator.cpp:69:15
#24 0x7f88f3427381 in js::ProxyObject::New(JSContext*, js::BaseProxyHandler const*, JS::Handle<JS::Value>, js::TaggedProto, JSClass const*) /builds/worker/checkouts/gecko/js/src/vm/ProxyObject.cpp:122:7
#25 0x7f88f36c8fab in js::NewProxyObject(JSContext*, js::BaseProxyHandler const*, JS::Handle<JS::Value>, JSObject*, js::ProxyOptions const&) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:973:10
#26 0x7f88ecdd81e6 in mozilla::loader::CreateJSMEnvironmentProxy(JSContext*, JS::Handle<JSObject*>) /builds/worker/checkouts/gecko/js/xpconnect/loader/JSMEnvironmentProxy.cpp:255:10
#27 0x7f88ecdcc1e5 in mozJSModuleLoader::Import(JSContext*, nsTSubstring<char> const&, JS::MutableHandle<JSObject*>, JS::MutableHandle<JSObject*>, bool) /builds/worker/checkouts/gecko/js/xpconnect/loader/mozJSModuleLoader.cpp:1489:19
#28 0x7f88f0981294 in mozilla::dom::JSActorManager::GetActor(JSContext*, nsTSubstring<char> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/ipc/jsactor/JSActorManager.cpp:73:21
#29 0x7f88f07a3929 in mozilla::dom::WindowGlobalChild::GetActor(JSContext*, nsTSubstring<char> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/ipc/WindowGlobalChild.cpp:617:26
#30 0x7f88f098c8f7 in mozilla::dom::JSWindowActorProtocol::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/ipc/jsactor/JSWindowActorProtocol.cpp:194:20
#31 0x7f88ef6433de in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1316:22
#32 0x7f88ef644047 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1506:17
#33 0x7f88ef638f84 in HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:395:5
#34 0x7f88ef638f84 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17
#35 0x7f88ef638697 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:586:14
#36 0x7f88ef63ad71 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1119:11
#37 0x7f88ef63d7e6 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#38 0x7f88edcf04fd in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1366:17
#39 0x7f88ed82a6da in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4490:28
#40 0x7f88ed82a4d7 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4460:10
#41 0x7f88eda6815f in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7865:3
#42 0x7f88edb1d53b in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
#43 0x7f88edb1d53b in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
#44 0x7f88edb1d53b in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
#45 0x7f88ec0878c2 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140:20
#46 0x7f88ec0b95fe in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
#47 0x7f88ec091ca9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
#48 0x7f88ec090833 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
#49 0x7f88ec090aa3 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
#50 0x7f88ec0bce56 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
#51 0x7f88ec0bce56 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#52 0x7f88ec0a676f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1205:16
#53 0x7f88ec0acd7d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#54 0x7f88ecc859f6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#55 0x7f88ecbab0d7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#56 0x7f88ecbaafe2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#57 0x7f88ecbaafe2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#58 0x7f88f0eb5c08 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#59 0x7f88f2fd6e4b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:892:20
#60 0x7f88ecc868ea in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#61 0x7f88ecbab0d7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#62 0x7f88ecbaafe2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#63 0x7f88ecbaafe2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#64 0x7f88f2fd6363 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:751:34
#65 0x5624ca1af429 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#66 0x5624ca1af429 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:362:18
#67 0x7f8904132082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#68 0x5624ca1851cc in _start (/home/worker/builds/m-c-20220820094621-fuzzing-debug/firefox-bin+0x161cc) (BuildId: 9216ecd5ec9b44cb615b4196aae44846b2bdb56a)

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/0i4wbr-4yDKj0_X9hJGcFw/index.html

Comment 2

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220822152630-637da318b3ad.
The bug appears to have been introduced in the following build range:

Start: 08038e535f5829c597acade6b2b375bdb3615432 (20220601213138)
End: 47515060f20a877b02cfd78282249a7e5420443f (20220601180248)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=08038e535f5829c597acade6b2b375bdb3615432&tochange=47515060f20a877b02cfd78282249a7e5420443f

Comment 3

[Tyson Smith [:tsmith]]

The assertion was added in bug 1771747.

Comment 4

[Jon Coppeard (:jonco)]

Not a security issue.

This is probably a bug in the way the memory associated with CanvasRenderingContext2D is calculated: https://searchfox.org/mozilla-central/source/dom/canvas/CanvasRenderingContext2D.cpp#6141-6155

See also bug 1551745.

Comment 5

[Bugmon [:jkratzer for issues]]

Unable to reproduce bug 1786395 using build mozilla-central 20220820094621-b1f99e866232. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 6

[Intermittent Failures Robot]

1 failures in 1328 pushes (0.001 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• try: 1

Platform and build breakdown:

• windows10-64-2004-qr: 1
  • debug: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures/bugdetails?bug=1786395&startday=2022-12-26&endday=2023-01-01&tree=all

Comment 7

[Intermittent Failures Robot]

1 failures in 3761 pushes (0.0 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• mozilla-beta: 1

Platform and build breakdown:

• macosx1015-64-qr: 1
  • debug: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures/bugdetails?bug=1786395&startday=2023-03-13&endday=2023-03-19&tree=all

Comment 8

[Intermittent Failures Robot]

1 failures in 4161 pushes (0.0 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• autoland: 1

Platform and build breakdown:

• windows11-64-2009-qr: 1
  • debug: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures/bugdetails?bug=1786395&startday=2023-03-20&endday=2023-03-26&tree=all

Comment 9

[Intermittent Failures Robot]

1 failures in 3206 pushes (0.0 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• try: 1

Platform and build breakdown:

• macosx1015-64-qr: 1
  • debug: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures/bugdetails?bug=1786395&startday=2023-04-10&endday=2023-04-16&tree=all

Comment 10

[Intermittent Failures Robot]

2 failures in 3177 pushes (0.001 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• autoland: 2

Platform and build breakdown:

• windows11-32-2009-qr: 2
  • debug: 2

For more details, see:
https://treeherder.mozilla.org/intermittent-failures/bugdetails?bug=1786395&startday=2023-04-24&endday=2023-04-30&tree=all

Comment 11

[Intermittent Failures Robot]

1 failures in 3471 pushes (0.0 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• try: 1

Platform and build breakdown:

• macosx1015-64-qr: 1
  • debug: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures/bugdetails?bug=1786395&startday=2023-05-29&endday=2023-06-04&tree=all

Comment 12

[Intermittent Failures Robot]

2 failures in 3885 pushes (0.001 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• try: 1
• mozilla-central: 1

Platform and build breakdown:

• windows11-64-2009-qr: 1
  • debug: 1
• windows11-32-2009-qr: 1
  • debug: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures/bugdetails?bug=1786395&startday=2023-06-05&endday=2023-06-11&tree=all

Comment 13

[Intermittent Failures Robot]

2 failures in 3594 pushes (0.001 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• autoland: 1
• try: 1

Platform and build breakdown:

• macosx1015-64-qr: 1
  • debug: 1
• windows11-64-2009-qr: 1
  • debug: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures/bugdetails?bug=1786395&startday=2023-06-26&endday=2023-07-02&tree=all

Comment 14

[Intermittent Failures Robot]

1 failures in 3276 pushes (0.0 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• autoland: 1

Platform and build breakdown:

• windows11-64-2009-qr: 1
  • debug: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures/bugdetails?bug=1786395&startday=2023-07-31&endday=2023-08-06&tree=all

Comment 15

[Tyson Smith [:tsmith]]

(In reply to Bugmon [:jkratzer for issues] from comment #5)

Unable to reproduce bug 1786395 using build mozilla-central 20220820094621-b1f99e866232. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

This issue is reproducible with the attached test case using m-c 20230815-0f010e753b74.

Comment 16

[Intermittent Failures Robot]

1 failures in 4108 pushes (0.0 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• autoland: 1

Platform and build breakdown:

• windows11-32-2009-qr: 1
  • debug: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures/bugdetails?bug=1786395&startday=2023-11-27&endday=2023-12-03&tree=all