Closed Bug 1788238 Opened 3 years ago Closed 3 years ago

Assertion failure: radioGroup->mRequiredRadioCount != 0 (mRequiredRadioCount about to wrap below 0!), at /dom/base/RadioGroupManager.cpp:134

Categories: Core :: DOM: Core & HTML, defect
Platform: x86_64 Linux

Tracking: RESOLVED DUPLICATE of bug 1777574
Tracking Status:
firefox-esr91 --- unaffected
firefox-esr102 --- fixed
firefox104 --- wontfix
firefox105 --- fixed
firefox106 --- fixed

People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug, Regression
Details: Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed]
Attachments: 1 file

Testcase found while fuzzing mozilla-central rev 4c76664026b5 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 4c76664026b5 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: radioGroup->mRequiredRadioCount != 0 (mRequiredRadioCount about to wrap below 0!), at /dom/base/RadioGroupManager.cpp:134

    ==49617==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f367daa0ba7 bp 0x7ffd365de580 sp 0x7ffd365de520 T49617)
    ==49617==The signal is caused by a WRITE memory access.
    ==49617==Hint: address points to the zero page.
        #0 0x7f367daa0ba7 in mozilla::dom::RadioGroupManager::RemoveFromRadioGroup(nsTSubstring<char16_t> const&, mozilla::dom::HTMLInputElement*) /dom/base/RadioGroupManager.cpp:133:5
        #1 0x7f367f7876ec in mozilla::dom::HTMLInputElement::WillRemoveFromRadioGroup() /dom/html/HTMLInputElement.cpp:6159:14
        #2 0x7f367f786d9b in mozilla::dom::HTMLFormElement::RemoveElement(nsGenericHTMLFormElement*, bool) /dom/html/HTMLFormElement.cpp:1374:12
        #3 0x7f367f86164c in nsGenericHTMLFormElement::ClearForm(bool, bool) /dom/html/nsGenericHTMLElement.cpp:1703:11
        #4 0x7f367f861ae3 in nsGenericHTMLFormElement::UnbindFromTree(bool) /dom/html/nsGenericHTMLElement.cpp
        #5 0x7f367f7b21cc in mozilla::dom::HTMLInputElement::UnbindFromTree(bool) /dom/html/HTMLInputElement.cpp:4278:45
        #6 0x7f367d9c0ce9 in mozilla::dom::Element::UnbindFromTree(bool) /dom/base/Element.cpp:2096:12
        #7 0x7f367f85c2bb in nsGenericHTMLElement::UnbindFromTree(bool) /dom/html/nsGenericHTMLElement.cpp:499:20
        #8 0x7f367d9c0ce9 in mozilla::dom::Element::UnbindFromTree(bool) /dom/base/Element.cpp:2096:12
        #9 0x7f367f85c2bb in nsGenericHTMLElement::UnbindFromTree(bool) /dom/html/nsGenericHTMLElement.cpp:499:20
        #10 0x7f367f819c08 in mozilla::dom::HTMLSharedElement::UnbindFromTree(bool) /dom/html/HTMLSharedElement.cpp:249:25
        #11 0x7f367d937f7a in mozilla::dom::Document::cycleCollection::Unlink(void*) /dom/base/Document.cpp:2601:12
        #12 0x7f367beac1de in nsCycleCollector::CollectWhite() /xpcom/base/nsCycleCollector.cpp:3074:26
        #13 0x7f367beadb0b in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) /xpcom/base/nsCycleCollector.cpp:3440:26
        #14 0x7f367beb02c3 in nsCycleCollector_collectSlice(js::SliceBudget&, mozilla::CCReason, bool) /xpcom/base/nsCycleCollector.cpp:3934:21
        #15 0x7f367dc0903c in nsJSContext::RunCycleCollectorSlice(mozilla::CCReason, mozilla::TimeStamp) /dom/base/nsJSEnvironment.cpp:1460:5
        #16 0x7f367dc0a322 in mozilla::CCGCScheduler::CCRunnerFired(mozilla::TimeStamp) /dom/base/nsJSEnvironment.cpp:1609:9
        #17 0x7f367bf72532 in operator() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:706:14
        #18 0x7f367bf72532 in mozilla::IdleTaskRunner::Run() /xpcom/threads/IdleTaskRunner.cpp:125:14
        #19 0x7f367bf73055 in mozilla::IdleTaskRunnerTask::Run() /xpcom/threads/IdleTaskRunner.cpp:46:15
        #20 0x7f367bf8a5c9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:851:26
        #21 0x7f367bf89279 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:725:15
        #22 0x7f367bf893c3 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:461:36
        #23 0x7f367bfb5776 in operator() /xpcom/threads/TaskController.cpp:187:37
        #24 0x7f367bfb5776 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #25 0x7f367bf9f08f in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1205:16
        #26 0x7f367bfa569d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #27 0x7f367cb801c6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #28 0x7f367caa58a7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #29 0x7f367caa57b2 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #30 0x7f367caa57b2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #31 0x7f3680e53fd8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
        #32 0x7f3682f9253b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:880:20
        #33 0x7f367cb810ba in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #34 0x7f367caa58a7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #35 0x7f367caa57b2 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #36 0x7f367caa57b2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #37 0x7f3682f91a53 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:739:34
        #38 0x5608f431d429 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #39 0x5608f431d429 in main /browser/app/nsBrowserApp.cpp:362:18
        #40 0x7f3693897d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #41 0x7f3693897e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #42 0x5608f42f31cc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x161cc) (BuildId: 0a6eeadf11fd7f5f47958e33f9d922c20460129c)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/base/RadioGroupManager.cpp:133:5 in mozilla::dom::RadioGroupManager::RemoveFromRadioGroup(nsTSubstring<char16_t> const&, mozilla::dom::HTMLInputElement*)
    ==49617==ABORTING
Attached file Testcase

Kagami, care to take a look to see what's up here? thanks!

Flags: needinfo?(krosylight)

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220907093209-663615ef7a19.
The bug appears to have been introduced in the following build range:

Start: 297bda3439b29163f959cd746502c42852a4d42e (20220317181520)
End: 0458e8c1e761f2b1ef629bc240e89a292f07a407 (20220317205218)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=297bda3439b29163f959cd746502c42852a4d42e&tochange=0458e8c1e761f2b1ef629bc240e89a292f07a407

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Attachment #9292466 - Attachment mime type: text/plain → text/html
Flags: needinfo?(krosylight)

Didn't intend to unflag...

Flags: needinfo?(krosylight)

Hi Jason, how can I confirm comment #3? Neither 297bda3439b2 nor 0458e8c1e761 works for fuzzfetch; I'm confused.

Can mozregression do anything here?

Flags: needinfo?(krosylight) → needinfo?(jkratzer)

(In reply to Kagami :saschanaz from comment #5)

> Hi Jason, how can I confirm comment #3? Neither 297bda3439b2 nor 0458e8c1e761 works for fuzzfetch; I'm confused.
>
> Can mozregression do anything here?

:saschanaz, if you want to use fuzzfetch to retrieve those builds, you'll have to specify the autoland branch:

fuzzfetch --debug --fuzzing --build 297bda3439b2 --autoland
fuzzfetch --debug --fuzzing --build 0458e8c1e761 --autoland
Flags: needinfo?(jkratzer)

Okay, the bisection says it's bug 1760016. I'm not quite sure how it can cause this, though.

Hi Peter, could you take a look?

~\Desktop\bug-repro> python -m fuzzfetch --build bd730b7daeef --debug -n firefox-bd730b7daeef-dbg --autoland
[2022-09-09 21:43:18] Identified task: https://firefox-ci-tc.services.mozilla.com/api/index/v1/task/gecko.v2.autoland.revision.bd730b7daeefcfc185bd3b67dcc24d92c15d7999.firefox.win64-debug
[2022-09-09 21:43:18] > Task ID: QcaHfeC9RGiaWRTg-NHI8w
[2022-09-09 21:43:18] > Rank: 1647544017
[2022-09-09 21:43:18] > Changeset: bd730b7daeefcfc185bd3b67dcc24d92c15d7999
[2022-09-09 21:43:18] > Build ID: 20220317190657
[2022-09-09 21:43:20] > Downloading: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/QcaHfeC9RGiaWRTg-NHI8w/artifacts/public/build/target.zip (111.04MiB total)
[2022-09-09 21:43:30] .. downloaded (10.67MB/s)
[2022-09-09 21:43:30] .. extracting
[2022-09-09 21:43:34] > Downloading: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/QcaHfeC9RGiaWRTg-NHI8w/artifacts/public/build/target.crashreporter-symbols.zip (95.05MiB total)
[2022-09-09 21:43:43] .. downloaded (9.44MB/s)
[2022-09-09 21:43:43] .. extracting
[2022-09-09 21:43:46] Extracted into C:\Users\Kagami\Desktop\bug-repro\firefox-bd730b7daeef-dbg
~\Desktop\bug-repro> python -m grizzly.replay ./firefox-bd730b7daeef-dbg/firefox.exe bug1788238.html
[2022-09-09 21:43:53] Starting Grizzly Replay
[2022-09-09 21:43:53] Ignoring: log-limit, timeout
[2022-09-09 21:43:53] Using time limit: 30s, timeout: 45s
[2022-09-09 21:43:53] Repeat: 1, Minimum crashes: 1, Relaunch 1
[2022-09-09 21:43:57] Running test (1/1)...
[2022-09-09 21:44:06] Found a minidump, but can't process it without minidump-stackwalk. See README.md for how to obtain it.
[2022-09-09 21:44:06] Processing result...
[2022-09-09 21:44:06] Result: Assertion failure: radioGroup->mRequiredRadioCount != 0 (mRequiredRadioCount about to wrap below 0!), at /builds/worker/checkouts/gecko/dom/base/RadioGroupManager.cpp:134 (NO_STACK:0)
[2022-09-09 21:44:06] Result successfully reproduced
[2022-09-09 21:44:06] Shutting down...
[2022-09-09 21:44:06] Done.
~\Desktop\bug-repro> python -m fuzzfetch --build 5253da2a1727 --debug -n firefox-5253da2a1727-dbg --autoland
[2022-09-09 21:47:09] Identified task: https://firefox-ci-tc.services.mozilla.com/api/index/v1/task/gecko.v2.autoland.revision.5253da2a17270aa5efa10e513f0609454c086d7f.firefox.win64-debug
[2022-09-09 21:47:09] > Task ID: GUgax6QCTKOhJS-dyiL48A
[2022-09-09 21:47:09] > Rank: 1647543850
[2022-09-09 21:47:09] > Changeset: 5253da2a17270aa5efa10e513f0609454c086d7f
[2022-09-09 21:47:09] > Build ID: 20220317190410
[2022-09-09 21:47:10] > Downloading: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/GUgax6QCTKOhJS-dyiL48A/artifacts/public/build/target.zip (111.04MiB total)
[2022-09-09 21:47:20] .. downloaded (10.86MB/s)
[2022-09-09 21:47:20] .. extracting
[2022-09-09 21:47:23] > Downloading: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/GUgax6QCTKOhJS-dyiL48A/artifacts/public/build/target.crashreporter-symbols.zip (95.05MiB total)
[2022-09-09 21:47:32] .. downloaded (10.37MB/s)
[2022-09-09 21:47:32] .. extracting
[2022-09-09 21:47:35] Extracted into C:\Users\Kagami\Desktop\bug-repro\firefox-5253da2a1727-dbg
~\Desktop\bug-repro> python -m grizzly.replay ./firefox-5253da2a1727-dbg/firefox.exe bug1788238.html
[2022-09-09 21:47:45] Starting Grizzly Replay
[2022-09-09 21:47:45] Ignoring: log-limit, timeout
[2022-09-09 21:47:45] Using time limit: 30s, timeout: 45s
[2022-09-09 21:47:45] Repeat: 1, Minimum crashes: 1, Relaunch 1
[2022-09-09 21:47:48] Running test (1/1)...
[2022-09-09 21:48:22] Failed to reproduce results
[2022-09-09 21:48:22] Shutting down...
[2022-09-09 21:48:22] Done.
Flags: needinfo?(peterv)
Regressed by: 1760016
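The two comments above (the fuzzfetch `--autoland` tip in comment 6 and the two replay transcripts in comment 7) amount to a small manual procedure: fetch a debug build for each end of a Bugmon range, replay the testcase against each, and read the grizzly verdict. The script below is an added example written for this page; it is not code from Mozilla, fuzzfetch or grizzly. The function names (`fetch_command`, `parse_replay_log`, `confirm_range`, `classify_range`), the assumption that grizzly's verdict lines can be read from its combined stdout/stderr, and the default binary name `firefox` (the Windows transcript uses `firefox.exe`) are this example's own; the sample log text is constructed from the line formats shown in the thread. Only the fuzzfetch flags that appear on the page (`--build`, `--debug`, `--fuzzing`, `-n`, `--autoland`) are used.

```python
"""Confirm a Bugmon bisection range: build the fuzzfetch/grizzly command lines
for each end of the range and classify grizzly.replay output.
Added example for this bug page, not Mozilla's, fuzzfetch's or grizzly's own code."""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional

REPRODUCED = "Result successfully reproduced"
NOT_REPRODUCED = "Failed to reproduce results"
# grizzly prefixes every line with "[YYYY-MM-DD HH:MM:SS] "; the crash signature follows "Result:".
_RESULT_RE = re.compile(r"\] Result: (.+)$")


def fetch_command(rev: str, branch: str = "central", name: Optional[str] = None) -> List[str]:
    """argv for fuzzfetch. Revisions taken from an autoland pushlog (comment 3's
    range) need --autoland, which is the point of comment 6; mozilla-central
    revisions such as the one in comment 0 need no branch flag."""
    if branch not in ("central", "autoland"):  # only the branches this thread uses
        raise ValueError(f"unsupported branch: {branch}")
    cmd = ["python", "-m", "fuzzfetch", "--build", rev, "--debug", "--fuzzing"]
    if branch == "autoland":
        cmd.append("--autoland")
    cmd += ["-n", name or f"firefox-{rev}-dbg"]
    return cmd


def replay_command(build_dir: str, testcase: str, binary: str = "firefox") -> List[str]:
    """argv for grizzly.replay against the build that fuzzfetch extracted into build_dir."""
    return ["python", "-m", "grizzly.replay", f"{build_dir}/{binary}", testcase]


@dataclass
class ReplayOutcome:
    reproduced: Optional[bool]  # None when neither verdict line is present (timeout, launch failure)
    result: Optional[str]       # text after "Result:", e.g. the assertion message


def parse_replay_log(text: str) -> ReplayOutcome:
    """Read grizzly's verdict and crash signature out of its log lines."""
    reproduced, result = None, None
    for line in text.splitlines():
        m = _RESULT_RE.search(line)
        if m:
            result = m.group(1).strip()
        if line.endswith(REPRODUCED):
            reproduced = True
        elif line.endswith(NOT_REPRODUCED):
            reproduced = False
    return ReplayOutcome(reproduced, result)


def classify_range(start: ReplayOutcome, end: ReplayOutcome) -> str:
    """A regression range is confirmed when start does not reproduce but end does;
    a fix range when start reproduces and end does not; anything else is inconclusive."""
    if start.reproduced is False and end.reproduced is True:
        return "regression range confirmed"
    if start.reproduced is True and end.reproduced is False:
        return "fix range confirmed"
    return "inconclusive"


def confirm_range(start_rev: str, end_rev: str, testcase: str, branch: str = "autoland",
                  binary: str = "firefox", runner=subprocess.run) -> Dict[str, ReplayOutcome]:
    """Fetch and replay both ends of the range (network access assumed); the runner
    parameter exists so the control flow can be exercised without fuzzfetch installed."""
    outcomes: Dict[str, ReplayOutcome] = {}
    for rev in (start_rev, end_rev):
        name = f"firefox-{rev}-dbg"
        runner(fetch_command(rev, branch, name=name), check=True)
        proc = runner(replay_command(name, testcase, binary), capture_output=True, text=True)
        outcomes[rev] = parse_replay_log((proc.stdout or "") + (proc.stderr or ""))
    return outcomes


# Constructed sample logs, copied in the line format grizzly printed in comment 7.
SAMPLE_REPRO = """\
[2022-09-09 21:43:57] Running test (1/1)...
[2022-09-09 21:44:06] Result: Assertion failure: radioGroup->mRequiredRadioCount != 0 (mRequiredRadioCount about to wrap below 0!), at /builds/worker/checkouts/gecko/dom/base/RadioGroupManager.cpp:134 (NO_STACK:0)
[2022-09-09 21:44:06] Result successfully reproduced
[2022-09-09 21:44:06] Shutting down...
"""
SAMPLE_NOREPRO = """\
[2022-09-09 21:47:48] Running test (1/1)...
[2022-09-09 21:48:22] Failed to reproduce results
[2022-09-09 21:48:22] Shutting down...
"""

if __name__ == "__main__":
    # Offline walk-through using the constructed logs; the real run is confirm_range(...).
    start, end = parse_replay_log(SAMPLE_NOREPRO), parse_replay_log(SAMPLE_REPRO)
    print(" ".join(fetch_command("297bda3439b2", "autoland")))
    print(classify_range(start, end), "-", end.result)
```

With the transcripts in comment 7 as input, the older build (5253da2a1727, no reproduction) as the start and bd730b7daeef (reproduced) as the end classify as a confirmed regression range, matching the conclusion that the range points at bug 1760016; the same classifier applied to the later Bugmon range reports a fix range when the start build reproduces and the end build does not.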

Set release status flags based on info from the regressing bug 1760016

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220830092750-4c76664026b5) but not with tip (mozilla-central 20220910094302-9acb1117b572).

The bug appears to have been fixed in the following build range:

Start: f737234929d42b2d1aafc60ec74605cfb185fed7 (20220907091852)
End: 333d1c3b11396a5bbf5de38ba8926e8ed02cad81 (20220907112702)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f737234929d42b2d1aafc60ec74605cfb185fed7&tochange=333d1c3b11396a5bbf5de38ba8926e8ed02cad81

jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(peterv) → needinfo?(jkratzer)
Keywords: bugmon

The fuzzers haven't seen this bug since 2022/09/02. :sfink, is it possible that this was fixed via bug 1785804?

Flags: needinfo?(jkratzer) → needinfo?(sfink)

Set release status flags based on info from the regressing bug 1760016

(In reply to Jason Kratzer [:jkratzer] from comment #10)

> The fuzzers haven't seen this bug since 2022/09/02. :sfink, is it possible that this was fixed via bug 1785804?

It really shouldn't have. The tracer used for cycle collection didn't really change in that bug. On the other hand, that bug certainly did touch a lot of code involved in tracing, so it is possible that it could have affected this.

The other possible fix would be bug 1777574. smaug, is the crash in comment 0 a possible symptom of getting the Zones wrong? That seems plausible to me, at least.

Flags: needinfo?(sfink) → needinfo?(smaug)

I can't immediately see how bug 1777574 would have fixed this, but in that build range, that bug might be the most likely one.

Flags: needinfo?(smaug)

Verified locally, the bisection says this is fixed by bug 1777574.

Status: NEW → RESOLVED
Closed: 3 years ago
Duplicate of bug: 1777574
Resolution: --- → DUPLICATE