Assertion failure: mSuspendedByChrome, at /dom/media/webaudio/AudioContext.cpp:1046
Categories
(Core :: Web Audio, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox105 | --- | unaffected |
| firefox106 | --- | wontfix |
| firefox107 | --- | verified |
People
(Reporter: jkratzer, Assigned: karlt)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed][fuzzblocker])
Attachments
(3 files)
Testcase found while fuzzing mozilla-central rev 45d33d6757ba (built with: --enable-debug --enable-fuzzing).
This issue appears to be a recent regression and due to the simplistic nature of the testcase, is triggering at an extremely high rate. Marking this issue as a fuzzblocker.
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 45d33d6757ba --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: mSuspendedByChrome, at /dom/media/webaudio/AudioContext.cpp:1046
==1212703==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7c77e0f41c bp 0x7ffcc53e7b50 sp 0x7ffcc53e7b50 T1212703)
==1212703==The signal is caused by a WRITE memory access.
==1212703==Hint: address points to the zero page.
#0 0x7f7c77e0f41c in mozilla::dom::AudioContext::ResumeFromChrome() /dom/media/webaudio/AudioContext.cpp:1046:3
#1 0x7f7c755d866c in nsGlobalWindowInner::Resume(bool) /dom/base/nsGlobalWindowInner.cpp:5768:24
#2 0x7f7c78a89746 in mozilla::dom::nsResumeTimeoutsEvent::Run() /dom/xhr/XMLHttpRequestMainThread.cpp:154:14
#3 0x7f7c73d2e952 in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:140:20
#4 0x7f7c73d6086e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:538:16
#5 0x7f7c73d38d89 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:851:26
#6 0x7f7c73d37913 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:683:15
#7 0x7f7c73d37b83 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:461:36
#8 0x7f7c73d64116 in operator() /xpcom/threads/TaskController.cpp:187:37
#9 0x7f7c73d64116 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#10 0x7f7c73d4d9df in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1205:16
#11 0x7f7c73d53fed in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
#12 0x7f7c74934646 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#13 0x7f7c74859ca7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
#14 0x7f7c74859bb2 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
#15 0x7f7c74859bb2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
#16 0x7f7c78d157b8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
#17 0x7f7c7af0bd0b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:880:20
#18 0x7f7c7493553a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
#19 0x7f7c74859ca7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
#20 0x7f7c74859bb2 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
#21 0x7f7c74859bb2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
#22 0x7f7c7af0b223 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:739:34
#23 0x564790865b39 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#24 0x564790865b39 in main /browser/app/nsBrowserApp.cpp:359:18
#25 0x7f7c8b6d3d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#26 0x7f7c8b6d3e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#27 0x56479083b8dc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x168dc) (BuildId: b1d395243da9b2b84533ddb248fa0c0bd65c19ef)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/media/webaudio/AudioContext.cpp:1046:3 in mozilla::dom::AudioContext::ResumeFromChrome()
==1212703==ABORTING
|
Reporter | |
Comment 1•2 years ago
|
||
|
||
Comment 2•2 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/kq2tK6dOkJlBufLeUluoSA/index.html
|
||
Updated•2 years ago
|
|
Assignee | |
Comment 3•2 years ago
|
||
The assertion was added for bug 1787371. Arguably there was already a defect before then, but starting an AudioContext before the resume() from XMLHttpRequest probably didn't cause any real problems.
|
|
Assignee | |
Comment 4•2 years ago
|
||
Based on testcase by Jason Kratzer <jkratzer@mozilla.com>
|
|
Assignee | |
Comment 5•2 years ago
|
||
The AudioContext can be created in a suspended Window after sync
XMLHttpRequest, because the resume after send() runs off an event dispatched
after rather than a synchronous resume when its nested event loop unwinds.
https://searchfox.org/mozilla-central/rev/0948667bc62415d48abff27e1405fb4ab4d65d75/dom/xhr/XMLHttpRequestMainThread.cpp#2801,3041,3073
Depends on D157766
|
||
Comment 6•2 years ago
|
||
Set release status flags based on info from the regressing bug 1787371
|
||
Comment 7•2 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220920092542-45d33d6757ba.
The bug appears to have been introduced in the following build range:
Start: a8be9ab374f410ce2cd9fdd15e72dda08689eb04 (20220916031225)
End: 77a0b4c5d19b8006fd2daeac01032ec2e3110f1a (20220916124237)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a8be9ab374f410ce2cd9fdd15e72dda08689eb04&tochange=77a0b4c5d19b8006fd2daeac01032ec2e3110f1a
Pushed by ktomlinson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0f363654a72a test AudioContext creation after sync XMLHttpRequest r=padenot https://hg.mozilla.org/integration/autoland/rev/617dceedc536 initialize mSuspendedByChrome according to state of Window r=padenot
|
||
Comment 9•2 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/0f363654a72a
https://hg.mozilla.org/mozilla-central/rev/617dceedc536
|
|
||
Updated•2 years ago
|
|
|
||
Comment 10•2 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220922034533-9cd6d487eef1.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
Assignee | |
Comment 11•2 years ago
•
|
||
Wontfix for 106, unless this is getting in the way of fuzzing on beta (?), because the regression was only in a new debug-only assertion failure rather than an unwanted change in behavior.
Description
•