Assertion failure: mFontFaceSet, at /dom/workers/WorkerScope.cpp:491
Categories
(Core :: Graphics: Text, defect)
Tracking
Release | Tracking | Status
---|---|---
firefox-esr102 | --- | unaffected
firefox108 | --- | wontfix
firefox109 | --- | wontfix
firefox110 | --- | wontfix
People
(Reporter: jkratzer, Assigned: emilio)
References
(Blocks 1 open bug)
Details
(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file, 1 obsolete file)
628 bytes, text/html
Testcase found while fuzzing mozilla-central rev 5ad292b847e4 (built with: --enable-debug --enable-fuzzing).
The testcase may take several attempts in order to reproduce this issue.
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 5ad292b847e4 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip --repeat 10 --no-harness --relaunch 1
Assertion failure: mFontFaceSet, at /dom/workers/WorkerScope.cpp:491
==2687766==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f534c837ee8 bp 0x7f533f8ea990 sp 0x7f533f8ea970 T2687803)
==2687766==The signal is caused by a WRITE memory access.
==2687766==Hint: address points to the zero page.
#0 0x7f534c837ee8 in mozilla::dom::WorkerGlobalScope::Fonts() /dom/workers/WorkerScope.cpp:491:5
#1 0x7f534cfb0252 in mozilla::dom::FontFace::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char> const&, mozilla::dom::UTF8StringOrArrayBufferOrArrayBufferView const&, mozilla::dom::FontFaceDescriptors const&, mozilla::ErrorResult&) /layout/style/FontFace.cpp:109:30
#2 0x7f534ac7b63d in mozilla::dom::FontFace_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/FontFaceBinding.cpp:2128:54
#3 0x7f535055354c in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:458:13
#4 0x7f535055ff39 in CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /js/src/vm/Interpreter.cpp:474:8
#5 0x7f53505549a0 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /js/src/vm/Interpreter.cpp:693:10
#6 0x7f535054a136 in ConstructFromStack /js/src/vm/Interpreter.cpp:721:10
#7 0x7f535054a136 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3359:16
#8 0x7f535054124d in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:430:13
#9 0x7f5350552d6d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:578:13
#10 0x7f53505542ac in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:645:8
#11 0x7f534f1d33fc in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
#12 0x7f534ab9a863 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:299:37
#13 0x7f534b47c549 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:367:12
#14 0x7f534b47b723 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /dom/events/JSEventHandler.cpp:201:12
#15 0x7f534b45c86e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1316:22
#16 0x7f534b45d4d7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1506:17
#17 0x7f534b452414 in HandleEvent /dom/events/EventListenerManager.h:395:5
#18 0x7f534b452414 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:348:17
#19 0x7f534b451962 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:550:16
#20 0x7f534b454201 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1119:11
#21 0x7f534b456c76 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp
#22 0x7f534b42bbbb in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/events/DOMEventTargetHelper.cpp:176:17
#23 0x7f534b463ee2 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /dom/events/EventTarget.cpp:180:13
#24 0x7f534c7f0a31 in mozilla::dom::MessageEventRunnable::DispatchDOMEvent(JSContext*, mozilla::dom::WorkerPrivate*, mozilla::DOMEventTargetHelper*, bool) /dom/workers/MessageEventRunnable.cpp:104:12
#25 0x7f534c83339e in mozilla::dom::WorkerRunnable::Run() /dom/workers/WorkerRunnable.cpp:377:12
#26 0x7f5347d4f387 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16
#27 0x7f5347d558cd in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
#28 0x7f534c822104 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /dom/workers/WorkerPrivate.cpp:3204:7
#29 0x7f534c80b1cb in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /dom/workers/RuntimeService.cpp:2042:42
#30 0x7f5347d4f387 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16
#31 0x7f5347d558cd in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
#32 0x7f5348936a6b in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
#33 0x7f534885af07 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
#34 0x7f534885ae12 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
#35 0x7f534885ae12 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
#36 0x7f5347d4a6b6 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:384:10
#37 0x7f535ee26557 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
#38 0x7f535f6d4b42 in start_thread nptl/./nptl/pthread_create.c:442:8
#39 0x7f535f7669ff misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/workers/WorkerScope.cpp:491:5 in mozilla::dom::WorkerGlobalScope::Fonts()
==2687766==ABORTING
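A small triage helper for sanitizer reports of the shape pasted above, added here as an example; it is not part of this bug report and not Mozilla's fuzzing tooling. It parses the assertion line, the sanitizer ERROR line, the access direction, the zero-page hint and the top frames, then derives a dedup signature (crash kind plus top function names) and a rough class. The embedded sample is an abridged copy of the trace above; the page-size threshold and the class labels are triage assumptions, not project policy. The point it encodes: address 0x0 plus a WRITE access plus "points to the zero page" is a null-pointer dereference, i.e. a reliable crash of the worker's process but not a write to an attacker-chosen address, which is a different severity bucket from the ASan heap-corruption kinds it also recognises.

```python
"""Triage helper for sanitizer crash reports such as the one above.

Added example for this page: not part of the bug report and not Mozilla's
fuzzing tooling. The page-size threshold and the class names are triage
assumptions, not project policy.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Abridged copy of the report above (assertion, ERROR line, access hint, top frames).
SAMPLE_REPORT = """\
Assertion failure: mFontFaceSet, at /dom/workers/WorkerScope.cpp:491
==2687766==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f534c837ee8 bp 0x7f533f8ea990 sp 0x7f533f8ea970 T2687803)
==2687766==The signal is caused by a WRITE memory access.
==2687766==Hint: address points to the zero page.
    #0 0x7f534c837ee8 in mozilla::dom::WorkerGlobalScope::Fonts() /dom/workers/WorkerScope.cpp:491:5
    #1 0x7f534cfb0252 in mozilla::dom::FontFace::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char> const&, mozilla::dom::UTF8StringOrArrayBufferOrArrayBufferView const&, mozilla::dom::FontFaceDescriptors const&, mozilla::ErrorResult&) /layout/style/FontFace.cpp:109:30
    #2 0x7f534ac7b63d in mozilla::dom::FontFace_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/FontFaceBinding.cpp:2128:54
    #3 0x7f535055354c in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:458:13
SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/workers/WorkerScope.cpp:491:5 in mozilla::dom::WorkerGlobalScope::Fonts()
"""

PAGE_SIZE = 0x1000  # assumption: a fault inside the first page is a null-pointer dereference

_ASSERT_RE = re.compile(r"^Assertion failure: (?P<cond>.+?), at (?P<file>\S+):(?P<line>\d+)$")
_ERROR_RE = re.compile(r"^==\d+==ERROR: (?P<tool>\w+): (?P<kind>[\w-]+) on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+)")
_ACCESS_RE = re.compile(r"\b(?P<access>READ|WRITE)\b(?: of size (?P<size>\d+))?")
_FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>.+?) (?P<loc>\S+)$")
_LOC_RE = re.compile(r"^(?P<file>.+?):(?P<line>\d+)(?::\d+)?$")


@dataclass
class Frame:
    index: int
    func: str   # as printed by the sanitizer, with parameter list
    file: str
    line: Optional[int]

    @property
    def short_name(self) -> str:
        """Qualified function name without return type, template args or parameter list."""
        name = self.func.replace("(anonymous namespace)", "anon")
        name = name.split("(", 1)[0].split("<", 1)[0]
        return name.rsplit(" ", 1)[-1]


@dataclass
class CrashReport:
    tool: Optional[str] = None
    kind: Optional[str] = None          # SEGV, heap-use-after-free, ...
    address: Optional[int] = None
    access: Optional[str] = None        # READ or WRITE
    zero_page_hint: bool = False
    assertion: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)

    def is_null_deref(self) -> bool:
        return self.zero_page_hint or (self.address is not None and self.address < PAGE_SIZE)

    def signature(self, depth: int = 3) -> str:
        """Dedup key: crash kind plus the top `depth` function names."""
        return "|".join([self.kind or "unknown"] + [f.short_name for f in self.frames[:depth]])

    def classify(self) -> str:
        """Rough triage class (assumed labels). A null deref is a crash, not a write
        to an attacker-chosen address; everything else needs a closer look."""
        if self.is_null_deref():
            return "null-deref"
        if self.kind == "SEGV":
            return "wild-write" if self.access == "WRITE" else "wild-read"
        return "memory-safety"


def parse_report(text: str) -> CrashReport:
    report = CrashReport()
    for line in text.splitlines():
        if m := _ASSERT_RE.match(line):
            report.assertion = f"{m['cond']} at {m['file']}:{m['line']}"
        elif m := _ERROR_RE.match(line):
            report.tool, report.kind, report.address = m["tool"], m["kind"], int(m["addr"], 16)
        elif "memory access" in line or " of size " in line:   # UBSan and ASan phrasings
            if m := _ACCESS_RE.search(line):
                report.access = m["access"]
        elif "points to the zero page" in line:
            report.zero_page_hint = True
        elif m := _FRAME_RE.match(line):
            loc = _LOC_RE.match(m["loc"])
            report.frames.append(Frame(int(m["n"]), m["func"],
                                       loc["file"] if loc else m["loc"],
                                       int(loc["line"]) if loc else None))
    return report
```

Run `parse_report(SAMPLE_REPORT).classify()` to get `null-deref`, and `.signature()` for the dedup key; feeding the full report from the bug (not just the abridged copy) gives the same result, since the extra frames only extend `frames` beyond the signature depth.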
Comment 1•2 years ago
Comment 2•2 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220921214338-7c0a787fe65a.
The bug appears to have been introduced in the following build range:
Start: cfd3841b57843fd2d33b23b4d430a6b21bdd8400 (20220720035554)
End: 553b7242667d9998744c752bcdf3f04f6438df1d (20220720095935)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=cfd3841b57843fd2d33b23b4d430a6b21bdd8400&tochange=553b7242667d9998744c752bcdf3f04f6438df1d
Comment 3•2 years ago
:aosmond, can you comment on the bug? Is it related to Bug 1072107?
Comment 4•2 years ago
Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220921095211-5ad292b847e4) but not with tip (mozilla-central 20220930214439-2d182255c548).
Unable to bisect testcase (Start build didn't crash!):
Start: 5ad292b847e44f0f00e351a05a7a4c4935db703a (20220921095211)
End: 2d182255c548f48ca5dc98a0bf9d04e5da99d3a8 (20220930214439)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 6•2 years ago
A Pernosco session is available here: https://pernos.co/debug/hNFVOxyr4zcUKJl4UnZ3BA/index.html
Comment 7•6 months ago
Looking at the old pernosco trace here, I believe this should have been fixed by bug 1811950. Tyson, can you confirm this by any chance?
Comment 8•6 months ago
That is plausible. This was last reported by fuzzers running m-c 20230407-c3356b6d41ca.