Closed Bug 1791874 Opened 2 years ago Closed 6 months ago

Assertion failure: mFontFaceSet, at /dom/workers/WorkerScope.cpp:491

Categories

(Core :: Graphics: Text, defect)

x86_64
Linux
defect

Tracking

Status: RESOLVED FIXED
Tracking Status
firefox-esr102 --- unaffected
firefox108 --- wontfix
firefox109 --- wontfix
firefox110 --- wontfix

People

(Reporter: jkratzer, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file, 1 obsolete file)

Testcase found while fuzzing mozilla-central rev 5ad292b847e4 (built with: --enable-debug --enable-fuzzing).

The testcase may take several attempts in order to reproduce this issue.

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 5ad292b847e4 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip --repeat 10 --no-harness --relaunch 1
    Assertion failure: mFontFaceSet, at /dom/workers/WorkerScope.cpp:491

    ==2687766==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f534c837ee8 bp 0x7f533f8ea990 sp 0x7f533f8ea970 T2687803)
    ==2687766==The signal is caused by a WRITE memory access.
    ==2687766==Hint: address points to the zero page.
        #0 0x7f534c837ee8 in mozilla::dom::WorkerGlobalScope::Fonts() /dom/workers/WorkerScope.cpp:491:5
        #1 0x7f534cfb0252 in mozilla::dom::FontFace::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char> const&, mozilla::dom::UTF8StringOrArrayBufferOrArrayBufferView const&, mozilla::dom::FontFaceDescriptors const&, mozilla::ErrorResult&) /layout/style/FontFace.cpp:109:30
        #2 0x7f534ac7b63d in mozilla::dom::FontFace_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/FontFaceBinding.cpp:2128:54
        #3 0x7f535055354c in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:458:13
        #4 0x7f535055ff39 in CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /js/src/vm/Interpreter.cpp:474:8
        #5 0x7f53505549a0 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /js/src/vm/Interpreter.cpp:693:10
        #6 0x7f535054a136 in ConstructFromStack /js/src/vm/Interpreter.cpp:721:10
        #7 0x7f535054a136 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3359:16
        #8 0x7f535054124d in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:430:13
        #9 0x7f5350552d6d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:578:13
        #10 0x7f53505542ac in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:645:8
        #11 0x7f534f1d33fc in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #12 0x7f534ab9a863 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:299:37
        #13 0x7f534b47c549 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:367:12
        #14 0x7f534b47b723 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /dom/events/JSEventHandler.cpp:201:12
        #15 0x7f534b45c86e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1316:22
        #16 0x7f534b45d4d7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1506:17
        #17 0x7f534b452414 in HandleEvent /dom/events/EventListenerManager.h:395:5
        #18 0x7f534b452414 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:348:17
        #19 0x7f534b451962 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:550:16
        #20 0x7f534b454201 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1119:11
        #21 0x7f534b456c76 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp
        #22 0x7f534b42bbbb in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/events/DOMEventTargetHelper.cpp:176:17
        #23 0x7f534b463ee2 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /dom/events/EventTarget.cpp:180:13
        #24 0x7f534c7f0a31 in mozilla::dom::MessageEventRunnable::DispatchDOMEvent(JSContext*, mozilla::dom::WorkerPrivate*, mozilla::DOMEventTargetHelper*, bool) /dom/workers/MessageEventRunnable.cpp:104:12
        #25 0x7f534c83339e in mozilla::dom::WorkerRunnable::Run() /dom/workers/WorkerRunnable.cpp:377:12
        #26 0x7f5347d4f387 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16
        #27 0x7f5347d558cd in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #28 0x7f534c822104 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /dom/workers/WorkerPrivate.cpp:3204:7
        #29 0x7f534c80b1cb in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /dom/workers/RuntimeService.cpp:2042:42
        #30 0x7f5347d4f387 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16
        #31 0x7f5347d558cd in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #32 0x7f5348936a6b in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
        #33 0x7f534885af07 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #34 0x7f534885ae12 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #35 0x7f534885ae12 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #36 0x7f5347d4a6b6 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:384:10
        #37 0x7f535ee26557 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #38 0x7f535f6d4b42 in start_thread nptl/./nptl/pthread_create.c:442:8
        #39 0x7f535f7669ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/workers/WorkerScope.cpp:491:5 in mozilla::dom::WorkerGlobalScope::Fonts()
    ==2687766==ABORTING
Attached file Testcase (obsolete) —

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220921214338-7c0a787fe65a.
The bug appears to have been introduced in the following build range:

Start: cfd3841b57843fd2d33b23b4d430a6b21bdd8400 (20220720035554)
End: 553b7242667d9998744c752bcdf3f04f6438df1d (20220720095935)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=cfd3841b57843fd2d33b23b4d430a6b21bdd8400&tochange=553b7242667d9998744c752bcdf3f04f6438df1d

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

:aosmond, can you comment on the bug? Is it related to Bug 1072107?

Flags: needinfo?(aosmond)
Severity: -- → S3

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220921095211-5ad292b847e4) but not with tip (mozilla-central 20220930214439-2d182255c548).

Unable to bisect testcase (Start build didn't crash!):

Start: 5ad292b847e44f0f00e351a05a7a4c4935db703a (20220921095211)
End: 2d182255c548f48ca5dc98a0bf9d04e5da99d3a8 (20220930214439)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Attached file testcase.html

Simplified test case.

Attachment #9295658 - Attachment is obsolete: true
Flags: in-testsuite?
See Also: → 1886924

Looking at the old pernosco trace here, I believe this should have been fixed by bug 1811950. Tyson, can you confirm this by any chance?

Flags: needinfo?(twsmith)

That is plausible. This was last reported by fuzzers running m-c 20230407-c3356b6d41ca.

Status: NEW → RESOLVED
Closed: 6 months ago
Flags: needinfo?(twsmith)
Flags: needinfo?(aosmond)
Resolution: --- → FIXED
Assignee: nobody → emilio
Depends on: 1811950