1799173 - Assertion failure: IsOnWorkerThread(), at /dom/workers/WorkerPrivate.cpp:5479

Status: VERIFIED FIXED

(Core :: DOM: Workers, defect, P2)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev 2db9822e6dd3 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 2db9822e6dd3 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip

Assertion failure: IsOnWorkerThread(), at /dom/workers/WorkerPrivate.cpp:5479

    ==19804==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2fd879ac9f bp 0x7ffe91e4f640 sp 0x7ffe91e4f630 T19804)
    ==19804==The signal is caused by a WRITE memory access.
    ==19804==Hint: address points to the zero page.
        #0 0x7f2fd879ac9f in AssertIsOnWorkerThread /dom/workers/WorkerPrivate.cpp:5479:3
        #1 0x7f2fd879ac9f in mozilla::dom::WorkerPrivate::AssertIsOnParentThread() const /dom/workers/WorkerPrivate.cpp:2184:18
        #2 0x7f2fd87b48da in mozilla::dom::WorkerRunnable::PreDispatch(mozilla::dom::WorkerPrivate*) /dom/workers/WorkerRunnable.cpp:79:23
        #3 0x7f2fd8798ac3 in mozilla::dom::WorkerRunnable::Dispatch() /dom/workers/WorkerRunnable.cpp:95:13
        #4 0x7f2fd6f6c1ea in mozilla::dom::CreateImageBitmapFromBlob::MimeTypeAndDecodeAndCropBlobCompletedMainThread(mozilla::layers::Image*, nsresult) /dom/canvas/ImageBitmap.cpp:2105:8
        #5 0x7f2fd6f6ca56 in mozilla::dom::CreateImageBitmapFromBlob::OnImageReady(imgIContainer*, nsresult) /dom/canvas/ImageBitmap.cpp
        #6 0x7f2fd6f6cb64 in non-virtual thunk to mozilla::dom::CreateImageBitmapFromBlob::OnImageReady(imgIContainer*, nsresult) /dom/canvas/ImageBitmap.cpp
        #7 0x7f2fd535d36a in mozilla::image::(anonymous namespace)::ImageDecoderHelper::Run() /image/imgTools.cpp:193:18
        #8 0x7f2fd3c3c54d in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /xpcom/threads/ThrottledEventQueue.cpp:254:22
        #9 0x7f2fd3c38f01 in mozilla::ThrottledEventQueue::Inner::Executor::Run() /xpcom/threads/ThrottledEventQueue.cpp:81:15
        #10 0x7f2fd3c0c714 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:538:16
        #11 0x7f2fd3c07d11 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:851:26
        #12 0x7f2fd3c0686a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:683:15
        #13 0x7f2fd3c06bc5 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:461:36
        #14 0x7f2fd3c100d9 in operator() /xpcom/threads/TaskController.cpp:190:37
        #15 0x7f2fd3c100d9 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #16 0x7f2fd3c25967 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1204:16
        #17 0x7f2fd3c2c16d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #18 0x7f2fd4821524 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #19 0x7f2fd47452e7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #20 0x7f2fd47451f2 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #21 0x7f2fd47451f2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #22 0x7f2fd8c8b188 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
        #23 0x7f2fdaebe6fb in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:884:20
        #24 0x7f2fd482246a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #25 0x7f2fd47452e7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #26 0x7f2fd47451f2 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #27 0x7f2fd47451f2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #28 0x7f2fdaebdd00 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:743:34
        #29 0x55c93d9c2c19 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #30 0x55c93d9c2c19 in main /browser/app/nsBrowserApp.cpp:357:18
        #31 0x7f2feaec4d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #32 0x7f2feaec4e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #33 0x55c93d9988dc in _start (/home/jkratzer/builds/m-c-20221031214452-fuzzing-debug/firefox-bin+0x168dc) (BuildId: 07a8923c4f6b95c46a3124f5353756a114c76cdf)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/workers/WorkerPrivate.cpp:5479:3 in AssertIsOnWorkerThread
    ==19804==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20221105092350-4dfcb6e877c9.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 0283aba1bf2069cfff3ee77c86162fb153a55fc2 (20211106093208)
End: 2db9822e6dd36ebcb94adbfa54031b471988fa1e (20221031214452)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Comment 3

[Jens Stutte [:jstutte]]

Hi Jason, would it be possible to get a pernosco session for this? It feels wrong that the worker thread we are apparently on here seems to have a worker parent thread and not the main thread as parent.

Comment 4

[Bugmon [:jkratzer for issues]]

A pernosco session for this bug can be found here.

Comment 5

[Jens Stutte [:jstutte]]

Eden, please take a look here.

Comment 6

[Eden Chuang[:edenchuang]]

State something I found.

1. WorkerRunnable::PreDispatch() checks if the current thread has the permit to modify the busy count of the target thread. For the case WorkerThreadModifyBusyCount and WorkerThreadUnchangedBusyCount, we only allow its parent thread to dispatch the WorkerRunnable. That means for the top-level worker, it is the main thread, otherwise, it should be its parent worker thread.
2. CreateImageBitmapFromBlob::OnImageReady() is only allowed to run on the main thread even though CreateImageBitmap can be triggered from a worker thread.
3. When doing a CreateImageBitmap in a nested worker. CreateImageBitmapFromBlob::OnImageReady runs on the main thread and tries to dispatch a WorkerRunnable to the nested worker to complete the work. However, this violates the limitation of 1. Then we hit the assertion.

It seems we should not limit WorkerRunnable dispatching in this way. But I need some time to figure out what is a reasonable solution for this.

Comment 8

[Bugmon [:jkratzer for issues]]

Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 9

[Jason Kratzer [:jkratzer]]

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Comment 10

[Eden Chuang[:edenchuang]]

Attachment: Bug 1799173 - Override Predispatch/PostDispatch of CreateImageBitmapFromBlobRunnable to mute the noise of WorkerRunnable dispatching assertion. r=#dom-worker-reviewers

CreateImageBigmapFromBlob is a behavior across the owning thread and the main thread. It starts from the owning thread, completes the IO on the main thread, and returns to the owning thread in the end.

However, when CreateImageBitmapFromBlob is in a nested worker, it uses CreateImageBitmapFromBlobRunnable to return to the owning thread. And It hits the assertion of WorkerRunnable::PreDispatch(), which supposes the runnable should be dispatched from its parent thread.

According to the design of CreateImageBigmapFromBlob, it should not be restricted by the assertion of WorkerRunnable::PreDispatch(), and it should always be dispatched back to the owning thread. Therefore, This patch overrides PreDispatch() and PostDispatch() of CreateImageBitmapFromBlobRunnable so that it can work correctly.

Comment 11

[Pulsebot]

Pushed by echuang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/acb4edab4daf
Override Predispatch/PostDispatch of CreateImageBitmapFromBlobRunnable to mute the noise of WorkerRunnable dispatching assertion. r=dom-worker-reviewers,asuth

Comment 12

[Cristian Tuns]

https://hg.mozilla.org/mozilla-central/rev/acb4edab4daf

Comment 13

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20231122034940-ef0b50d89a7f.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.