Assertion failure: mResponseTarget->IsOnCurrentThread(), at /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:600
Categories
(Core :: DOM: Workers, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox109 | --- | disabled |
| firefox110 | --- | fixed |
People
(Reporter: tsmith, Assigned: janv)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase)
Attachments
(1 file)
|
1.10 KB,
application/x-zip-compressed
|
Details |
Found while fuzzing m-c 20221217-59c15c902a18 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --repeat 100
The provided test case is not 100% reliable and may require a few attempts to triggers the issue.
Assertion failure: mResponseTarget->IsOnCurrentThread(), at /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:600
#0 0x7fb1a737c626 in mozilla::MozPromise<bool, bool, false>::ThenValueBase::DoResolveOrReject(mozilla::MozPromise<bool, bool, false>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:600:7
#1 0x7fb1a737c223 in mozilla::MozPromise<bool, bool, false>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:489:21
#2 0x7fb1a736eb4e in OnDiscard /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:93:9
#3 0x7fb1a736eb4e in non-virtual thunk to mozilla::CancelableRunnable::OnDiscard() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp
#4 0x7fb1abec30b4 in mozilla::dom::(anonymous namespace)::ExternalRunnableWrapper::Cancel() /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:221:13
#5 0x7fb1abeb4c87 in mozilla::dom::WorkerRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:247:5
#6 0x7fb1a7362b54 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1203:16
#7 0x7fb1a735edc9 in NS_ProcessPendingEvents(nsIThread*, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:441:19
#8 0x7fb1abea75d3 in mozilla::dom::WorkerPrivate::ClearMainEventQueue(mozilla::dom::WorkerPrivate::WorkerRanOrNot) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3860:5
#9 0x7fb1abea9ba0 in mozilla::dom::WorkerPrivate::DestroySyncLoop(unsigned int) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:4279:7
#10 0x7fb1abea9578 in mozilla::dom::WorkerPrivate::RunCurrentSyncLoop() /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:4250:10
#11 0x7fb1aab35324 in mozilla::dom::AutoSyncLoopHolder::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WorkerPrivate.h:1500:27
#12 0x7fb1ac116c1c in mozilla::dom::XMLHttpRequestWorker::SendInternal(mozilla::dom::BodyExtractorBase const*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/xhr/XMLHttpRequestWorker.cpp:1695:20
#13 0x7fb1ac117cd2 in mozilla::dom::XMLHttpRequestWorker::Send(mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/xhr/XMLHttpRequestWorker.cpp
#14 0x7fb1a9f5e0b9 in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/XMLHttpRequestBinding.cpp:1682:24
#15 0x7fb1aa4d8232 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3287:13
#16 0x7fb1ae809cb6 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#17 0x7fb1ae8095df in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
#18 0x7fb1ae7fb21f in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:619:10
#19 0x7fb1ae7fb21f in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3379:16
#20 0x7fb1ae7ee8de in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
#21 0x7fb1ae8094db in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13
#22 0x7fb1ae80aa0c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
#23 0x7fb1aeafef77 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/SelfHosting.cpp:1488:10
#24 0x7fb1ae89e4ec in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/AsyncFunction.cpp:149:8
#25 0x7fb1aea842f5 in AsyncFunctionPromiseReactionJob /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2111:12
#26 0x7fb1aea842f5 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2174:12
#27 0x7fb1ae809cb6 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#28 0x7fb1ae8095df in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
#29 0x7fb1ae80aa0c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
#30 0x7fb1ae8c6dac in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#31 0x7fb1a96f860e in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:83:8
#32 0x7fb1a724dfd5 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
#33 0x7fb1a724d293 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
#34 0x7fb1a724d293 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:213:18
#35 0x7fb1a723af48 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:676:17
#36 0x7fb1a723bdbc in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:463:3
#37 0x7fb1a7362e4c in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1246:24
#38 0x7fb1a73692dd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:476:10
#39 0x7fb1abea3c94 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3234:7
#40 0x7fb1abe8b1fd in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2044:42
#41 0x7fb1a7362b54 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1203:16
#42 0x7fb1a73692dd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:476:10
#43 0x7fb1a7f5526a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#44 0x7fb1a7e78d78 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#45 0x7fb1a7e78c81 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#46 0x7fb1a7e78c81 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#47 0x7fb1a735dee7 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:383:10
#48 0x7fb1bad55c86 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#49 0x7fb1bb5feb42 in start_thread nptl/pthread_create.c:442:8
#50 0x7fb1bb6909ff misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
||
Comment 1•2 years ago
|
||
Verified bug as reproducible on mozilla-central 20221219162526-91a9bbbe6bea.
The bug appears to have been introduced in the following build range:
Start: c9ad12757bb5e3ad162bc8920a42cc14f7859bec (20221015212605)
End: 2afbf50098b61b33d3a06339e29c067fb9e7727e (20221015201449)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c9ad12757bb5e3ad162bc8920a42cc14f7859bec&tochange=2afbf50098b61b33d3a06339e29c067fb9e7727e
|
||
Comment 2•2 years ago
|
||
Hmm, I'm not sure that regression range is correct. I don't see workers related changes there.
This is another variant of those XHR issues on workers.
|
|
||
Comment 3•2 years ago
|
||
Testcase crashes using the initial build (mozilla-central 20221217093017-59c15c902a18) but not with tip (mozilla-central 20221230213139-0254637cfb2f.)
The bug appears to have been fixed in the following build range:
Start: 345ec3c4436ae80e5f25367b1a07e301aaa416c5 (20221227051100)
End: 345ec3c4436ae80e5f25367b1a07e301aaa416c5 (20221227093156)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=345ec3c4436ae80e5f25367b1a07e301aaa416c5&tochange=345ec3c4436ae80e5f25367b1a07e301aaa416c5
tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
Reporter | |
Comment 4•2 years ago
|
||
I am able to repro with the attached test case and the fuzzers are still reporting this frequently.
|
|
||
Comment 5•2 years ago
|
||
Testcase crashes using the initial build (mozilla-central 20221217093017-59c15c902a18) but not with tip (mozilla-central 20230106214742-7968ae37c117.)
The bug appears to have been fixed in the following build range:
Start: 8e6dd71c4ece68ea8667d0e75488023b502bca76 (20230105002630)
End: 8e6dd71c4ece68ea8667d0e75488023b502bca76 (20230105034049)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=8e6dd71c4ece68ea8667d0e75488023b502bca76&tochange=8e6dd71c4ece68ea8667d0e75488023b502bca76
tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
||
Comment 6•2 years ago
•
|
||
That range is not even valid 🤔
|
||
Updated•2 years ago
|
|
||
Comment 8•2 years ago
|
||
Ah, I missed --repeat 100. This testcase is too unreliable to be handled by bugmon.
|
||
Comment 9•2 years ago
|
||
(In reply to Jason Kratzer [:jkratzer] from comment #8)
Ah, I missed
--repeat 100. This testcase is too unreliable to be handled by bugmon.
Is it possible to validate if this is still happening (with or without bugmon)? I think this was likely addressed by the backout/reverse patch landed in bug 1808685 that stopped us from making GetCurrentSerialEventTarget() return different things. (And bug 1808687 changed the need for the logic that was backed out to exist.) But if it wasn't, I think a number of other fixes related to promises have also landed that could have made this go away.
|
|
Reporter | |
Comment 10•2 years ago
|
||
I tested with m-c 20230120-8dd315952fe9 and could not reproduce the issue.
The issue was last reported by fuzzers running m-c 20230105-13af43e59e41 so it looks like bug 1808687 removed the issue.
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
||
Comment 11•2 years ago
|
||
Based on comment #1, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.
:janv, if possible, could you fill the Regressed by field?
For more information, please visit auto_nag documentation.
|
|
||
Comment 12•2 years ago
|
||
Comment #9 implies it was bug 1803062 which is reverted in bug 1808685.
Description
•