Closed Bug 1808052 Opened 1 year ago Closed 1 year ago

Assertion failure: rv != NS_ERROR_NOT_IMPLEMENTED (target for MessageChannel must support shutdown tasks), at /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:663

Categories

(Core :: Graphics: WebGPU, defect)

defect

Tracking

()

RESOLVED WORKSFORME
Tracking Status
firefox110 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

1.12 KB, application/x-zip-compressed
Details
Attached file testcase.zip

Found while fuzzing m-c 20221215-440856ffde51 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip

Assertion failure: rv != NS_ERROR_NOT_IMPLEMENTED (target for MessageChannel must support shutdown tasks), at /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:663

#0 0x7fea6bd8da0b in mozilla::ipc::MessageChannel::Open(mozilla::ipc::ScopedPort, mozilla::ipc::Side, nsID const&, nsISerialEventTarget*) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:662:3
#1 0x7fea6bdb4f48 in mozilla::ipc::IToplevelProtocol::Open(mozilla::ipc::ScopedPort, nsID const&, int, nsISerialEventTarget*) /builds/worker/checkouts/gecko/ipc/glue/ProtocolUtils.cpp:606:27
#2 0x7fea6ae428b1 in mozilla::ipc::UntypedEndpoint::Bind(mozilla::ipc::IToplevelProtocol*, nsISerialEventTarget*) /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/Endpoint.h:81:20
#3 0x7fea6c7636e4 in Bind /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/Endpoint.h:142:29
#4 0x7fea6c7636e4 in mozilla::gfx::CanvasManagerChild::Get() /builds/worker/checkouts/gecko/gfx/ipc/CanvasManagerChild.cpp:112:7
#5 0x7fea6e77d93d in mozilla::webgpu::CanvasContext::GetSurfaceSnapshot(gfxAlphaType*) /builds/worker/checkouts/gecko/dom/webgpu/CanvasContext.cpp:196:20
#6 0x7fea6e42e394 in mozilla::dom::OffscreenCanvas::GetSurfaceSnapshot(gfxAlphaType*) /builds/worker/checkouts/gecko/dom/canvas/OffscreenCanvas.cpp:422:27
#7 0x7fea70635c0a in nsLayoutUtils::SurfaceFromOffscreenCanvas(mozilla::dom::OffscreenCanvas*, unsigned int, RefPtr<mozilla::gfx::DrawTarget>&) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:7127:25
#8 0x7fea6e4a0c64 in SurfaceFromOffscreenCanvas /builds/worker/workspace/obj-build/dist/include/nsLayoutUtils.h:2213:12
#9 0x7fea6e4a0c64 in mozilla::dom::ImageBitmap::CreateFromOffscreenCanvas(nsIGlobalObject*, mozilla::dom::OffscreenCanvas&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/canvas/ImageBitmap.cpp:851:34
#10 0x7fea6e4b0018 in mozilla::dom::OffscreenCanvas::TransferToImageBitmap(mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/canvas/OffscreenCanvas.cpp:257:7
#11 0x7fea6d452033 in mozilla::dom::OffscreenCanvas_Binding::transferToImageBitmap(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/OffscreenCanvasBinding.cpp:1180:78
#12 0x7fea6e3302a2 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3287:13
#13 0x7fea72673cd6 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#14 0x7fea726735ff in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
#15 0x7fea7266523f in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:619:10
#16 0x7fea7266523f in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3366:16
#17 0x7fea726588fe in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
#18 0x7fea726734fb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13
#19 0x7fea72674a2c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
#20 0x7fea72969237 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/SelfHosting.cpp:1488:10
#21 0x7fea727083ec in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/AsyncFunction.cpp:149:8
#22 0x7fea728ee455 in AsyncFunctionPromiseReactionJob /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2111:12
#23 0x7fea728ee455 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2174:12
#24 0x7fea72673cd6 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#25 0x7fea726735ff in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
#26 0x7fea72674a2c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
#27 0x7fea72730cac in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#28 0x7fea6d54d97e in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:83:8
#29 0x7fea6b098415 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
#30 0x7fea6b0976d3 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
#31 0x7fea6b0976d3 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:213:18
#32 0x7fea6b085388 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:676:17
#33 0x7fea6b0861fc in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:463:3
#34 0x7fea6b1ad17a in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:24
#35 0x7fea6b1b32fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:476:10
#36 0x7fea6fd03248 in mozilla::dom::WorkerPrivate::RunCurrentSyncLoop() /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:4238:9
#37 0x7fea6e98d9c4 in mozilla::dom::AutoSyncLoopHolder::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WorkerPrivate.h:1496:27
#38 0x7fea6fcf065b in mozilla::dom::WorkerMainThreadRunnable::Dispatch(mozilla::dom::WorkerStatus, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:570:18
#39 0x7fea6ff7aa77 in Dispatch /builds/worker/checkouts/gecko/dom/xhr/XMLHttpRequestWorker.cpp:217:31
#40 0x7fea6ff7aa77 in mozilla::dom::XMLHttpRequestWorker::Open(nsTSubstring<char> const&, nsTSubstring<char16_t> const&, bool, mozilla::dom::Optional<nsTSubstring<char16_t>> const&, mozilla::dom::Optional<nsTSubstring<char16_t>> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/xhr/XMLHttpRequestWorker.cpp:1755:13
#41 0x7fea6ff7d241 in mozilla::dom::XMLHttpRequestWorker::Open(nsTSubstring<char> const&, nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/xhr/XMLHttpRequestWorker.h:114:5
#42 0x7fea6ddb5a65 in mozilla::dom::XMLHttpRequest_Binding::open(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/XMLHttpRequestBinding.cpp:1381:28
#43 0x7fea6e3302a2 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3287:13
#44 0x7fea72673cd6 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#45 0x7fea726735ff in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
#46 0x7fea7266523f in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:619:10
#47 0x7fea7266523f in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3366:16
#48 0x7fea726588fe in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
#49 0x7fea726734fb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13
#50 0x7fea72674a2c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
#51 0x7fea72730cac in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#52 0x7fea6d564bce in mozilla::dom::QueuingStrategySize::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Optional<JS::Handle<JS::Value>> const&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/QueuingStrategyBinding.cpp:279:8
#53 0x7fea6fdbdf23 in mozilla::dom::QueuingStrategySize::Call(mozilla::dom::Optional<JS::Handle<JS::Value>> const&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/QueuingStrategyBinding.h:196:12
#54 0x7fea6fde7ba8 in mozilla::dom::WritableStreamDefaultControllerGetChunkSize(JSContext*, mozilla::dom::WritableStreamDefaultController*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/WritableStreamDefaultController.cpp:544:28
#55 0x7fea6fde9297 in mozilla::dom::WritableStreamDefaultWriterWrite(JSContext*, mozilla::dom::WritableStreamDefaultWriter*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/WritableStreamDefaultWriter.cpp:289:7
#56 0x7fea6fdc3209 in mozilla::dom::PipeToPump::OnReadFulfilled(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/ReadableStreamPipeTo.cpp:604:7
#57 0x7fea6fdcfcc5 in mozilla::dom::PipeToReadRequest::ChunkSteps(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/ReadableStreamPipeTo.cpp:636:17
#58 0x7fea6fdb0006 in mozilla::dom::ReadableStreamFulfillReadRequest(JSContext*, mozilla::dom::ReadableStream*, JS::Handle<JS::Value>, bool, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/ReadableStream.cpp:633:16
#59 0x7fea6fdb186f in mozilla::dom::ReadableByteStreamControllerEnqueue(JSContext*, mozilla::dom::ReadableByteStreamController*, JS::Handle<JSObject*>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/ReadableByteStreamController.cpp:890:7
#60 0x7fea6caec907 in mozilla::dom::BodyStream::EnqueueChunkWithSizeIntoStream(JSContext*, mozilla::dom::ReadableStream*, unsigned long, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/BodyStream.cpp:412:3
#61 0x7fea6caece54 in mozilla::dom::BodyStream::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/checkouts/gecko/dom/base/BodyStream.cpp:478:3
#62 0x7fea6b124661 in mozilla::NonBlockingAsyncInputStream::RunAsyncWaitCallback(mozilla::NonBlockingAsyncInputStream::AsyncWaitRunnable*, already_AddRefed<nsIInputStreamCallback>) /builds/worker/checkouts/gecko/xpcom/io/NonBlockingAsyncInputStream.cpp:383:13
#63 0x7fea6b1238af in mozilla::NonBlockingAsyncInputStream::AsyncWaitRunnable::Run() /builds/worker/checkouts/gecko/xpcom/io/NonBlockingAsyncInputStream.cpp:33:14
#64 0x7fea6fd1cdf9 in mozilla::dom::(anonymous namespace)::ExternalRunnableWrapper::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:203:37
#65 0x7fea6fd0ed5e in mozilla::dom::WorkerRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:377:12
#66 0x7fea6fceb612 in mozilla::dom::(anonymous namespace)::WrappedControlRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /builds/worker/checkouts/gecko/dom/workers/WorkerEventTarget.cpp:39:13
#67 0x7fea6fd0ed5e in mozilla::dom::WorkerRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:377:12
#68 0x7fea6fcfe501 in mozilla::dom::WorkerPrivate::ProcessAllControlRunnablesLocked() /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3817:9
#69 0x7fea6fcfd687 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3138:21
#70 0x7fea6fce4d2d in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2044:42
#71 0x7fea6b1ace78 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1191:16
#72 0x7fea6b1b32fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:476:10
#73 0x7fea6bda2b23 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330:5
#74 0x7fea6bcc53b8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#75 0x7fea6bcc52c1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#76 0x7fea6bcc52c1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#77 0x7fea6b1a8377 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:383:10
#78 0x7fea7df86c86 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#79 0x7fea7e82fb42 in start_thread nptl/pthread_create.c:442:8
#80 0x7fea7e8c19ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Verified bug as reproducible on mozilla-central 20221230213139-0254637cfb2f.
The bug appears to have been introduced in the following build range:

Start: 061ba69417ebfdcb275f01049f09a893004c5587 (20221215092759)
End: 32522f6f67501c52b30dad3c4b7d9d2612e42f13 (20221215082552)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=061ba69417ebfdcb275f01049f09a893004c5587&tochange=32522f6f67501c52b30dad3c4b7d9d2612e42f13

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

Testcase crashes using the initial build (mozilla-central 20221215195521-440856ffde51) but not with tip (mozilla-central 20230106214742-7968ae37c117.)

The bug appears to have been fixed in the following build range:

Start: b6260907be11fee863350ad1725d25b9f3f90234 (20230105234755)
End: 4208a0e0b9cd19fa86e08a4ec0867b870cbf9a31 (20230106031419)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=b6260907be11fee863350ad1725d25b9f3f90234&tochange=4208a0e0b9cd19fa86e08a4ec0867b870cbf9a31

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(twsmith)
Keywords: bugmon

Marking WFM, see bug 1808685.

Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(twsmith)
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: