Closed Bug 1817477 Opened 1 year ago Closed 1 year ago

Assertion failure: IsOnWorkerThread(), at /dom/workers/WorkerPrivate.cpp:5651

Categories

(Core :: DOM: Workers, defect, P3)

x86_64
Linux
defect

RESOLVED DUPLICATE of bug 1799173

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

4.06 KB, application/octet-stream

Testcase found while fuzzing mozilla-central rev 36b67e826e2d (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 36b67e826e2d --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
Assertion failure: IsOnWorkerThread(), at /dom/workers/WorkerPrivate.cpp:5651

    ==501739==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f77a5fdb15f bp 0x7ffca5a57470 sp 0x7ffca5a57460 T501739)
    ==501739==The signal is caused by a WRITE memory access.
    ==501739==Hint: address points to the zero page.
        #0 0x7f77a5fdb15f in AssertIsOnWorkerThread /dom/workers/WorkerPrivate.cpp:5651:3
        #1 0x7f77a5fdb15f in mozilla::dom::WorkerPrivate::AssertIsOnParentThread() const /dom/workers/WorkerPrivate.cpp:2227:18
        #2 0x7f77a5ff607a in mozilla::dom::WorkerRunnable::PreDispatch(mozilla::dom::WorkerPrivate*) /dom/workers/WorkerRunnable.cpp:79:23
        #3 0x7f77a5fd8f53 in mozilla::dom::WorkerRunnable::Dispatch() /dom/workers/WorkerRunnable.cpp:95:13
        #4 0x7f77a58cc54b in Finish /dom/quota/StorageManager.cpp:566:9
        #5 0x7f77a58cc54b in mozilla::dom::(anonymous namespace)::RequestResolver::OnComplete(nsIQuotaRequest*) /dom/quota/StorageManager.cpp:581:17
        #6 0x7f77a58be516 in FireCallback /dom/quota/QuotaRequests.cpp:281:16
        #7 0x7f77a58be516 in mozilla::dom::quota::Request::SetResult(nsIVariant*) /dom/quota/QuotaRequests.cpp:235:3
        #8 0x7f77a58531f3 in mozilla::dom::quota::QuotaRequestChild::HandleResponse(bool) /dom/quota/ActorsChild.cpp:269:13
        #9 0x7f77a5853b74 in mozilla::dom::quota::QuotaRequestChild::Recv__delete__(mozilla::dom::quota::RequestResponse const&) /dom/quota/ActorsChild.cpp
        #10 0x7f77a58d4aef in mozilla::dom::quota::PQuotaRequestChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PQuotaRequestChild.cpp:148:52
        #11 0x7f77a1ed4cd8 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6305:32
        #12 0x7f77a1e5f79a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1800:25
        #13 0x7f77a1e5c417 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1725:9
        #14 0x7f77a1e5cf45 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1525:3
        #15 0x7f77a1e5e27f in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1623:14
        #16 0x7f77a1208d65 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:539:16
        #17 0x7f77a1203fac in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:852:26
        #18 0x7f77a1202b7a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:684:15
        #19 0x7f77a1202ed5 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:462:36
        #20 0x7f77a120c889 in operator() /xpcom/threads/TaskController.cpp:191:37
        #21 0x7f77a120c889 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
        #22 0x7f77a1222107 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1225:16
        #23 0x7f77a122858d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:477:10
        #24 0x7f77a1e65693 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #25 0x7f77a1d87618 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #26 0x7f77a1d87521 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #27 0x7f77a1d87521 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #28 0x7f77a6517ae8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #29 0x7f77a878357b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:742:20
        #30 0x7f77a1e665a9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #31 0x7f77a1d87618 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #32 0x7f77a1d87521 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #33 0x7f77a1d87521 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #34 0x7f77a87830d8 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:675:34
        #35 0x55ace9e39ca0 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #36 0x55ace9e39ca0 in main /browser/app/nsBrowserApp.cpp:353:18
        #37 0x7f77b4babd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #38 0x7f77b4babe3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #39 0x55ace9e10308 in _start (/home/jkratzer/builds/m-c-20230213170842-fuzzing-debug/firefox-bin+0x5b308) (BuildId: e6e538411639defba1d9fd0550053bfcdb425e0d)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/workers/WorkerPrivate.cpp:5651:3 in AssertIsOnWorkerThread
    ==501739==ABORTING
Attached file Testcase

Verified bug as reproducible on mozilla-central 20230218090955-54f1bd9fa6d6.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 5300e917c86d0b1e209a231bcbdbe389d0d0b1bc (20220219093323)
End: 36b67e826e2dfa1eedbc9567f9bb3be61c431a7e (20230213170842)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Severity: -- → S3
Flags: needinfo?(jmarshall)
Flags: needinfo?(echuang)
Priority: -- → P3

I think this is a duplicate of bug 1799173.

Currently, if a WorkerRunnable is dispatched from another thread, that thread can only be its parent thread.
However, some tasks are limited to executing only on the main thread. This means that when a nested worker must send runnables to the main thread and then go back to the worker thread to continue the job, dispatching a WorkerRunnable would fail.

Bug 1799173 has the same root cause, so set this as a duplicate.

Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1799173
Flags: needinfo?(jmarshall)
Flags: needinfo?(echuang)
Resolution: --- → DUPLICATE
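The thread-ownership rule described in the comment above, as an added example that is not Gecko code and not part of the original bug: a small C++ model in which a runnable for a worker may only be dispatched from that worker's own thread or its parent thread, mirroring the check that fails in WorkerRunnable::PreDispatch. The thread ids, the top-level worker P and the nested worker N are constructed for this example; the routing helper shows one way a dispatch can be kept on parent threads by hopping down the ownership chain, and is an illustration of the constraint, not the fix applied in Gecko.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Simplified model, constructed for this example and not Gecko code, of the
// thread-ownership rule behind "Assertion failure: IsOnWorkerThread()".
// Threads are identified by small integers; the main thread is 0.
using ThreadId = int;
constexpr ThreadId kMainThread = 0;

struct WorkerModel {
    std::string name;
    ThreadId ownThread;     // thread the worker's script runs on
    ThreadId parentThread;  // main thread for a top-level worker, the
                            // parent worker's thread for a nested worker
};

// The rule from the comment: a WorkerRunnable for `target` may be dispatched
// from the worker's own thread or from its parent thread, and from nowhere else.
bool CanDispatchFrom(const WorkerModel& target, ThreadId current) {
    return current == target.ownThread || current == target.parentThread;
}

// Hypothetical topology: a top-level worker P on thread 1 (parent: main)
// and a nested worker N on thread 2 (parent: P's thread). Keyed by own thread.
std::map<ThreadId, WorkerModel> ExampleWorkers() {
    return {
        {1, {"P (top-level)", 1, kMainThread}},
        {2, {"N (nested)", 2, 1}},
    };
}

// Computes the threads a runnable must hop through, in order, so that each
// individual dispatch satisfies CanDispatchFrom: from `current` down the
// ownership chain to target.ownThread. Returns an empty vector when `current`
// is neither the target's own thread nor one of its ancestor threads.
std::vector<ThreadId> RouteToWorker(const std::map<ThreadId, WorkerModel>& workers,
                                    ThreadId current, const WorkerModel& target) {
    if (current == target.ownThread) return {target.ownThread};
    std::vector<ThreadId> chain;  // collected bottom-up, reversed at the end
    const WorkerModel* w = &target;
    for (;;) {
        chain.push_back(w->ownThread);
        if (w->parentThread == current) break;
        auto it = workers.find(w->parentThread);
        if (it == workers.end()) return {};  // walked past the root without meeting `current`
        w = &it->second;
    }
    return std::vector<ThreadId>(chain.rbegin(), chain.rend());
}

// Renders a route as "0 -> 1 -> 2", or "unreachable" for an empty route.
std::string FormatRoute(ThreadId start, const std::vector<ThreadId>& hops) {
    if (hops.empty()) return "unreachable";
    std::string out = std::to_string(start);
    for (ThreadId t : hops) out += " -> " + std::to_string(t);
    return out;
}

int main() {
    const auto workers = ExampleWorkers();
    const WorkerModel& P = workers.at(1);
    const WorkerModel& N = workers.at(2);

    // The shape of the stack trace above: a main-thread IPC callback
    // dispatching straight to a worker. Fine for P, an assertion failure for N.
    std::cout << "main -> P direct: " << (CanDispatchFrom(P, kMainThread) ? "ok" : "asserts") << "\n";
    std::cout << "main -> N direct: " << (CanDispatchFrom(N, kMainThread) ? "ok" : "asserts") << "\n";

    // Hopping through the ownership chain keeps every dispatch on a parent thread.
    std::cout << "main -> N routed: "
              << FormatRoute(kMainThread, RouteToWorker(workers, kMainThread, N)) << "\n";
    return 0;
}
```

The direct main-thread dispatch to N is exactly the case the assertion rejects: N's parent thread is P's thread, not the main thread, so the main-thread StorageManager callback in the trace has no legal direct path to the nested worker.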

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon