Closed Bug 1817557 Opened 2 years ago Closed 2 years ago

Hit MOZ_CRASH(Found dangling CheckedUnsafePtr) at /builds/worker/workspace/obj-build/dist/include/mozilla/dom/quota/CheckedUnsafePtr.h:247

Categories

(Core :: Graphics: WebGPU, defect)

Tracking

RESOLVED DUPLICATE of bug 1808820
Tracking Status
firefox110 --- wontfix
firefox111 --- wontfix
firefox112 --- fixed

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing m-c 20230217-c0c7ac76b5f3 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(Found dangling CheckedUnsafePtr) at /builds/worker/workspace/obj-build/dist/include/mozilla/dom/quota/CheckedUnsafePtr.h:247

#0 0x7efdd1df6b8e in NotifyCheckFailure /builds/worker/workspace/obj-build/dist/include/mozilla/dom/quota/CheckedUnsafePtr.h:247:31
#1 0x7efdd1df6b8e in NotifyCheckFailure<mozilla::CrashOnDanglingCheckedUnsafePtr> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/quota/CheckedUnsafePtr.h:215:13
#2 0x7efdd1df6b8e in mozilla::CheckCheckedUnsafePtrs<mozilla::CrashOnDanglingCheckedUnsafePtr>::Check(nsTArray<mozilla::detail::CheckedUnsafePtrBaseCheckingEnabled*>&) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/quota/CheckedUnsafePtr.h:239:7
#3 0x7efdd1dc33dd in mozilla::detail::SupportCheckedUnsafePtrImpl<mozilla::CrashOnDanglingCheckedUnsafePtr, (mozilla::CheckingSupport)1>::~SupportCheckedUnsafePtrImpl() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/quota/CheckedUnsafePtr.h:287:13
#4 0x7efdd4100940 in mozilla::dom::WorkerPrivate::Release() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WorkerPrivate.h:145:3
#5 0x7efdd40e09b5 in mozilla::dom::Worker::cycleCollection::Unlink(void*) /builds/worker/checkouts/gecko/dom/workers/Worker.cpp:192:8
#6 0x7efdcba46fc5 in nsCycleCollector::CollectWhite() /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3100:26
#7 0x7efdcba49f71 in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3466:26
#8 0x7efdcba4974b in nsCycleCollector::ShutdownCollect() /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3377:20
#9 0x7efdcba4bc76 in nsCycleCollector::Shutdown(bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3673:5
#10 0x7efdcba4db42 in nsCycleCollector_shutdown(bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3997:18
#11 0x7efdcbc9194c in mozilla::ShutdownXPCOM(nsIServiceManager*) /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:673:3
#12 0x7efdd9a91b4d in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:679:16
#13 0x55bb61903594 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#14 0x55bb61903a57 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353:18
#15 0x7efdee8f9d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#16 0x7efdee8f9e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#17 0x55bb61842018 in _start (/home/user/workspace/browsers/m-c-20230215145624-fuzzing-asan-opt/firefox+0x112018) (BuildId: 079808ee1baf282c160225b56b493266258dde85)
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20230218045051-50be9c4a3f06.
The bug appears to have been introduced in the following build range:

Start: e6e2286d2ac25001127a1cf54a87a95fb435c734 (20220708093332)
End: 807e95cd9956aa4967ddddc80f8ccab4ad370e8d (20220708081410)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=e6e2286d2ac25001127a1cf54a87a95fb435c734&tochange=807e95cd9956aa4967ddddc80f8ccab4ad370e8d

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

:nical I suspect from the above regression range that it is caused by bug 1750576, could you take a look if this is the right regressor?

Flags: needinfo?(nical.bugzilla)

Testcase crashes using the initial build (mozilla-central 20230217165316-c0c7ac76b5f3) but not with tip (mozilla-central 20230224160401-25a8668d9243).

The bug appears to have been fixed in the following build range:

Start: 58d33c51785789f5c1ed888718a66893ac9ed8ec (20230221212648)
End: aaf82d1483adc6d6d2eeb5af8702324f169c02b4 (20230221200239)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=58d33c51785789f5c1ed888718a66893ac9ed8ec&tochange=aaf82d1483adc6d6d2eeb5af8702324f169c02b4

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(nical.bugzilla) → needinfo?(twsmith)
Keywords: bugmon

Given this has the same regression range and the same fix range I'll mark it as a duplicate.

Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1809668
Flags: needinfo?(twsmith)
Resolution: --- → DUPLICATE
Regressed by: 1750576
Duplicate of bug: 1808820
No longer duplicate of bug: 1809668