Closed Bug 1818655 Opened 1 year ago Closed 1 year ago

Assertion failure: !tc->isMarkedGray(), at /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:5096

Categories

(Core :: DOM: Streams, defect, P2)

defect

Tracking


VERIFIED FIXED
112 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox110 --- wontfix
firefox111 --- fixed
firefox112 --- verified

People

(Reporter: tsmith, Assigned: saschanaz)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20230214-e027953e2470 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

I'm not sure if this is s-s, marking to be safe.

Assertion failure: !tc->isMarkedGray(), at /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:5096

#0 0x7f8a7218d3ce in js::gc::detail::AssertCellIsNotGray(js::gc::Cell const*) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:5096:3
#1 0x7f8a7187211d in AssertCellIsNotGray /builds/worker/workspace/obj-build/dist/include/js/RootingAPI.h:423:5
#2 0x7f8a7187211d in AssertObjectIsNotGray /builds/worker/workspace/obj-build/dist/include/js/RootingAPI.h:428:3
#3 0x7f8a7187211d in checkObject /builds/worker/checkouts/gecko/js/src/vm/JSContext-inl.h:88:5
#4 0x7f8a7187211d in js::ContextChecks::check(JSObject*, int) /builds/worker/checkouts/gecko/js/src/vm/JSContext-inl.h:82:7
#5 0x7f8a71af8fff in void JSContext::checkImpl<JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>>(JS::Handle<JSObject*> const&, JS::Handle<JS::PropertyKey> const&, JS::Handle<JS::Value> const&) /builds/worker/checkouts/gecko/js/src/vm/JSContext-inl.h:206:33
#6 0x7f8a71b210f2 in check<JS::Handle<JSObject *>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value> > /builds/worker/checkouts/gecko/js/src/vm/JSContext-inl.h:213:5
#7 0x7f8a71b210f2 in DefineDataPropertyById(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, unsigned int) /builds/worker/checkouts/gecko/js/src/vm/PropertyAndElement.cpp:74:7
#8 0x7f8a71b21ca9 in DefineDataProperty(JSContext*, JS::Handle<JSObject*>, char const*, JS::Handle<JS::Value>, unsigned int) /builds/worker/checkouts/gecko/js/src/vm/PropertyAndElement.cpp:231:10
#9 0x7f8a6efc4deb in mozilla::dom::PackAndPostMessage(JSContext*, mozilla::dom::MessagePort*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/Transferable.cpp:58:8
#10 0x7f8a6efc57fb in mozilla::dom::PackAndPostMessageHandlingError(JSContext*, mozilla::dom::MessagePort*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/dom/streams/Transferable.cpp:281:3
#11 0x7f8a6efc56d1 in mozilla::dom::CrossRealmWritableUnderlyingSinkAlgorithms::WriteCallback(JSContext*, JS::Handle<JS::Value>, mozilla::dom::WritableStreamDefaultController&, mozilla::ErrorResult&)::'lambda'(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&, mozilla::dom::SetUpTransformWritableMessageEventListener*, mozilla::dom::MessagePort*, JS::Handle<JS::Value>)::operator()(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&, mozilla::dom::SetUpTransformWritableMessageEventListener*, mozilla::dom::MessagePort*, JS::Handle<JS::Value>) const /builds/worker/checkouts/gecko/dom/streams/Transferable.cpp:340:29
#12 0x7f8a6efc542a in CallCallback<(lambda at /builds/worker/checkouts/gecko/dom/streams/Transferable.cpp:330:13), 0UL, 1UL, 0UL> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise-inl.h:205:12
#13 0x7f8a6efc542a in CallCallback<(lambda at /builds/worker/checkouts/gecko/dom/streams/Transferable.cpp:330:13)> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise-inl.h:213:12
#14 0x7f8a6efc542a in mozilla::dom::(anonymous namespace)::NativeThenHandler<mozilla::dom::CrossRealmWritableUnderlyingSinkAlgorithms::WriteCallback(JSContext*, JS::Handle<JS::Value>, mozilla::dom::WritableStreamDefaultController&, mozilla::ErrorResult&)::'lambda'(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&, mozilla::dom::SetUpTransformWritableMessageEventListener*, mozilla::dom::MessagePort*, JS::Handle<JS::Value>), mozilla::dom::CrossRealmWritableUnderlyingSinkAlgorithms::WriteCallback(JSContext*, JS::Handle<JS::Value>, mozilla::dom::WritableStreamDefaultController&, mozilla::ErrorResult&)::'lambda'(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&, mozilla::dom::SetUpTransformWritableMessageEventListener*, mozilla::dom::MessagePort*, JS::Handle<JS::Value>), std::tuple<RefPtr<mozilla::dom::SetUpTransformWritableMessageEventListener>, RefPtr<mozilla::dom::MessagePort>>, std::tuple<JS::Handle<JS::Value>>>::CallResolveCallback(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise-inl.h:186:12
#15 0x7f8a6ef71c5b in mozilla::dom::PromiseNativeThenHandlerBase::ResolvedCallback(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/promise/Promise.cpp:291:29
#16 0x7f8a6ef795e1 in mozilla::dom::(anonymous namespace)::PromiseNativeHandlerShim::ResolvedCallback(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/promise/Promise.cpp:466:12
#17 0x7f8a6ef79c8a in mozilla::dom::NativeHandlerCallback(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/promise/Promise.cpp
#18 0x7f8a718e0c66 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#19 0x7f8a718e058f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
#20 0x7f8a718e19bc in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
#21 0x7f8a719040b5 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.h:116:10
#22 0x7f8a71b613a9 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2240:10
#23 0x7f8a718e0c66 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#24 0x7f8a718e058f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
#25 0x7f8a718e19bc in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
#26 0x7f8a7199de7c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#27 0x7f8a6c5a01ce in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:83:8
#28 0x7f8a6a018a85 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
#29 0x7f8a6a018353 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
#30 0x7f8a6a018353 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:213:18
#31 0x7f8a6a005b28 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:676:17
#32 0x7f8a6d9a2b7c in LeaveMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:246:7
#33 0x7f8a6d9a2b7c in ~nsAutoMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:394:13
#34 0x7f8a6d9a2b7c in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1316:3
#35 0x7f8a6d9a37c9 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1504:17
#36 0x7f8a6d998606 in HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:395:5
#37 0x7f8a6d998606 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:347:17
#38 0x7f8a6d997b3b in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:549:16
#39 0x7f8a6d99a2f5 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1122:11
#40 0x7f8a6d99ced6 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#41 0x7f8a6d97133b in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/events/DOMEventTargetHelper.cpp:176:17
#42 0x7f8a6d9aa232 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /builds/worker/checkouts/gecko/dom/events/EventTarget.cpp:180:13
#43 0x7f8a6ef6e2f2 in mozilla::dom::PostMessageRunnable::DispatchMessage() const /builds/worker/checkouts/gecko/dom/messagechannel/MessagePort.cpp:160:12
#44 0x7f8a6ef6dad9 in mozilla::dom::PostMessageRunnable::Run() /builds/worker/checkouts/gecko/dom/messagechannel/MessagePort.cpp:75:5
#45 0x7f8a6a10a272 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:114:20
#46 0x7f8a6a1149a5 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:541:16
#47 0x7f8a6a10faf8 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:855:26
#48 0x7f8a6a10e6ca in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:686:15
#49 0x7f8a6a10ea25 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464:36
#50 0x7f8a6a118456 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#51 0x7f8a6a118456 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#52 0x7f8a6a12e517 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1225:16
#53 0x7f8a6a1349cd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#54 0x7f8a6ad820e3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#55 0x7f8a6aca3f58 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#56 0x7f8a6aca3e61 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#57 0x7f8a6aca3e61 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#58 0x7f8a6f41ae38 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#59 0x7f8a71695e8b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:20
#60 0x7f8a6ad82fa9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#61 0x7f8a6aca3f58 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#62 0x7f8a6aca3e61 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#63 0x7f8a6aca3e61 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#64 0x7f8a716959e8 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:675:34
#65 0x563b9116ed80 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#66 0x563b9116ed80 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353:18
#67 0x7f8a7dadfd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#68 0x7f8a7dadfe3f in __libc_start_main csu/../csu/libc-start.c:392:3
#69 0x563b911453e8 in _start (/home/user/workspace/browsers/m-c-20230223172038-fuzzing-debug/firefox-bin+0x5b3e8) (BuildId: bbd8ebc04b8c7c34e8927b0a6a78fa5e4e0c6f13)
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20230224035235-3290e57446bb.
The bug appears to have been introduced in the following build range:

Start: aaaed875acb35024eb955fca92ba50ae244be85c (20220519114425)
End: cc776278c4ea98788c42b90a53d1c6c37fdf47e7 (20220519160314)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=aaaed875acb35024eb955fca92ba50ae244be85c&tochange=cc776278c4ea98788c42b90a53d1c6c37fdf47e7

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

Kagami, would you mind taking a look?

Flags: needinfo?(krosylight)

(In reply to Bugmon [:jkratzer for issues] from comment #1)

> Verified bug as reproducible on mozilla-central 20230224035235-3290e57446bb.
> The bug appears to have been introduced in the following build range:
>
> Start: aaaed875acb35024eb955fca92ba50ae244be85c (20220519114425)
> End: cc776278c4ea98788c42b90a53d1c6c37fdf47e7 (20220519160314)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=aaaed875acb35024eb955fca92ba50ae244be85c&tochange=cc776278c4ea98788c42b90a53d1c6c37fdf47e7

The pushlog seems to be empty?

Flags: needinfo?(jkratzer)
Flags: needinfo?(jkratzer)

I'm running another bisection with the pref enabled to see if we can narrow it down to an early commit.

Does anyone know what "being gray" means here?

Flags: needinfo?(krosylight)

Bisecting with the pref enabled returns the following range, pointing to bug 1659025 when Transferable was implemented for ReadableStream.
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=aaaed875acb35024eb955fca92ba50ae244be85c&tochange=cc776278c4ea98788c42b90a53d1c6c37fdf47e7

Assignee: nobody → krosylight
Status: NEW → ASSIGNED

I think this will just cause weird null derefs so we can unhide this.

Group: dom-core-security
Severity: -- → S3
Priority: -- → P2

Hey there, is this a patch we need for 111? If so, do we need someone else to get the patch updated and landed?

Flags: needinfo?(jcoppeard)

With small and simple patches like this one that fix potential crashes I'd say yes to uplift. But obviously it needs to be reviewed and landed on central first.

Flags: needinfo?(jcoppeard)

I'm about to tweak the patch to call ExposeObjectToActiveJS in a bit different place.
Patch coming still today
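
Background for the "gray" question above and for the fix: in SpiderMonkey's GC, a cell marked gray is one reachable only through gray roots, i.e. the JS wrappers held by cycle-collected C++ objects (here the arguments captured by ThenWithCycleCollectedArgsJS), and not from ordinary JS roots. Before such a cell is handed back to running JS it must be unmarked with JS::ExposeObjectToActiveJS (which turns it and everything it reaches black); otherwise debug builds fail AssertCellIsNotGray, which is the assertion in the stack above. The following C++ is a toy model of that invariant, added here as an illustration. It is not Gecko or SpiderMonkey code: every type and function name in it is invented for the model, and it keeps only the tri-color rules needed to show why the buggy path asserts and the patched path does not.

```cpp
// Toy model of SpiderMonkey's gray/black marking and of the read barrier that
// JS::ExposeObjectToActiveJS provides. All names are invented for this model.
#include <cstdio>
#include <stdexcept>
#include <vector>

enum class Color { White, Gray, Black };

struct Cell {
    Color color = Color::White;
    std::vector<Cell*> edges;   // outgoing references to other cells
};

// Mark everything reachable from `root` with colour `c`. Cells that are
// already black stay black: black dominates gray, as in the real marker.
static void markFrom(Cell* root, Color c) {
    std::vector<Cell*> stack{root};
    while (!stack.empty()) {
        Cell* cell = stack.back();
        stack.pop_back();
        if (cell->color == Color::Black || cell->color == c) continue;
        cell->color = c;
        for (Cell* e : cell->edges) stack.push_back(e);
    }
}

// One GC cycle. Black roots are ordinary JS roots; gray roots are the JS
// values held only by cycle-collected C++ objects (e.g. arguments captured
// for a later callback). White cells would be freed; the model has none.
static void collect(const std::vector<Cell*>& blackRoots,
                    const std::vector<Cell*>& grayRoots,
                    const std::vector<Cell*>& allCells) {
    for (Cell* c : allCells) c->color = Color::White;
    for (Cell* r : blackRoots) markFrom(r, Color::Black);
    for (Cell* r : grayRoots) markFrom(r, Color::Gray);
}

// Model of the read barrier (JS::ExposeObjectToActiveJS): unmark gray
// recursively so the cell and everything it reaches count as reachable from
// active JS.
static void exposeToActiveJS(Cell* cell) {
    std::vector<Cell*> stack{cell};
    while (!stack.empty()) {
        Cell* c = stack.back();
        stack.pop_back();
        if (c->color != Color::Gray) continue;
        c->color = Color::Black;
        for (Cell* e : c->edges) stack.push_back(e);
    }
}

// Model of ContextChecks::check -> AssertCellIsNotGray: a JSAPI entry point
// refuses a gray argument in debug builds.
static void checkNotGray(Cell* cell) {
    if (cell->color == Color::Gray)
        throw std::logic_error("Assertion failure: !tc->isMarkedGray()");
}

// A callback receiving the cycle-collected argument `arg`. `expose` selects
// the patched path (expose first) or the original one (pass it straight in).
static bool callbackPassesCheck(Cell* arg, bool expose) {
    if (expose) exposeToActiveJS(arg);
    try { checkNotGray(arg); } catch (const std::logic_error&) { return false; }
    return true;
}

// Scenario from the report: a value captured by cycle-collected storage, a GC
// that marks it gray, then the callback that hands it to JS.
static bool scenario(bool fixed) {
    Cell jsRoot, captured, child;
    captured.edges.push_back(&child);
    collect({&jsRoot}, {&captured}, {&jsRoot, &captured, &child});
    return callbackPassesCheck(&captured, fixed);
}

// Exposing is recursive: cells reachable from the exposed one turn black too,
// so the cycle collector no longer sees them as held only by C++.
static bool exposeIsRecursive() {
    Cell jsRoot, captured, child;
    captured.edges.push_back(&child);
    collect({&jsRoot}, {&captured}, {&jsRoot, &captured, &child});
    exposeToActiveJS(&captured);
    return captured.color == Color::Black && child.color == Color::Black;
}

int main() {
    std::printf("without expose: %s\n", scenario(false) ? "ok" : "assertion");
    std::printf("with expose:    %s\n", scenario(true) ? "ok" : "assertion");
    return 0;
}
```

The model shows the two halves of the bug: the GC legitimately leaves the captured value gray because nothing in active JS references it, and the original callback then passed that gray value into a JSAPI call. The patch inserts the barrier at the boundary where cycle-collected arguments re-enter JS, which is the same place the model's `expose` flag represents.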

Attachment #9319754 - Attachment description: Bug 1818655 - Call ExposeObjectToActiveJS while packing a message r=sfink → Bug 1818655 - Call exposeToActiveJS before passing the args to ThenWithCycleCollectedArgsJS's callback r=sfink,jonco
Pushed by opettay@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/88de69c24246
Call exposeToActiveJS before passing the args to ThenWithCycleCollectedArgsJS's callback  r=jonco
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/38774 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]

Comment on attachment 9319754 [details]
Bug 1818655 - Call exposeToActiveJS before passing the args to ThenWithCycleCollectedArgsJS's callback r=sfink,jonco

Beta/Release Uplift Approval Request

  • User impact if declined: Crashes
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Just adding extra exposeToActiveJS call
  • String changes made/needed: N/A
  • Is Android affected?: Yes
Attachment #9319754 - Flags: approval-mozilla-beta?
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch

Verified bug as fixed on rev mozilla-central 20230302045723-da5d9cb0388f.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

Comment on attachment 9319754 [details]
Bug 1818655 - Call exposeToActiveJS before passing the args to ThenWithCycleCollectedArgsJS's callback r=sfink,jonco

Approved for 111.0b8

Attachment #9319754 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Upstream PR merged by moz-wptsync-bot