Closed
Bug 1818799
Opened 2 years ago
Closed 1 year ago
crash at null in [@ nsRefreshDriver::ScheduleViewManagerFlush]
Categories
(Core :: Layout, defect, P3)
Core
Layout
Tracking
()
RESOLVED
DUPLICATE
of bug 1875466
112 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox110 | --- | unaffected |
| firefox111 | --- | wontfix |
| firefox112 | --- | wontfix |
| firefox113 | --- | wontfix |
| firefox114 | --- | fix-optional |
People
(Reporter: tsmith, Assigned: emilio)
References
(Blocks 2 open bugs, Regression)
Details
(5 keywords, Whiteboard: [bugmon:bisected,confirmed,origRev=5eb81f0156a8])
Attachments
(2 files)
Found while fuzzing m-c 20230222-3408467a0885 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
This test case does not seem trigger the issue on ASan builds.
==326275==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f17fbfab330 bp 0x7ffc6980ff30 sp 0x7ffc6980ff00 T326275)
==326275==The signal is caused by a READ memory access.
==326275==Hint: address points to the zero page.
#0 0x7f17fbfab330 in nsRefreshDriver::ScheduleViewManagerFlush() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:3140:3
#1 0x7f17fbfe1979 in mozilla::PresShell::ScheduleViewManagerFlush() /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:3842:35
#2 0x7f17fc035d58 in nsCSSFrameConstructor::ConstructRootFrame() /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:2638:15
#3 0x7f17fbfd7b52 in mozilla::PresShell::Initialize() /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:1825:36
#4 0x7f17f8631508 in nsContentSink::StartLayout(bool) /builds/worker/checkouts/gecko/dom/base/nsContentSink.cpp:542:30
#5 0x7f17f845292f in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10698:13
#6 0x7f17f78a7f04 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:742:14
#7 0x7f17f78a9315 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:680:5
#8 0x7f17fd6db97e in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13904:23
#9 0x7f17f6b2259f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:631:22
#10 0x7f17f6b21c9c in mozilla::net::nsLoadGroup::Cancel(nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:257:11
#11 0x7f17f78a7935 in nsDocLoader::Stop() /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:259:22
#12 0x7f17f78a7851 in nsDocLoader::Stop() /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:256:3
#13 0x7f17fd65958d in Stop /builds/worker/checkouts/gecko/docshell/base/nsDocShell.h:186:25
#14 0x7f17fd65958d in nsDocShell::Stop(unsigned int) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:4362:5
#15 0x7f17fd6777b9 in nsDocShell::Destroy() /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:4613:3
#16 0x7f17fdb0eaa0 in nsWebBrowser::SetDocShell(nsDocShell*) /builds/worker/checkouts/gecko/toolkit/components/browser/nsWebBrowser.cpp:1156:18
#17 0x7f17fdb0e065 in nsWebBrowser::InternalDestroy() /builds/worker/checkouts/gecko/toolkit/components/browser/nsWebBrowser.cpp:175:3
#18 0x7f17fdb1210c in Destroy /builds/worker/checkouts/gecko/toolkit/components/browser/nsWebBrowser.cpp:881:3
#19 0x7f17fdb1210c in non-virtual thunk to nsWebBrowser::Destroy() /builds/worker/checkouts/gecko/toolkit/components/browser/nsWebBrowser.cpp
#20 0x7f17fb3842ac in mozilla::dom::BrowserChild::DestroyWindow() /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:760:31
#21 0x7f17fb393cbf in mozilla::dom::BrowserChild::RecvDestroy() /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:2469:3
#22 0x7f17fb4b016c in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:7468:80
#23 0x7f17fb5445a6 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8785:32
#24 0x7f17f757cd4a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
#25 0x7f17f75799c7 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
#26 0x7f17f757a4f5 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#27 0x7f17f757b82f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#28 0x7f17f69141a5 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:541:16
#29 0x7f17f690f2f8 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:855:26
#30 0x7f17f690deca in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:686:15
#31 0x7f17f690e225 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464:36
#32 0x7f17f6917cc9 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:191:37
#33 0x7f17f6917cc9 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#34 0x7f17f692dd17 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1225:16
#35 0x7f17f69341cd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#36 0x7f17f82ca6ec in bool mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, nsGlobalWindowOuter::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&)::$_3>(nsTSubstring<char> const&, nsGlobalWindowOuter::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&)::$_3&&, nsIThread*) /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
#37 0x7f17f82c7de0 in nsGlobalWindowOuter::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:5325:5
#38 0x7f17f82c6646 in nsGlobalWindowOuter::PrintOuter(mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:5124:3
#39 0x7f17f8280539 in nsGlobalWindowInner::Print(mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:3934:3
#40 0x7f17fc058f50 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1170:16
#41 0x7f17fd6a8a90 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6478:20
#42 0x7f17fd6a803b in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5871:7
#43 0x7f17fd6a9936 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#44 0x7f17f78aa898 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1380:3
#45 0x7f17f78a9e82 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:978:14
#46 0x7f17f78a8135 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:797:9
#47 0x7f17f78aa04a in ChildDoneWithOnload /builds/worker/workspace/obj-build/dist/include/nsDocLoader.h:228:5
#48 0x7f17f78aa04a in nsDocLoader::NotifyDoneWithOnload(nsDocLoader*) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:872:14
#49 0x7f17f78a8140 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:799:9
#50 0x7f17f78a9315 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:680:5
#51 0x7f17fd6db97e in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13904:23
#52 0x7f17f6b2259f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:631:22
#53 0x7f17f6b23ac3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:535:10
#54 0x7f17f730df1a in operator() /builds/worker/checkouts/gecko/netwerk/ipc/DocumentChannel.cpp:118:22
#55 0x7f17f730df1a in mozilla::detail::RunnableFunction<mozilla::net::DocumentChannel::ShutdownListeners(nsresult)::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#56 0x7f17f69141a5 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:541:16
#57 0x7f17f690f2f8 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:855:26
#58 0x7f17f690deca in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:686:15
#59 0x7f17f690e225 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464:36
#60 0x7f17f6917c56 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#61 0x7f17f6917c56 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#62 0x7f17f692dd17 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1225:16
#63 0x7f17f69341cd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#64 0x7f17f7582c93 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#65 0x7f17f74a4aa8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#66 0x7f17f74a49b1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#67 0x7f17f74a49b1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#68 0x7f17fbc2fd58 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#69 0x7f17fdeb247b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:20
#70 0x7f17f7583b59 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#71 0x7f17f74a4aa8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#72 0x7f17f74a49b1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#73 0x7f17f74a49b1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#74 0x7f17fdeb1fd8 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:675:34
#75 0x55f613fc5d80 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#76 0x55f613fc5d80 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353:18
#77 0x7f180a2ffd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#78 0x7f180a2ffe3f in __libc_start_main csu/../csu/libc-start.c:392:3
#79 0x55f613f9c3e8 in _start (/home/user/workspace/browsers/m-c-20230224160401-fuzzing-debug/firefox-bin+0x5b3e8) (BuildId: 24355ecedf0e18fbe1ad64b24b7384b4d0fc7984)
Flags: in-testsuite?
|
||
Comment 1•2 years ago
|
||
Verified bug as reproducible on mozilla-central 20230224160401-25a8668d9243.
The bug appears to have been introduced in the following build range:
Start: ba5f6662ca8058d3e646c042c5bbaa8b0ef027ca (20230202172003)
End: 97a75b42cf6dbdd4ac05c2bbcf4872e1ba818af6 (20230202152647)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ba5f6662ca8058d3e646c042c5bbaa8b0ef027ca&tochange=97a75b42cf6dbdd4ac05c2bbcf4872e1ba818af6
Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
|
||
Comment 2•2 years ago
|
||
:emilio do you happen to know the severity on this or if its possibly caused by bug 1813960?
Flags: needinfo?(emilio)
|
Assignee | |
Comment 3•2 years ago
|
||
Can I get a pernosco trace by any chance? Yeah this seems probably caused by bug 1813960.
Assignee: nobody → emilio
Severity: -- → S3
Component: CSS Parsing and Computation → Layout
Flags: needinfo?(emilio) → needinfo?(twsmith)
Priority: -- → P3
Regressed by: 1813960
|
Reporter | |
Comment 4•2 years ago
|
||
jkratzer added support to bugmon to get pernosco sessions... let's try it out.
Keywords: pernosco-wanted
|
||
Comment 5•2 years ago
|
||
Set release status flags based on info from the regressing bug 1813960
status-firefox110:
--- → unaffected
status-firefox111:
--- → affected
status-firefox-esr102:
--- → unaffected
|
|
||
Updated•2 years ago
|
Keywords: pernosco-wanted → pernosco
|
||
Comment 6•2 years ago
|
||
Re-adding pernosco-wanted keyword as there was a bug in bugmon preventing the trace from being submitted.
Keywords: pernosco → pernosco-wanted
|
|
||
Comment 7•2 years ago
|
||
Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.
Keywords: pernosco-wanted → pernosco
|
|
Assignee | |
Comment 9•2 years ago
|
||
This kinda papers over the issue. There's a somewhat deeper problem here
where creating an <object> element inside a static document creates a
non-print presshell / pres context / etc.
But let's address the regression for now, since this is harmless and
trivial.
|
|
Assignee | |
Comment 10•2 years ago
|
||
Thanks! This seems DEBUG only, so not worth tracking IMO.
Flags: needinfo?(twsmith)
|
||
Updated•2 years ago
|
|
||
Comment 11•2 years ago
|
||
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5d2f6d3f231a
Tweak a debug assert to avoid crashing on disconnected refresh drivers. r=layout-reviewers,tnikkel
|
||
Comment 12•2 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch
|
|
||
Comment 13•2 years ago
|
||
Bug marked as FIXED but still reproduces on mozilla-central 20230302162359-9d6a3eb520ac. If you believe this to be incorrect, please remove the bugmon keyword to prevent further analysis.
|
||
Comment 14•2 years ago
|
||
We'll still hit the NS_ASSERTION, but it's not fatal, and we won't be accessing null. :shrug:
|
|
||
Comment 15•2 years ago
|
||
On mozilla-central rev 5eb81f0156a8 (20230303) built with --enable-debug --enable-fuzzing, the testcase triggers the following assertion:
Assertion failure: ObserverCount() == mEarlyRunners.Length() (observers, except pending selection scrolls, should have been unregistered), at /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1364
==215472==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fbae00adaa4 bp 0x7ffe633c26e0 sp 0x7ffe633c2690 T215472)
==215472==The signal is caused by a WRITE memory access.
==215472==Hint: address points to the zero page.
#0 0x7fbae00adaa4 in nsRefreshDriver::~nsRefreshDriver() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1362:3
#1 0x7fbae00ae250 in nsRefreshDriver::~nsRefreshDriver() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1360:37
#2 0x7fbae01a64b8 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/layers/TransactionIdAllocator.h:23:3
#3 0x7fbae01a64b8 in Release /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.h:356:36
#4 0x7fbae01a64b8 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
#5 0x7fbae01a64b8 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
#6 0x7fbae01a64b8 in assign_assuming_AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:69:7
#7 0x7fbae01a64b8 in operator= /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:168:5
#8 0x7fbae01a64b8 in nsPresContext::Destroy() /builds/worker/checkouts/gecko/layout/base/nsPresContext.cpp:364:18
#9 0x7fbae01a65d1 in nsPresContext::~nsPresContext() /builds/worker/checkouts/gecko/layout/base/nsPresContext.cpp:372:3
#10 0x7fbae01a6d60 in nsPresContext::~nsPresContext() /builds/worker/checkouts/gecko/layout/base/nsPresContext.cpp:368:33
#11 0x7fbada935798 in SnowWhiteKiller::MaybeKillObject(SnowWhiteKiller::SnowWhiteObject&) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2456:29
#12 0x7fbada93a7bb in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2481:9
#13 0x7fbada928d5e in void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:940:23
#14 0x7fbada929619 in nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2649:14
#15 0x7fbadb85c8c1 in AsyncFreeSnowWhite::Run() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSRuntime.cpp:154:9
#16 0x7fbadaa35b0f in IdleRunnableWrapper::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:324:22
#17 0x7fbadaa07985 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:541:16
#18 0x7fbadaa02ad8 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:855:26
#19 0x7fbadaa0180e in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
#20 0x7fbadaa01a05 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464:36
#21 0x7fbadaa0b386 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#22 0x7fbadaa0b386 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:547:5
#23 0x7fbadaa214e7 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239:16
#24 0x7fbadaa2799d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#25 0x7fbadb677633 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#26 0x7fbadb598ff8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#27 0x7fbadb598f01 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#28 0x7fbadb598f01 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#29 0x7fbadfd3be78 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#30 0x7fbae1fc27db in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:20
#31 0x7fbadb6784f9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#32 0x7fbadb598ff8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#33 0x7fbadb598f01 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#34 0x7fbadb598f01 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#35 0x7fbae1fc2338 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:671:34
#36 0x56102df54df0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#37 0x56102df54df0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353:18
#38 0x7fbaee429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#39 0x7fbaee429e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#40 0x56102df2b458 in _start (/home/jkratzer/builds/m-c-20230303095645-fuzzing-debug/firefox-bin+0x5b458) (BuildId: d162de9a42fbd2000af77299d7eafa65b30c3888)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1362:3 in nsRefreshDriver::~nsRefreshDriver()
|
|
||
Comment 16•2 years ago
|
||
Set release status flags based on info from the regressing bug 1813960
status-firefox113:
--- → affected
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Updated•2 years ago
|
Keywords: pernosco → pernosco-wanted
|
|
||
Updated•2 years ago
|
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed,origRev=5eb81f0156a8]
|
|
||
Comment 17•2 years ago
|
||
Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.
Keywords: pernosco-wanted → pernosco
|
|
||
Comment 18•2 years ago
|
||
A pernosco session for this bug can be found here.
|
||
Updated•2 years ago
|
|
|
||
Comment 19•2 years ago
|
||
Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
|
|
||
Comment 20•2 years ago
|
||
A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.
Keywords: bugmon
|
|
||
Comment 21•1 year ago
|
||
Testcase crashes using the initial build (mozilla-central 20230303095645-5eb81f0156a8) but not with tip (mozilla-central 20240127092204-0452ed2e98ac.)
The bug appears to have been fixed in the following build range:
Start: 82dfbdd770bc54674f82bae256dae683772884af (20240122155520)
End: 75c3c3ed6fe2c33aa435e3a099c5f18be4b4d8d2 (20240122183000)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=82dfbdd770bc54674f82bae256dae683772884af&tochange=75c3c3ed6fe2c33aa435e3a099c5f18be4b4d8d2
emilio, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Flags: needinfo?(emilio)
Keywords: bugmon
|
|
Assignee | |
Comment 22•1 year ago
|
||
Seems somewhat believable that some of the <object> simplifications in bug 1875466 fixed this.
Status: REOPENED → RESOLVED
Closed: 2 years ago → 1 year ago
Duplicate of bug: 1875466
Flags: needinfo?(emilio)
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•