1821224 - Assertion failure: !IsWritableStreamLocked(aDest), at /builds/worker/checkouts/gecko/dom/streams/ReadableStreamPipeTo.cpp:907

Status: RESOLVED DUPLICATE of bug 1818576

(Core :: DOM: Streams, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20230214-e027953e2470 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: !IsWritableStreamLocked(aDest), at /builds/worker/checkouts/gecko/dom/streams/ReadableStreamPipeTo.cpp:907

#0 0x7f197290cf54 in mozilla::dom::streams_abstract::ReadableStreamPipeTo(mozilla::dom::ReadableStream*, mozilla::dom::WritableStream*, bool, bool, bool, mozilla::dom::AbortSignal*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/ReadableStreamPipeTo.cpp:907:3
#1 0x7f197291eb9a in mozilla::dom::WritableStream::Transfer(JSContext*, mozilla::dom::UniqueMessagePortId&) /builds/worker/checkouts/gecko/dom/streams/Transferable.cpp:926:7
#2 0x7f196f715116 in mozilla::dom::StructuredCloneHolder::CustomWriteTransferHandler(JSContext*, JS::Handle<JSObject*>, unsigned int*, JS::TransferableOwnership*, void**, unsigned long*) /builds/worker/checkouts/gecko/dom/base/StructuredCloneHolder.cpp:1465:22
#3 0x7f19751bf13b in JSStructuredCloneWriter::transferOwnership() /builds/worker/checkouts/gecko/js/src/vm/StructuredClone.cpp:2316:12
#4 0x7f19751b014f in JSStructuredCloneWriter::write(JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/StructuredClone.cpp:2449:10
#5 0x7f19751af023 in WriteStructuredClone(JSContext*, JS::Handle<JS::Value>, JSStructuredCloneData*, JS::StructuredCloneScope, JS::CloneDataPolicy const&, JSStructuredCloneCallbacks const*, void*, JS::Value const&) /builds/worker/checkouts/gecko/js/src/vm/StructuredClone.cpp:754:10
#6 0x7f19751c937a in JS_WriteStructuredClone(JSContext*, JS::Handle<JS::Value>, JSStructuredCloneData*, JS::StructuredCloneScope, JS::CloneDataPolicy const&, JSStructuredCloneCallbacks const*, void*, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/StructuredClone.cpp:3882:10
#7 0x7f19751ca8ec in JSAutoStructuredCloneBuffer::write(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::CloneDataPolicy const&, JSStructuredCloneCallbacks const*, void*) /builds/worker/checkouts/gecko/js/src/vm/StructuredClone.cpp:4003:13
#8 0x7f196f70de32 in mozilla::dom::StructuredCloneHolderBase::Write(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::CloneDataPolicy const&) /builds/worker/checkouts/gecko/dom/base/StructuredCloneHolder.cpp:276:17
#9 0x7f196f70e75b in mozilla::dom::StructuredCloneHolder::Write(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::CloneDataPolicy const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/StructuredCloneHolder.cpp:363:35
#10 0x7f1972825b92 in mozilla::dom::Worker::PostMessage(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Sequence<JSObject*> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/workers/Worker.cpp:146:13
#11 0x7f1970740caf in mozilla::dom::Worker_Binding::postMessage(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:695:32
#12 0x7f1970ce3932 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3318:13
#13 0x7f19752482d6 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#14 0x7f1975247bff in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:553:12
#15 0x7f197523985f in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:625:10
#16 0x7f197523985f in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3368:16
#17 0x7f197522cf1e in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
#18 0x7f1975247afb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:585:13
#19 0x7f197524902c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652:8
#20 0x7f19753092bc in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#21 0x7f19709bb643 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
#22 0x7f19712f9ac6 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#23 0x7f19712f97ec in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1308:43
#24 0x7f19712fa499 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1504:17
#25 0x7f19712ef2d6 in HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:395:5
#26 0x7f19712ef2d6 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:347:17
#27 0x7f19712ee80b in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:549:16
#28 0x7f19712f0fc5 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1122:11
#29 0x7f19731c3864 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1082:7
#30 0x7f19747f0710 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6478:20
#31 0x7f19747efcbb in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5871:7
#32 0x7f19747f15b6 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#33 0x7f196e9f0c18 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1380:3
#34 0x7f196e9f0202 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:978:14
#35 0x7f196e9ee4b5 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:797:9
#36 0x7f196e9ef695 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:680:5
#37 0x7f19748237ae in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13904:23
#38 0x7f196dc632cf in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:631:22
#39 0x7f196dc647f3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:535:10
#40 0x7f196f5a18f9 in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11516:18
#41 0x7f196f56dbbb in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11454:9
#42 0x7f196f588a1a in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7992:3
#43 0x7f196f6391d8 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:12
#44 0x7f196f6391d8 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1169:12
#45 0x7f196f6391d8 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1216:13
#46 0x7f196da4a2f2 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:114:20
#47 0x7f196da549f5 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:553:16
#48 0x7f196da4fb48 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:867:26
#49 0x7f196da4e74a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:698:15
#50 0x7f196da4eaa5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464:36
#51 0x7f196da583f6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#52 0x7f196da583f6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:547:5
#53 0x7f196da6e5d7 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239:16
#54 0x7f196da74a8d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#55 0x7f196e6c7853 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#56 0x7f196e5e9218 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#57 0x7f196e5e9121 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#58 0x7f196e5e9121 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#59 0x7f1972d97da8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#60 0x7f1974ffd53b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:20
#61 0x7f196e6c8719 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#62 0x7f196e5e9218 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#63 0x7f196e5e9121 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#64 0x7f196e5e9121 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#65 0x7f1974ffd098 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:671:34
#66 0x561b1387fdf0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#67 0x561b1387fdf0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353:18
#68 0x7f198148cd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#69 0x7f198148ce3f in __libc_start_main csu/../csu/libc-start.c:392:3
#70 0x561b13856458 in _start (/home/user/workspace/browsers/m-c-20230308094825-fuzzing-debug/firefox-bin+0x5b458) (BuildId: f7ea1ee45272be95005714a4364acde5f7231cca)

Comment 1

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20230308094825-64b0a4a734ea.
The bug appears to have been introduced in the following build range:

Start: aaaed875acb35024eb955fca92ba50ae244be85c (20220519114425)
End: cc776278c4ea98788c42b90a53d1c6c37fdf47e7 (20220519125856)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=aaaed875acb35024eb955fca92ba50ae244be85c&tochange=cc776278c4ea98788c42b90a53d1c6c37fdf47e7

Comment 2

[Dianna Smith [:diannaS]]

:saschanaz can you take a look and see if this was caused by bug 1659025, (based on the above regression range)?

Comment 3

[Kagami Rosylight [:saschanaz] (they/them)]

Yup, but let's track it in bug 1818576.

Comment 4

[Bugmon [:jkratzer for issues]]

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.