Closed Bug 1827468 Opened 2 years ago Closed 2 years ago

Assertion failure: data (Cycle collected object used on a thread without a cycle collector.), at /xpcom/base/nsCycleCollector.cpp:3808

Categories

(Core :: DOM: File, defect, P3)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
114 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox112 --- unaffected
firefox113 --- fixed
firefox114 --- fixed

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev 948cf466f3f2 (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 948cf466f3f2 --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: data (Cycle collected object used on a thread without a cycle collector.), at /xpcom/base/nsCycleCollector.cpp:3808

    =================================================================
    ==321172==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f36c66fc90c bp 0x7f36aa324ba0 sp 0x7f36aa324ac0 T20)
    ==321172==The signal is caused by a WRITE memory access.
    ==321172==Hint: address points to the zero page.
        #0 0x7f36c66fc90c in NS_CycleCollectorSuspect3 /xpcom/base/nsCycleCollector.cpp:3806:3
        #1 0x7f36cc6ef9b4 in incr<&NS_CycleCollectorSuspect3> /builds/worker/workspace/obj-build/dist/include/nsISupportsImpl.h:248:7
        #2 0x7f36cc6ef9b4 in incr<&NS_CycleCollectorSuspect3> /builds/worker/workspace/obj-build/dist/include/nsISupportsImpl.h:234:12
        #3 0x7f36cc6ef9b4 in mozilla::DOMEventTargetHelper::AddRef() /dom/events/DOMEventTargetHelper.cpp:81:1
        #4 0x7f36cc6ef888 in mozilla::DOMEventTargetHelper::QueryInterface(nsID const&, void**) /dom/events/DOMEventTargetHelper.cpp:79:1
        #5 0x7f36ced000da in mozilla::dom::WorkerGlobalScopeBase::QueryInterface(nsID const&, void**) /dom/workers/WorkerScope.cpp:233:1
        #6 0x7f36ced01ef8 in mozilla::dom::WorkerGlobalScope::QueryInterface(nsID const&, void**) /dom/workers/WorkerScope.cpp:427:1
        #7 0x7f36ced054b8 in mozilla::dom::DedicatedWorkerGlobalScope::QueryInterface(nsID const&, void**) /dom/workers/WorkerScope.cpp:884:1
        #8 0x7f36c673414b in nsQueryReferent::operator()(nsID const&, void**) const /xpcom/base/nsWeakReference.cpp:51:9
        #9 0x7f36c66e5e2d in nsCOMPtr_base::assign_from_query_referent(nsQueryReferent const&, nsID const&) /xpcom/base/nsCOMPtr.cpp:100:7
        #10 0x7f36cecba734 in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:643:5
        #11 0x7f36cecba734 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /dom/workers/RuntimeService.cpp:2213:9
        #12 0x7f36c68d6754 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1233:16
        #13 0x7f36c68e0474 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
        #14 0x7f36c80c88b4 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
        #15 0x7f36c7f45117 in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #16 0x7f36c7f45117 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #17 0x7f36c7f45117 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #18 0x7f36c68cdff5 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:391:10
        #19 0x7f36e94bd628 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #20 0x7f36e9294b42 in start_thread nptl/pthread_create.c:442:8
        #21 0x7f36e93269ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /xpcom/base/nsCycleCollector.cpp:3806:3 in NS_CycleCollectorSuspect3
    Thread T20 created by T0 (Isolated Web Co) here:
        #0 0x561d200779cc in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
        #1 0x7f36e94ad6f9 in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:458:14
        #2 0x7f36e949eb6e in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:533:12
        #3 0x7f36c68d154b in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:633:18
        #4 0x7f36ced0b6ca in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /dom/workers/WorkerThread.cpp:102:7
        #5 0x7f36cec8ee07 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /dom/workers/RuntimeService.cpp:1331:37
        #6 0x7f36cec8def8 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /dom/workers/RuntimeService.cpp:1213:19
        #7 0x7f36cecde331 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, mozilla::dom::RequestCredentials, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>, std::function<void (bool)>&&, std::function<void ()>&&) /dom/workers/WorkerPrivate.cpp:2653:24
        #8 0x7f36ceca476f in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /dom/workers/Worker.cpp:43:41
        #9 0x7f36cb47525f in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1173:52
        #10 0x7f36d4a201ac in CallJSNative /js/src/vm/Interpreter.cpp:486:13
        #11 0x7f36d4a201ac in CallJSNativeConstructor /js/src/vm/Interpreter.cpp:502:8
        #12 0x7f36d4a201ac in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /js/src/vm/Interpreter.cpp:727:10
        #13 0x7f36d4a40037 in ConstructFromStack /js/src/vm/Interpreter.cpp:755:10
        #14 0x7f36d4a40037 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3380:16
        #15 0x7f36d4a1c7cc in MaybeEnterInterpreterTrampoline /js/src/vm/Interpreter.cpp:400:10
        #16 0x7f36d4a1c7cc in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:458:13
        #17 0x7f36d4a1d990 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:612:13
        #18 0x7f36d4a1f60f in InternalCall /js/src/vm/Interpreter.cpp:647:10
        #19 0x7f36d4a1f60f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:679:8
        #20 0x7f36d4b5ec5d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #21 0x7f36cb8336a2 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
        #22 0x7f36cc76d225 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
        #23 0x7f36cc76ca9d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1323:43
        #24 0x7f36cc76e5db in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1519:17
        #25 0x7f36cc75c252 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:347:17
        #26 0x7f36cc75ab04 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:549:16
        #27 0x7f36cc75ec7a in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1122:11
        #28 0x7f36cc764995 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp
        #29 0x7f36c9f65e13 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/base/nsINode.cpp:1390:17
        #30 0x7f36c984ae57 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /dom/base/nsContentUtils.cpp:4647:28
        #31 0x7f36c984aba5 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /dom/base/nsContentUtils.cpp:4617:10
        #32 0x7f36c9bc097f in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:7915:3
        #33 0x7f36c9ca2caa in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
        #34 0x7f36c9ca2caa in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/invoke.h:60:14
        #35 0x7f36c9ca2caa in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/invoke.h:95:14
        #36 0x7f36c9ca2caa in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/tuple:1662:14
        #37 0x7f36c9ca2caa in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/tuple:1671:14
        #38 0x7f36c9ca2caa in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
        #39 0x7f36c9ca2caa in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
        #40 0x7f36c689830f in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:114:20
        #41 0x7f36c68ac6b9 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:553:16
        #42 0x7f36c68a2a4c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:869:26
        #43 0x7f36c689fd18 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:700:15
        #44 0x7f36c68a0431 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:464:36
        #45 0x7f36c68b23a1 in operator() /xpcom/threads/TaskController.cpp:191:37
        #46 0x7f36c68b23a1 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:548:5
        #47 0x7f36c68d5e8e in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1239:16
        #48 0x7f36c68e0474 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
        #49 0x7f36c80c726e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #50 0x7f36c7f45117 in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #51 0x7f36c7f45117 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #52 0x7f36c7f45117 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #53 0x7f36cf65dbe9 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #54 0x7f36d4636388 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:738:20
        #55 0x7f36c7f45117 in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #56 0x7f36c7f45117 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #57 0x7f36c7f45117 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #58 0x7f36d4635b1f in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:673:34
        #59 0x561d200cb684 in content_process_main(mozilla::Bootstrap*, int, char**) /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #60 0x561d200cbb47 in main /browser/app/nsBrowserApp.cpp:353:18
        #61 0x7f36e9229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    
    ==321172==ABORTING
Attached file Testcase

I think this is potentially more the FS API than streams directly.

Component: DOM: Streams → DOM: File
Flags: needinfo?(rjesup)
Flags: needinfo?(rjesup) → needinfo?(jjalkanen)

Verified bug as reproducible on mozilla-central 20230411215906-c35b4a881395.
The bug appears to have been introduced in the following build range:

Start: bfcc1d053494c6a9b83345a975f2580d107ec475 (20230403172803)
End: 9a0019f8494d122b7a149346b08644464d71cfc6 (20230403184717)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=bfcc1d053494c6a9b83345a975f2580d107ec475&tochange=9a0019f8494d122b7a149346b08644464d71cfc6

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

(In reply to Matthew Gaudet (he/him) [:mgaudet] from comment #2)

I think this is potentially more the FS API than streams directly.

This seems to be the same regression as seen in bug 1826416. Probably even a duplicate; let's see after that lands.

Severity: -- → S3
Depends on: 1826416
Flags: needinfo?(jjalkanen)
Priority: -- → P3
Regressed by: 1825589

Set release status flags based on info from the regressing bug 1825589

Yeah, seems like the same issue.

Jason, can you confirm that the fuzzers are no longer hitting this since bug 1826416 landed?

Flags: needinfo?(jkratzer)

I can confirm that the fuzzers stopped seeing this issue shortly after bug 1826416 landed.

Flags: needinfo?(jkratzer)
Assignee: nobody → jstutte
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 114 Branch

Verified bug as fixed on rev mozilla-central 20230419094414-d81011a98436.

Status: RESOLVED → VERIFIED
Assignee: jstutte → nobody
Keywords: bugmon