Assertion failure: !mRawPtr, at /builds/worker/workspace/obj-build/dist/include/mozilla/AlreadyAddRefed.h:133
Categories
(Core :: DOM: File, defect, P2)
Tracking
()
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:confirmed,bisected])
Attachments
(1 file)
|
752 bytes,
text/html
|
Details |
Found while fuzzing m-c 20230420-81d74ac67472 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: !mRawPtr, at /builds/worker/workspace/obj-build/dist/include/mozilla/AlreadyAddRefed.h:133
#0 0x7fd279ed1604 in ~already_AddRefed /builds/worker/workspace/obj-build/dist/include/mozilla/AlreadyAddRefed.h:133:5
#1 0x7fd279ed1604 in nsIEventTarget::Dispatch(nsIRunnable*, unsigned int) /builds/worker/workspace/obj-build/dist/include/nsIEventTarget.h:38:7
#2 0x7fd27a25df83 in PostContinuationEvent_Locked /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:463:21
#3 0x7fd27a25df83 in nsAStreamCopier::PostContinuationEvent() /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:455:12
#4 0x7fd27a25c27c in OnOutputStreamReady /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:425:5
#5 0x7fd27a25c27c in non-virtual thunk to nsAStreamCopier::OnOutputStreamReady(nsIAsyncOutputStream*) /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp
#6 0x7fd27a25d01f in operator() /builds/worker/checkouts/gecko/xpcom/io/nsPipe3.cpp:86:47
#7 0x7fd27a25d01f in already_AddRefed<mozilla::CancelableRunnable> NS_NewCancelableRunnableFunction<CallbackHolder::CallbackHolder(nsIAsyncOutputStream*, nsIOutputStreamCallback*, unsigned int, nsIEventTarget*)::'lambda'()>(char const*, CallbackHolder::CallbackHolder(nsIAsyncOutputStream*, nsIOutputStreamCallback*, unsigned int, nsIEventTarget*)::'lambda'()&&)::FuncCancelableRunnable::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:667:9
#8 0x7fd27a24d15b in CallbackHolder::Notify() /builds/worker/checkouts/gecko/xpcom/io/nsPipe3.cpp:118:19
#9 0x7fd27a24a9b2 in ~nsPipeEvents /builds/worker/checkouts/gecko/xpcom/io/nsPipe3.cpp:1155:14
#10 0x7fd27a24a9b2 in nsPipe::AdvanceReadCursor(nsPipeReadState&, unsigned int) /builds/worker/checkouts/gecko/xpcom/io/nsPipe3.cpp:677:1
#11 0x7fd27a24e90b in AutoReadSegment::~AutoReadSegment() /builds/worker/checkouts/gecko/xpcom/io/nsPipe3.cpp:467:16
#12 0x7fd27a24e551 in nsPipeInputStream::ReadSegments(nsresult (*)(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*) /builds/worker/checkouts/gecko/xpcom/io/nsPipe3.cpp:1383:3
#13 0x7fd27dc53b7e in mozilla::RemoteLazyInputStream::ReadSegments(nsresult (*)(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*) /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:444:25
#14 0x7fd27a25d96b in nsStreamCopierIB::DoCopy(nsresult*, nsresult*) /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:532:18
#15 0x7fd27a25e42f in nsAStreamCopier::Process() /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:304:22
#16 0x7fd27a25c1ae in nsAStreamCopier::Run() /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:431:5
#17 0x7fd27a2a203c in mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:259:20
#18 0x7fd27a2bf385 in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:343:14
#19 0x7fd27a2b5fda in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1233:16
#20 0x7fd27a2bc60d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#21 0x7fd27af0d01c in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#22 0x7fd27ae2bce1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#23 0x7fd27ae2bce1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#24 0x7fd27a2b1336 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
#25 0x7fd28e0afb1f in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#26 0x7fd28da94b42 in start_thread nptl/pthread_create.c:442:8
#27 0x7fd28db269ff misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
||
Comment 1•2 years ago
|
||
Verified bug as reproducible on mozilla-central 20230426170915-17ea6f29654b.
The bug appears to have been introduced in the following build range:
Start: dafb2e6890e11b74ec00d49c8f2767903a67aa92 (20230213153318)
End: 073223bab35f4149bf5665ec59b16684b7b9a65b (20230213163401)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=dafb2e6890e11b74ec00d49c8f2767903a67aa92&tochange=073223bab35f4149bf5665ec59b16684b7b9a65b
|
||
Updated•2 years ago
|
|
||
Comment 3•2 years ago
|
||
Set release status flags based on info from the regressing bug 1816388
:jjalkanen, since you are the author of the regressor, bug 1816388, could you take a look?
For more information, please visit auto_nag documentation.
|
||
Updated•2 years ago
|
|
|
||
Comment 5•2 years ago
|
||
Set release status flags based on info from the regressing bug 1816388
|
||
Comment 6•2 years ago
|
||
We will see if this issue goes away after the related ongoing work lands.
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
||
Comment 7•2 years ago
|
||
Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
||
Updated•2 years ago
|
|
||
Comment 8•2 years ago
|
||
A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.
|
|
||
Comment 9•2 years ago
|
||
I was not able to reproduce this with the latest nightly, or with a debug build.
|
||
Comment 10•2 years ago
|
||
I guess removing bugmon whiteboard retriggers bugmon?
|
|
||
Comment 12•2 years ago
|
||
Verified bug as reproducible on mozilla-central 20230609214634-501ade4b55d9.
|
|
||
Comment 13•2 years ago
|
||
Testcase crashes using the initial build (mozilla-central 20230420160012-81d74ac67472) but not with tip (mozilla-central 20230630211055-0abcd848f821.)
The bug appears to have been fixed in the following build range:
Start: be6843e3475a7f536156aba03a849fe701932b0c (20230628154748)
End: 0df511b69760b69959818e34e07aa74a0ad7061a (20230628173448)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=be6843e3475a7f536156aba03a849fe701932b0c&tochange=0df511b69760b69959818e34e07aa74a0ad7061a
tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
Reporter | |
Comment 14•2 years ago
|
||
Looks like this was fixed by bug 1824305.
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
Description
•