Closed Bug 1861713 Opened 2 years ago Closed 2 years ago

Assertion failure: taskQueue, at /dom/webscheduling/WebTaskScheduler.cpp:328

Categories

(Core :: DOM: Performance APIs, defect)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
121 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox119 --- unaffected
firefox120 --- wontfix
firefox121 --- verified

People

(Reporter: jkratzer, Assigned: sefeng211)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: pernosco, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev 99f1297a102b (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 99f1297a102b --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
Assertion failure: taskQueue, at /dom/webscheduling/WebTaskScheduler.cpp:328

    ==134720==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f15370e16df bp 0x7f15287a8410 sp 0x7f15287a83f0 T134740)
    ==134720==The signal is caused by a WRITE memory access.
    ==134720==Hint: address points to the zero page.
        #0 0x7f15370e16df in RunTaskSignalPriorityChange /dom/webscheduling/WebTaskScheduler.cpp:328:3
        #1 0x7f15370e16df in mozilla::dom::TaskSignal::RunPriorityChangeAlgorithms() /dom/webscheduling/TaskSignal.h:49:18
        #2 0x7f15370e1516 in mozilla::dom::WebTaskController::SetPriority(mozilla::dom::TaskPriority, mozilla::ErrorResult&) /dom/webscheduling/WebTaskController.cpp:40:15
        #3 0x7f153483550a in mozilla::dom::TaskController_Binding::setPriority(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./WebTaskSchedulingBinding.cpp:745:24
        #4 0x7f1534e21a88 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3327:13
        #5 0x7f15395d2154 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:472:13
        #6 0x7f15395d1a6d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:566:12
        #7 0x7f15395e2038 in CallFromStack /js/src/vm/Interpreter.cpp:638:10
        #8 0x7f15395e2038 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3053:16
        #9 0x7f15395d0fc2 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:444:13
        #10 0x7f15395d1a89 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:598:13
        #11 0x7f15395d2f2d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:665:8
        #12 0x7f15399434d7 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/SelfHosting.cpp:1519:10
        #13 0x7f15396892f4 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /js/src/vm/AsyncFunction.cpp:149:8
        #14 0x7f15398a2d89 in AsyncFunctionPromiseReactionJob /js/src/builtin/Promise.cpp:2115:12
        #15 0x7f15398a2d89 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2178:12
        #16 0x7f15395d2154 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:472:13
        #17 0x7f15395d1a6d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:566:12
        #18 0x7f15395d2f2d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:665:8
        #19 0x7f15396b9b14 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10
        #20 0x7f15340ba76c in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./PromiseBinding.cpp:83:8
        #21 0x7f1531b29b05 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
        #22 0x7f1531b29445 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
        #23 0x7f1531b29445 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:210:18
        #24 0x7f1531b15338 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:673:17
        #25 0x7f1531b16359 in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /xpcom/base/CycleCollectedJSContext.cpp:460:3
        #26 0x7f1531c4add3 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1236:24
        #27 0x7f1531c51a8d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #28 0x7f1536bd1a9e in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /dom/workers/WorkerPrivate.cpp:3385:7
        #29 0x7f1536bb5931 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /dom/workers/RuntimeService.cpp:2114:42
        #30 0x7f1531c4aafd in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1192:16
        #31 0x7f1531c51a8d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #32 0x7f153290a22e in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
        #33 0x7f1532823081 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #34 0x7f1532823081 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #35 0x7f1531c45de3 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:370:10
        #36 0x7f1545772d0f in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #37 0x7f1546013ac2 in start_thread nptl/pthread_create.c:442:8
        #38 0x7f15460a5a3f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/webscheduling/WebTaskScheduler.cpp:328:3 in RunTaskSignalPriorityChange
    ==134720==ABORTING
Attached file Testcase

Verified bug as reproducible on mozilla-central 20231027211343-ec7d4cb306bc.
The bug appears to have been introduced in the following build range:

Start: 2f916475570cc2795e33107c2ee9e62ee0cc3e5c (20231002184304)
End: 0435b7e1340f2ced37216f0dd2fbf09a0a8f2cad (20231002204643)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2f916475570cc2795e33107c2ee9e62ee0cc3e5c&tochange=0435b7e1340f2ced37216f0dd2fbf09a0a8f2cad

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

This bug has been marked as a regression. Setting status flag for Nightly to affected.

Keywords: pernosco-wanted

:sefeng, since you are the author of the regressor, bug 1853984, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(sefeng)

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

A pernosco session for this bug can be found here.

Assignee: nobody → sefeng
Status: NEW → ASSIGNED

A patch is attached to this bug.

Flags: needinfo?(sefeng)

:sefeng, do you still plan on landing this and uplifting to 120? Just a reminder: this is the last week of betas before RC week.

Flags: needinfo?(sefeng)

This is a Nightly-only feature. I plan on landing this soon, but not uplifting to 120.

Flags: needinfo?(sefeng)
Pushed by sefeng@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/84c26e773f93 Fix a nullptr crash in WebTaskScheduler r=dom-core,mccr8
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 121 Branch

Verified bug as fixed on rev mozilla-central 20231110044755-543c915fc8c6.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon