Open Bug 1863782 Opened 1 year ago Updated 4 days ago

Crash [@ get]

Categories

(Core :: DOM: Streams, defect, P2)

Product:
Core
Component:
DOM: Streams
Platform:
x86_64
Linux
Type:
defect

Tracking

()

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(2 files)

Testcase
14.53 KB, application/octet-stream
Details
minimal.html
334 bytes, text/html
Details

Testcase found while fuzzing mozilla-central rev 0be08aa0812f (built with: --enable-fuzzing --enable-thread-sanitizer).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 0be08aa0812f --fuzzing --tsan -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

[@ get]

    ==124851==ERROR: ThreadSanitizer: SEGV on unknown address 0x000000000048 (pc 0x7f96e56fc59a bp 0x7b1400041b50 sp 0x7ffce110bbf0 T124851)
    ==124851==The signal is caused by a READ memory access.
    ==124851==Hint: address points to the zero page.
        #0 get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:325:27 (libxul.so+0x790659a) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #1 operator mozilla::dom::WritableStreamDefaultController * /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:338:12 (libxul.so+0x790659a)
        #2 Controller /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WritableStream.h:64:12 (libxul.so+0x790659a)
        #3 mozilla::dom::streams_abstract::WritableStreamDefaultWriterWrite(JSContext*, mozilla::dom::WritableStreamDefaultWriter*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/streams/WritableStreamDefaultWriter.cpp:281:64 (libxul.so+0x790659a)
        #4 operator() /dom/streams/ReadableStreamPipeTo.cpp:619:17 (libxul.so+0x78f4501) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #5 CallCallback<(lambda at /dom/streams/ReadableStreamPipeTo.cpp:613:7), 0UL, 1UL, 0UL> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise-inl.h:206:12 (libxul.so+0x78f4501)
        #6 already_AddRefed<mozilla::dom::Promise> mozilla::dom::(anonymous namespace)::NativeThenHandler<mozilla::dom::PipeToPump::OnReadFulfilled(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&)::$_0, mozilla::dom::PipeToPump::OnReadFulfilled(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&)::$_0, std::tuple<RefPtr<mozilla::dom::PipeToPump>, RefPtr<mozilla::dom::WritableStreamDefaultWriter>>, std::tuple<JS::Handle<JS::Value>>>::CallCallback<mozilla::dom::PipeToPump::OnReadFulfilled(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&)::$_0>(JSContext*, mozilla::dom::PipeToPump::OnReadFulfilled(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&)::$_0 const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise-inl.h:214:12 (libxul.so+0x78f4501)
        #7 mozilla::dom::(anonymous namespace)::NativeThenHandler<mozilla::dom::PipeToPump::OnReadFulfilled(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&)::$_0, mozilla::dom::PipeToPump::OnReadFulfilled(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&)::$_0, std::tuple<RefPtr<mozilla::dom::PipeToPump>, RefPtr<mozilla::dom::WritableStreamDefaultWriter>>, std::tuple<JS::Handle<JS::Value>>>::CallResolveCallback(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise-inl.h:185:12 (libxul.so+0x78f4135) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #8 mozilla::dom::PromiseNativeThenHandlerBase::ResolvedCallback(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/promise/Promise.cpp:294:29 (libxul.so+0x78971b9) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #9 mozilla::dom::(anonymous namespace)::PromiseNativeHandlerShim::ResolvedCallback(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/promise/Promise.cpp:469:12 (libxul.so+0x789d006) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #10 mozilla::dom::NativeHandlerCallback(JSContext*, unsigned int, JS::Value*) /dom/promise/Promise.cpp (libxul.so+0x789d654) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #11 CallJSNative /js/src/vm/Interpreter.cpp:472:13 (libxul.so+0xa197da9) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #12 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:566:12 (libxul.so+0xa197da9)
        #13 InternalCall /js/src/vm/Interpreter.cpp:633:10 (libxul.so+0xa198a27) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #14 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:665:8 (libxul.so+0xa198a27)
        #15 Call /js/src/vm/Interpreter.h:116:10 (libxul.so+0xa39e799) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #16 PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2244:10 (libxul.so+0xa39e799)
        #17 CallJSNative /js/src/vm/Interpreter.cpp:472:13 (libxul.so+0xa197da9) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #18 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:566:12 (libxul.so+0xa197da9)
        #19 InternalCall /js/src/vm/Interpreter.cpp:633:10 (libxul.so+0xa198a27) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #20 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:665:8 (libxul.so+0xa198a27)
        #21 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10 (libxul.so+0xa23c463) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #22 mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./PromiseBinding.cpp:83:8 (libxul.so+0x5207783) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #23 Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12 (libxul.so+0x32dd227) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #24 Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12 (libxul.so+0x32dd227)
        #25 mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:210:18 (libxul.so+0x32dd227)
        #26 mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:673:17 (libxul.so+0x32c9916) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #27 LeaveMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:246:7 (libxul.so+0x635047d) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #28 ~nsAutoMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:394:13 (libxul.so+0x635047d)
        #29 mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1350:3 (libxul.so+0x635047d)
        #30 mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1663:12 (libxul.so+0x63517fb) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #31 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1560:35 (libxul.so+0x6350b40) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #32 HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5 (libxul.so+0x6343a91) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #33 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:363:17 (libxul.so+0x6343a91)
        #34 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:610:18 (libxul.so+0x634280e) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #35 mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1225:11 (libxul.so+0x6346af9) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #36 nsDocumentViewer::LoadComplete(nsresult) /layout/base/nsDocumentViewer.cpp:1077:7 (libxul.so+0x81b0260) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #37 nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /docshell/base/nsDocShell.cpp:6348:20 (libxul.so+0x99173a4) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #38 nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:5740:7 (libxul.so+0x9916bfb) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #39 non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp (libxul.so+0x9917c79) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #40 nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /uriloader/base/nsDocLoader.cpp:1372:3 (libxul.so+0x416f2f9) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #41 nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:978:14 (libxul.so+0x416e9cf) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #42 nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:795:9 (libxul.so+0x416cc24) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #43 nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:678:5 (libxul.so+0x416ded2) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #44 nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13813:23 (libxul.so+0x9934e4f) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #45 non-virtual thunk to nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp (libxul.so+0x9935077) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #46 mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:631:22 (libxul.so+0x35cc02e) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #47 mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:535:10 (libxul.so+0x35cd53c) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #48 DoUnblockOnload /dom/base/Document.cpp:11681:18 (libxul.so+0x4bacbf9) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #49 mozilla::dom::Document::UnblockOnload(bool) /dom/base/Document.cpp:11619:9 (libxul.so+0x4bacbf9)
        #50 mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8131:3 (libxul.so+0x4bc02d7) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #51 operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18 (libxul.so+0x4c32309) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #52 __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14 (libxul.so+0x4c32309)
        #53 __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14 (libxul.so+0x4c32309)
        #54 __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14 (libxul.so+0x4c32309)
        #55 apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14 (libxul.so+0x4c32309)
        #56 apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12 (libxul.so+0x4c32309)
        #57 mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13 (libxul.so+0x4c32309)
        #58 mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:549:16 (libxul.so+0x33cb572) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #59 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:876:26 (libxul.so+0x33c207f) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #60 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:699:15 (libxul.so+0x33c0776) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #61 mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:485:36 (libxul.so+0x33c0b6f) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #62 operator() /xpcom/threads/TaskController.cpp:211:37 (libxul.so+0x33ce424) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #63 mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5 (libxul.so+0x33ce424)
        #64 nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1198:16 (libxul.so+0x33e3f05) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #65 NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x33ea6b4) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #66 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21 (libxul.so+0x3eec3de) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #67 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x3eeceab) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #68 RunInternal /ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3e666d8) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #69 RunHandler /ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3e666d8)
        #70 MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3e666d8)
        #71 nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27 (libxul.so+0x7d3c913) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #72 XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:721:20 (libxul.so+0xa003b2f) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #73 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x3eece5a) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #74 RunInternal /ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3e666d8) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #75 RunHandler /ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3e666d8)
        #76 MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3e666d8)
        #77 XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:656:34 (libxul.so+0xa003790) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #78 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0xa00fbb2) (BuildId: c29ba4d0276bbcb0bf1a8ddf2e65b4b04bdd77d8)
        #79 content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox-bin+0x15be42) (BuildId: ec3bf0228ba78c3d531f4fc72b702dd9e5073be2)
        #80 main /browser/app/nsBrowserApp.cpp:375:18 (firefox-bin+0x15be42)
        #81 __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 (libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
        #82 __libc_start_main csu/../csu/libc-start.c:392:3 (libc.so.6+0x29e3f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
        #83 _start <null> (firefox-bin+0xa2fb8) (BuildId: ec3bf0228ba78c3d531f4fc72b702dd9e5073be2)
    
    ThreadSanitizer can not provide additional info.
    SUMMARY: ThreadSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:325:27 in get
    ==124851==ABORTING
Attached file Testcase
Attachment #9362647 - Attachment mime type: application/octet-stream → text/html
Attachment #9362647 - Attachment mime type: text/html → application/octet-stream
Attachment #9362647 - Attachment filename: testcase.html → testcase.zip

Verified bug as reproducible on mozilla-central 20231108211203-f1fb5f0afb58.
Unable to bisect testcase (Unable to launch the start build!):

Start: 57d2a9aee4e4d9c167ca813e40f0c926f5aa7dcb (20221110044858)
End: 0be08aa0812f81d5eb9f2235165d8478ebaf825b (20231028092407)
BuildFlags: BuildFlags(asan=False, tsan=True, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Severity: -- → S3
Priority: -- → P2

Insta crash on opening the testcase wiht Nightly: https://crash-stats.mozilla.org/report/index/5d6ae9f8-5515-4925-8e1a-511a40241029

Crash Signature: [@ get] → [@ get] [@ mozilla::dom::WritableStream::Controller ]
Attached file minimal.html

Oops, forgotten for a while. Tried minimizing the testcase. Very timing dependent between pipeThrough/pipeTo/cancel.

Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: