Closed Bug 1870423 Opened 2 years ago Closed 2 years ago

Assertion failure: !mRawPtr, at /builds/worker/workspace/obj-build/dist/include/mozilla/AlreadyAddRefed.h:136

Categories

(Core :: DOM: File, defect, P3)

Product:
Core
Component:
DOM: File
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
123 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox121 --- wontfix
firefox122 --- wontfix
firefox123 --- fixed

People

(Reporter: tsmith, Assigned: jstutte)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: assertion, regression)

Attachments

(1 file)

Bug 1870423 - Take always ownership of aRunnable in RemoteLazyInputStreamThread::Dispatch. r?#dom-storage-reviewers
48 bytes, text/x-phabricator-request
Details | Review

Found while fuzzing m-c 20231215-8fd04cb03fbd (--enable-debug --enable-fuzzing)

A test case is not available but a Pernosco session is available here: https://pernos.co/debug/aNcGk2CGuPTaPK4kFkqTlg/index.html

Assertion failure: !mRawPtr, at /builds/worker/workspace/obj-build/dist/include/mozilla/AlreadyAddRefed.h:136

#0 0x7f3b312d8a70 in ~already_AddRefed /builds/worker/workspace/obj-build/dist/include/mozilla/AlreadyAddRefed.h:136:5
#1 0x7f3b312d8a70 in nsIEventTarget::Dispatch(nsIRunnable*, unsigned int) /builds/worker/workspace/obj-build/dist/include/nsIEventTarget.h:38:7
#2 0x7f3b31656eb3 in PostContinuationEvent_Locked /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:463:21
#3 0x7f3b31656eb3 in nsAStreamCopier::PostContinuationEvent() /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:455:12
#4 0x7f3b3165518c in OnOutputStreamReady /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:425:5
#5 0x7f3b3165518c in non-virtual thunk to nsAStreamCopier::OnOutputStreamReady(nsIAsyncOutputStream*) /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp
#6 0x7f3b3165602f in operator() /builds/worker/checkouts/gecko/xpcom/io/nsPipe3.cpp:86:47
#7 0x7f3b3165602f in already_AddRefed<mozilla::CancelableRunnable> NS_NewCancelableRunnableFunction<CallbackHolder::CallbackHolder(nsIAsyncOutputStream*, nsIOutputStreamCallback*, unsigned int, nsIEventTarget*)::'lambda'()>(char const*, CallbackHolder::CallbackHolder(nsIAsyncOutputStream*, nsIOutputStreamCallback*, unsigned int, nsIEventTarget*)::'lambda'()&&)::FuncCancelableRunnable::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:667:9
#8 0x7f3b316450bb in CallbackHolder::Notify() /builds/worker/checkouts/gecko/xpcom/io/nsPipe3.cpp:118:19
#9 0x7f3b31644576 in ~nsPipeEvents /builds/worker/checkouts/gecko/xpcom/io/nsPipe3.cpp:1155:14
#10 0x7f3b31644576 in nsPipe::OnPipeException(nsresult, bool) /builds/worker/checkouts/gecko/xpcom/io/nsPipe3.cpp:984:1
#11 0x7f3b316440e8 in nsPipe::OnInputStreamException(nsPipeInputStream*, nsresult) /builds/worker/checkouts/gecko/xpcom/io/nsPipe3.cpp:916:9
#12 0x7f3b316461b6 in nsPipeInputStream::CloseWithStatus(nsresult) /builds/worker/checkouts/gecko/xpcom/io/nsPipe3.cpp:1286:10
#13 0x7f3b34f1cae9 in mozilla::RemoteLazyInputStream::Close() /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:528:23
#14 0x7f3b3163d0c2 in nsMultiplexInputStream::Close() /builds/worker/checkouts/gecko/xpcom/io/nsMultiplexInputStream.cpp:302:32
#15 0x7f3b366ef668 in Shutdown /builds/worker/checkouts/gecko/dom/streams/UnderlyingSourceCallbackHelpers.cpp:195:13
#16 0x7f3b366ef668 in DisconnectFromOwner /builds/worker/checkouts/gecko/dom/streams/UnderlyingSourceCallbackHelpers.cpp:189:3
#17 0x7f3b366ef668 in non-virtual thunk to mozilla::dom::InputStreamHolder::DisconnectFromOwner() /builds/worker/checkouts/gecko/dom/streams/UnderlyingSourceCallbackHelpers.cpp
#18 0x7f3b335ccd6b in operator() /builds/worker/checkouts/gecko/dom/base/nsIGlobalObject.cpp:207:18
#19 0x7f3b335ccd6b in std::_Function_handler<void (mozilla::GlobalTeardownObserver*, bool*), nsIGlobalObject::DisconnectGlobalTeardownObservers()::$_0>::_M_invoke(std::_Any_data const&, mozilla::GlobalTeardownObserver*&&, bool*&&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:297:2
#20 0x7f3b335876bf in operator() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:687:14
#21 0x7f3b335876bf in nsIGlobalObject::ForEachGlobalTeardownObserver(std::function<void (mozilla::GlobalTeardownObserver*, bool*)> const&) const /builds/worker/checkouts/gecko/dom/base/nsIGlobalObject.cpp:197:5
#22 0x7f3b3358671f in nsIGlobalObject::DisconnectGlobalTeardownObservers() /builds/worker/checkouts/gecko/dom/base/nsIGlobalObject.cpp:205:3
#23 0x7f3b365effb9 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3297:23
#24 0x7f3b365d3771 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2106:42
#25 0x7f3b316b5d24 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193:16
#26 0x7f3b316bcced in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#27 0x7f3b3238e2ee in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#28 0x7f3b322a6c91 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#29 0x7f3b322a6c91 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#30 0x7f3b316b1003 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:370:10
#31 0x7f3b453d3d0f in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#32 0x7f3b45c7cac2 in start_thread nptl/pthread_create.c:442:8
#33 0x7f3b45d0d813 in __clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:100

Looks like RemoteLazyInputStreamThread::Dispatch does not take aRunnable if bailing out via RLISThreadIsInOrBeyondShutdown().

Severity: -- → S3
Priority: -- → P3
Keywords: regression
Regressed by: 1776209
Component: XPCOM → DOM: File
Assignee: nobody → jstutte
Status: NEW → ASSIGNED
See Also: → 1824189
Blocks: 1870784
Pushed by jstutte@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/67a1cfd154a9 Take always ownership of aRunnable in RemoteLazyInputStreamThread::Dispatch. r=dom-storage-reviewers,asuth

Set release status flags based on info from the regressing bug 1776209

status-firefox121: --- → affected
status-firefox123: --- → affected
status-firefox-esr115: --- → affected

https://hg.mozilla.org/mozilla-central/rev/67a1cfd154a9

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox123: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 123 Branch
Regressions: 1889080
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: