1874273 - Assertion failure: !mRecorder->IsOpen(), at /widget/nsDeviceContextSpecProxy.cpp:129

Status: ASSIGNED

(Core :: Graphics, defect)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev cc67c788cded (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build cc67c788cded --debug --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: !mRecorder->IsOpen(), at /widget/nsDeviceContextSpecProxy.cpp:129

    ==2965446==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f69a0161b3d bp 0x7ffe53762b40 sp 0x7ffe53762b20 T2965446)
    ==2965446==The signal is caused by a WRITE memory access.
    ==2965446==Hint: address points to the zero page.
        #0 0x7f69a0161b3d in nsDeviceContextSpecProxy::EndDocument() /widget/nsDeviceContextSpecProxy.cpp:129:5
        #1 0x7f699be548cc in nsDeviceContext::EndDocument() /gfx/src/nsDeviceContext.cpp:314:32
        #2 0x7f69a09dad84 in nsPrintData::~nsPrintData() /layout/printing/nsPrintData.cpp:72:34
        #3 0x7f69a09e6e0c in nsPrintData::Release() /layout/printing/nsPrintData.h:28:3
        #4 0x7f69a09dc385 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:49:40
        #5 0x7f69a09dc385 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:409:36
        #6 0x7f69a09dc385 in assign_assuming_AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:68:7
        #7 0x7f69a09dc385 in operator= /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:180:5
        #8 0x7f69a09dc385 in DestroyPrintingData /layout/printing/nsPrintJob.cpp:257:8
        #9 0x7f69a09dc385 in nsPrintJob::Destroy() /layout/printing/nsPrintJob.cpp:249:3
        #10 0x7f69a05e0691 in nsDocumentViewer::OnDonePrinting() /layout/base/nsDocumentViewer.cpp:3350:17
        #11 0x7f69a09e60f2 in nsPrintCompletionEvent::Run() /layout/printing/nsPrintJob.cpp:2080:43
        #12 0x7f699ac1b497 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:568:16
        #13 0x7f699ac10c06 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:895:26
        #14 0x7f699ac0f3e7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:718:15
        #15 0x7f699ac0f865 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:504:36
        #16 0x7f699ac1f4a9 in operator() /xpcom/threads/TaskController.cpp:225:37
        #17 0x7f699ac1f4a9 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /xpcom/threads/nsThreadUtils.h:548:5
        #18 0x7f699ac347a2 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16
        #19 0x7f699ac3b8ed in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #20 0x7f699c7014dc in bool mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, nsGlobalWindowOuter::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&)::$_1>(nsTSubstring<char> const&, nsGlobalWindowOuter::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&)::$_1&&, nsIThread*) /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
        #21 0x7f699c6fecb7 in nsGlobalWindowOuter::Print(nsIPrintSettings*, mozilla::layout::RemotePrintJobChild*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) /dom/base/nsGlobalWindowOuter.cpp:5205:5
        #22 0x7f699c6fd554 in nsGlobalWindowOuter::PrintOuter(mozilla::ErrorResult&) /dom/base/nsGlobalWindowOuter.cpp:5004:3
        #23 0x7f699c6b82a9 in nsGlobalWindowInner::Print(mozilla::ErrorResult&) /dom/base/nsGlobalWindowInner.cpp:3748:3
        #24 0x7f69a05d8068 in nsDocumentViewer::LoadComplete(nsresult) /layout/base/nsDocumentViewer.cpp:1167:16
        #25 0x7f69a187cd92 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /docshell/base/nsDocShell.cpp:6329:13
        #26 0x7f69a187c19b in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:5721:7
        #27 0x7f69a187de66 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp
        #28 0x7f699bc4c749 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /uriloader/base/nsDocLoader.cpp:1372:3
        #29 0x7f699bc4bcc2 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:978:14
        #30 0x7f699bc49ecb in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:795:9
        #31 0x7f699bc4b171 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:678:5
        #32 0x7f69a18b44cf in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13839:23
        #33 0x7f699ae5fe5f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:631:22
        #34 0x7f699ae613a0 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:535:10
        #35 0x7f699c897dfc in mozilla::dom::Document::DoUnblockOnload() /dom/base/Document.cpp:11688:18
        #36 0x7f699c87dd96 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8157:3
        #37 0x7f699c931e09 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
        #38 0x7f699c931e09 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
        #39 0x7f699c931e09 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
        #40 0x7f699c931e09 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
        #41 0x7f699c931e09 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
        #42 0x7f699c931e09 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
        #43 0x7f699c931e09 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
        #44 0x7f699ac1b497 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:568:16
        #45 0x7f699ac10c06 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:895:26
        #46 0x7f699ac0f3e7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:718:15
        #47 0x7f699ac0f865 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:504:36
        #48 0x7f699ac1f436 in operator() /xpcom/threads/TaskController.cpp:222:37
        #49 0x7f699ac1f436 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
        #50 0x7f699ac347a2 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16
        #51 0x7f699ac3b8ed in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #52 0x7f699b90ec25 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #53 0x7f699b8286f1 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #54 0x7f699b8286f1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #55 0x7f69a01567b8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #56 0x7f69a0213788 in nsAppShell::Run() /widget/gtk/nsAppShell.cpp:470:33
        #57 0x7f69a205ea3b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:721:20
        #58 0x7f699b90fb06 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #59 0x7f699b8286f1 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #60 0x7f699b8286f1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #61 0x7f69a205e2a2 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:656:34
        #62 0x556555f1d156 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #63 0x556555f1d156 in main /browser/app/nsBrowserApp.cpp:375:18
        #64 0x7f69af707d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #65 0x7f69af707e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #66 0x556555ef2e88 in _start (/home/jkratzer/builds/m-c-20240103050624-fuzzing-debug/firefox-bin+0x58e88) (BuildId: aa23fae85b8207972de3dfc7e203b3a922740df3)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /widget/nsDeviceContextSpecProxy.cpp:129:5 in nsDeviceContextSpecProxy::EndDocument()
    ==2965446==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Detailed Crash Information

Comment 2

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 3

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20240111095249-3e561c391676.
The bug appears to have been introduced in the following build range:

Start: 085d99111847a3467e4b2f0bddb534b29a9e6c14 (20231220104014)
End: 97f2e0f6b821072bc498a3bc7921831eb6d10d38 (20231220131000)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=085d99111847a3467e4b2f0bddb534b29a9e6c14&tochange=97f2e0f6b821072bc498a3bc7921831eb6d10d38

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Comment 4

[Stephen A Pohl [:spohl]]

This assertion was added in bug 1870970.

Comment 5

[Bugmon [:jkratzer for issues]]

A pernosco session for this bug can be found here.

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1870970

Comment 7

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1870970

Comment 8

[Andrew Osmond [:aosmond] (he/him)]

I think the assert is just wrong.
https://searchfox.org/mozilla-central/rev/961556b584938a694d7df6e7bf25d70253c37060/widget/nsDeviceContextSpecProxy.cpp#129

It opens/closes the recording on each EndPage:
https://searchfox.org/mozilla-central/rev/961556b584938a694d7df6e7bf25d70253c37060/widget/nsDeviceContextSpecProxy.cpp#145
https://searchfox.org/mozilla-central/rev/961556b584938a694d7df6e7bf25d70253c37060/widget/nsDeviceContextSpecProxy.cpp#159

So when it finishes the document, it probably will actually be closed.

Comment 9

[Bob Hood [:bhood]]

Andrew, could you please apply Priority/Severity ratings to this report when you get a chance?