Closed Bug 1881070 Opened 8 months ago Closed 7 months ago

Assertion failure: mReleased, at /dom/power/WakeLockSentinel.h:33

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
Linux
defect

Tracking

RESOLVED DUPLICATE of bug 1882344
Tracking Status
firefox-esr115 --- unaffected
firefox123 --- wontfix
firefox124 --- fix-optional
firefox125 --- fix-optional

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev ad2add2f3c60 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build ad2add2f3c60 --debug --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: mReleased, at /dom/power/WakeLockSentinel.h:33

    ==1156889==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff847153a94 bp 0x7ffd10c5a590 sp 0x7ffd10c5a580 T1156889)
    ==1156889==The signal is caused by a WRITE memory access.
    ==1156889==Hint: address points to the zero page.
        #0 0x7ff847153a94 in ~WakeLockSentinel /dom/power/WakeLockSentinel.h:33:5
        #1 0x7ff847153a94 in mozilla::dom::WakeLockSentinel::~WakeLockSentinel() /dom/power/WakeLockSentinel.h:32:23
        #2 0x7ff84289f77a in SnowWhiteKiller::MaybeKillObject(SnowWhiteKiller::SnowWhiteObject&) /xpcom/base/nsCycleCollector.cpp:2484:29
        #3 0x7ff8428926f3 in SnowWhiteKiller::~SnowWhiteKiller() /xpcom/base/nsCycleCollector.cpp:2471:7
        #4 0x7ff8428915a4 in nsCycleCollector::FreeSnowWhite(bool) /xpcom/base/nsCycleCollector.cpp:2661:3
        #5 0x7ff8428971d1 in nsCycleCollector::BeginCollection(mozilla::CCReason, ccIsManual, nsICycleCollectorListener*) /xpcom/base/nsCycleCollector.cpp:3647:3
        #6 0x7ff842896b9f in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) /xpcom/base/nsCycleCollector.cpp:3471:9
        #7 0x7ff8428968fd in nsCycleCollector::ShutdownCollect() /xpcom/base/nsCycleCollector.cpp:3410:20
        #8 0x7ff842897e56 in nsCycleCollector::Shutdown(bool) /xpcom/base/nsCycleCollector.cpp:3709:5
        #9 0x7ff8428998ed in nsCycleCollector_shutdown(bool) /xpcom/base/nsCycleCollector.cpp:4033:18
        #10 0x7ff8429df81b in mozilla::ShutdownXPCOM(nsIServiceManager*) /xpcom/build/XPCOMInit.cpp:706:3
        #11 0x7ff849dda44c in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:660:16
        #12 0x55ed3f7903b6 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #13 0x55ed3f7903b6 in main /browser/app/nsBrowserApp.cpp:375:18
        #14 0x7ff857f5dd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #15 0x7ff857f5de3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #16 0x55ed3f7660e8 in _start (/home/jkratzer/builds/m-c-20240220094730-fuzzing-debug/firefox-bin+0x590e8) (BuildId: a8beba661b4dd560fdbaaf5736dad067341ac891)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/power/WakeLockSentinel.h:33:5 in ~WakeLockSentinel
    ==1156889==ABORTING
Attached file Testcase

Oh, I think it is because mActiveLocks is cleared without releasing when the document is unlinked. :vhilla, mind taking a look? (If you don't have spare time, feel free to bounce it back to me.)

Flags: needinfo?(vhilla)
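To make the invariant behind the assertion concrete, here is a small stand-alone model of the hypothesis in the comment above. It is an added illustration, not Firefox code and not the fix landed in bug 1882344: MockWakeLockSentinel, MockDocument, ReleaseTracker and RunUnlink are hypothetical names, and the destructor counts an unreleased sentinel instead of crashing so both unlink paths can be compared in one run.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Stand-in for WakeLockSentinel: the real class asserts mReleased in its
// destructor (WakeLockSentinel.h:33). Here the violated invariant is counted
// instead of aborting so the two unlink paths can be compared in one run.
struct ReleaseTracker {
  std::size_t destroyedUnreleased = 0;
};

class MockWakeLockSentinel {
 public:
  explicit MockWakeLockSentinel(ReleaseTracker& tracker) : mTracker(tracker) {}
  ~MockWakeLockSentinel() {
    // MOZ_ASSERT(mReleased) in the real code; a debug build crashes here.
    if (!mReleased) mTracker.destroyedUnreleased++;
  }
  void Release() { mReleased = true; }
 private:
  ReleaseTracker& mTracker;
  bool mReleased = false;
};

// Minimal model of a document holding its active locks (mActiveLocks).
struct MockDocument {
  std::vector<std::unique_ptr<MockWakeLockSentinel>> mActiveLocks;

  // Unlink as described in the comment: the container is cleared during
  // cycle-collector unlink without releasing each sentinel first.
  void UnlinkWithoutRelease() { mActiveLocks.clear(); }

  // Invariant-preserving unlink: release every sentinel before dropping them.
  void UnlinkWithRelease() {
    for (auto& lock : mActiveLocks) lock->Release();
    mActiveLocks.clear();
  }
};

// Returns how many sentinels were destroyed unreleased for the chosen path.
std::size_t RunUnlink(bool releaseFirst, std::size_t lockCount) {
  ReleaseTracker tracker;  // declared before doc so it outlives the sentinels
  MockDocument doc;
  for (std::size_t i = 0; i < lockCount; ++i)
    doc.mActiveLocks.push_back(std::make_unique<MockWakeLockSentinel>(tracker));
  if (releaseFirst) doc.UnlinkWithRelease(); else doc.UnlinkWithoutRelease();
  return tracker.destroyedUnreleased;
}
```

With three active locks, the clear-only path reports three unreleased destructions (each of which would be the assertion failure above in a debug build), while releasing first reports none.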

Verified bug as reproducible on mozilla-central 20240220212334-bf0897ec442e.
The bug appears to have been introduced in the following build range:

Start: 177375e24d1352ab203de0ac3aa53003c5d0ffd2 (20231205213852)
End: 30004166d9f2cc3399da68e8762c35b1b886c0dc (20231206021338)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=177375e24d1352ab203de0ac3aa53003c5d0ffd2&tochange=30004166d9f2cc3399da68e8762c35b1b886c0dc

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

This bug has been marked as a regression. Setting status flag for Nightly to affected.

See Also: → 1882344
Status: NEW → RESOLVED
Closed: 7 months ago
Duplicate of bug: 1882344
Flags: needinfo?(vhilla)
Resolution: --- → DUPLICATE

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon