Assertion failure: mReleased, at /dom/power/WakeLockSentinel.h:33
Categories: Core :: DOM: Core & HTML, defect

Tracking

Flag | Tracking | Status
---|---|---
firefox-esr115 | --- | unaffected
firefox123 | --- | wontfix
firefox124 | --- | fix-optional
firefox125 | --- | fix-optional

People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug, Regression
Details: Keywords: regression, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments (1 file): 572 bytes, text/plain
Testcase found while fuzzing mozilla-central rev ad2add2f3c60 (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build ad2add2f3c60 --debug --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: mReleased, at /dom/power/WakeLockSentinel.h:33
==1156889==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff847153a94 bp 0x7ffd10c5a590 sp 0x7ffd10c5a580 T1156889)
==1156889==The signal is caused by a WRITE memory access.
==1156889==Hint: address points to the zero page.
#0 0x7ff847153a94 in ~WakeLockSentinel /dom/power/WakeLockSentinel.h:33:5
#1 0x7ff847153a94 in mozilla::dom::WakeLockSentinel::~WakeLockSentinel() /dom/power/WakeLockSentinel.h:32:23
#2 0x7ff84289f77a in SnowWhiteKiller::MaybeKillObject(SnowWhiteKiller::SnowWhiteObject&) /xpcom/base/nsCycleCollector.cpp:2484:29
#3 0x7ff8428926f3 in SnowWhiteKiller::~SnowWhiteKiller() /xpcom/base/nsCycleCollector.cpp:2471:7
#4 0x7ff8428915a4 in nsCycleCollector::FreeSnowWhite(bool) /xpcom/base/nsCycleCollector.cpp:2661:3
#5 0x7ff8428971d1 in nsCycleCollector::BeginCollection(mozilla::CCReason, ccIsManual, nsICycleCollectorListener*) /xpcom/base/nsCycleCollector.cpp:3647:3
#6 0x7ff842896b9f in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) /xpcom/base/nsCycleCollector.cpp:3471:9
#7 0x7ff8428968fd in nsCycleCollector::ShutdownCollect() /xpcom/base/nsCycleCollector.cpp:3410:20
#8 0x7ff842897e56 in nsCycleCollector::Shutdown(bool) /xpcom/base/nsCycleCollector.cpp:3709:5
#9 0x7ff8428998ed in nsCycleCollector_shutdown(bool) /xpcom/base/nsCycleCollector.cpp:4033:18
#10 0x7ff8429df81b in mozilla::ShutdownXPCOM(nsIServiceManager*) /xpcom/build/XPCOMInit.cpp:706:3
#11 0x7ff849dda44c in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:660:16
#12 0x55ed3f7903b6 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#13 0x55ed3f7903b6 in main /browser/app/nsBrowserApp.cpp:375:18
#14 0x7ff857f5dd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#15 0x7ff857f5de3f in __libc_start_main csu/../csu/libc-start.c:392:3
#16 0x55ed3f7660e8 in _start (/home/jkratzer/builds/m-c-20240220094730-fuzzing-debug/firefox-bin+0x590e8) (BuildId: a8beba661b4dd560fdbaaf5736dad067341ac891)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/power/WakeLockSentinel.h:33:5 in ~WakeLockSentinel
==1156889==ABORTING
Comment 1•8 months ago

Comment 2•8 months ago
Oh, I think it is because mActiveLocks is cleared without releasing when the document is unlinked. :vhilla, mind taking a look? (If you don't have spare time, feel free to bounce it back to me.)
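The teardown order comment 2 describes, as an added C++ illustration that is not Gecko's code: a sentinel whose destructor checks the mReleased invariant, and an owner that clears mActiveLocks either with or without releasing its entries first. The names WakeLockSentinel, mReleased and mActiveLocks mirror the report; WakeLockOwner, CountViolations and the counter in place of the real assertion are constructed assumptions.

```cpp
#include <memory>
#include <vector>

// Counts sentinels destroyed while still unreleased. In Gecko the destructor
// asserts instead (the assertion at line 33 in the report); a counter lets the
// two teardown orders be compared in one run without aborting.
static int gUnreleasedDestructions = 0;
// Constructed stand-in for the real WakeLockSentinel; only the lifecycle
// invariant from the report is modelled.
class WakeLockSentinel {
 public:
  ~WakeLockSentinel() {
    // Invariant: a sentinel must have been released before it is destroyed.
    if (!mReleased) {
      ++gUnreleasedDestructions;
    }
  }
  void Release() { mReleased = true; }

 private:
  bool mReleased = false;
};

// Constructed stand-in for the document-side owner of active wake locks.
struct WakeLockOwner {
  std::vector<std::shared_ptr<WakeLockSentinel>> mActiveLocks;

  // Teardown as comment 2 describes it: clearing the container destroys the
  // sentinels without ever releasing them, so each destructor trips.
  void UnlinkWithoutRelease() { mActiveLocks.clear(); }

  // Corrected teardown: release every sentinel before the container drops it.
  void UnlinkWithRelease() {
    for (auto& lock : mActiveLocks) lock->Release();
    mActiveLocks.clear();
  }
};

// Creates aLocks active locks, tears them down one way or the other, and
// returns how many destructor-invariant violations that produced (0 is good).
int CountViolations(bool aReleaseFirst, int aLocks) {
  gUnreleasedDestructions = 0;
  WakeLockOwner owner;
  for (int i = 0; i < aLocks; ++i) {
    owner.mActiveLocks.push_back(std::make_shared<WakeLockSentinel>());
  }
  aReleaseFirst ? owner.UnlinkWithRelease() : owner.UnlinkWithoutRelease();
  return gUnreleasedDestructions;
}
```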
Comment 3•8 months ago
Verified bug as reproducible on mozilla-central 20240220212334-bf0897ec442e.
The bug appears to have been introduced in the following build range:
Start: 177375e24d1352ab203de0ac3aa53003c5d0ffd2 (20231205213852)
End: 30004166d9f2cc3399da68e8762c35b1b886c0dc (20231206021338)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=177375e24d1352ab203de0ac3aa53003c5d0ffd2&tochange=30004166d9f2cc3399da68e8762c35b1b886c0dc
Comment 4•8 months ago

This bug has been marked as a regression. Setting status flag for Nightly to affected.
Updated•8 months ago

Updated•7 months ago

Comment 6•7 months ago
No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.