Closed Bug 1881084 Opened 8 months ago Closed 3 months ago

Assertion failure: mObservers.Length() == 0, at /hal/Hal.cpp:175

Categories

(Core :: Hardware Abstraction Layer (HAL), defect)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
130 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- disabled
firefox123 --- disabled
firefox124 --- disabled
firefox125 --- disabled
firefox126 --- disabled
firefox128 --- disabled
firefox129 --- disabled
firefox130 --- verified

People

(Reporter: jkratzer, Assigned: nical)

References

(Blocks 1 open bug)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev ad2add2f3c60 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

    $ pip install fuzzfetch grizzly-framework
    $ python -m fuzzfetch --build ad2add2f3c60 --debug --fuzzing -n firefox
    $ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: mObservers.Length() == 0, at /hal/Hal.cpp:175

    ==1205987==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fea93797e79 bp 0x7ffec978cd50 sp 0x7ffec978cd40 T1205987)
    ==1205987==The signal is caused by a WRITE memory access.
    ==1205987==Hint: address points to the zero page.
        #0 0x7fea93797e79 in ~ObserversManager /hal/Hal.cpp:175:25
        #1 0x7fea93797e79 in mozilla::StaticAutoPtr<mozilla::hal::BatteryObserversManager>::Assign(mozilla::hal::BatteryObserversManager*) /builds/worker/workspace/obj-build/dist/include/mozilla/StaticPtr.h:67:5
        #2 0x7fea93797877 in operator= /builds/worker/workspace/obj-build/dist/include/mozilla/StaticPtr.h:41:5
        #3 0x7fea93797877 in mozilla::hal::Shutdown() /hal/Hal.cpp:441:21
        #4 0x7fea97fac3bd in nsAppShell::~nsAppShell() /widget/gtk/nsAppShell.cpp:168:3
        #5 0x7fea97fac50d in nsAppShell::~nsAppShell() /widget/gtk/nsAppShell.cpp:162:27
        #6 0x7fea97eed11b in nsBaseAppShell::Release() /widget/nsBaseAppShell.cpp:23:1
        #7 0x7fea97fe8461 in nsAppShellShutdown /widget/nsAppShellSingleton.h:52:36
        #8 0x7fea97fe8461 in nsWidgetGtk2ModuleDtor() /widget/gtk/nsWidgetFactory.cpp:66:3
        #9 0x7fea929540b9 in CallUnloadFuncs /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:9504:5
        #10 0x7fea929540b9 in mozilla::xpcom::StaticComponents::Shutdown() /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:13197:3
        #11 0x7fea9295cf91 in nsComponentManagerImpl::Shutdown() /xpcom/components/nsComponentManager.cpp:569:3
        #12 0x7fea929df907 in mozilla::ShutdownXPCOM(nsIServiceManager*) /xpcom/build/XPCOMInit.cpp:721:54
        #13 0x7fea99dda44c in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:660:16
        #14 0x5589628993b6 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #15 0x5589628993b6 in main /browser/app/nsBrowserApp.cpp:375:18
        #16 0x7feaa81d4d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #17 0x7feaa81d4e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #18 0x55896286f0e8 in _start (/home/jkratzer/builds/m-c-20240220094730-fuzzing-debug/firefox-bin+0x590e8) (BuildId: a8beba661b4dd560fdbaaf5736dad067341ac891)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /hal/Hal.cpp:175:25 in ~ObserversManager
    ==1205987==ABORTING
Attached file Testcase

Verified bug as reproducible on mozilla-central 20240220212334-bf0897ec442e.
The bug appears to have been introduced in the following build range:

Start: 177375e24d1352ab203de0ac3aa53003c5d0ffd2 (20231205213852)
End: 30004166d9f2cc3399da68e8762c35b1b886c0dc (20231206021338)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=177375e24d1352ab203de0ac3aa53003c5d0ffd2&tochange=30004166d9f2cc3399da68e8762c35b1b886c0dc

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

This bug has been marked as a regression. Setting status flag for Nightly to affected.

:vhilla could this be introduced by bug 1589554?

Flags: needinfo?(vhilla)

When the window is closed, the script holds a CommandBuffer and WakeLockJS object. mozilla::ShutdownXPCOM first collects cycles (nsCycleCollector_shutdown), then shuts down HAL (nsComponentManagerImpl::Shutdown). If the WakeLockJS is not destructed, it won't release its listeners and HAL fails to assert that there are no remaining listeners.

The CommandBuffer holds a strong reference to a CommandEncoder and the collector is not notified of this relation. Changing this line to include mEncoder fixes the above assertion failure.

:nical, you landed D193313 for Bug 1861985. Is it intended that mEncoder is not hooked up to the collector?

Status: NEW → UNCONFIRMED
Ever confirmed: false
Flags: needinfo?(vhilla) → needinfo?(nical.bugzilla)
Status: UNCONFIRMED → NEW
Ever confirmed: true
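
The mechanism described in the comment above, as an added example that is not part of the bug report or of Gecko's code: a toy collector that frees only objects whose refcount is fully accounted for by declared edges. The object graph (which object holds which) and all function names are constructed assumptions; only the undeclared mEncoder edge comes from the report.

```cpp
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <vector>

// Toy object: its real strong refcount plus the edges it reports to the collector.
struct Node { int refcnt; std::vector<std::string> declared; };
using Graph = std::map<std::string, Node>;

// Returns the objects that may be freed: not reachable from anything that looks externally held.
std::set<std::string> Collect(const Graph& g) {
  std::map<std::string, int> internal;  // inbound declared edges per object
  for (const auto& kv : g)
    for (const auto& to : kv.second.declared) internal[to]++;
  std::set<std::string> live;
  std::vector<std::string> work;
  for (const auto& kv : g)  // refcount not explained by declared edges: treat as a root
    if (kv.second.refcnt > internal[kv.first]) work.push_back(kv.first);
  while (!work.empty()) {
    std::string cur = work.back();
    work.pop_back();
    if (!live.insert(cur).second) continue;  // already visited
    for (const auto& to : g.at(cur).declared) work.push_back(to);
  }
  std::set<std::string> garbage;
  for (const auto& kv : g)
    if (!live.count(kv.first)) garbage.insert(kv.first);
  return garbage;
}

// Constructed graph after the window is closed; no outside references remain.
Graph BuildGraph(bool declareEncoder) {
  Graph g;
  g["Window"] = {2, {"WakeLock", "CommandBuffer"}};  // held by WakeLock and CommandEncoder
  g["WakeLock"] = {1, {"Window"}};
  g["CommandBuffer"] = {1, {}};  // really holds CommandEncoder in both cases
  g["CommandEncoder"] = {1, {"Window"}};
  if (declareEncoder) g["CommandBuffer"].declared.push_back("CommandEncoder");
  return g;
}

int ObserversLeftAtShutdown(bool declareEncoder) {  // a surviving WakeLock keeps its observer
  return Collect(BuildGraph(declareEncoder)).count("WakeLock") ? 0 : 1;
}

int main() {
  std::printf("observers left: undeclared=%d declared=%d\n",
              ObserversLeftAtShutdown(false), ObserversLeftAtShutdown(true));
}
```

With the edge undeclared, CommandEncoder's single reference has no visible source, so the collector treats it as externally held and keeps everything reachable from it alive, WakeLock included.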

Updated the tracking flags to reflect that webgpu is nightly-only for now.

Assignee: nobody → nical.bugzilla
Status: NEW → ASSIGNED
Flags: needinfo?(nical.bugzilla)

Based on comment #2, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:nical, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Flags: needinfo?(nical.bugzilla)
Pushed by nsilva@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/cfaecb4f0364
Declare CommandBuffer::mEncoder to the cycle collector. r=webgpu-reviewers,teoxoy
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 130 Branch

Verified bug as fixed on rev mozilla-central 20240716040830-2ed6b77c66d3.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Flags: needinfo?(nical.bugzilla)