Assertion failure: mObservers.Length() == 0, at /hal/Hal.cpp:175
Categories
(Core :: Hardware Abstraction Layer (HAL), defect)
Tracking
()
People
(Reporter: jkratzer, Assigned: nical)
References
(Blocks 1 open bug)
Details
(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev ad2add2f3c60 (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build ad2add2f3c60 --debug --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: mObservers.Length() == 0, at /hal/Hal.cpp:175
==1205987==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fea93797e79 bp 0x7ffec978cd50 sp 0x7ffec978cd40 T1205987)
==1205987==The signal is caused by a WRITE memory access.
==1205987==Hint: address points to the zero page.
#0 0x7fea93797e79 in ~ObserversManager /hal/Hal.cpp:175:25
#1 0x7fea93797e79 in mozilla::StaticAutoPtr<mozilla::hal::BatteryObserversManager>::Assign(mozilla::hal::BatteryObserversManager*) /builds/worker/workspace/obj-build/dist/include/mozilla/StaticPtr.h:67:5
#2 0x7fea93797877 in operator= /builds/worker/workspace/obj-build/dist/include/mozilla/StaticPtr.h:41:5
#3 0x7fea93797877 in mozilla::hal::Shutdown() /hal/Hal.cpp:441:21
#4 0x7fea97fac3bd in nsAppShell::~nsAppShell() /widget/gtk/nsAppShell.cpp:168:3
#5 0x7fea97fac50d in nsAppShell::~nsAppShell() /widget/gtk/nsAppShell.cpp:162:27
#6 0x7fea97eed11b in nsBaseAppShell::Release() /widget/nsBaseAppShell.cpp:23:1
#7 0x7fea97fe8461 in nsAppShellShutdown /widget/nsAppShellSingleton.h:52:36
#8 0x7fea97fe8461 in nsWidgetGtk2ModuleDtor() /widget/gtk/nsWidgetFactory.cpp:66:3
#9 0x7fea929540b9 in CallUnloadFuncs /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:9504:5
#10 0x7fea929540b9 in mozilla::xpcom::StaticComponents::Shutdown() /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:13197:3
#11 0x7fea9295cf91 in nsComponentManagerImpl::Shutdown() /xpcom/components/nsComponentManager.cpp:569:3
#12 0x7fea929df907 in mozilla::ShutdownXPCOM(nsIServiceManager*) /xpcom/build/XPCOMInit.cpp:721:54
#13 0x7fea99dda44c in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:660:16
#14 0x5589628993b6 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#15 0x5589628993b6 in main /browser/app/nsBrowserApp.cpp:375:18
#16 0x7feaa81d4d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#17 0x7feaa81d4e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#18 0x55896286f0e8 in _start (/home/jkratzer/builds/m-c-20240220094730-fuzzing-debug/firefox-bin+0x590e8) (BuildId: a8beba661b4dd560fdbaaf5736dad067341ac891)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /hal/Hal.cpp:175:25 in ~ObserversManager
==1205987==ABORTING
Comment 1 • 8 months ago (Reporter)
Comment 2 • 8 months ago
Verified bug as reproducible on mozilla-central 20240220212334-bf0897ec442e.
The bug appears to have been introduced in the following build range:
Start: 177375e24d1352ab203de0ac3aa53003c5d0ffd2 (20231205213852)
End: 30004166d9f2cc3399da68e8762c35b1b886c0dc (20231206021338)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=177375e24d1352ab203de0ac3aa53003c5d0ffd2&tochange=30004166d9f2cc3399da68e8762c35b1b886c0dc
Comment 3 • 7 months ago
This bug has been marked as a regression. Setting status flag for Nightly to affected.
Comment 4 • 7 months ago
:vhilla could this be introduced by bug 1589554?
Comment 5 • 7 months ago
When the window is closed, the script holds a CommandBuffer and WakeLockJS object. mozilla::ShutdownXPCOM first collects cycles (nsCycleCollector_shutdown) then shuts down HAL (nsComponentManagerImpl:Shutdown). If the WakeLockJS is not destructed, it won't release its listeners and HAL fails to assert that there are no remaining listeners.
The CommandBuffer holds a strong reference to a CommandEncoder and the collector is not notified of this relation. Changing this line to include mEncoder fixes above assertion failure.
:nical, you landed D193313 for Bug 1861985. Is it intended that mEncoder is not hooked up to the collector?
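The mechanism described in comment 5, as an added example that is not part of the bug thread and is not Gecko code: a toy collector that only sees the edges objects report to it. The object graph (a global that owns the buffer and wake lock, and a back-reference from the encoder) and every helper name are constructed assumptions.

```cpp
// Toy model, not Gecko code: a collector that trusts only the edges objects
// report through their traverse hooks. Graph and helper names are constructed.
#include <string>
#include <vector>

struct Node {
  std::string name;
  int refcnt = 0;               // all strong references, reported or not
  std::vector<Node*> reported;  // edges the collector is told about
  bool live = false;
  Node(const char* n) : name(n) {}
};

// Add a strong reference; `report` says whether traverse exposes it.
void Hold(Node& from, Node& to, bool report) {
  ++to.refcnt;
  if (report) from.reported.push_back(&to);
}

void MarkLive(Node* n) {
  if (n->live) return;
  n->live = true;
  for (Node* c : n->reported) MarkLive(c);
}

// Returns how many HAL observers remain registered after one collection of
// the constructed graph: global -> {buffer, wakeLock}, buffer -> encoder,
// encoder -> global. Only the wake lock registers an observer, and it
// unregisters only when it is destroyed.
int ObserversLeftAfterCollect(bool reportEncoderEdge) {
  Node global("global"), buffer("CommandBuffer"), encoder("CommandEncoder"),
      wakeLock("WakeLockJS");
  Hold(global, buffer, true);
  Hold(global, wakeLock, true);
  Hold(buffer, encoder, reportEncoderEdge);  // the edge from comment 5
  Hold(encoder, global, true);
  std::vector<Node*> all = {&global, &buffer, &encoder, &wakeLock};

  // A node whose refcount exceeds its reported incoming edges looks
  // externally owned, so it and everything it reaches must be kept alive.
  for (Node* n : all) {
    int internal = 0;
    for (Node* m : all)
      for (Node* c : m->reported) internal += (c == n);
    if (n->refcnt > internal) MarkLive(n);
  }
  return wakeLock.live ? 1 : 0;  // nonzero would trip the HAL assertion
}
```

With the edge unreported, the encoder's single reference has no visible owner, so the whole graph is treated as externally held and the wake lock's observer survives into HAL shutdown.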
Comment 6 • 6 months ago (Assignee)
Updated the tracking flags to reflect that webgpu is nightly-only for now.
Comment 7 • 3 months ago (Assignee)
Comment 8 • 3 months ago
Based on comment #2, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.
:nical, if possible, could you fill the Regressed by field and investigate this regression?
For more information, please visit BugBot documentation.
Comment 10 • 3 months ago
bugherder
Comment 11 • 3 months ago
Verified bug as fixed on rev mozilla-central 20240716040830-2ed6b77c66d3.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.