Open Bug 1894696 Opened 6 months ago Updated 6 months ago

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Should not call off main-thread!), at /dom/canvas/OffscreenCanvasDisplayHelper.cpp:73

Categories

(Core :: Graphics: Canvas2D, defect)

x86_64
Linux
defect

Tracking Status
firefox-esr115 --- unaffected
firefox125 --- unaffected
firefox126 --- wontfix
firefox127 --- fix-optional

People

(Reporter: jkratzer, Unassigned, NeedInfo)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: bugmon, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev b7a1a8a3af7f (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build b7a1a8a3af7f --debug --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Should not call off main-thread!), at /dom/canvas/OffscreenCanvasDisplayHelper.cpp:73

    ==28536==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7c7ca16d82bc bp 0x7c7c9472c0b0 sp 0x7c7c9472c0a0 T28684)
    ==28536==The signal is caused by a WRITE memory access.
    ==28536==Hint: address points to the zero page.
        #0 0x7c7ca16d82bc in mozilla::dom::OffscreenCanvasDisplayHelper::UsingElementCaptureStream() const /dom/canvas/OffscreenCanvasDisplayHelper.cpp:73:5
        #1 0x7c7ca1781745 in mozilla::dom::OffscreenCanvas::ToCloneData(JSContext*) /dom/canvas/OffscreenCanvas.cpp:367:19
        #2 0x7c7ca01cd2a5 in mozilla::dom::StructuredCloneHolder::CustomWriteTransferHandler(JSContext*, JS::Handle<JSObject*>, unsigned int*, JS::TransferableOwnership*, void**, unsigned long*) /dom/base/StructuredCloneHolder.cpp:1558:21
        #3 0x7c7ca5b4bae7 in JSStructuredCloneWriter::transferOwnership() /js/src/vm/StructuredClone.cpp:2356:12
        #4 0x7c7ca5b3babb in JSStructuredCloneWriter::write(JS::Handle<JS::Value>) /js/src/vm/StructuredClone.cpp:2489:10
        #5 0x7c7ca5b3a635 in WriteStructuredClone(JSContext*, JS::Handle<JS::Value>, JSStructuredCloneData*, JS::StructuredCloneScope, JS::CloneDataPolicy const&, JSStructuredCloneCallbacks const*, void*, JS::Value const&) /js/src/vm/StructuredClone.cpp:759:10
        #6 0x7c7ca5b56c6a in JS_WriteStructuredClone(JSContext*, JS::Handle<JS::Value>, JSStructuredCloneData*, JS::StructuredCloneScope, JS::CloneDataPolicy const&, JSStructuredCloneCallbacks const*, void*, JS::Handle<JS::Value>) /js/src/vm/StructuredClone.cpp:4015:10
        #7 0x7c7ca5b581b9 in JSAutoStructuredCloneBuffer::write(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::CloneDataPolicy const&, JSStructuredCloneCallbacks const*, void*) /js/src/vm/StructuredClone.cpp:4136:13
        #8 0x7c7ca01c494a in mozilla::dom::StructuredCloneHolderBase::Write(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::CloneDataPolicy const&) /dom/base/StructuredCloneHolder.cpp:282:17
        #9 0x7c7ca01c52cb in mozilla::dom::StructuredCloneHolder::Write(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::CloneDataPolicy const&, mozilla::ErrorResult&) /dom/base/StructuredCloneHolder.cpp:369:35
        #10 0x7c7ca34e5693 in mozilla::dom::WorkerPrivate::PostMessageToParent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Sequence<JSObject*> const&, mozilla::ErrorResult&) /dom/workers/WorkerPrivate.cpp:4923:13
        #11 0x7c7ca12a94d0 in mozilla::dom::DedicatedWorkerGlobalScope_Binding::postMessage(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DedicatedWorkerGlobalScopeBinding.cpp:193:32
        #12 0x7c7ca15e557a in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeGlobalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3268:13
        #13 0x7c7ca5bceac4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:480:13
        #14 0x7c7ca5bce3dd in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:574:12
        #15 0x7c7ca5bde0dd in CallFromStack /js/src/vm/Interpreter.cpp:646:10
        #16 0x7c7ca5bde0dd in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3071:16
        #17 0x7c7ca5bcd9a2 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:452:13
        #18 0x7c7ca5bce3f9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:606:13
        #19 0x7c7ca5bcf8a7 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:673:8
        #20 0x7c7ca5cef5d7 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10
        #21 0x7c7ca12daf58 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
        #22 0x7c7ca1c876d9 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
        #23 0x7c7ca1c867a7 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /dom/events/JSEventHandler.cpp:199:12
        #24 0x7c7ca1c63135 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1313:22
        #25 0x7c7ca1c64234 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1630:12
        #26 0x7c7ca1c63aa9 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1527:35
        #27 0x7c7ca1c571ef in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
        #28 0x7c7ca1c571ef in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:365:17
        #29 0x7c7ca1c567e1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:606:16
        #30 0x7c7ca1c5913f in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1221:11
        #31 0x7c7ca1c5c586 in mozilla::EventDispatcher::DispatchDOMEvent(mozilla::dom::EventTarget*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp
        #32 0x7c7ca1c27bcb in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/events/DOMEventTargetHelper.cpp:148:17
        #33 0x7c7ca1c6b3e2 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /dom/events/EventTarget.cpp:214:13
        #34 0x7c7ca34a1a31 in mozilla::dom::MessageEventRunnable::DispatchDOMEvent(JSContext*, mozilla::dom::WorkerPrivate*, mozilla::DOMEventTargetHelper*, bool) /dom/workers/MessageEventRunnable.cpp:79:12
        #35 0x7c7ca34f0bfc in mozilla::dom::WorkerThreadRunnable::Run() /dom/workers/WorkerRunnable.cpp:435:12
        #36 0x7c7c9e389da1 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1193:16
        #37 0x7c7c9e390d7d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #38 0x7c7ca34dc990 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /dom/workers/WorkerPrivate.cpp:3465:7
        #39 0x7c7ca34bf5f1 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /dom/workers/RuntimeService.cpp:2130:42
        #40 0x7c7c9e389da1 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1193:16
        #41 0x7c7c9e390d7d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #42 0x7c7c9f09873e in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
        #43 0x7c7c9efad411 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #44 0x7c7c9efad411 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #45 0x7c7c9e385073 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:370:10
        #46 0x7c7cb2a0166f in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #47 0x7c7cb32a3ac2 in start_thread nptl/pthread_create.c:442:8
        #48 0x7c7cb333584f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/canvas/OffscreenCanvasDisplayHelper.cpp:73:5 in mozilla::dom::OffscreenCanvasDisplayHelper::UsingElementCaptureStream() const
    ==28536==ABORTING
Attached file Testcase

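The report above pairs a MOZ_ASSERT_UNREACHABLE message with a UBSan SEGV on a WRITE to address 0. In Firefox debug builds that pairing is expected: MOZ_ASSERT_UNREACHABLE expands to MOZ_CRASH, which prints the "Assertion failure:" line and then deliberately stores through a null pointer to abort, so the sanitizer's zero-page WRITE whose top frame is the assertion site is the crash mechanism, not a second bug. The following script is an added triage example, not part of this bug report or of the Firefox tree; it parses a report of this shape and separates that deliberate abort from a fault with no assertion behind it. The first sample is copied from the report above (first frames only); the second sample, with its address, pid and frame, is constructed for illustration and is not from the page.

```python
"""Triage helper for sanitizer crash reports from Firefox debug/fuzzing builds.

Added example, not part of the bug report or of the Firefox tree. Assumption
(from mfbt/Assertions.h, not from this page): MOZ_CRASH prints the
"Assertion failure: ..." line and then writes through a null pointer, so the
sanitizer reports a WRITE to the zero page with the assertion site on top.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ASSERT_RE = re.compile(r"^Assertion failure: (?P<msg>.*), at (?P<loc>\S+:\d+)$")
SEGV_RE = re.compile(r"^==\d+==ERROR: \w+Sanitizer: SEGV on unknown address 0x(?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"The signal is caused by a (?P<kind>READ|WRITE) memory access")
FRAME_RE = re.compile(r"^#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>/\S+)$")


@dataclass
class Report:
    assertion: Optional[str] = None      # text after "Assertion failure: "
    assertion_loc: Optional[str] = None  # "/path/file.cpp:LINE" from the assertion line
    fault_addr: Optional[int] = None     # address from the SEGV header
    access: Optional[str] = None         # "READ" or "WRITE"
    frames: List[Tuple[int, str, str]] = field(default_factory=list)  # (index, function, file:line:col)


def parse_report(text: str) -> Report:
    """Extract the assertion line, SEGV header, access kind and symbolised frames."""
    r = Report()
    for raw in text.splitlines():
        line = raw.strip()
        m = ASSERT_RE.match(line)
        if m:
            r.assertion, r.assertion_loc = m.group("msg"), m.group("loc")
            continue
        m = SEGV_RE.match(line)
        if m:
            r.fault_addr = int(m.group("addr"), 16)
            continue
        m = ACCESS_RE.search(line)
        if m:
            r.access = m.group("kind")
            continue
        m = FRAME_RE.match(line)
        if m:  # unsymbolised frames (no "in ...") are skipped on purpose
            r.frames.append((int(m.group("n")), m.group("func"), m.group("loc")))
    return r


def classify(r: Report) -> str:
    """Return 'assertion-abort', 'null-deref', 'wild-access' or 'no-segv'."""
    if r.fault_addr is None:
        return "no-segv"
    top_loc = r.frames[0][2] if r.frames else ""
    at_assert_site = bool(r.assertion_loc) and (
        top_loc == r.assertion_loc or top_loc.startswith(r.assertion_loc + ":"))
    if r.assertion and r.fault_addr == 0 and r.access == "WRITE" and at_assert_site:
        return "assertion-abort"   # MOZ_CRASH's deliberate null write; the assertion is the finding
    if r.fault_addr < 0x1000:
        return "null-deref"        # zero-page access with no assertion explaining it
    return "wild-access"           # arbitrary address: treat as a memory-safety candidate


def summary(r: Report) -> str:
    """One-line triage summary: verdict, assertion text (if any) and top frame."""
    top = f"{r.frames[0][1]} ({r.frames[0][2]})" if r.frames else "<no frames>"
    return f"{classify(r)}: {r.assertion or 'no assertion'} | top frame {top}"


# Copied from the report in this bug (first frames only).
BUG_REPORT = """
Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Should not call off main-thread!), at /dom/canvas/OffscreenCanvasDisplayHelper.cpp:73
==28536==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7c7ca16d82bc bp 0x7c7c9472c0b0 sp 0x7c7c9472c0a0 T28684)
==28536==The signal is caused by a WRITE memory access.
==28536==Hint: address points to the zero page.
    #0 0x7c7ca16d82bc in mozilla::dom::OffscreenCanvasDisplayHelper::UsingElementCaptureStream() const /dom/canvas/OffscreenCanvasDisplayHelper.cpp:73:5
    #1 0x7c7ca1781745 in mozilla::dom::OffscreenCanvas::ToCloneData(JSContext*) /dom/canvas/OffscreenCanvas.cpp:367:19
    #2 0x7c7ca01cd2a5 in mozilla::dom::StructuredCloneHolder::CustomWriteTransferHandler(JSContext*, JS::Handle<JSObject*>, unsigned int*, JS::TransferableOwnership*, void**, unsigned long*) /dom/base/StructuredCloneHolder.cpp:1558:21
"""

# Constructed counter-example (address, pid and frame are made up): a READ from a
# non-zero address with no assertion line, i.e. the case that deserves a closer look.
CONSTRUCTED_REPORT = """
==4242==ERROR: AddressSanitizer: SEGV on unknown address 0x00004141414141 (pc 0x000000000000 bp 0x0 sp 0x0 T0)
==4242==The signal is caused by a READ memory access.
    #0 0x0000deadbeef in hypothetical::Frame() /dom/hypothetical/Example.cpp:10:3
"""

if __name__ == "__main__":
    for text in (BUG_REPORT, CONSTRUCTED_REPORT):
        print(summary(parse_report(text)))
```

For this bug the verdict is "assertion-abort": the actionable fact is that OffscreenCanvas::ToCloneData reached OffscreenCanvasDisplayHelper::UsingElementCaptureStream on a worker thread, and the null write is just how the debug build stops. The heuristic is only as good as the symbolised frames; on an unsymbolised or optimised build the top frame may not line up with the assertion location, so fall back to reading the report by hand.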
Verified bug as reproducible on mozilla-central 20240502091633-dda5d5286866.
The bug appears to have been introduced in the following build range:

Start: b453de1f5c2cd5d120f328a7583b5581d98ff545 (20240417115940)
End: 57f6925a520cf97f4af35e42db00435e817475dc (20240417135703)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=b453de1f5c2cd5d120f328a7583b5581d98ff545&tochange=57f6925a520cf97f4af35e42db00435e817475dc

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Blocks: wr-fuzz
Severity: -- → S3
Regressed by: 1888634

Set release status flags based on info from the regressing bug 1888634

:aosmond, since you are the author of the regressor, bug 1888634, could you take a look?

For more information, please visit BugBot documentation.
