Assertion failure: mState < aState, at /builds/worker/checkouts/gecko/dom/fetch/FetchObserver.cpp:47
Categories
(Core :: DOM: Networking, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr128 | --- | unaffected |
| firefox130 | --- | unaffected |
| firefox131 | --- | wontfix |
| firefox132 | --- | wontfix |
| firefox133 | --- | fix-optional |
People
(Reporter: tsmith, Assigned: smayya)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed][necko-triaged])
Attachments
(1 file)
|
304 bytes,
text/html
|
Details |
Found while fuzzing m-c 20240904-35b419e9cf53 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: mState < aState, at /builds/worker/checkouts/gecko/dom/fetch/FetchObserver.cpp:47
#0 0x77ee0119a201 in mozilla::dom::FetchObserver::SetState(mozilla::dom::FetchState) /builds/worker/checkouts/gecko/dom/fetch/FetchObserver.cpp:47:3
#1 0x77ee0119d3f1 in mozilla::dom::FetchChild::RecvOnResponseEnd(mozilla::dom::ResponseEndArgs&&) /builds/worker/checkouts/gecko/dom/fetch/FetchChild.cpp:129:23
#2 0x77ee011e2af7 in mozilla::dom::PFetchChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PFetchChild.cpp:261:78
#3 0x77edfe40e550 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:4932:32
#4 0x77edfe3b2c0f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1785:25
#5 0x77edfe3afb92 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1712:9
#6 0x77edfe3b0812 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1503:3
#7 0x77edfe3b195f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1603:14
#8 0x77edfd8378b7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:618:16
#9 0x77edfd82d326 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:945:26
#10 0x77edfd82bd37 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:768:15
#11 0x77edfd82c1b5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:554:36
#12 0x77edfd83b226 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:268:37
#13 0x77edfd83b226 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#14 0x77edfd84e94b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1155:16
#15 0x77edfd85562f in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#16 0x77edfe3b8795 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#17 0x77edfe310121 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#18 0x77edfe310121 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#19 0x77ee02e2cfb8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#20 0x77ee02eda5b8 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
#21 0x77ee03d99f2b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:710:20
#22 0x77edfe3b95e6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#23 0x77edfe310121 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#24 0x77edfe310121 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#25 0x77ee03d997bb in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:645:34
#26 0x5f827b5fa08e in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:403:22
|
||
Comment 1•4 months ago
|
||
Verified bug as reproducible on mozilla-central 20240911214006-606085de1f6c.
The bug appears to have been introduced in the following build range:
Start: 498e0d5a53f4ee0a2ed370afdf6de8cc588c7fbe (20240808163831)
End: 7742b23a126df264dec9eff7c299afe33c6ca74f (20240808191214)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=498e0d5a53f4ee0a2ed370afdf6de8cc588c7fbe&tochange=7742b23a126df264dec9eff7c299afe33c6ca74f
|
||
Comment 2•4 months ago
|
||
Set release status flags based on info from the regressing bug 1871382
:smayya, since you are the author of the regressor, bug 1871382, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
|
Assignee | |
Updated•4 months ago
|
|
||
Updated•4 months ago
|
|
|
||
Comment 3•4 months ago
|
||
Set release status flags based on info from the regressing bug 1871382
|
||
Updated•3 months ago
|
|
||
Updated•3 months ago
|
|
|
||
Comment 4•3 months ago
|
||
Testcase crashes using the initial build (mozilla-central 20240904095513-35b419e9cf53) but not with tip (mozilla-central 20241025155727-a5db02c4fbb5.)
The bug appears to have been fixed in the following build range:
Start: efb1596265e9da9bbccbcbf3f4f796564780ccec (20241015135709)
End: 6a8e59a2d55cc8704f0b6bd09dfe4eea8b08de33 (20241015071005)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=efb1596265e9da9bbccbcbf3f4f796564780ccec&tochange=6a8e59a2d55cc8704f0b6bd09dfe4eea8b08de33
smayya, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
Assignee | |
Comment 5•1 month ago
|
||
In reply to Bugmon [:jkratzer for issues] from comment #4)
Testcase crashes using the initial build (mozilla-central 20240904095513-35b419e9cf53) but not with tip (mozilla-central 20241025155727-a5db02c4fbb5.)
The bug appears to have been fixed in the following build range:
Start: efb1596265e9da9bbccbcbf3f4f796564780ccec (20241015135709)
End: 6a8e59a2d55cc8704f0b6bd09dfe4eea8b08de33 (20241015071005)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=efb1596265e9da9bbccbcbf3f4f796564780ccec&tochange=6a8e59a2d55cc8704f0b6bd09dfe4eea8b08de33smayya, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
The change that has fixed this is below:
182b701e641a3e624b25bb903fa0211fb02793eb smayya — Bug 1924458 - increase fetch keepalive request limit quota. r=smaug
We have increased the keepalive quota. This means we accomodate more keepalive requests than before. However, the underlying problem resurfaces when we increase the quota.
Hence, the underlying issue still remains which will be fixed with 1919132 (removing the fetch observer).
We can close this bug as the underlying problem will be fixed with 1919132.
|
||
Updated•1 month ago
|
Description
•