Closed
Bug 1918505
Opened 5 months ago
Closed 5 months ago
Assertion failure: mInitialized, at /builds/worker/checkouts/gecko/dom/base/nsFrameLoader.cpp:3459
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
VERIFIED
FIXED
132 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr128 | --- | unaffected |
| firefox130 | --- | unaffected |
| firefox131 | --- | unaffected |
| firefox132 | --- | verified |
People
(Reporter: tsmith, Assigned: sefeng)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(2 files)
Found while fuzzing m-c 20240907-8a9983896462 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: mInitialized, at /builds/worker/checkouts/gecko/dom/base/nsFrameLoader.cpp:3459
#0 0x7d406d6f440a in nsFrameLoader::GetBrowsingContext() /builds/worker/checkouts/gecko/dom/base/nsFrameLoader.cpp:3459:3
#1 0x7d406b384f96 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
#2 0x7d406b384f96 in __invoke_impl<nsresult, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#3 0x7d406b384f96 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#4 0x7d406b384f96 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#5 0x7d406b384f96 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#6 0x7d406b384f96 in apply<nsIThread, nsresult (nsIThread::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
#7 0x7d406b384f96 in mozilla::detail::RunnableMethodImpl<nsUpdateProcessor*, void (nsUpdateProcessor::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
#8 0x7d406d22a825 in nsContentUtils::RemoveScriptBlocker() /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:6205:17
#9 0x7d406d48f9d5 in mozilla::dom::Document::EndUpdate() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8291:3
#10 0x7d406c5d1079 in EndDocUpdate /builds/worker/checkouts/gecko/parser/html/nsHtml5DocumentBuilder.h:77:16
#11 0x7d406c5d1079 in nsHtml5AutoFlush::~nsHtml5AutoFlush() /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:100:18
#12 0x7d406c5cece4 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:664:5
#13 0x7d406c5d724d in nsHtml5ExecutorReflusher::Run() /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:82:16
#14 0x7d406b649017 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:618:16
#15 0x7d406b63ea86 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:945:26
#16 0x7d406b63d497 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:768:15
#17 0x7d406b63d915 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:554:36
#18 0x7d406b64c986 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:268:37
#19 0x7d406b64c986 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#20 0x7d406b6600ab in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1155:16
#21 0x7d406b666d8f in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#22 0x7d406c1cf365 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#23 0x7d406c122bc1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#24 0x7d406c122bc1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#25 0x7d4070c45c68 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#26 0x7d4070cf3438 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
#27 0x7d4071bb4f0b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:710:20
#28 0x7d406c1d01b6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#29 0x7d406c122bc1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#30 0x7d406c122bc1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#31 0x7d4071bb479b in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:645:34
#32 0x64f8cb78108e in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:403:22
Flags: in-testsuite?
|
||
Comment 1•5 months ago
|
||
Verified bug as reproducible on mozilla-central 20240912200624-91f8ef13345e.
The bug appears to have been introduced in the following build range:
Start: 09b974edc310176b90381ac705d9f00cef46320a (20240904145542)
End: c078a5b8f5bb201038f511233a8b977aa4f65034 (20240904160710)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=09b974edc310176b90381ac705d9f00cef46320a&tochange=c078a5b8f5bb201038f511233a8b977aa4f65034
Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
|
Assignee | |
Comment 3•5 months ago
|
||
With the change in bug 1882670, nsFrameLoader::GetBrowsingContext could
be called when we've destroyed the nsFrameLoader.
|
||
Updated•5 months ago
|
Assignee: nobody → sefeng
Status: NEW → ASSIGNED
|
||
Updated•5 months ago
|
|
||
Comment 5•5 months ago
|
||
Set release status flags based on info from the regressing bug 1882670
status-firefox130:
--- → unaffected
status-firefox131:
--- → unaffected
status-firefox-esr115:
--- → unaffected
status-firefox-esr128:
--- → unaffected
|
|
Assignee | |
Updated•5 months ago
|
Severity: -- → S3
Pushed by sefeng@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/29d6035fe8ee
Update the MOZ_ASSERT in nsFrameLoader::GetBrowsingContext r=emilio
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/48292 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
|
||
Comment 8•5 months ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 132 Branch
Upstream PR merged by moz-wptsync-bot
|
|
||
Comment 10•5 months ago
|
||
Verified bug as fixed on rev mozilla-central 20240921091547-f4ffb4b9ac47.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
You need to log in
before you can comment on or make changes to this bug.
Description
•