1952104 - Assertion failure: false (Late preference writes should be avoided.), at /builds/worker/checkouts/gecko/modules/libpref/Preferences.cpp:1835

Status: ASSIGNED

(Core :: Privacy: Anti-Tracking, defect)

Description

[Tyson Smith [:tsmith]]

Found while fuzzing m-c 20250106-dd8b1488a379 (--enable-debug --enable-fuzzing)

The test case was basically setTimeout(window.close, 500) so I assume this is due to prefs.

user_pref("javascript.options.blinterp.threshold", 100);
user_pref("javascript.options.ion.offthread_compilation", false);
user_pref("javascript.options.ion.threshold", 10);
user_pref("javascript.options.mem.gc_zeal.mode", 14);

A Pernosco session is available here: https://pernos.co/debug/j8pUN0uBeRpxIyAEn261LQ/index.html

Assertion failure: false (Late preference writes should be avoided.), at /builds/worker/checkouts/gecko/modules/libpref/Preferences.cpp:1835

#0 0x78124a6458d3 in pref_SetPref(nsTString<char> const&, mozilla::PrefType, mozilla::PrefValueKind, PrefValue, bool, bool, bool) /builds/worker/checkouts/gecko/modules/libpref/Preferences.cpp:1835:5
#1 0x78124a596b33 in mozilla::Preferences::SetCString(char const*, nsTSubstring<char> const&, mozilla::PrefValueKind) /builds/worker/checkouts/gecko/modules/libpref/Preferences.cpp:5209:10
#2 0x78124a596a2d in nsPrefBranch::SetCharPrefNoLengthCheck(char const*, nsTSubstring<char> const&) /builds/worker/checkouts/gecko/modules/libpref/Preferences.cpp:2405:10
#3 0x78124a57e001 in NS_InvokeByIndex /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
#4 0x78124b2bee3d in Invoke /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1620:10
#5 0x78124b2bee3d in CallMethodHelper::Call() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1174:19
#6 0x78124b2beb17 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1120:23
#7 0x78124b2c0af8 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:966:10
#8 0x7812510736aa in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:532:13
#9 0x781251072e83 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:628:12
#10 0x7812510899c8 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:700:10
#11 0x7812510899c8 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3338:16
#12 0x78125107231a in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:502:13
#13 0x781251072d6d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:660:13
#14 0x7812510744d8 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:727:8
#15 0x7812513cbb57 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/SelfHosting.cpp:1577:10
#16 0x781251127e51 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/AsyncFunction.cpp:156:8
#17 0x781251332a1d in AsyncFunctionPromiseReactionJob /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2117:10
#18 0x781251332a1d in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2175:12
#19 0x7812510736aa in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:532:13
#20 0x781251072e83 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:628:12
#21 0x7812510744d8 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:727:8
#22 0x78125115ba9b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#23 0x78124c943400 in mozilla::dom::VoidFunction::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./JSActorBinding.cpp:35:8
#24 0x78124a43aa95 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
#25 0x78124a43a25f in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
#26 0x78124a43a25f in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:209:18
#27 0x78124a4264d8 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:768:17
#28 0x78124d7fadfa in LeaveMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:241:7
#29 0x78124d7fadfa in mozilla::dom::CallbackObject::CallSetup::~CallSetup() /builds/worker/checkouts/gecko/dom/bindings/CallbackObject.cpp:394:11
#30 0x78124c3534eb in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::IdleDeadline&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:391:3
#31 0x78124c352855 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:403:12
#32 0x78124c352855 in mozilla::dom::(anonymous namespace)::IdleDispatchRunnable::Run() /builds/worker/checkouts/gecko/dom/base/ChromeUtils.cpp:503:17
#33 0x78124a538217 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:688:16
#34 0x78124a52e6fd in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1015:20
#35 0x78124a52d4de in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:880:15
#36 0x78124a52d7f5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:624:36
#37 0x78124a540a06 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:336:37
#38 0x78124a540a06 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#39 0x78124a554244 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
#40 0x78124a550ca0 in NS_ProcessPendingEvents(nsIThread*, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:445:19
#41 0x78124a416e10 in mozilla::AppShutdown::AdvanceShutdownPhaseInternal(mozilla::ShutdownPhase, bool, char16_t const*, nsCOMPtr<nsISupports> const&) /builds/worker/checkouts/gecko/xpcom/base/AppShutdown.cpp:417:5
#42 0x78124a592255 in mozilla::ShutdownXPCOM(nsIServiceManager*) /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:637:5
#43 0x781250eb0d0f in ScopedXPCOMStartup::~ScopedXPCOMStartup() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:1951:5
#44 0x781250ebdd50 in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:460:5
#45 0x781250ebdd50 in reset /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:302:7
#46 0x781250ebdd50 in mozilla::UniquePtr<ScopedXPCOMStartup, mozilla::DefaultDelete<ScopedXPCOMStartup>>::operator=(std::nullptr_t) /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:272:5
#47 0x781250ebd0e5 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:6112:16
#48 0x781250ebdea8 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:6148:21
#49 0x5d000a127a4e in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:232:22
#50 0x5d000a127a4e in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:464:16

Comment 1

[Tyson Smith [:tsmith]]

I think zeal is to blame here.

Comment 2

[Jon Coppeard (:jonco)]

The pref it's complaining about is "captchadetection.lastSubmission". This is happening while clearing the microtask queue during shutdown.

Not sure how this is related to zeal. Redirecting.

Comment 3

[Tim Huang[:timhuang]]

Fatih, could you take a look?

Comment 4

[Fatih Kilic [:fkilic]]

Sure. Is this test running on the web and not just tests we have in the codebase? I'm just curios because I can't think of a case where we submit a captcha detection ping during testing as long as the whole test suite runs for less than 24 hours. Anyway, I'll take a look.

Comment 6

[Fatih Kilic [:fkilic]]

Attachment: Bug 1952104 - Don't submit captcha detection ping if profile is about to be closed or closed. r?tjr

Comment 7

[Pulsebot]

Pushed by fkilic@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/69bf8748fb43
Don't submit captcha detection ping if profile is about to be closed or closed. r=tjr

Comment 8

[Tyson Smith [:tsmith]]

(In reply to Fatih Kilic [:fkilic] from comment #4)

Is this test running on the web and not just tests we have in the codebase?

The reports have all been from fuzzing. So the max up time of the browser is likely <10m.

Comment 9

[Fatih Kilic [:fkilic]]

I wonder what caused ping submission. It flushes the ping when one of the prefs it observes changes (some of the privacy and cookie partitioning prefs), or when it has been more than 24 hours since last submission. Interesting. Thank you!

Comment 10

[Tyson Smith [:tsmith]]

Are you able to determine what is happening using Pernosco?

Comment 11

[Fatih Kilic [:fkilic]]

Ah I get it now. I didn't notice stdout/stderr section. It shows captcha actor initiation. Last submission pref is 0, so it sets it to Date.now() to later compare it again and submit the ping if it has been more than 24 hours. So it doesn't submit the ping during fuzzing. The issue is that it means D240860 wont fix the issue (fully) :/ I'll follow up with another patch quickly.

Comment 12

[Fatih Kilic [:fkilic]]

Attachment: Bug 1952104 - Don't set any preferences if profile is closing or about to be closed. r?tjr

Comment 13

[agoloman]

Backed out for causing valgrid failures.

• Backout link
• Push with failures
• Failure Log

Comment 14

[Fatih Kilic [:fkilic]]

This is because of bug 1937873. I'll fix it. Thanks!