Closed Bug 1974827 Opened 3 months ago Closed 2 months ago

Assertion failure: !mRawPtr, at /builds/worker/workspace/obj-build/dist/include/mozilla/AlreadyAddRefed.h:136

Categories

(Core :: DOM: Core & HTML, defect)

RESOLVED FIXED
142 Branch
Tracking Status
firefox-esr128 --- unaffected
firefox-esr140 --- unaffected
firefox140 --- unaffected
firefox141 --- unaffected
firefox142 --- fixed

People

(Reporter: tsmith, Assigned: arai)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, pernosco, regression)

Attachments

(1 file)

Found with m-c 20250625-d6e1ecae6d1b (--enable-debug)

This was found by visiting a live website with a debug build.

STR:

  • Launch browser and visit site

This issue was triggered by visiting http://thestarwarstrilogy.com/.
A Pernosco session is available here: https://pernos.co/debug/4INA5B5O6kAl-KSkrQx5pw/index.html

Assertion failure: !mRawPtr, at /builds/worker/workspace/obj-build/dist/include/mozilla/AlreadyAddRefed.h:136

0|0|libxul.so|mozilla::dom::ScriptLoader::GiveUpBytecodeEncoding()|hg:hg.mozilla.org/mozilla-central:dom/script/ScriptLoader.cpp:125c00ceb378e127366fd6d02234951f16a43c1a|3642|0x4d9
0|1|libxul.so|mozilla::dom::Document::Destroy()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:125c00ceb378e127366fd6d02234951f16a43c1a|12107|0xd0
0|2|libxul.so|nsDocumentViewer::Destroy()|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:125c00ceb378e127366fd6d02234951f16a43c1a|1722|0x4ca
0|3|libxul.so|nsDocShell::Destroy()|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:125c00ceb378e127366fd6d02234951f16a43c1a|4523|0x324
0|4|libxul.so|nsWebBrowser::SetDocShell(nsDocShell*)|hg:hg.mozilla.org/mozilla-central:toolkit/components/browser/nsWebBrowser.cpp:125c00ceb378e127366fd6d02234951f16a43c1a|1054|0xa5
0|5|libxul.so|{virtual override thunk({offset(-24)}, nsWebBrowser::Destroy())}|hg:hg.mozilla.org/mozilla-central:toolkit/components/browser/nsWebBrowser.cpp:125c00ceb378e127366fd6d02234951f16a43c1a||0x13
0|6|libxul.so|mozilla::dom::BrowserChild::DestroyWindow()|hg:hg.mozilla.org/mozilla-central:dom/ipc/BrowserChild.cpp:125c00ceb378e127366fd6d02234951f16a43c1a|707|0x1d0
0|7|libxul.so|mozilla::dom::BrowserChild::RecvDestroy()|hg:hg.mozilla.org/mozilla-central:dom/ipc/BrowserChild.cpp:125c00ceb378e127366fd6d02234951f16a43c1a|2996|0x17d
0|8|libxul.so|mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:91c915847b72e4d7545e99e2913236fad59c5800d637742a720ed5448609836111565907ffc4e4916f5a0547fbbbfadacbff9cb18859006763b77ae07de2725b/ipc/ipdl/PBrowserChild.cpp:|7288|0x80e
0|9|libxul.so|mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:32556f98cfb32ec2734a878a589ed6738727bed4568dbf77bacaf427371cab052f99a8ba1439068f067bfe83732103707a036e179c034d838db6f1604dece17d/ipc/ipdl/PContentChild.cpp:|8388|0x60e
0|10|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:125c00ceb378e127366fd6d02234951f16a43c1a|1795|0x128
0|11|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:125c00ceb378e127366fd6d02234951f16a43c1a|1721|0x270
0|12|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:125c00ceb378e127366fd6d02234951f16a43c1a|1512|0x178
0|13|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:125c00ceb378e127366fd6d02234951f16a43c1a|1612|0xcd
0|14|libxul.so|mozilla::RunnableTask::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:125c00ceb378e127366fd6d02234951f16a43c1a|703|0x17
0|15|libxul.so|mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:125c00ceb378e127366fd6d02234951f16a43c1a|1310|0x50e
0|16|libxul.so|mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:125c00ceb378e127366fd6d02234951f16a43c1a|1133|0x57
0|17|libxul.so|mozilla::TaskController::ProcessPendingMTTask(bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:125c00ceb378e127366fd6d02234951f16a43c1a|639|0x65
0|18|libxul.so|mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:125c00ceb378e127366fd6d02234951f16a43c1a|548|0x16
0|19|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:125c00ceb378e127366fd6d02234951f16a43c1a|1159|0x5aa
0|20|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:125c00ceb378e127366fd6d02234951f16a43c1a|480|0x4f
0|21|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:125c00ceb378e127366fd6d02234951f16a43c1a|85|0xc0
0|22|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:125c00ceb378e127366fd6d02234951f16a43c1a|344|0x61
0|23|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:125c00ceb378e127366fd6d02234951f16a43c1a|148|0x28
0|24|libxul.so|nsAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/gtk/nsAppShell.cpp:125c00ceb378e127366fd6d02234951f16a43c1a|471|0x114
0|25|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:125c00ceb378e127366fd6d02234951f16a43c1a|652|0x6b
0|26|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:125c00ceb378e127366fd6d02234951f16a43c1a|235|0x3c
0|27|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:125c00ceb378e127366fd6d02234951f16a43c1a|344|0x61
0|28|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:125c00ceb378e127366fd6d02234951f16a43c1a|590|0xae5
0|29|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:125c00ceb378e127366fd6d02234951f16a43c1a|397|0x1fe
Component: Layout → DOM: Core & HTML

In the pernosco trace, we're crashing when the return value of the StealFirst() call here is discarded:
https://searchfox.org/mozilla-central/rev/d1350fc4e513f39a11070b1f3388dde353e7470b/dom/script/ScriptLoader.cpp#3641-3643

while (!mBytecodeEncodableDependencyModules.isEmpty()) {
  (void)mBytecodeEncodableDependencyModules.StealFirst();
}

Facts about this^ situation:

  • StealFirst returns type already_AddRefed<ScriptLoadRequest>
  • The already_AddRefed type (that return value) must be adopted into some other value before it gets destroyed (unless it's already null), or else it will fatally assert in its own destructor.
  • Here, we are trivially not honoring that requirement; we're dropping the return value on the floor with the (void) cast. (Not sure why we'd do that - maybe we're assuming StealFirst should only return a null-valued already_AddRefed value here?)

In any case, this looks fishy/wrong. This was added last week in this line for bug 1973206:
https://hg-edge.mozilla.org/mozilla-central/rev/35733d378761276fe84324c4dcaf82fd200643e3#l1.119

arai, could you take a look?

Flags: needinfo?(arai.unmht)
Keywords: regression
Regressed by: 1973206
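
The ownership rule listed in the comment above, as an added example (not code from this bug or from Mozilla's tree): `AlreadyAddRefedModel`, `RefPtrModel`, `RequestList` and `Drain` are simplified hypothetical stand-ins. The model's destructor counts dropped references instead of asserting, so the discarding loop and the adopting loop can both run to completion.

```cpp
// Added example: simplified stand-ins, not Mozilla's real classes.
#include <deque>
#include <vector>

static int gDroppedRefs = 0;  // counts what the real destructor would assert on

// Stand-in for ScriptLoadRequest; refcnt starts at the list's one reference.
struct Request { int refcnt = 1; void Release() { --refcnt; } };

// Models already_AddRefed<T>: carries one reference that someone must take.
struct AlreadyAddRefedModel {
  Request* mRawPtr;
  explicit AlreadyAddRefedModel(Request* p) : mRawPtr(p) {}
  AlreadyAddRefedModel(AlreadyAddRefedModel&& o) : mRawPtr(o.take()) {}
  Request* take() { Request* p = mRawPtr; mRawPtr = nullptr; return p; }
  // The real destructor asserts !mRawPtr; the model counts so both paths run.
  ~AlreadyAddRefedModel() { if (mRawPtr) ++gDroppedRefs; }
};

// Models RefPtr<T>: adopts the reference and releases it when destroyed.
struct RefPtrModel {
  Request* mPtr;
  explicit RefPtrModel(AlreadyAddRefedModel&& a) : mPtr(a.take()) {}
  ~RefPtrModel() { if (mPtr) mPtr->Release(); }
};

struct RequestList {          // stand-in for the dependency-module list
  std::deque<Request*> items;
  bool isEmpty() const { return items.empty(); }
  AlreadyAddRefedModel StealFirst() {
    Request* r = items.front();
    items.pop_front();
    return AlreadyAddRefedModel(r);
  }
};

struct DrainResult { int dropped; int stillReferenced; };

// Drains n requests, either adopting each stolen reference or discarding it.
DrainResult Drain(bool adopt, int n) {
  gDroppedRefs = 0;
  std::vector<Request> pool(n);
  RequestList list;
  for (Request& r : pool) list.items.push_back(&r);
  while (!list.isEmpty()) {
    if (adopt) { RefPtrModel req(list.StealFirst()); }  // released at scope exit
    else { (void)list.StealFirst(); }                   // the pattern in the bug
  }
  int live = 0;
  for (const Request& r : pool) live += (r.refcnt > 0);
  return {gDroppedRefs, live};
}
```

`Drain(false, n)` reports n dropped references, one per iteration of the discarding loop, while `Drain(true, n)` reports none. The second field shows what the discard costs when the assertion is not compiled in: every stolen request keeps a reference that nothing releases.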

Thank you for the detailed analysis!
I'll fix that part to handle the return value.

Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Flags: needinfo?(arai.unmht)

Set release status flags based on info from the regressing bug 1973206

Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 142 Branch

If this should be S3, feel free to change it.

Severity: -- → S2
OS: Unspecified → All
Hardware: Unspecified → All
QA Whiteboard: [qa-triage-done-c143/b142]