Closed Bug 1978589 Opened 26 days ago Closed 5 days ago

Assertion failure: mRawPtr, at /builds/worker/workspace/obj-build/dist/include/mozilla/StaticPtr.h:50

Categories

(Core :: Networking, defect, P1)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
143 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox-esr140 --- affected
firefox141 --- wontfix
firefox142 --- wontfix
firefox143 --- verified

People

(Reporter: jkratzer, Assigned: smayya)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed][necko-triaged])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev 47d8d7840ccb (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 47d8d7840ccb --debug --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: mRawPtr, at /builds/worker/workspace/obj-build/dist/include/mozilla/StaticPtr.h:50

    ==786649==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f54d8856c0f bp 0x7ffc01ee5220 sp 0x7ffc01ee51f0 T786649)
    ==786649==The signal is caused by a WRITE memory access.
    ==786649==Hint: address points to the zero page.
        #0 0x7f54d8856c0f in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3
        #1 0x7f54d8856c0f in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/StaticPtr.h:50:5
        #2 0x7f54d8856c0f in mozilla::dom::BrowsingContext::Get(unsigned long) /docshell/base/BrowsingContext.cpp:279:20
        #3 0x7f54d2850f76 in GetBrowsingContext /netwerk/base/LoadInfo.cpp:1683:14
        #4 0x7f54d2850f76 in mozilla::net::LoadInfo::UpdateParentAddressSpaceInfo() /netwerk/base/LoadInfo.cpp:2757:3
        #5 0x7f54d28501f2 in mozilla::net::LoadInfo::LoadInfo(nsIPrincipal*, nsIPrincipal*, nsINode*, unsigned int, nsIContentPolicy::nsContentPolicyType, mozilla::Maybe<mozilla::dom::ClientInfo> const&, mozilla::Maybe<mozilla::dom::ServiceWorkerDescriptor> const&, unsigned int) /netwerk/base/LoadInfo.cpp:382:5
        #6 0x7f54d284e948 in mozilla::net::LoadInfo::Create(nsIPrincipal*, nsIPrincipal*, nsINode*, unsigned int, nsIContentPolicy::nsContentPolicyType, mozilla::Maybe<mozilla::dom::ClientInfo> const&, mozilla::Maybe<mozilla::dom::ServiceWorkerDescriptor> const&, unsigned int) /netwerk/base/LoadInfo.cpp:89:33
        #7 0x7f54d4165d98 in ShouldLoadCachedImage(imgRequest*, mozilla::dom::Document*, nsIPrincipal*, nsIContentPolicy::nsContentPolicyType, bool) /image/imgLoader.cpp:736:54
        #8 0x7f54d416131d in ValidateSecurityInfo /image/imgLoader.cpp:826:10
        #9 0x7f54d416131d in imgLoader::ValidateEntry(imgCacheEntry*, nsIURI*, nsIURI*, nsIReferrerInfo*, nsILoadGroup*, imgINotificationObserver*, mozilla::dom::Document*, unsigned int, nsIContentPolicy::nsContentPolicyType, bool, bool*, imgRequestProxy**, nsIPrincipal*, mozilla::CORSMode, bool, unsigned long, mozilla::dom::FetchPriority) /image/imgLoader.cpp:1987:8
        #10 0x7f54d4162d58 in imgLoader::LoadImage(nsIURI*, nsIURI*, nsIReferrerInfo*, nsIPrincipal*, unsigned long, nsILoadGroup*, imgINotificationObserver*, nsINode*, mozilla::dom::Document*, unsigned int, nsISupports*, nsIContentPolicy::nsContentPolicyType, nsTSubstring<char16_t> const&, bool, bool, unsigned long, mozilla::dom::FetchPriority, imgRequestProxy**) /image/imgLoader.cpp:2458:9
        #11 0x7f54d428d18d in nsContentUtils::LoadImage(nsIURI*, nsINode*, mozilla::dom::Document*, nsIPrincipal*, unsigned long, nsIReferrerInfo*, imgINotificationObserver*, int, nsTSubstring<char16_t> const&, imgRequestProxy**, nsIContentPolicy::nsContentPolicyType, bool, bool, unsigned long, mozilla::dom::FetchPriority) /dom/base/nsContentUtils.cpp:4619:21
        #12 0x7f54d43b3464 in nsImageLoadingContent::LoadImage(nsIURI*, bool, bool, nsImageLoadingContent::ImageLoadType, unsigned int, mozilla::dom::Document*, nsIPrincipal*) /dom/base/nsImageLoadingContent.cpp:1219:17
        #13 0x7f54d6435d12 in LoadImage /dom/base/nsImageLoadingContent.h:170:12
        #14 0x7f54d6435d12 in mozilla::dom::HTMLImageElement::LoadSelectedImage(bool, bool) /dom/html/HTMLImageElement.cpp:735:10
        #15 0x7f54d43b76b7 in operator()<StoreRefPtrPassByPtr<nsIURI> &, StoreRefPtrPassByPtr<nsIPrincipal> &, StoreCopyPassByConstLRef<bool> &, StoreCopyPassByConstLRef<bool> &, StoreCopyPassByConstLRef<bool> &> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
        #16 0x7f54d43b76b7 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), StoreRefPtrPassByPtr<nsIURI> &, StoreRefPtrPassByPtr<nsIPrincipal> &, StoreCopyPassByConstLRef<bool> &, StoreCopyPassByConstLRef<bool> &, StoreCopyPassByConstLRef<bool> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
        #17 0x7f54d43b76b7 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), StoreRefPtrPassByPtr<nsIURI> &, StoreRefPtrPassByPtr<nsIPrincipal> &, StoreCopyPassByConstLRef<bool> &, StoreCopyPassByConstLRef<bool> &, StoreCopyPassByConstLRef<bool> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
        #18 0x7f54d43b76b7 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<StoreRefPtrPassByPtr<nsIURI>, StoreRefPtrPassByPtr<nsIPrincipal>, StoreCopyPassByConstLRef<bool>, StoreCopyPassByConstLRef<bool>, StoreCopyPassByConstLRef<bool> > &, 0UL, 1UL, 2UL, 3UL, 4UL> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
        #19 0x7f54d43b76b7 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<StoreRefPtrPassByPtr<nsIURI>, StoreRefPtrPassByPtr<nsIPrincipal>, StoreCopyPassByConstLRef<bool>, StoreCopyPassByConstLRef<bool>, StoreCopyPassByConstLRef<bool> > &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
        #20 0x7f54d43b76b7 in apply<nsImageLoadingContent, void (nsImageLoadingContent::*)(nsIURI *, nsIPrincipal *, bool, bool, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
        #21 0x7f54d43b76b7 in mozilla::detail::RunnableMethodImpl<nsImageLoadingContent*, void (nsImageLoadingContent::*)(nsIURI*, nsIPrincipal*, bool, bool, bool), true, (mozilla::RunnableKind)0, nsIURI*, nsIPrincipal*, bool, bool, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
        #22 0x7f54d429dd3e in nsContentUtils::RemoveScriptBlocker() /dom/base/nsContentUtils.cpp:6910:17
        #23 0x7f54d457a823 in ~nsAutoScriptBlocker /dom/base/nsContentUtils.h:3877:28
        #24 0x7f54d457a823 in mozilla::dom::FragmentOrElement::cycleCollection::Unlink(void*) /dom/base/FragmentOrElement.cpp:1377:3
        #25 0x7f54d2585fe0 in nsCycleCollector::CollectWhite() /xpcom/base/nsCycleCollector.cpp:3288:26
        #26 0x7f54d2587a0a in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, JS::SliceBudget&, nsICycleCollectorListener*, bool) /xpcom/base/nsCycleCollector.cpp:3700:26
        #27 0x7f54d25875fe in nsCycleCollector::ShutdownCollect() /xpcom/base/nsCycleCollector.cpp:3607:20
        #28 0x7f54d2588fd6 in nsCycleCollector::Shutdown(bool) /xpcom/base/nsCycleCollector.cpp:3939:5
        #29 0x7f54d258ad03 in nsCycleCollector_shutdown(bool) /xpcom/base/nsCycleCollector.cpp:4288:18
        #30 0x7f54d26a952e in mozilla::ShutdownXPCOM(nsIServiceManager*) /xpcom/build/XPCOMInit.cpp:734:3
        #31 0x7f54d8fe9d3b in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:589:16
        #32 0x604243c8cd0f in main /browser/app/nsBrowserApp.cpp:397:22
        #33 0x7f54e31741c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #34 0x7f54e317428a in __libc_start_main csu/../csu/libc-start.c:360:3
        #35 0x604243c60588 in _start (/home/jkratzer/builds/m-c-20250722093426-fuzzing-debug/firefox-bin+0x57588) (BuildId: efea99cb1cdb9164b94e3342fdaed0d45110fa79)
    
    ==786649==Register values:
    rax = 0x0000000000000000  rbx = 0x00007ffc01ee5238  rcx = 0x0000000000000032  rdx = 0x00007f54e334e563  
    rdi = 0x00007f54e334f700  rsi = 0x0000000000000000  rbp = 0x00007ffc01ee5220  rsp = 0x00007ffc01ee51f0  
     r8 = 0x0000000000000000   r9 = 0x0000000000000003  r10 = 0x0000000000000000  r11 = 0x0000000000000293  
    r12 = 0x0000000000000000  r13 = 0x0000604256c9c4d0  r14 = 0xaaaaaaaaaaaaaaaa  r15 = 0x0000000000000003  
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3 in MOZ_CrashSequence
    ==786649==ABORTING
Attached file Testcase
Attachment #9502140 - Attachment filename: tetscase.zip.undefined → tetscase.zip

Verified bug as reproducible on mozilla-central 20250722093426-47d8d7840ccb.
The bug appears to have been introduced in the following build range:

Start: 3ccb1d36b367c4d53d0f02eebc9cfa42c9d9d339 (20250522104802)
End: e2490aef03855cb7b1784dcb1a55e28d2d45f150 (20250522113032)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=3ccb1d36b367c4d53d0f02eebc9cfa42c9d9d339&tochange=e2490aef03855cb7b1784dcb1a55e28d2d45f150

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

This bug has been marked as a regression. Setting status flag for Nightly to affected.

Assignee: nobody → smayya
Flags: needinfo?(smayya)
Component: DOM: Navigation → Networking
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][necko-triaged]
Severity: -- → S3
Priority: -- → P1
Pushed by smayya@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/307029bb3942 https://hg.mozilla.org/integration/autoland/rev/f63241bb5e39 add null checks before accessing sBrowsingContexts in BrowsingContext class. r=nika
Status: NEW → RESOLVED
Closed: 5 days ago
Resolution: --- → FIXED
Target Milestone: --- → 143 Branch
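The trace above and the fix description make the mechanism clear: during XPCOM shutdown the cycle collector unlinks a DOM element, the script blocker that unlink held is released, a deferred image-load runnable runs, that runnable builds a LoadInfo, and LoadInfo asks BrowsingContext::Get() for a context by id after the static registry behind it has already been torn down, so StaticAutoPtr's operator-> trips its mRawPtr assertion. The following is an added illustration, not Mozilla code and not the actual patch: StaticAutoPtrSim, BrowsingContextSim, sBrowsingContexts, sDeferredRunnables, GetUnchecked, GetChecked, ShutdownRegistry and DeferredLookupSurvivesShutdown are all hypothetical, simplified stand-ins chosen to reproduce the ordering in the stack trace and the shape of the null check the commit message describes. In the debug build in the trace the assertion aborts the process; the unchecked accessor below shows what the code relied on, and the checked one shows the defensive form.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <functional>
#include <unordered_map>
#include <vector>

// Hypothetical, simplified stand-in for mozilla::StaticAutoPtr<T> (not the
// real StaticPtr.h): an owning raw pointer whose operator-> aborts when null.
// That abort is the "Assertion failure: mRawPtr" seen in the report above.
template <typename T>
class StaticAutoPtrSim {
 public:
  StaticAutoPtrSim() = default;
  StaticAutoPtrSim(const StaticAutoPtrSim&) = delete;
  StaticAutoPtrSim& operator=(const StaticAutoPtrSim&) = delete;
  ~StaticAutoPtrSim() { delete mRawPtr; }

  StaticAutoPtrSim& operator=(T* aPtr) {
    delete mRawPtr;
    mRawPtr = aPtr;
    return *this;
  }
  T* operator->() const {
    if (!mRawPtr) {
      std::fputs("Assertion failure: mRawPtr\n", stderr);
      std::abort();
    }
    return mRawPtr;
  }
  explicit operator bool() const { return mRawPtr != nullptr; }

 private:
  T* mRawPtr = nullptr;
};

struct BrowsingContextSim {
  uint64_t mId;
};

using ContextMap = std::unordered_map<uint64_t, BrowsingContextSim>;

// Process-wide registry that is cleared during shutdown (hypothetical name,
// mirroring the sBrowsingContexts mentioned in the commit message).
static StaticAutoPtrSim<ContextMap> sBrowsingContexts;

// Work deferred behind a script blocker. In the trace this is the image-load
// runnable that nsContentUtils::RemoveScriptBlocker() ran from the cycle
// collector's shutdown collection.
static std::vector<std::function<void()>> sDeferredRunnables;

void InitRegistry() { sBrowsingContexts = new ContextMap; }

void RegisterContext(uint64_t aId) {
  sBrowsingContexts->emplace(aId, BrowsingContextSim{aId});
}

// Accessor in the shape that crashed: it assumes the registry outlives every
// caller. A lookup that runs after ShutdownRegistry() hits the null check in
// operator-> and aborts; with that assertion compiled out it would call
// find() through a null pointer instead.
const BrowsingContextSim* GetUnchecked(uint64_t aId) {
  auto it = sBrowsingContexts->find(aId);
  return it == sBrowsingContexts->end() ? nullptr : &it->second;
}

// Accessor in the shape of the fix: test the static pointer first and treat
// "registry already torn down" the same as "no such context".
const BrowsingContextSim* GetChecked(uint64_t aId) {
  if (!sBrowsingContexts) {
    return nullptr;
  }
  auto it = sBrowsingContexts->find(aId);
  return it == sBrowsingContexts->end() ? nullptr : &it->second;
}

// Tear-down order from the trace, collapsed into one function: the registry
// goes away first, then deferred runnables still get to run.
void ShutdownRegistry() {
  sBrowsingContexts = nullptr;
  for (auto& runnable : sDeferredRunnables) {
    runnable();
  }
  sDeferredRunnables.clear();
}

// Reproduces the bug's ordering with the checked accessor. Returns true when
// the deferred lookup ran after tear-down and got nullptr instead of aborting.
bool DeferredLookupSurvivesShutdown(uint64_t aId) {
  InitRegistry();
  RegisterContext(aId);
  bool ran = false;
  bool sawNull = false;
  sDeferredRunnables.push_back([&] {
    ran = true;
    sawNull = (GetChecked(aId) == nullptr);
  });
  ShutdownRegistry();
  return ran && sawNull;
}

int main() {
  InitRegistry();
  RegisterContext(7);
  std::printf("before shutdown, id 7: %s\n", GetUnchecked(7) ? "found" : "missing");
  std::printf("deferred lookup after shutdown safe: %s\n",
              DeferredLookupSurvivesShutdown(7) ? "yes" : "no");
  return 0;
}
```

The checked accessor turns a process abort into a benign "no context" answer, which is the right outcome for work that is only running because shutdown is draining leftovers; the caller in the trace (LoadInfo's parent-address-space bookkeeping for a cached image) has nothing useful to do once the browsing contexts are gone. The example keeps the unchecked variant only to show the assumption the bug depended on; do not call it after ShutdownRegistry().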

Verified bug as fixed on rev mozilla-central 20250812094605-68d37f9acbd4.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon